[Fwd: IPFW PATCH: make the IPFW_DEFAULT_RULE number constant non private]
Roman Kurakin
rik at inse.ru
Sat Aug 23 22:18:37 UTC 2008
Luigi Rizzo wrote:
> On Sun, Aug 24, 2008 at 01:14:45AM +0400, Roman Kurakin wrote:
>
>> Hi,
>>
>> The IPFW_DEFAULT_RULE is also the max allowed rule number.
>> This value should definitely be public, so here is the patch; if there are
>> no objections I'll commit it within a couple of days.
>> After that, I plan to fix a couple of tools that need to know this value.
>>
>
> Unless the tools you have in mind already include ip_fw.h (in which case
> the change is harmless and I have no objection), I think it would be better
> to export the value in a sysctl and let the tools fetch it from there,
> so they do not need to include the header.
>
In fact, I am talking about ipfw(8) and natd(8). The first one uses a
hard-coded value; the latter passes rule numbers to libalias(3) without a
check, and libalias(3) flushes rules, also without a check. Thus if you
erroneously set -punch_fw for natd(8) as 50000:60000 (and not 50000:10000),
you will have to get to the remote server to set back all the flushed rules
at the beginning of the list. Yes, such a fix will not save you from such
stupidities, but it can decrease the number of them.

IIRC natd(8) doesn't include ip_fw.h, but I do not see why it would be
better to export this value via sysctl rather than compile it in via
#include<>. The only argument is binary portability, but expecting that
from a system utility that not just reads something but also writes is
wrong. Anyway, if you are aware of some ports for which this value would
be useful, a sysctl could also be added, but we do not have much time
before the code freeze.
Best regards,
rik
> cheers
> luigi
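The failure mode described in the message above (a -punch_fw base:count range that runs past the maximum rule number and wraps around onto rules at the head of the list) is easy to guard against once the maximum is public. The following is an added illustration, not code from natd(8), libalias(3) or the patch under discussion: it parses a natd-style "base:count" spec and rejects any range that would reach IPFW_DEFAULT_RULE or beyond. The value 65535 for IPFW_DEFAULT_RULE and the assumption that rule numbers are carried in 16 bits are both assumptions made here for the example; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this example: ipfw's default (and maximum) rule number.
 * The real constant lives in ip_fw.h; the patch in the thread makes it public. */
#define IPFW_DEFAULT_RULE 65535

/*
 * Parse a natd-style "base:count" range and check that every rule number
 * base .. base+count-1 stays strictly below IPFW_DEFAULT_RULE.
 * Returns 1 and fills *base / *count (either may be NULL) when the range is
 * acceptable, 0 when the spec is malformed or the range is too large.
 */
int punch_fw_range_ok(const char *spec, unsigned *base, unsigned *count)
{
    char *end;
    unsigned long b, c;

    if (spec == NULL)
        return 0;

    /* base number, followed by a mandatory ':' */
    b = strtoul(spec, &end, 10);
    if (end == spec || *end != ':')
        return 0;

    /* count of rules; must be present, non-zero, and end the string */
    c = strtoul(end + 1, &end, 10);
    if (*end != '\0' || c == 0)
        return 0;

    /*
     * Do the bound check in unsigned long so the comparison itself cannot
     * wrap. The last rule used is b + c - 1, which must be < IPFW_DEFAULT_RULE,
     * i.e. c <= IPFW_DEFAULT_RULE - b.
     */
    if (b >= IPFW_DEFAULT_RULE || c > (unsigned long)IPFW_DEFAULT_RULE - b)
        return 0;

    if (base)
        *base = (unsigned)b;
    if (count)
        *count = (unsigned)c;
    return 1;
}

/*
 * Show what happens without the check, assuming rule numbers are stored in
 * 16 bits: returns how many rules of the range base..base+count-1 would wrap
 * past 65535 and land on rule numbers 0, 1, 2, ... at the head of the list.
 * A result of 0 means nothing wraps.
 */
unsigned wrapped_rule_count(unsigned base, unsigned count)
{
    unsigned long last_plus_one = (unsigned long)base + count;  /* one past last rule */
    const unsigned long modulus = (unsigned long)UINT16_MAX + 1; /* 65536 */

    if (last_plus_one <= modulus)
        return 0;
    return (unsigned)(last_plus_one - modulus);
}
```

With the message's own numbers, "50000:10000" is accepted (rules 50000..59999), while "50000:60000" is rejected: unchecked, its range would wrap and overwrite 44464 rules starting at rule 0, which is exactly the "flushed rules at the beginning of the list" situation described above.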