ipfw changes being contemplated..

Max Laier max at love2party.net
Wed Apr 18 23:33:23 UTC 2007


On Wednesday 18 April 2007 22:58, Julian Elischer wrote:
> I'm contemplating the following changes to functionality:
> I'd like suggestions and comments...
>
> 1/ Commit capability

Isn't this already there with "set"s?

>   In this change you declare a new firewall,
>   and modify/build it, and then you 'commit' it so that
>   the whole change is atomic.
>   I have a current bug at work where automatic changes
>   are made to the firewall, but sometimes packets can arrive
>   between parts of a change and lead to odd behaviour.
>   For example if I have a reset rule after a skipto,
>   and as part of the change I replace the skipto with something else,
>   then for a moment, the reset is exposed before the new rule is put
> in. This leads to a spurious reset being sent out and terminating a
> perfectly innocent session.  I can code around these sorts of things
> but I'd like to do:
>
>   ipfw duplicate to 1   # make rule list 1 a copy of the current rules
>   ipfw rules 1 delete 1000
>   ipfw rules 1 add 1000 skipto 2000 tcp from any to me ...
>   ... (400 other changes)
>   ipfw commit 1
>
>
> or
>   ipfw new 1   # make rule list 1 a copy of the current rules
>   ipfw rules 1 add 1000 skipto 2000 tcp from any to me ...
>   ... (400 other changes)
>   ipfw commit 1
>   rules that are unchanged would maintain their statistics.
>
> possibly I would not need a rule list number if the ipfw program
> would automatically write to the existing set if there is no new
> (or duplicate) rule list, but would manipulate the 'growing' list
> if it exists. (that way keeping the new behaviour as a superset
> of the old behaviour).

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
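The set-based cut-over Max alludes to, as an added example that is not code from either poster: the replacement rules are built in a disabled staging set and then swapped into the live set number with a single `ipfw set swap`, so no packet is ever matched against a half-applied list. It assumes the live rules are in set 0 (ipfw's default set), that set 1 is free for staging, and uses a constructed three-rule ruleset built around the skipto/reset pair from the thread; without `--apply` it only prints the commands.

```shell
#!/bin/sh
# Atomic ipfw ruleset replacement via rule sets (added example, not from the thread).
# Assumptions: live rules live in set 0, set 1 is unused. Dry run by default (prints
# the ipfw commands); pass --apply to execute them, which requires root on FreeBSD.
set -eu

LIVE_SET=0
STAGE_SET=1

# Constructed replacement ruleset, one "rule_number body" per line. Rule 1500 is the
# reset that the thread describes being exposed when 1000 is replaced in place.
NEW_RULES='1000 skipto 2000 tcp from any to me dst-port 22
1500 reset tcp from any to me
2000 allow tcp from any to me'

# Print one ipfw command (dry run) or run it (APPLY=1).
ipfw_cmd() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipfw -q "$@"
    else
        echo "ipfw $*"
    fi
}

# 1. make sure the staging set is disabled and empty,
# 2. add every new rule tagged with the staging set number (rules in a disabled
#    set are skipped by the packet path, so nothing matches them yet),
# 3. swap the two set numbers in one command: the new rules become set 0 and are
#    live, the old rules become set 1 and are disabled, all in one step,
# 4. delete the old rules now sitting in the disabled staging set.
replace_ruleset() {
    ipfw_cmd set disable "$STAGE_SET"
    ipfw_cmd delete set "$STAGE_SET"
    printf '%s\n' "$NEW_RULES" | while read -r num body; do
        ipfw_cmd add "$num" set "$STAGE_SET" $body
    done
    ipfw_cmd set swap "$LIVE_SET" "$STAGE_SET"
    ipfw_cmd delete set "$STAGE_SET"
}

if [ "${1:-}" = "--apply" ]; then
    APPLY=1
fi
replace_ruleset
```

Because the swapped-in rules are freshly added, their counters start at zero; preserving statistics on unchanged rules is the part of the proposal that sets alone do not give you.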