From owner-freebsd-hackers Wed Aug 14 16:50:30 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA03505 for hackers-outgoing; Wed, 14 Aug 1996 16:50:30 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA03500 for ; Wed, 14 Aug 1996 16:50:27 -0700 (PDT)
Message-Id: <199608142350.QAA03500@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA239006612; Thu, 15 Aug 1996 09:50:12 +1000
From: Darren Reed
Subject: Re: ipfw vs ipfilter?
To: danny@panda.hilink.com.au (Daniel O'Callaghan)
Date: Thu, 15 Aug 1996 09:50:12 +1000 (EST)
Cc: hackers@freebsd.org
In-Reply-To: from "Daniel O'Callaghan" at Aug 15, 96 09:02:33 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Daniel O'Callaghan, sie said:
[...]
> There are a couple of things which I prefer in ipfw-current over ipfilter:
> * The ability to number each rule and insert rules into the middle of the
>   rule table without the need for flush/re-install.

This is possible (and has been for some time), but perhaps not clearly
documented. For example, assuming you had (say) 30 or 40 rules for each of
input & output and wanted to add one for NTP at a particular point, you can
use a rule of the form:

    @23 pass in on ed0 proto tcp/udp from any to any port = 123

to insert a new rule at position 23 for the input list of filters. Or you
might add it to your IP Filter configuration file and load it like this:

    ipf -If new.conf -s

where it loads the new configuration into the "inactive" list and then
switches the active list to the new set. If you're making permanent changes,
then I'd recommend the latter (you do want to be sure you get the same ruleset
when you reboot, right?) and use the former for the dynamic type thing.

[...]
> but I *do* like Poul-Henning's rule numbers in ipfw. Any chance of
> having numbered rules, Darren?

This reminds me of programming in BASIC, way back, when you needed to use
line numbers for GOTOs, etc., and eventually, you will run into the same
"problem" and need to renumber. I really don't see a win from this feature.

Darren
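The two routes described in the reply above, the `@N` form for a live insert into the active list and a rewritten config file swapped in with `ipf -If new.conf -s`, as an added shell example that is not part of the original mail or of IP Filter itself. The sample ruleset, the file names and the IPF_APPLY switch are assumptions; `ipf` is only invoked when IPF_APPLY=1, since the swap needs root and an IP Filter kernel.

```shell
#!/bin/sh
# Added example, not from the mail: adding an IP Filter rule at a given
# position, either dynamically (@N) or by rewriting the config file and
# swapping it in with "ipf -If new.conf -s".

# Constructed sample ruleset (30 "pass in" rules, one per line), not a
# real site's configuration.  $1 = output file.
make_sample_rules() {
    i=1
    : > "$1"
    while [ "$i" -le 30 ]; do
        printf 'pass in on ed0 proto tcp from any to any port = %d\n' \
            "$((1000 + i))" >> "$1"
        i=$((i + 1))
    done
}

# Dynamic route: the "@N rule" form quoted in the mail, which ipf inserts
# at position N of the active input list.  $1 = position, $2 = rule text.
rule_at() {
    printf '@%s %s\n' "$1" "$2"
}

# Permanent route: write a new config with the rule inserted as line N so
# the same ruleset comes back after a reboot.  If N is past the end, the
# rule is appended.  $1 = old config, $2 = new config, $3 = N, $4 = rule.
insert_rule() {
    awk -v pos="$3" -v rule="$4" \
        'NR == pos { print rule } { print } END { if (NR < pos) print rule }' \
        "$1" > "$2"
}

# Load the new file into the inactive set and swap the sets (the command
# from the mail).  Only runs ipf when IPF_APPLY=1; otherwise it reports
# what it would do, so the script can be dry-run on any host.  $1 = file.
apply_rules() {
    if [ "${IPF_APPLY:-0}" = 1 ]; then
        ipf -If "$1" -s
    else
        printf 'would run: ipf -If %s -s\n' "$1"
    fi
}

# Number of rules in a config file (blank lines count as rules here,
# so keep the file one rule per line).  $1 = file.
count_rules() {
    awk 'END { print NR }' "$1"
}
```

Run with IPF_APPLY=1 as root on a host with IP Filter loaded to actually swap the rulesets; without it the script only writes new.conf and prints the command.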