Date:      Wed, 3 May 2000 06:57:39 -0400 (EDT)
From:      Omachonu Ogali <oogali@intranova.net>
To:        Darcy Buskermolen <darcy@ok-connect.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: ipfw and rule strangeness
Message-ID:  <Pine.BSF.4.10.10005030640250.8491-100000@hydrant.intranova.net>
In-Reply-To: <3.0.32.20000501190519.01ed3ea0@mail.ok-connect.com>

On Mon, 1 May 2000, Darcy Buskermolen wrote:

> I have a program that I use to dynamically create and destroy ipfw rules,
> however I just noticed something rather frustrating...
> 
> # ipfw add deny ip from hacker.host to server.host
> 00000 deny ip from hacker.host to server.host

00000 is the number shown since you specified no rule number and it isn't
assigned until after the rule is set.
 
> # ipfw show 00000
> ipfw: rule 0 does not exist
> 
> Looks like the rule number that is being echoed back is not the same rule
> number it applied to the rule.
> (my workaround has been to grep for deny ip from hacker.host to server.host
>  and grab that rule number, but that seems like a bad way of doing it)
> 
> My question is: is this the expected behavior, or is it not? And while I'm on
> the subject, is there a way to change the default increment from 100 to
> something smaller?
> 
> \\DB

Here's a patch.

-- snip -- 
--- sys/netinet/ip_fw.c.orig	Wed May  3 06:42:28 2000
+++ sys/netinet/ip_fw.c	Wed May  3 06:46:29 2000
@@ -176,6 +176,10 @@
     &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for other situations");
 #endif /* STATEFUL */
 
+static u_int32_t rule_increment = 100;
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, rule_increment, CTLFLAG_RW,
+    &rule_increment, 0, "Value to increment non-numbered ipfw rules by");
+
 #endif
 
 #define dprintf(a)	do {						\
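Review bot: the new `rule_increment` definition sits between `#endif /* STATEFUL */` and a further `#endif`, i.e. inside whatever conditional block encloses the existing sysctl declarations, but the later hunk uses the variable unconditionally, so a build with that block disabled fails on an undefined symbol; define `static u_int32_t rule_increment = 100;` outside the conditional and leave only the `SYSCTL_INT(...)` inside it. `SYSCTL_INT` also takes a pointer to an `int` while the variable is `u_int32_t`; declaring it `int` keeps the types consistent. Finally, `CTLFLAG_RW` allows the value to be set to 0 or to anything above `IPFW_DEFAULT_RULE` with no validation, and the numbering code below assumes neither; a handler that rejects values outside 1..IPFW_DEFAULT_RULE-1 would preserve that assumption.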
@@ -1440,7 +1444,7 @@
 		return(0);
         }
 
-	/* If entry number is 0, find highest numbered rule and add 100 */
+	/* If entry number is 0, find highest numbered rule and add rule_increment */
 	if (ftmp->fw_number == 0) {
 		for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) {
 			if (fcp->rule->fw_number != (u_short)-1)
@@ -1448,8 +1452,8 @@
 			else
 				break;
 		}
-		if (nbr < IPFW_DEFAULT_RULE - 100)
-			nbr += 100;
+		if (nbr < IPFW_DEFAULT_RULE - rule_increment)
+			nbr += rule_increment;
 		ftmp->fw_number = nbr;
 	}
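Review bot: with `rule_increment` unsigned, `IPFW_DEFAULT_RULE - rule_increment` is unsigned arithmetic, so once the sysctl is set above `IPFW_DEFAULT_RULE` the subtraction wraps to a large value, the guard always passes, and `nbr += rule_increment` is truncated when stored into the `u_short` `fw_number`, handing the new rule a number lower than existing ones; a value of 0 passes the guard too and gives the new rule the same number as the current highest rule. Check `rule_increment >= 1 && rule_increment < IPFW_DEFAULT_RULE` here (or clamp at the sysctl) before using it. The pre-existing fallthrough when the guard fails, which leaves `nbr` at the highest existing number and so creates a duplicate, would be better as an error return now that the increment is configurable.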
-- snip -- 
 

-- 
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali@intranova.net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:       C8 51 14 FD 2A 87 53 D1  E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
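As an added example (not part of this mail or of the FreeBSD sources), a POSIX shell helper that does in userland what the patched kernel code does: parse `ipfw list` output, take the highest non-default rule number and add an increment, so a management script can pass an explicit number to `ipfw add` and `ipfw show N` it afterwards instead of grepping for the rule text. It assumes `IPFW_DEFAULT_RULE` is 65535; the sample listing is constructed, and `add_numbered_rule` only prints the command line it would run. Unlike the kernel code, it refuses a 0 or oversized increment and reports exhaustion instead of handing back a duplicate number.

```shell
#!/bin/sh
# Added example: userland rule-number allocation mirroring the kernel's
# "highest rule + increment" logic. IPFW_DEFAULT_RULE = 65535 is an assumption.

IPFW_DEFAULT_RULE=65535

# next_rule_number LISTING INCREMENT
#   LISTING   text of `ipfw list` (rule number is the first field)
#   INCREMENT step added to the highest existing non-default rule number
# Prints the next number, or prints nothing and returns 1 on bad input
# or when no room is left below the default rule.
next_rule_number() {
    listing=$1
    inc=$2
    # Reject increments the kernel arithmetic would mishandle:
    # 0 yields duplicate numbers, >= default rule wraps the u_short.
    if [ "$inc" -le 0 ] || [ "$inc" -ge "$IPFW_DEFAULT_RULE" ]; then
        echo "next_rule_number: increment $inc out of range" >&2
        return 1
    fi
    printf '%s\n' "$listing" | awk -v inc="$inc" -v def="$IPFW_DEFAULT_RULE" '
        # track the highest numbered rule, ignoring the default rule
        $1 ~ /^[0-9]+$/ && ($1 + 0) < def && ($1 + 0) > max { max = $1 + 0 }
        END {
            # same guard as the kernel: only step if room remains
            if (max < def - inc) {
                print max + inc
            } else {
                print "next_rule_number: no free rule number" > "/dev/stderr"
                exit 1
            }
        }'
}

# add_numbered_rule LISTING INCREMENT RULE...
# Prints the ipfw command a script would run, with the number filled in,
# so the caller knows the number before the rule exists.
add_numbered_rule() {
    listing=$1
    inc=$2
    shift 2
    n=$(next_rule_number "$listing" "$inc") || return 1
    printf 'ipfw add %s %s\n' "$n" "$*"
}

# Constructed sample of `ipfw list` output (not real firewall state).
SAMPLE_LISTING='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from hacker.host to server.host
65535 allow ip from any to any'

# Usage: prints "ipfw add 400 deny ip from hacker.host to server.host"
add_numbered_rule "$SAMPLE_LISTING" 100 deny ip from hacker.host to server.host
```

In a real script the printed line would be executed and the chosen number recorded, so the same number can later be given to `ipfw show` or `ipfw delete` without searching the rule text.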