From owner-freebsd-rc@FreeBSD.ORG Sat Nov 17 23:31:27 2012
Date: Sun, 18 Nov 2012 08:29:58 +0900 (JST)
Message-Id: <20121118.082958.1681649715655191312.hrs@allbsd.org>
From: Hiroki Sato
To: utisoft@gmail.com
Subject: Re: conf/93815 Adding save and reload ability to ipfw
In-Reply-To: <201210291630.q9TGU1t6059484@freefall.freebsd.org>
References: <201210291630.q9TGU1t6059484@freefall.freebsd.org>
Cc: freebsd-rc@FreeBSD.org
List-Id: "Discussion related to /etc/rc.d design and implementation."

Chris Rees wrote in <201210291630.q9TGU1t6059484@freefall.freebsd.org>:

ut> The following reply was made to PR conf/93815; it has been noted by GNATS.
ut>
ut> From: Chris Rees
ut> To: bug-followup@freebsd.org
ut> Cc:
ut> Subject: Re: conf/93815 Adding save and reload ability to ipfw
ut> Date: Mon, 29 Oct 2012 16:21:46 +0000
ut>
ut> Nowadays we have much simpler firewall scripts.
ut>
ut> http://www.bayofrum.net/~crees/patches/firewall-saved-rulesets.diff
ut>
ut> What does everyone think about this?

 I took a look at this feature, but dumping all of the ipfw rules is not so easy (definitions of nat, pipe, queue, sched, table will not be listed by "ipfw -q", for example). We need a way to dump them first to realize this functionality. The directives "add" and "delete" in ipfw_load() and ipfw_unload() do not always work.

 For the script, the current rc.d/ipfw and rc.firewall are able to load a rule file when firewall_script=/path/to/file, so ipfw_load should use it simply.

 Generally speaking, writing the rules as a shell script to /foo and then ". /foo" is dangerous in the rc.d scripts because it can break the script if /foo is broken in some way. Just to let ipfw(8) load a rule file as another set and swap the current set with it is much safer.
-- 
Hiroki
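The staged reload Hiroki describes (load the rule file into another set, then swap it with the live set rather than sourcing a generated script into the rc.d process), written out as an added example. This is editor-supplied code, not from the thread and not FreeBSD's rc.d/ipfw or rc.firewall. It assumes the live rules are in set 0, that the staging set number (STAGE_SET, default 1) is otherwise unused, and that the rule file contains plain "add ..." lines in ipfw(8) file syntax; nat, pipe, queue, sched and table definitions are not handled, which is exactly the gap the message points out. With DRY_RUN=1 (the default) it only prints the ipfw commands it would run, so the plan can be inspected on any system.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc.d/ipfw):
# reload an ipfw ruleset by loading it into an unused set and swapping,
# instead of sourcing a generated shell script into the rc.d process.
#
# Assumptions: live rules are in set 0, STAGE_SET is otherwise unused,
# and the rule file holds plain "add ..." lines in ipfw(8) file syntax.
# nat/pipe/queue/sched/table definitions are not handled.

STAGE_SET="${STAGE_SET:-1}"   # staging set number (assumed free)
IPFW="${IPFW:-ipfw}"          # ipfw(8) binary
DRY_RUN="${DRY_RUN:-1}"       # 1: print the ipfw commands; 0: execute them

# Execute an ipfw command, or print it when DRY_RUN=1.
run_ipfw() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPFW" "$*"
    else
        "$IPFW" "$@"
    fi
}

# Rewrite "add [number] ..." lines so each rule carries "set $STAGE_SET".
# Only "add" lines are emitted; comments and blank lines are dropped.
stage_rules() {
    sed -n -e "s/^add[[:space:]]\{1,\}\([0-9]\{1,\}[[:space:]]\{1,\}\)\{0,1\}/add \1set ${STAGE_SET} /p" "$1"
}

# Staged reload: syntax-check first, load into the disabled staging set,
# swap it with set 0 in one step, then discard the old rules.
reload_ruleset() {
    staged="$(mktemp)" || return 1
    stage_rules "$1" > "$staged"

    # Parse-only pass (-n): a broken rule file never reaches the kernel.
    if ! run_ipfw -n -q "$staged"; then
        rm -f "$staged"
        return 1
    fi

    run_ipfw -q set disable "$STAGE_SET"    # staged rules stay inactive while loading
    run_ipfw -q "$staged"                   # load the rule file into the staging set
    run_ipfw -q set swap 0 "$STAGE_SET"     # new rules become set 0 atomically
    run_ipfw -q delete set "$STAGE_SET"     # old rules now live in the staging set
    run_ipfw -q set enable "$STAGE_SET"     # restore the set for the next reload
    rm -f "$staged"
}

# Usage: DRY_RUN=0 sh reload.sh /path/to/rules   (as root, on FreeBSD)
if [ $# -gt 0 ]; then
    reload_ruleset "$1"
fi
```

The ordering matters: the staging set is disabled before loading so half-loaded rules never match traffic, the swap is a single kernel operation so there is no window with no rules, and the syntax-only pass with `-n` is what keeps a corrupt rule file from touching the running firewall at all. The old rules are kept until the swap has succeeded, so a failure at any earlier step leaves the live set untouched.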