authorluigi <luigi@FreeBSD.org>2003-07-15 23:08:44 +0000
committerluigi <luigi@FreeBSD.org>2003-07-15 23:08:44 +0000
commitd9b36adf9db6e55ce3c1c5daac171320822b286b (patch)
treeb992f79766f5caaa15e7aea78a3133c66a4e057f /sbin/ipfw
parentb907f7d38c39083f86123e6fca202f45f663a114 (diff)
Userland side of:
Allow set 31 to be used for rules other than 65535. Set 31 is still special because rules belonging to it are not deleted by the "ipfw flush" command, but must be deleted explicitly with "ipfw delete set 31" or by individual rule numbers. This implements a flexible form of "persistent rules" which you might want to have available even after an "ipfw flush". Note that this change does not violate POLA, because you could not use set 31 in a ruleset before this change. Suggested by: Paul Richards
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.818
-rw-r--r--sbin/ipfw/ipfw2.c18
2 files changed, 22 insertions, 14 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 39dc69e..22dc548 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -124,7 +124,7 @@ An
.Nm
ruleset always includes a
.Em default
-rule (numbered 65535) which cannot be modified,
+rule (numbered 65535) which cannot be modified or deleted,
and matches all packets.
The action associated with the
.Em default
@@ -171,7 +171,7 @@ Rules can be added with the
.Cm add
command; deleted individually or in groups with the
.Cm delete
-command, and globally with the
+command, and globally (except those in set 31) with the
.Cm flush
command; displayed, optionally with the content of the
counters, using the
@@ -482,14 +482,22 @@ non-default value is used instead.
.It Cm set Ar set_number
Each rule is associated with a
.Ar set_number
-in the range 0..31, with the latter reserved for the
-.Em default
-rule.
+in the range 0..31.
Sets can be individually disabled and enabled, so this parameter
is of fundamental importance for atomic ruleset manipulation.
It can be also used to simplify deletion of groups of rules.
If a rule is entered without specifying a set number,
set 0 will be used.
+.br
+Set 31 is special in that it cannot be disabled,
+and rules in set 31 are not deleted by the
+.Nm ipfw flush
+command (but you can delete them with the
+.Nm ipfw delete set 31
+command).
+Set 31 is also used for the
+.Em default
+rule.
.It Cm prob Ar match_probability
A match is only declared with the specified probability
(floating point number between 0 and 1).
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 91761bc..57349e2 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -1561,13 +1561,13 @@ sets_handler(int ac, char *av[])
bcopy(&((struct ip_fw *)data)->next_rule,
&set_disable, sizeof(set_disable));
- for (i = 0, msg = "disable" ; i < 31; i++)
+ for (i = 0, msg = "disable" ; i < RESVD_SET; i++)
if ((set_disable & (1<<i))) {
printf("%s %d", msg, i);
msg = "";
}
msg = (set_disable) ? " enable" : "enable";
- for (i = 0; i < 31; i++)
+ for (i = 0; i < RESVD_SET; i++)
if (!(set_disable & (1<<i))) {
printf("%s %d", msg, i);
msg = "";
@@ -1579,9 +1579,9 @@ sets_handler(int ac, char *av[])
errx(EX_USAGE, "set swap needs 2 set numbers\n");
rulenum = atoi(av[0]);
new_set = atoi(av[1]);
- if (!isdigit(*(av[0])) || rulenum > 30)
+ if (!isdigit(*(av[0])) || rulenum > RESVD_SET)
errx(EX_DATAERR, "invalid set number %s\n", av[0]);
- if (!isdigit(*(av[1])) || new_set > 30)
+ if (!isdigit(*(av[1])) || new_set > RESVD_SET)
errx(EX_DATAERR, "invalid set number %s\n", av[1]);
masks[0] = (4 << 24) | (new_set << 16) | (rulenum);
i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
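Review bot: The two operand checks changed in this hunk still accept trailing junk, because `isdigit(*(av[0]))` inspects only the first character and `atoi` stops silently at the first non-digit, so an argument like `31junk` or `3x` passes the new `> RESVD_SET` bound with whatever prefix parsed. A stricter parse is `char *end; rulenum = strtol(av[0], &end, 10); if (end == av[0] || *end != '\0' || rulenum < 0 || rulenum > RESVD_SET)`, with the same shape for av[1]. The same pattern is present in the move hunk and the enable/disable loop below, and in add()'s `strtoul(av[1], NULL, 10)`, whose NULL endptr likewise discards whatever follows the digits. sets_handler begins and ends outside this hunk.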
@@ -1596,10 +1596,10 @@ sets_handler(int ac, char *av[])
errx(EX_USAGE, "syntax: set move [rule] X to Y\n");
rulenum = atoi(av[0]);
new_set = atoi(av[2]);
- if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > 30) ||
+ if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > RESVD_SET) ||
(cmd == 2 && rulenum == 65535) )
errx(EX_DATAERR, "invalid source number %s\n", av[0]);
- if (!isdigit(*(av[2])) || new_set > 30)
+ if (!isdigit(*(av[2])) || new_set > RESVD_SET)
errx(EX_DATAERR, "invalid dest. set %s\n", av[1]);
masks[0] = (cmd << 24) | (new_set << 16) | (rulenum);
i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
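Review bot: The destination-set check on the line after the changed `new_set > RESVD_SET` comparison validates a value parsed from `av[2]`, but the errx reports `av[1]`, so a rejected destination is echoed back as the wrong token (presumably the literal "to", given the `set move [rule] X to Y` syntax in the usage message). Change it to `errx(EX_DATAERR, "invalid dest. set %s\n", av[2]);`. The bound change itself looks consistent with the swap hunk. sets_handler continues outside this hunk.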
@@ -1613,7 +1613,7 @@ sets_handler(int ac, char *av[])
while (ac) {
if (isdigit(**av)) {
i = atoi(*av);
- if (i < 0 || i > 30)
+ if (i < 0 || i > RESVD_SET)
errx(EX_DATAERR,
"invalid set number %d\n", i);
masks[which] |= (1<<i);
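Review bot: Raising the bound to RESVD_SET makes `masks[which] |= (1<<i)` on the next line reachable with i == 31, and `1<<31` on an int is undefined behaviour in C because the result does not fit in a signed int; use an unsigned shift, `masks[which] |= (1u << i);`. Separately, the man page text in this commit says set 31 cannot be disabled, and the display loops at the top of sets_handler stop at `i < RESVD_SET`, yet this enable/disable parser now accepts 31; if the kernel silently masks that bit out, which I cannot see from here, the user gets no feedback, so `if (i < 0 || i >= RESVD_SET)` would be the consistent check. sets_handler begins and ends outside this hunk.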
@@ -2750,10 +2750,10 @@ add(int ac, char *av[])
ac--;
}
- /* [set N] -- set number (0..30), optional */
+ /* [set N] -- set number (0..RESVD_SET), optional */
if (ac > 1 && !strncmp(*av, "set", strlen(*av))) {
int set = strtoul(av[1], NULL, 10);
- if (set < 0 || set > 30)
+ if (set < 0 || set > RESVD_SET)
errx(EX_DATAERR, "illegal set %s", av[1]);
rule->set = set;
av += 2; ac -= 2;
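Review bot: The updated comment on the `[set N]` line states the new range but not what makes the top of it different; since the man page change in this same commit says rules in set 31 survive `ipfw flush`, a reader of add() should see that where the set is parsed, e.g. `/* [set N] -- set number (0..RESVD_SET), optional; rules in RESVD_SET survive "ipfw flush" */`. Also, `int set = strtoul(av[1], NULL, 10)` narrows an unsigned long into int, so the `set < 0` test depends on an implementation-defined conversion rather than an explicit range check on the strtoul result. add() starts outside this hunk.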