From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 19 04:35:07 2008
Date: Tue, 19 Feb 2008 11:10:37 +0700
From: Eugene Grosbein
To: Julian Elischer
Cc: Vadim Goncharov, freebsd-ipfw@FreeBSD.org, bug-followup@FreeBSD.org
Subject: Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list
Message-ID: <20080219041037.GA41453@svzserv.kemerovo.su>
In-Reply-To: <47B9CF40.1050904@elischer.org>
References: <47B9CF40.1050904@elischer.org>

On Mon, Feb 18, 2008 at 10:32:32AM -0800, Julian Elischer wrote:
> that was me..
> It is my memory that
> before that time tableargs were only used in 16 bit form.
> there were no users in ipfw of the full 32 bit field.

In RELENG_4, they are 32-bit.

> I did not consider that someone would put a 32 bit number
> in there just to print it out again.
> (what would you do that for?)

It's very suitable for automatic time-bounded blocking. A trigger adds the IP
being blocked to an ipfw table with a 32-bit value that is the "time-to-live"
value for this table entry, and there is a rule like this:

ipfw add 1000 deny ip from 'table(1)' to any

Cron periodically runs another script that lists the table and removes
entries with time in the past.

Thank you for fixing that!

Eugene Grosbein
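The cron-side half of the scheme Eugene describes (list the table, drop the entries whose 32-bit value, used as an expiry timestamp, is already in the past), written out as an added example; this script is not from the thread and not part of FreeBSD. It assumes the blocking trigger stored the expiry as Unix epoch seconds in the table value, and it assumes `ipfw table N list` prints one `addr/len value` pair per line, which should be checked against the ipfw version in use. The sample listing is constructed, not captured output, so the parsing half runs on a machine without ipfw.

```shell
#!/bin/sh
# Added example, not from the thread: expire ipfw table entries whose value
# is a past Unix timestamp. The trigger side is assumed to have done something
# like:  ipfw table 1 add 10.0.0.5 $(( $(date +%s) + 3600 ))
# Assumption: `ipfw table N list` prints "addr/len value", one entry per line.

TABLE="${TABLE:-1}"

# Constructed sample of a table listing (not real ipfw output), used for the
# stand-alone demo below.
SAMPLE_LISTING='10.0.0.5/32 1203300000
203.0.113.9/32 1203500000
192.0.2.7/32 1203400000
198.51.100.0/24 1203999999'

# Read a table listing on stdin and print the addr/len of every entry whose
# value (expiry time) is not later than $1, the current epoch seconds.
# Lines without a numeric value are ignored rather than deleted, so a
# malformed line can never cause an unintended unblock.
expired_entries() {
    awk -v now="$1" \
        'NF >= 2 && $2 ~ /^[0-9]+$/ && ($2 + 0) <= (now + 0) { print $1 }'
}

# Delete expired entries from the live table. With DRY_RUN set, only print
# the delete commands; that is the sensible first run on a production box.
expire_table() {
    now="${1:-$(date +%s)}"
    ipfw table "$TABLE" list | expired_entries "$now" | while read -r addr; do
        if [ -n "$DRY_RUN" ]; then
            echo "ipfw table $TABLE delete $addr"
        else
            ipfw table "$TABLE" delete "$addr"
        fi
    done
}

# Stand-alone demo when ipfw is absent: show which sample entries would
# expire at the constructed "now" of 1203400000 (10.0.0.5 and 192.0.2.7).
if ! command -v ipfw >/dev/null 2>&1; then
    printf '%s\n' "$SAMPLE_LISTING" | expired_entries 1203400000
fi
```

Run from cron as root on the firewall (for example every five minutes with `DRY_RUN=1` first, then without), and keep the `deny ... from 'table(1)'` rule from the message in place; the script only ever shrinks the table, so a failure of the cron job leaves hosts blocked longer rather than unblocking them early.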