diff options
author | paul <paul@FreeBSD.org> | 2001-03-21 08:19:31 +0000 |
---|---|---|
committer | paul <paul@FreeBSD.org> | 2001-03-21 08:19:31 +0000 |
commit | 217aacd05929f24fd65fb934002d71c1f4258754 (patch) | |
tree | fc1eae9b6162ccc0084e61968bf7aa06c0106bb9 /sys/netinet | |
parent | 69603157dedb4757ce880ddfc5157558441cf985 (diff) | |
download | FreeBSD-src-217aacd05929f24fd65fb934002d71c1f4258754.zip FreeBSD-src-217aacd05929f24fd65fb934002d71c1f4258754.tar.gz |
Only flush rules that have a rule number above that set by a new
sysctl, net.inet.ip.fw.permanent_rules.
This allows you to install rules that are persistent across flushes,
which is very useful if you want a default set of rules that
maintains your access to remote machines while you're reconfiguring
the other rules.
Reviewed by: Mark Murray <markm@FreeBSD.org>
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_fw.c | 25 |
1 files changed, 17 insertions, 8 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c index dcff9e7..f87b8ef 100644 --- a/sys/netinet/ip_fw.c +++ b/sys/netinet/ip_fw.c @@ -77,6 +77,7 @@ static int fw_verbose_limit = IPFIREWALL_VERBOSE_LIMIT; #else static int fw_verbose_limit = 0; #endif +static int fw_permanent_rules = 0; /* * Right now, two fields in the IP header are changed to host format @@ -107,6 +108,8 @@ SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw_verbose, 0, "Log matches to ipfw rules"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged"); +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLFLAG_RW, + &fw_permanent_rules, 0, "Set rule number, below which rules are permanent"); /* * Extension for stateful ipfw. @@ -1898,16 +1901,22 @@ ip_fw_ctl(struct sockopt *sopt) s = splnet(); remove_dyn_rule(NULL, 1 /* force delete */); splx(s); - while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) && - fcp->rule->fw_number != IPFW_DEFAULT_RULE ) { - s = splnet(); - LIST_REMOVE(fcp, next); + fcp = LIST_FIRST(&ip_fw_chain_head); + while (fcp) { + struct ip_fw_chain *next; + next = LIST_NEXT(fcp, next); + if (fcp->rule->fw_number > fw_permanent_rules && + fcp->rule->fw_number != IPFW_DEFAULT_RULE ) { + s = splnet(); + LIST_REMOVE(fcp, next); #ifdef DUMMYNET - dn_rule_delete(fcp); + dn_rule_delete(fcp); #endif - FREE(fcp->rule, M_IPFW); - FREE(fcp, M_IPFW); - splx(s); + FREE(fcp->rule, M_IPFW); + FREE(fcp, M_IPFW); + splx(s); + } + fcp = next; } break; |