Date: Wed, 21 Mar 2001 10:23:55 -0800
From: Alfred Perlstein
To: Paul Richards, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID: <20010321102355.M12319@fw.wintelcom.net>
References: <200103210819.f2L8JWm19214@freefall.freebsd.org> <20010321105412.B47802@sunbay.com>
In-Reply-To: <20010321105412.B47802@sunbay.com>; from ru@FreeBSD.org on Wed, Mar 21, 2001 at 10:54:12AM +0200

* Ruslan Ermilov [010321 00:54] wrote:
> On Wed, Mar 21, 2001 at 12:19:32AM -0800, Paul Richards wrote:
> > paul        2001/03/21 00:19:32 PST
> >
> >   Modified files:
> >     sys/netinet          ip_fw.c
> >   Log:
> >   Only flush rules that have a rule number above that set by a new
> >   sysctl, net.inet.ip.fw.permanent_rules.
> >
> >   This allows you to install rules that are persistent across flushes,
> >   which is very useful if you want a default set of rules that
> >   maintains your access to remote machines while you're reconfiguring
> >   the other rules.
> >
> >   Reviewed by:  Mark Murray
> >
> You asked for a review and committed this while many of us were asleep!
>
> What I would really prefer is if we had a flag that marked individual
> rules as permanent.  Then the flush command would skip these rules, and
> another flush command would ignore this flag.
Er, no, that's not as good as being able to put the rules into a class
(example):

    /sbin/ipfw add foo,100 deny ip from any to any
    /sbin/ipfw add bar,200 deny ip from any to any
    /sbin/ipfw add baz,300 deny ip from any to any
    #              ^
    #              |
    #   rule 'class' -/

    /sbin/ipfw flush bar
    # this would flush rule 200 and any others entered with a 'bar'
    # prefixed to the rule number.

A simple flush would just drop all rules added without a 'class'; you
could also flush based on class, or maybe toggle them all on or off in
one motion.

We should be able to toggle ipfw rules as well as enter them into the
ruleset as "inactive" so that we can toggle them on and off easily.

Simply put, this is a pretty disgusting hack, Paul, and should have been
thought out better.  I mean seriously, this doesn't deserve a sysctl!
Maybe an option in a config file or something...

Leave it in, but I think you owe it another shot when you get a chance. :)

None of this probably belongs in the kernel; it really belongs in an
ipfw front-end tool.

thanks,
-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
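The rule-class front end sketched in the reply above, written out as a small shell wrapper. This is an added example, not code from the thread, from ipfw or from the commit under discussion. It assumes a registry file of its own (`/var/db/ipfw-classes` by default, overridable through `REGISTRY`, one `<class> <rulenum>` pair per line) and an `IPFW` variable that can be pointed at `echo` for a dry run that only prints the ipfw commands it would issue. The class is tracked entirely in userland, which is the point the message makes: flushing one class, or flushing everything except classed rules, needs no kernel support and no sysctl.

```shell
#!/bin/sh
# ipfw-class: hypothetical userland front end that tags ipfw rules with a
# "class" and flushes by class. Added example; not part of ipfw or FreeBSD.
# Assumptions: registry file location, and that IPFW may be set to "echo"
# for a dry run.

IPFW="${IPFW:-/sbin/ipfw}"
REGISTRY="${REGISTRY:-/var/db/ipfw-classes}"   # assumed: "<class> <rulenum>" per line

# add <class> <rulenum> <rule body...>: install the rule, then record its class.
add() {
    cls=$1; num=$2; shift 2
    "$IPFW" add "$num" "$@" || return 1
    printf '%s %s\n' "$cls" "$num" >> "$REGISTRY"
}

# numbers_in <class>: rule numbers recorded under a class, one per line.
numbers_in() {
    [ -f "$REGISTRY" ] || return 0
    awk -v c="$1" '$1 == c { print $2 }' "$REGISTRY"
}

# flush_class <class>: delete only that class's rules, then forget them.
flush_class() {
    cls=$1
    for n in $(numbers_in "$cls"); do
        "$IPFW" delete "$n" || return 1
    done
    [ -f "$REGISTRY" ] || return 0
    awk -v c="$cls" '$1 != c' "$REGISTRY" > "$REGISTRY.tmp" \
        && mv "$REGISTRY.tmp" "$REGISTRY"
}

# flush_unclassed: the "simple flush" of the proposal. Reads the currently
# loaded rule numbers on stdin (e.g. `ipfw list | awk '{print $1}'`) and
# deletes every rule not recorded in the registry. Rule 65535, the default
# rule that a real flush also leaves alone, is never deleted.
flush_unclassed() {
    # cat keeps a missing registry from failing the assignment under set -e
    keep=$(cat "$REGISTRY" 2>/dev/null | awk '{ print $2 }')
    while read -r n; do
        [ "$n" = 65535 ] && continue
        if printf '%s\n' $keep | grep -qx "$n"; then
            continue            # classed rule: survives the flush
        fi
        "$IPFW" delete "$n" || return 1
    done
}

# Command-line dispatch, e.g.:
#   IPFW=echo ./ipfw-class add foo 100 deny ip from any to any
#   IPFW=echo ./ipfw-class flush_class foo
if [ $# -gt 0 ]; then
    "$@"
fi
```

The wrapper covers the two flush operations in the proposal but not the toggle: nothing in ipfw of the time let an installed rule be disabled without deleting it, which is why the message asks for it. Later ipfw2 added rule sets (`ipfw set disable N`, `ipfw delete set N`) that give much of this grouping in the kernel after all.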