ipfw pipe changes from 5.4 to 6.1-RELEASE

Fri Jul 28 18:08:50 UTC 2006

Hello!

I've noticed some changes in ipfw, as follows:


RELEASE-5.4:

# ipfw pipe 1 config bw 64Kbit/s
# ipfw pipe 2 config bw 512Kbit/s
# ipfw pipe 3 config bw 512Kbit/s mask dst-ip 0xfffffffc
# ipfw pipe show
00001:  64.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002: 512.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
     mask: 0x00 0x00000000/0x0000 -> 0xfffffffc/0x0000


RELEASE-6.1

# ipfw pipe 1 config bw 64Kbit/s
# ipfw pipe 2 config bw 512Kbit/s
# ipfw pipe 3 config bw 512Kbit/s mask dst-ip 0xfffffffc
# ipfw pipe show
00001:  64.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
00002: 512.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail


In RELEASE-6.1, the line containing mask options is not shown.
IMHO, it should be displayed because it's part of pipe attributes.
I went to check the differences in the source code and it seems that 
adding IPv6 to ipfw2.c made the 'mask' line appears only when there is a 
flow to that pipe.
I made some changes trying to revert to the previous behaviour, but as I 
am not keen to this kind of programming, I'd like to someone more 
experienced to take a look at it.
It seems to work, but currently I can't check whether IPv6 masks are 
shown correctly.

I need the 'old' behaviour because some shell scripts stopped working 
when we upgraded our server.

Thank you,
Tobias.

-------------- next part --------------

--- ipfw2.c.orig	Fri Jul 28 09:52:04 2006
+++ ipfw2.c	Fri Jul 28 12:05:29 2006
@@ -2004,9 +2004,32 @@
 {
 	int l;
 	int index_printed, indexes = 0;
-	char buff[255];
+	int ipv6_masks = 0;
+	char buff[255], buff2[255];
 	struct protoent *pe;
 
+	inet_ntop(AF_INET6, &(fs->flow_mask.src_ip6),
+	    buff, sizeof(buff));
+	inet_ntop(AF_INET6, &(fs->flow_mask.dst_ip6),
+	    buff2, sizeof(buff2));
+
+	if (fs->flow_mask.flow_id6 != 0 || strlen(buff) > 2 || strlen(buff2) > 2)
+		ipv6_masks = 1;
+
+	if (!ipv6_masks) {
+		printf("    "
+ 		   "mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n",
+		    fs->flow_mask.proto,
+		    fs->flow_mask.src_ip, fs->flow_mask.src_port,
+		    fs->flow_mask.dst_ip, fs->flow_mask.dst_port);
+	} else {
+		printf("    "
+		"mask: proto: 0x%02x, flow_id: 0x%08x,  %s/0x%04x -> %s/0x%04x\n",
+		    fs->flow_mask.proto, fs->flow_mask.flow_id6,
+		    buff, fs->flow_mask.src_port,
+		    buff2, fs->flow_mask.dst_port);
+	}
+
 	if (fs->rq_elements == 0)
 		return;
 
@@ -2027,11 +2050,6 @@
 			if (indexes > 0)	/* currently a no-op */
 				printf("\n");
 			indexes++;
-			printf("    "
-			    "mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n",
-			    fs->flow_mask.proto,
-			    fs->flow_mask.src_ip, fs->flow_mask.src_port,
-			    fs->flow_mask.dst_ip, fs->flow_mask.dst_port);
 
 			printf("BKT Prot ___Source IP/port____ "
 			    "____Dest. IP/port____ "
@@ -2069,14 +2087,6 @@
 			if (indexes > 0)
 				printf("\n");
 			indexes++;
-			printf("\n        mask: proto: 0x%02x, flow_id: 0x%08x,  ",
-			    fs->flow_mask.proto, fs->flow_mask.flow_id6);
-			inet_ntop(AF_INET6, &(fs->flow_mask.src_ip6),
-			    buff, sizeof(buff));
-			printf("%s/0x%04x -> ", buff, fs->flow_mask.src_port);
-			inet_ntop( AF_INET6, &(fs->flow_mask.dst_ip6),
-			    buff, sizeof(buff) );
-			printf("%s/0x%04x\n", buff, fs->flow_mask.dst_port);
 
 			printf("BKT ___Prot___ _flow-id_ "
 			    "______________Source IPv6/port_______________ "
