From owner-freebsd-audit Tue Mar 20 23:41:52 2001 Delivered-To: freebsd-audit@freebsd.org Received: from mailgate.originative.co.uk (mailgate.originative.co.uk [62.232.68.68]) by hub.freebsd.org (Postfix) with ESMTP id 5CB8A37B71A for ; Tue, 20 Mar 2001 23:41:48 -0800 (PST) (envelope-from paul@freebsd-services.co.uk) Received: from freebsd-services.co.uk (lobster.originative.co.uk [62.232.68.81]) by mailgate.originative.co.uk (Postfix) with ESMTP id 12AFD1D149; Wed, 21 Mar 2001 07:41:47 +0000 (GMT) Message-ID: <3AB85B6F.32E9EE7C@freebsd-services.co.uk> Date: Wed, 21 Mar 2001 07:42:39 +0000 From: Paul Richards X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Mark Murray Cc: freebsd-audit@FreeBSD.ORG Subject: Re: ipfw permanent rules References: <3AB857E7.D4CEBD40@freebsd-services.co.uk> <200103210738.f2L7cof42204@gratis.grondar.za> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Mark Murray wrote: > > > What do people think of the the patch below. > > I think it is a nifty idea! > > > It sets a rule number below which rules will not be flushed. I've been > > using it to install permanent rules, like SSH access from the office to > > remote servers, so I can flush the majority of rules but keep those that > > are essential to allow me to maintain connectivity to the box. > > Erm, could you do this as a unified diff rather - makes it a heck of > a lot easier to read. :-) Ok. Index: ip_fw.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v retrieving revision 1.131.2.22 diff -u -r1.131.2.22 ip_fw.c --- ip_fw.c 2001/03/09 16:37:36 1.131.2.22 +++ ip_fw.c 2001/03/21 00:10:59 @@ -78,6 +78,7 @@ #else static int fw_verbose_limit = 0; #endif +static int fw_permanent_rules = 0; /* * Right now, two fields in the IP header are changed to host format 
@@ -108,6 +109,8 @@ &fw_verbose, 0, "Log matches to ipfw rules"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged"); +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLFLAG_RW, + &fw_permanent_rules, 0, "Set rule number, below which rules are permanent"); /* * Extension for stateful ipfw. @@ -1849,16 +1852,22 @@ s = splnet(); remove_dyn_rule(NULL, 1 /* force delete */); splx(s); - while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) && - fcp->rule->fw_number != IPFW_DEFAULT_RULE ) { - s = splnet(); - LIST_REMOVE(fcp, next); + fcp = LIST_FIRST(&ip_fw_chain_head); + while (fcp) { + struct ip_fw_chain *next; + next = LIST_NEXT(fcp, next); + if (fcp->rule->fw_number > fw_permanent_rules && + fcp->rule->fw_number != IPFW_DEFAULT_RULE ) { + s = splnet(); + LIST_REMOVE(fcp, next); #ifdef DUMMYNET - dn_rule_delete(fcp); + dn_rule_delete(fcp); #endif - FREE(fcp->rule, M_IPFW); - FREE(fcp, M_IPFW); - splx(s); + FREE(fcp->rule, M_IPFW); + FREE(fcp, M_IPFW); + splx(s); + } + fcp = next; } break; To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
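Review bot: the new `static int fw_permanent_rules = 0;` in the first hunk carries no comment stating its contract: 0 keeps the old flush-everything behaviour, any other value keeps every rule numbered at or below it. Add a one-line comment there and an ipfw(8) entry, since what `ipfw flush` removes now depends on this knob.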
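Review bot: the sysctl description "Set rule number, below which rules are permanent" does not match the flush test in the third hunk, which only removes a rule when `fcp->rule->fw_number > fw_permanent_rules`, so a rule numbered equal to the threshold is kept too; change the text to "at or below which". Also, the entry is CTLFLAG_RW and nothing in the patch ties it to securelevel, so it guards against an accidental `ipfw flush` by the administrator, not against a privileged process that can set permanent_rules back to 0 and flush; the documentation should say so, so nobody treats it as a hardening control.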
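Review bot: in the flush loop, the local `struct ip_fw_chain *next` shadows the name of the list link field passed to `LIST_NEXT(fcp, next)` and `LIST_REMOVE(fcp, next)`; it compiles because those macros expand to member accesses on `fcp`, but it reads as if the variable were the argument, so rename it (e.g. `nfcp`). Two logic points: `remove_dyn_rule(NULL, 1 /* force delete */)` just above the loop is still unconditional, so dynamic state created by a permanent keep-state rule is dropped on every flush, which works against the stated goal of keeping connectivity; and splnet()/splx() is now taken and released once per deleted element while `next` is fetched outside it, so holding splnet() once around the whole walk would be simpler and would close any window in which the saved `next` could be removed by another path.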