Date: Wed, 3 May 2000 06:57:39 -0400 (EDT)
From: Omachonu Ogali <oogali@intranova.net>
To: Darcy Buskermolen <darcy@ok-connect.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and rule strangeness
Message-ID: <Pine.BSF.4.10.10005030640250.8491-100000@hydrant.intranova.net>
In-Reply-To: <3.0.32.20000501190519.01ed3ea0@mail.ok-connect.com>
On Mon, 1 May 2000, Darcy Buskermolen wrote:
> I have a program that I use to dynamically create and destroy ipfw rules,
> however I just noticed something rather frustrating...
>
> # ipfw add deny ip from hacker.host to server.host
> 00000 deny ip from hacker.host to server.host
00000 is the number shown since you specified no rule number and it isn't
assigned until after the rule is set.
> # ipfw show 00000
> ipfw: rule 0 does not exist
>
> Looks like the rule number that is being echoed back is not the same rule
> it applied to the rule.
> (my workaround has been to grep for deny ip from hacker.host to server.host
> and grab that rule number, but that seems like a bad way of doing it)
>
> My question: is this the expected behavior, or is it not? And while I'm on
> the subject, is there a way to change the default increment from 100 to
> something smaller?
>
> \\DB
Here's a patch.
-- snip --
--- sys/netinet/ip_fw.c.orig Wed May 3 06:42:28 2000
+++ sys/netinet/ip_fw.c Wed May 3 06:46:29 2000
@@ -176,6 +176,10 @@
&dyn_rst_lifetime, 0, "Lifetime of dyn. rules for other situations");
#endif /* STATEFUL */
+static u_int32_t rule_increment = 100;
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, rule_increment, CTLFLAG_RW,
+ &rule_increment, 0, "Value to increment non-numbered ipfw rules by");
+
#endif
#define dprintf(a) do { \
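Review bot: `rule_increment` is declared `u_int32_t` but registered with `SYSCTL_INT`, which describes the node to userland as a signed `int`; use `SYSCTL_UINT` or declare the variable as `int` so the two agree. The node is `CTLFLAG_RW` with no range check, so it can be set to 0 (every unnumbered rule then gets the same number as the current highest rule) or to a value larger than the u_short rule-number space (compare the `(u_short)-1` test in the next hunk); a sysctl handler that rejects values outside 1..IPFW_DEFAULT_RULE-1 would keep the numbering invariant intact.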
@@ -1440,7 +1444,7 @@
return(0);
}
- /* If entry number is 0, find highest numbered rule and add 100 */
+ /* If entry number is 0, find highest numbered rule and add rule_increment */
if (ftmp->fw_number == 0) {
for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) {
if (fcp->rule->fw_number != (u_short)-1)
@@ -1448,8 +1452,8 @@
else
break;
}
- if (nbr < IPFW_DEFAULT_RULE - 100)
- nbr += 100;
+ if (nbr < IPFW_DEFAULT_RULE - rule_increment)
+ nbr += rule_increment;
ftmp->fw_number = nbr;
}
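Review bot: the guard `nbr < IPFW_DEFAULT_RULE - rule_increment` is now evaluated in 32-bit unsigned arithmetic, so a `rule_increment` larger than `IPFW_DEFAULT_RULE` wraps the right-hand side to a huge value, the test passes, and the result of `nbr += rule_increment` is truncated when it is stored in the u_short `fw_number`; with `rule_increment == 0` the guard also passes and the new rule silently reuses the highest existing number. Either validate the value when the sysctl is written or tighten the guard here, e.g. `if (rule_increment > 0 && nbr < IPFW_DEFAULT_RULE - rule_increment)`. Note also that when the guard fails the code still falls through to `ftmp->fw_number = nbr` and assigns the duplicate number instead of returning an error; that is pre-existing, but worth an `else return(EINVAL)`-style branch while this path is being touched.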
-- snip --
--
+-------------------------------------------------------------------------+
| Omachonu Ogali oogali@intranova.net |
| Intranova Networking Group http://tribune.intranova.net |
| PGP Key ID: 0xBFE60839 |
| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+
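As an added example for this thread (not from the original mail or the FreeBSD sources), here is the userland side of what Darcy's script needs: pick the rule number yourself from `ipfw list` output, using the same scheme as the kernel (highest existing rule plus an increment, kept below the default rule 65535), and pass it to `ipfw add` so the number echoed back is the real one and no grep is needed. The function names, the sample rule table and the `IPFW` variable are assumptions made for this example.

```shell
# Added example (not from the original mail or FreeBSD): choose the ipfw rule
# number in userland, then add the rule with that explicit number.
# Assumes `ipfw list` prints "NNNNN rule text" and that 65535 is the default rule.

# Constructed sample of `ipfw list` output.
SAMPLE_LIST='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 192.0.2.10 to 198.51.100.5
65535 allow ip from any to any'

# next_rule_number [INCREMENT]     reads `ipfw list` output on stdin
# Prints highest rule + INCREMENT (default 100), zero-padded as ipfw shows it.
# Fails when the result would reach the default rule, instead of reusing a number.
next_rule_number() {
    increment=${1:-100}
    [ "$increment" -gt 0 ] 2>/dev/null || { echo "increment must be >= 1" >&2; return 2; }
    highest=$(awk 'BEGIN { h = 0 }
                   $1 ~ /^[0-9]+$/ && $1 + 0 < 65535 && $1 + 0 > h { h = $1 + 0 }
                   END { print h }')
    next=$((highest + increment))
    [ "$next" -lt 65535 ] || { echo "no rule number left below 65535" >&2; return 1; }
    printf '%05d\n' "$next"
}

# add_numbered_rule INCREMENT RULE...   e.g. add_numbered_rule 10 deny ip from A to B
# Prints the exact command; runs it only if IPFW is set (e.g. IPFW=/sbin/ipfw).
add_numbered_rule() {
    increment=$1
    shift
    num=$(next_rule_number "$increment") || return $?
    printf 'ipfw add %s %s\n' "$num" "$*"
    if [ -n "${IPFW:-}" ]; then
        "$IPFW" add "$num" "$@"
    fi
}

# Demo with the sample table: the new rule lands at 00310, not 00000.
printf '%s\n' "$SAMPLE_LIST" | add_numbered_rule 10 deny ip from 192.0.2.10 to 198.51.100.5
```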
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10005030640250.8491-100000>
