per-interface packet filters, design approach

Simon L. Nielsen simon at FreeBSD.org
Tue Dec 14 06:17:55 PST 2004


On 2004.12.14 06:13:07 -0800, Bruce M Simpson wrote:

> What I'm really missing in IPFW is the ability to maintain one or more
> 'shadow rulesets'. These rulesets may not be the active rulesets, but
> I can manipulate them as tables, independently of the active ruleset(s),
> push rules into them, flush them, and then atomically switch them to be
> the active ruleset, using a single syscall.

Isn't that more or less sets you are talking about?  Quoting ipfw(8):

     Each rule belongs to one of 32 different sets, numbered 0 to 31.  Set 31
     is reserved for the default rule.

     By default, rules are put in set 0, unless you use the set N attribute
     when entering a new rule.  Sets can be individually and atomically
     enabled or disabled, so this mechanism permits an easy way to store
     multiple configurations of the firewall and quickly (and atomically)
     switch between them.  The command to enable/disable sets is

           ipfw set [disable number ...] [enable number ...]

     where multiple enable or disable sections can be specified.  Command
     execution is atomic on all the sets specified in the command.  By
     default, all sets are enabled.

-- 
Simon L. Nielsen
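As an added example (not part of this thread), here is the shadow-ruleset workflow the quoted ipfw(8) text allows, as a POSIX shell script: load rules into a disabled set, then flip the live and staging sets with a single `ipfw set` command. The set numbers (0 live, 1 staging) and the sample rules are assumptions for illustration; `IPFW=echo`, the default unless `apply` is passed, prints the commands instead of running them.

```shell
#!/bin/sh
# Stage a "shadow" ipfw ruleset in a disabled set, then switch sets atomically.
# Assumed layout (hypothetical): set 0 is the live ruleset, set 1 is staging.
# IPFW=echo gives a dry run that prints the commands instead of executing them.
set -eu
IPFW=${IPFW:-ipfw}

# Constructed sample ruleset: one rule per line, "rulenum action body".
SAMPLE_RULES='100 allow ip from any to any via lo0
200 allow tcp from any to me 22 setup keep-state
300 deny log ip from any to any'

# stage_ruleset SET RULES: make SET inactive, flush it, and load RULES into it.
# Rules in a disabled set are stored but not evaluated, so the live set is untouched.
stage_ruleset() {
    set_no=$1 rules=$2
    $IPFW set disable "$set_no"
    $IPFW delete set "$set_no"
    printf '%s\n' "$rules" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        num=${line%% *}; rest=${line#* }
        # "set N" after the rule number is the attribute that places the rule in a set.
        $IPFW add "$num" set "$set_no" $rest
    done
}

# activate_set NEW OLD: one command, so the switch is atomic across both sets per ipfw(8).
activate_set() {
    $IPFW set disable "$2" enable "$1"
}

# render_switch NEW OLD RULES: dry-run the whole sequence in a subshell and
# return the command text on stdout, leaving IPFW untouched for the caller.
render_switch() (
    IPFW=echo
    stage_ruleset "$1" "$3"
    activate_set "$1" "$2"
)

case "${1:-dry-run}" in
    apply) stage_ruleset 1 "$SAMPLE_RULES"; activate_set 1 0 ;;
    *)     render_switch 1 0 "$SAMPLE_RULES" ;;
esac
```

Until the final `set disable 0 enable 1`, traffic is still evaluated only against set 0, so a half-loaded staging set never filters packets.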