| Summary: | ipfw(8) poor design of command line parsing | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Crist J. Clark <cjc> |
| Component: | bin | Assignee: | ru <ru> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 3.4-STABLE | ||
| Hardware: | Any | ||
| OS: | Any | ||

State Changed From-To: open->feedback
Fixed in 5.0-CURRENT, ipfw/ipfw.8,v 1.71 and ipfw/ipfw.c,v 1.95.

Responsible Changed From-To: freebsd-bugs->ru
Usual MFC reminder.

State Changed From-To: feedback->closed
Fixed in RELENG_4 (ipfw/ipfw.c,v 1.80.2.6; ipfw/ipfw.8,v 1.63.2.5).

The design of the ipfw(8) command line parser is poorly designed. The first check it does is whether the last argument on the command line is a readable file. If it is, ipfw assumes that it is a script containing IPFW rules. Therefore, if a user or script ever executes an ipfw command in which the last argument on the command line is a readable file, the command will fail if the file is not in fact a set of IPFW rules.

I entered this as a 'change request' rather than 'bug,' but it is a borderline case, IMHO.

Fix:

To maintain back-compatibility, changing the format for ipfw command to read IPFW rule files is not a viable solution. The manner in which command line parsing is done would need restructuring. One possible method is scanning for keywords at the beginning of a rule (flush, zero, delete, resetlog, list, show, add) first. If the command line does not contain one of these, _then_ the line should be treated as one with an IPFW rule file.

How-To-Repeat:

The problem was brought to my attention by a user who was having all commands that ended with the "setup" keyword fail. He had a file named "setup" in the pwd. The code for this in /usr/src/sbin/ipfw.c quite clearly,

    if (ac > 1 && access(av[ac - 1], R_OK) == 0) {

shows this is the intended, coded behavior. The above code is the first treatment of command line args (ac = argc, av = argv) and if the above evaluates true, it is assumed the ipfw command is of the form,

    ipfw [-q] [-p preproc [-D macro[=value]] [-U macro]] file

Although the occurrence of readable files with names of words that might appear at the end of an ipfw command line is admittedly low, this problem can be corrected with minor, but non-negligible, effort.
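
The keyword-first check proposed under "Fix", set beside the check quoted under "How-To-Repeat", as an added example that is not the code committed to ipfw.c. The function names are hypothetical, the keyword list is the one given in the report, and abbreviated keywords are not handled.

```c
/* Added example: two ways to decide whether an ipfw command line names a rule file. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Action keywords exactly as listed in the report. */
static const char *const actions[] = {
    "flush", "zero", "delete", "resetlog", "list", "show", "add", NULL
};

/* Exact match only; abbreviated keywords are not handled (simplification). */
static int is_action(const char *arg)
{
    for (size_t i = 0; actions[i] != NULL; i++)
        if (strcmp(arg, actions[i]) == 0)
            return 1;
    return 0;
}

/* The check quoted in the report: any readable last argument wins. */
int legacy_is_rulefile(int ac, char **av)
{
    return ac > 1 && access(av[ac - 1], R_OK) == 0;
}

/* Keyword-first variant: inspect the first non-option word before touching
 * the file system (hypothetical helper, not the committed fix). */
int keyword_first_is_rulefile(int ac, char **av)
{
    int i = 1;

    while (i < ac && av[i][0] == '-')   /* skip leading option flags such as -q */
        i++;
    if (i >= ac || is_action(av[i]))
        return 0;                       /* no operand, or a rule command */
    return access(av[ac - 1], R_OK) == 0;
}

int main(int ac, char **av)
{
    printf("legacy:        %s\n", legacy_is_rulefile(ac, av) ? "rule file" : "command");
    printf("keyword-first: %s\n", keyword_first_is_rulefile(ac, av) ? "rule file" : "command");
    return 0;
}
```

Run from a directory containing a readable file named "setup" with the arguments `add allow tcp from any to any setup`, the two checks disagree; with the arguments `-q setup` both report a rule file.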