author | luigi <luigi@FreeBSD.org> | 2002-08-10 04:37:32 +0000 |
---|---|---|
committer | luigi <luigi@FreeBSD.org> | 2002-08-10 04:37:32 +0000 |
commit | e3c4c6c9daa5f8657f056c8088ad060282c15bbe (patch) | |
tree | f7920d98ba96bcec6ea0554ffeab5871047ce1d5 /sys/netinet/ip_fw.h | |
parent | 1627a3b4bec29eb5ba77515bce9ea0fcde4b5c43 (diff) | |
download | FreeBSD-src-e3c4c6c9daa5f8657f056c8088ad060282c15bbe.zip FreeBSD-src-e3c4c6c9daa5f8657f056c8088ad060282c15bbe.tar.gz |
One bugfix and one new feature.
The bugfix (ipfw2.c) makes the handling of port numbers with
a dash in the name, e.g. ftp-data, consistent with old ipfw:
use \\ before the - to consider it as part of the name and not
a range separator.
The new feature (all this description will go in the manpage):
each rule now belongs to one of 32 different sets, which can
be optionally specified in the following form:
ipfw add 100 set 23 allow ip from any to any
If "set N" is not specified, the rule belongs to set 0.
Individual sets can be disabled, enabled, and deleted with the commands:
ipfw disable set N
ipfw enable set N
ipfw delete set N
Enabling/disabling of a set is atomic. Rules belonging to a disabled
set are skipped during packet matching, and they are not listed
unless you use the '-S' flag in the show/list commands.
Note that dynamic rules, once created, are always active until
they expire or their parent rule is deleted.
Set 31 is reserved for the default rule and cannot be disabled.
All sets are enabled by default. The enable/disable status of the sets
can be shown with the command
ipfw show sets
Hopefully, this feature will make life easier for those who want to
have atomic ruleset addition/deletion/tests. Examples:
To add a set of rules atomically:
ipfw disable set 18
ipfw add ... set 18 ... # repeat as needed
ipfw enable set 18
To delete a set of rules atomically:
ipfw disable set 18
ipfw delete set 18
ipfw enable set 18
To test a ruleset and disable it and regain control if something
goes wrong:
ipfw disable set 18
ipfw add ... set 18 ... # repeat as needed
ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18
Here, if everything goes well, you press control-C before
the "sleep" terminates, and your ruleset will be left
active. Otherwise, e.g. if you cannot access your box,
the ruleset will be disabled after the sleep terminates.
I think there is only one more thing that one might want, namely
a command to assign all rules in set X to set Y, so one can
test a ruleset using the above mechanisms, and once it is
considered acceptable, make it part of an existing ruleset.
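As an added example (not code from this commit or from the FreeBSD tree), a POSIX sh wrapper around the set commands described in the message: it loads a file of rules into a disabled set, enables the set, and arms a watchdog that disables it again unless the change is confirmed, which is the "sleep 30 && ipfw disable" idea made to survive a dropped session. The IPFW variable, the pid-file location and the rules-file format (one rule body per line, no rule number) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD commit. IPFW is an assumed
# variable naming the binary (a test can point it at a stub); the rules
# file format (one "ipfw add" body per line, no rule number) is assumed.
IPFW="${IPFW:-ipfw}"
WATCHDOG_DIR="${TMPDIR:-/tmp}"   # assumed location for watchdog pid files

# Replace the contents of set $1 with the rule bodies in file $2.
# The set stays disabled while it is filled, so packets never match a
# half-loaded set; on any error the set is emptied and left disabled.
ipfw_load_set() {
    set_no=$1; rules_file=$2
    "$IPFW" disable set "$set_no" || return 1
    "$IPFW" delete set "$set_no"          # drop whatever the set held before
    while IFS= read -r rule || [ -n "$rule" ]; do
        case $rule in ''|'#'*) continue ;; esac   # skip blanks and comments
        # $rule is split into words on purpose: it is the whole rule body
        "$IPFW" add set "$set_no" $rule ||
            { "$IPFW" delete set "$set_no"; return 1; }
    done < "$rules_file"
    "$IPFW" enable set "$set_no"
}

# Enable set $1 and schedule it to be disabled again after $2 seconds
# unless ipfw_commit_set runs first. The timer lives in a background
# subshell, so it still fires if the admin's session is cut off.
ipfw_enable_with_watchdog() {
    set_no=$1; timeout=$2
    "$IPFW" enable set "$set_no" || return 1
    ( sleep "$timeout"; "$IPFW" disable set "$set_no" ) &
    echo $! > "$WATCHDOG_DIR/ipfw_watchdog.$set_no"
}

# Keep set $1 enabled by stopping its watchdog before the timer expires.
# Returns 1 if the watchdog already fired (the set is disabled again).
ipfw_commit_set() {
    pidfile="$WATCHDOG_DIR/ipfw_watchdog.$1"
    [ -f "$pidfile" ] || return 1
    if kill "$(cat "$pidfile")" 2>/dev/null; then
        rm -f "$pidfile"; return 0
    fi
    rm -f "$pidfile"; return 1
}
```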
Diffstat (limited to 'sys/netinet/ip_fw.h')
-rw-r--r-- | sys/netinet/ip_fw.h | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index 12073b5..90bac5c 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -88,7 +88,6 @@ enum ipfw_opcodes { /* arguments (4 byte each) */ O_TCPACK, /* u32 = desired seq. */ O_ICMPTYPE, /* u32 = icmp bitmap */ O_TCPOPTS, /* arg1 = 2*u8 bitmap */ - O_IPOPTS, /* arg1 = 2*u8 bitmap */ O_PROBE_STATE, /* none */ O_KEEP_STATE, /* none */ @@ -276,11 +275,12 @@ typedef struct _ipfw_insn_log { struct ip_fw { struct ip_fw *next; /* linked list of rules */ - struct ip_fw *next_rule; /* ptr to next [skipto] rule */ + struct ip_fw *next_rule; /* ptr to next [skipto] rule */ u_int16_t act_ofs; /* offset of action in 32-bit units */ u_int16_t cmd_len; /* # of 32-bit words in cmd */ u_int16_t rulenum; /* rule number */ - u_int16_t _pad; /* padding */ + u_int8_t set; /* rule set (0..31) */ + u_int8_t _pad; /* padding */ /* These fields are present in all rules. */ u_int64_t pcnt; /* Packet counter */ |
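Review bot: the first hunk removes O_IPOPTS from the middle of enum ipfw_opcodes, which the commit message does not mention, and since the values are implicit this renumbers every opcode after it (O_PROBE_STATE, O_KEEP_STATE and the rest), so a userland ipfw2 built against the old header would emit the wrong opcodes until rebuilt; either state the removal and its consequence in the message or keep a placeholder entry so the existing values stay stable.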
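Review bot: in the second hunk, splitting the u_int16_t _pad into u_int8_t set plus u_int8_t _pad keeps struct ip_fw the same size and layout, but the comment `/* rule set (0..31) */` and the message's note that set 31 is reserved for the default rule are the only record of those bounds; add a constant in this header, e.g. `#define IPFW_MAX_SETS 32` (name is a suggestion), and check `set < IPFW_MAX_SETS` wherever the field is filled from a userland rule so the kernel, not just ipfw2, rejects out-of-range values. The `-`/`+` pair for the next_rule line in this hunk reads identically, so it is a whitespace-only change that could be dropped to keep the diff to the functional edit.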