From owner-freebsd-ipfw Wed May 3 3:57:38 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from hydrant.intranova.net (msb-ts-slip11.UMDNJ.EDU [130.219.28.71]) by hub.freebsd.org (Postfix) with SMTP id AEC6137BC2A for ; Wed, 3 May 2000 03:57:31 -0700 (PDT) (envelope-from oogali@intranova.net)
Received: (qmail 513 invoked from network); 3 May 2000 10:57:39 -0000
Received: from localhost.abuselabs.com (HELO localhost) (missnglnk@127.0.0.1) by localhost.abuselabs.com with SMTP; 3 May 2000 10:57:39 -0000
Date: Wed, 3 May 2000 06:57:39 -0400 (EDT)
From: Omachonu Ogali
To: Darcy Buskermolen
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and rule strangeness
In-Reply-To: <3.0.32.20000501190519.01ed3ea0@mail.ok-connect.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 1 May 2000, Darcy Buskermolen wrote:

> I have a program that I use to dynamically create and destroy ipfw rules,
> however I just noticed something rather frustrating...
>
> # ipfw add deny ip from hacker.host to server.host
> 00000 deny ip from hacker.host to server.host

00000 is the number shown because you specified no rule number, and the number isn't assigned until after the rule is set.

> # ipfw show 00000
> ipfw: rule 0 does not exist
>
> Looks like the rule number that is being echoed back is not the same rule
> it applied to the rule.
> (my workaround has been to grep for deny ip from hacker.host to server.host
> and grab that rule number, but that seems like a bad way of doing it)
>
> My question, is this the expected behavior, or is it not, and while I'm on
> the subject is there a way to change the default increment from 100 to
> something smaller ?
>
> \\DB

Here's a patch.

-- snip --
--- sys/netinet/ip_fw.c.orig	Wed May 3 06:42:28 2000
+++ sys/netinet/ip_fw.c	Wed May 3 06:46:29 2000
@@ -176,6 +176,10 @@ &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for other situations"); #endif /* STATEFUL */ +static u_int32_t rule_increment = 100; +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, rule_increment, CTLFLAG_RW, + &rule_increment, 0, "Value to increment non-numbered ipfw rules by"); + #endif #define dprintf(a) do { \
@@ -1440,7 +1444,7 @@ return(0); } - /* If entry number is 0, find highest numbered rule and add 100 */ + /* If entry number is 0, find highest numbered rule and add rule_increment */ if (ftmp->fw_number == 0) { for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) { if (fcp->rule->fw_number != (u_short)-1)
@@ -1448,8 +1452,8 @@ else break; } - if (nbr < IPFW_DEFAULT_RULE - 100) - nbr += 100; + if (nbr < IPFW_DEFAULT_RULE - rule_increment) + nbr += rule_increment; ftmp->fw_number = nbr; }
-- snip --

-- 
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali@intranova.net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID: 0xBFE60839                                                  |
| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34        |
+-------------------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
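Review bot: in the first hunk the new variable is declared `static u_int32_t rule_increment = 100;` but exported with `SYSCTL_INT`, which tells the sysctl layer to read and write it as a signed `int`; the two should agree, either by declaring it `static int rule_increment = 100;` or by keeping the unsigned storage and using `SYSCTL_UINT`. The knob is also `CTLFLAG_RW` with no handler, so any value can be written from userland, including 0 and values far above the 16-bit rule-number range that `(u_short)` comparisons elsewhere in the patch imply; a handler that rejects 0 and anything at or above the default rule number would keep bad values out at the point of entry.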
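Review bot: the third hunk's guard `if (nbr < IPFW_DEFAULT_RULE - rule_increment)` was only correct for the old constant 100 and now needs range validation. With `rule_increment` writable and unsigned, a value of 0 passes the guard but leaves `nbr` unchanged, so the new rule is given the same number as the highest existing rule that the loop just found, and a value larger than `IPFW_DEFAULT_RULE` makes the unsigned subtraction wrap to a huge value, so the guard passes and `nbr += rule_increment` overflows the `u_short` rule number. Either validate the value once in the sysctl (reject 0 and anything >= `IPFW_DEFAULT_RULE`) or write the check as `if (rule_increment != 0 && nbr < IPFW_DEFAULT_RULE - rule_increment)` with the sysctl clamped to the valid range. Note also that this hunk is the only place the number is assigned, in the kernel, so the `00000` echoed back by `ipfw add` in the original question is unchanged by the patch.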
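As an added example, not code from the thread or from FreeBSD: rather than trusting the `00000` that `ipfw add` echoes back, a script that creates and destroys rules dynamically can pick the number itself from `ipfw list` (the `NNNNN action ...` format shown above) and pass it to `ipfw add` explicitly, which also gives it a handle for `ipfw delete` later. It assumes 65535 is the default (last) rule number and that the listing on stdin is unmodified `ipfw list` output; the sample listing is constructed.

```shell
#!/bin/sh
# Choose the rule number ourselves instead of trusting the "00000" that
# "ipfw add" echoes back when no number is given.
# "ipfw list" prints one rule per line as "NNNNN action ..."; rule 65535
# is assumed to be the default rule (IPFW_DEFAULT_RULE in the kernel).

# next_rule_number STEP   (rule listing on stdin)
# Prints the next free rule number: highest user rule + STEP, zero-padded.
# Fails if STEP is not a positive integer or the result would reach 65535.
next_rule_number() {
    step=$1
    [ "$step" -gt 0 ] 2>/dev/null || {
        echo "next_rule_number: step must be a positive integer" >&2; return 1; }
    highest=0
    while read -r num rest; do
        case $num in
            ''|*[!0-9]*) continue ;;            # not a rule line
        esac
        num=${num#"${num%%[!0]*}"}               # strip leading zeros (avoid octal)
        num=${num:-0}
        [ "$num" -eq 65535 ] && continue         # default rule never counts
        [ "$num" -gt "$highest" ] && highest=$num
    done
    next=$((highest + step))
    [ "$next" -lt 65535 ] || {
        echo "next_rule_number: no free rule number below 65535" >&2; return 1; }
    printf '%05d\n' "$next"
}

# Constructed sample listing, standing in for the live output of "ipfw list".
SAMPLE_LIST='00100 allow ip from any to any via lo0
00200 deny ip from hacker.host to server.host
65535 allow ip from any to any'

# Demo: pick a number, then add (and later delete) the rule under that number.
if [ "${1:-}" = "demo" ]; then
    num=$(printf '%s\n' "$SAMPLE_LIST" | next_rule_number 10) || exit 1
    echo "ipfw add $num deny ip from hacker.host to server.host"
    echo "ipfw delete $num"
fi
```

On a live system replace the sample with `ipfw list | next_rule_number 10` and run the printed `ipfw` commands instead of echoing them.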