Date: Sat, 13 Sep 2014 22:36:39 +0400
From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To: Freddie Cash <fjwcash@gmail.com>, "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject: Re: IPFW rule sets and automatic rule numbering
Message-ID: <54148EB7.5060509@FreeBSD.org>
In-Reply-To: <CAOjFWZ4rx4FAc4AoPw3d=cSg4-z_QOWEF=phkT2PuzfUjn0y5A@mail.gmail.com>
References: <CAOjFWZ4rx4FAc4AoPw3d=cSg4-z_QOWEF=phkT2PuzfUjn0y5A@mail.gmail.com>
On 11.09.2014 19:01, Freddie Cash wrote:
> Good morning everyone,
>
> Just wondering if I'm doing things wrong, or if those two features (rule sets and auto incrementing rule numbers) just don't play well together.
>
> Until now, I've used the auto-incrementing feature to minimize the amount of work I need to do when changing/updating/adding rules in the middle of my scripts. This has been working great, and is controlled via the net.inet.ip.fw.autoinc_step sysctl.
>
> Recently I was playing with the rule sets feature and using "ipfw set swap" to speed up my firewall rules reloading times. Previously, I'd clear the rules, then load the new rules, but that could leave up to 30 seconds of downtime. With the use of sets, that's under 1 sec.
>
> Everything works well on the first run. Everything is loaded correctly into set 1, then swapped into set 0 and made live. All rules are numbered correctly.
>
> On the second run, all the rules are loaded into set 1 using rule numbers 65524-65534, and then swapped into set 0.
>
> On the third (and all subsequent runs), all rules are loaded into set 1 with rule number 65534, and then swapping into set 1.
>
> It seems the rule numbers are global across all sets? Meaning, the "last used automatic number" is global across all sets?
>
> I was expecting the rule numbers to be unique per set. I do the following to clear out rule set 1 before adding rules:
>
> ipfw -f set 1 flush
> ipfw set disable 1
>
> Then load all my rules into set 1 using the following syntax:
>
> ipfw add set 1 allow tcp from 1.2.3.4 to 2.3.4.4 in recv igb0
> ....
> ....
> ....
>
> Then swap the rules at the end using:
>
> ipfw set swap 1 0
>
> Is there anything I could be doing differently to get the numbering to work the way I expect it to? Or am I going to have to manually number every rule in my scripts?

No, currently rule auto-numbering ignores sets.
So currently you have to number rules manually to achieve predictable behavior. I think we can consider implementing a sysctl which permits per-set auto-numbering.
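As an added example (not from either poster), a small POSIX shell helper that does the manual numbering Alexander describes: it assigns explicit rule numbers at a fixed step, the way net.inet.ip.fw.autoinc_step would, and wraps them in the flush/disable/add/swap sequence from Freddie's script. The rules-file layout (one unnumbered rule body per line, blank lines and `#` comments ignored) and the function names are assumptions.

```shell
#!/bin/sh
# number_rules STEP  (rule bodies on stdin)
# Emits "ipfw add <num> set 1 <body>" with explicit numbers STEP, 2*STEP, ...
# so the kernel's global auto-increment counter is never consulted and
# every reload of set 1 gets the same numbers.  Refuses to go past 65534,
# the highest number a user rule can carry (65535 is the default rule).
number_rules() {
    step=${1:-100}
    n=0
    while IFS= read -r body; do
        case "$body" in ''|'#'*) continue ;; esac   # skip blanks/comments
        n=$((n + step))
        if [ "$n" -gt 65534 ]; then
            echo "number_rules: rule number $n exceeds 65534" >&2
            return 1
        fi
        printf 'ipfw add %d set 1 %s\n' "$n" "$body"
    done
}

# gen_reload RULES_FILE [STEP]
# Prints a script that rebuilds set 1 with explicit numbers and swaps it
# live: the same flush -> disable -> add -> swap sequence as the thread.
# Pipe the output into sh on the firewall; on any other box it is a dry run.
gen_reload() {
    printf '%s\n' 'ipfw -f set 1 flush' 'ipfw set disable 1'
    number_rules "${2:-100}" < "$1" || return 1
    printf '%s\n' 'ipfw set swap 1 0'
}
```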
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54148EB7.5060509>