Date:      Wed, 21 Mar 2001 07:27:35 +0000
From:      Paul Richards <paul@freebsd-services.co.uk>
To:        freebsd-audit@freebsd.org
Subject:   ipfw permanent rules
Message-ID:  <3AB857E7.D4CEBD40@freebsd-services.co.uk>

What do people think of the patch below?

It sets a rule number below which rules will not be flushed. I've been
using it to install permanent rules, like SSH access from the office to
remote servers, so I can flush the majority of rules but keep those that
are essential to allow me to maintain connectivity to the box.

===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.22
diff -r1.131.2.22 ip_fw.c
80a81
> static int fw_permanent_rules = 0;
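Review bot: the explicit `= 0` initialiser on a static is redundant, but the more useful thing to say at the declaration is what 0 means: with the flush test being `fw_number > fw_permanent_rules`, 0 (or any non-positive value) keeps today's flush-everything behaviour, and nothing in the patch states that. A one-line comment here ("0 = no permanent rules; flush behaves as before") would save the next reader a trip to the loop.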
110a112,113
> SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLFLAG_RW,
>     &fw_permanent_rules, 0, "Set rule number, below which rules are permanent");
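Review bot: the description string says rules "below" the threshold are permanent, but the loop test in the flush hunk is `fw_number > fw_permanent_rules`, so a rule numbered exactly fw_permanent_rules is also kept; either make the string say "at or below" or change the comparison to `>=` so the sysctl help text and the code agree. Two caveats worth documenting alongside the new knob (ipfw(8) and the sysctl description): only the flush path is changed by this patch, so a rule under the threshold can still be deleted one at a time, and the knob is CTLFLAG_RW with no range check, so the same root that can flush can first set it back to 0. It guards against operator error, not against a compromised root, and the text should say so.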
1852,1855c1855,1862
<               while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) &&
<                    fcp->rule->fw_number != IPFW_DEFAULT_RULE ) {
<                       s = splnet();
<                       LIST_REMOVE(fcp, next);
---
>               fcp = LIST_FIRST(&ip_fw_chain_head);
>               while (fcp) {
>                       struct ip_fw_chain *next;
>                       next = LIST_NEXT(fcp, next);
>                       if (fcp->rule->fw_number > fw_permanent_rules &&
>                            fcp->rule->fw_number != IPFW_DEFAULT_RULE ) {
>                               s = splnet();
>                               LIST_REMOVE(fcp, next);
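Review bot: the local `next` in `next = LIST_NEXT(fcp, next);` has the same name as the LIST_ENTRY field passed to LIST_NEXT and LIST_REMOVE. It compiles, since the macros expand to member accesses on that field, but it reads as if the variable were being handed to the macro; `fcp_next` or `nfcp` would be clearer. Separately, `next` is read before splnet() is raised and the spl section now brackets only the unlink of one element, as the old code did with LIST_FIRST; since this walk now visits every rule rather than stopping at the default rule, consider a single splnet()/splx() pair around the whole while loop, which is cheaper than one per removed rule and also closes the window between saving `next` and unlinking `fcp` if anything else can touch the chain meanwhile.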
1857c1864
<                       dn_rule_delete(fcp);
---
>                               dn_rule_delete(fcp);
1859,1861c1866,1870
<                       FREE(fcp->rule, M_IPFW);
<                       FREE(fcp, M_IPFW);
<                       splx(s);
---
>                               FREE(fcp->rule, M_IPFW);
>                               FREE(fcp, M_IPFW);
>                               splx(s);
>                       }
>                       fcp = next;
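Review bot: `fcp = next;` after the two FREE() calls is correct only because `next` was captured at the top of the loop body before the element was unlinked and freed, which the hunk does; a short comment at the point of capture saying that the pointer is saved because `fcp` is about to be freed would stop a later cleanup from "simplifying" it back to LIST_NEXT(fcp, next) on freed memory. With kept rules now surviving the loop, anything after the flush that assumed only the default rule remains should also be re-checked; that code is outside this diff.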


Paul Richards
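The semantics the patch gives to the flush, worked through as a userland model. This is an added example and is not code from the FreeBSD kernel or from the patch above: the singly linked chain, the constructed sample ruleset, the threshold argument and the function names `build_chain`, `flush_chain` and `surviving_rules` are all assumptions made here so the loop can run outside the kernel. It reproduces the patched loop's two tests (`fw_number > threshold` and `!= IPFW_DEFAULT_RULE`) and shows the boundary case the sysctl description glosses over: a rule numbered exactly at the threshold is kept, and the default rule is kept whatever the threshold.

```c
/*
 * Userland model of the patched ipfw flush loop.
 * Added example; not FreeBSD kernel code.  The chain, ruleset and
 * function names below are constructed for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPFW_DEFAULT_RULE 65535   /* ipfw's default-rule number */

struct rule {
    unsigned short fw_number;     /* rule number, as in the kernel's struct ip_fw */
    const char *text;             /* constructed description of the rule */
    struct rule *next;
};

static struct rule *make_rule(unsigned short n, const char *text)
{
    struct rule *r = calloc(1, sizeof *r);
    if (r == NULL) { perror("calloc"); exit(1); }
    r->fw_number = n;
    r->text = text;
    return r;
}

/* Constructed sample ruleset, in rule-number order with the default rule last. */
static struct rule *build_chain(void)
{
    static const struct { unsigned short n; const char *t; } sample[] = {
        {   100, "allow tcp from 192.0.2.0/24 to me 22" },   /* office -> SSH, meant to survive a flush */
        {   200, "allow ip from any to any via lo0" },
        {  1000, "allow tcp from any to me 80" },
        {  2000, "deny ip from any to any" },
        { IPFW_DEFAULT_RULE, "deny ip from any to any" },    /* default rule, never flushed */
    };
    struct rule *head = NULL, *tail = NULL;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        struct rule *r = make_rule(sample[i].n, sample[i].t);
        if (tail) tail->next = r; else head = r;
        tail = r;
    }
    return head;
}

/*
 * The patched loop: unlink and free every rule numbered above the
 * threshold except the default rule.  The successor is saved before
 * the element is freed, exactly as the patch does with LIST_NEXT.
 * Returns the number of rules removed.
 */
static int flush_chain(struct rule **head, int threshold)
{
    struct rule *fcp = *head, *prev = NULL;
    int removed = 0;
    while (fcp) {
        struct rule *fcp_next = fcp->next;   /* saved: fcp may be freed below */
        if (fcp->fw_number > threshold && fcp->fw_number != IPFW_DEFAULT_RULE) {
            if (prev) prev->next = fcp_next; else *head = fcp_next;
            free(fcp);
            removed++;
        } else {
            prev = fcp;
        }
        fcp = fcp_next;
    }
    return removed;
}

static void free_chain(struct rule *head)
{
    while (head) { struct rule *n = head->next; free(head); head = n; }
}

/*
 * Build the sample chain, flush it with the given threshold, and write
 * the surviving rule numbers into buf as "100,65535".  Returns the
 * number of rules the flush removed.
 */
int surviving_rules(int threshold, char *buf, size_t len)
{
    struct rule *head = build_chain();
    int removed = flush_chain(&head, threshold);
    size_t off = 0;
    buf[0] = '\0';
    for (struct rule *r = head; r; r = r->next) {
        int n = snprintf(buf + off, len - off, "%s%u", off ? "," : "", (unsigned)r->fw_number);
        if (n < 0 || (size_t)n >= len - off) break;
        off += (size_t)n;
    }
    free_chain(head);
    return removed;
}

int main(void)
{
    const int thresholds[] = { 0, 100, 150, 200, -1, IPFW_DEFAULT_RULE };
    char buf[64];
    for (size_t i = 0; i < sizeof thresholds / sizeof thresholds[0]; i++) {
        int removed = surviving_rules(thresholds[i], buf, sizeof buf);
        printf("permanent_rules=%d: removed %d, kept %s\n", thresholds[i], removed, buf);
    }
    return 0;
}
```

Setting the threshold to 0 or any negative value reproduces the unpatched behaviour (everything but the default rule goes); setting it to 100 keeps rule 100 itself, which is the "at or below" semantics of the `>` comparison; setting it to IPFW_DEFAULT_RULE turns the flush into a no-op.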

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AB857E7.D4CEBD40>