Date:      Wed, 21 Mar 2001 07:42:39 +0000
From:      Paul Richards <paul@freebsd-services.co.uk>
To:        Mark Murray <mark@grondar.za>
Cc:        freebsd-audit@FreeBSD.ORG
Subject:   Re: ipfw permanent rules
Message-ID:  <3AB85B6F.32E9EE7C@freebsd-services.co.uk>
References:  <3AB857E7.D4CEBD40@freebsd-services.co.uk> <200103210738.f2L7cof42204@gratis.grondar.za>

Mark Murray wrote:
> 
> > What do people think of the patch below.
> 
> I think it is a nifty idea!
> 
> > It sets a rule number below which rules will not be flushed. I've been
> > using it to install permanent rules, like SSH access from the office to
> > remote servers, so I can flush the majority of rules but keep those that
> > are essential to allow me to maintain connectivity to the box.
> 
> Erm, could you do this as a unified diff rather - makes it a heck of
> a lot easier to read. :-)

Ok.

Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.22
diff -u -r1.131.2.22 ip_fw.c
--- ip_fw.c     2001/03/09 16:37:36     1.131.2.22
+++ ip_fw.c     2001/03/21 00:10:59
@@ -78,6 +78,7 @@
 #else
 static int fw_verbose_limit = 0;
 #endif
+static int fw_permanent_rules = 0;

 /*
  * Right now, two fields in the IP header are changed to host format
@@ -108,6 +109,8 @@
     &fw_verbose, 0, "Log matches to ipfw rules");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW,
     &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules
logged");
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLFLAG_RW,
+    &fw_permanent_rules, 0, "Set rule number, below which rules are
permanent");

 /*
  * Extension for stateful ipfw.
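Review bot: The help string added for `permanent_rules` says rules "below which" the threshold are permanent, but the comparison the third hunk introduces (`fcp->rule->fw_number > fw_permanent_rules`) also keeps the rule whose number equals the threshold, so the boundary is inclusive. Either make the string match, `"Set rule number, at or below which rules are permanent"`, or change the test to `>=` so the documented meaning holds; an operator scripting `ipfw flush` before a reload will otherwise be surprised by one rule that survives. The sysctl is CTLFLAG_RW with no range check, so a value of IPFW_DEFAULT_RULE or higher silently makes the flush keep every static rule; that is probably acceptable for a root-only knob, but it is worth stating in the description. The string literal appears to be wrapped by the mailer rather than in the source.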
@@ -1849,16 +1852,22 @@
                s = splnet();
                remove_dyn_rule(NULL, 1 /* force delete */);
                splx(s);
-               while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) &&
-                    fcp->rule->fw_number != IPFW_DEFAULT_RULE ) {
-                       s = splnet();
-                       LIST_REMOVE(fcp, next);
+               fcp = LIST_FIRST(&ip_fw_chain_head);
+               while (fcp) {
+                       struct ip_fw_chain *next;
+                       next = LIST_NEXT(fcp, next);
+                       if (fcp->rule->fw_number > fw_permanent_rules &&
+                            fcp->rule->fw_number != IPFW_DEFAULT_RULE )
{
+                               s = splnet();
+                               LIST_REMOVE(fcp, next);
 #ifdef DUMMYNET
-                       dn_rule_delete(fcp);
+                               dn_rule_delete(fcp);
 #endif
-                       FREE(fcp->rule, M_IPFW);
-                       FREE(fcp, M_IPFW);
-                       splx(s);
+                               FREE(fcp->rule, M_IPFW);
+                               FREE(fcp, M_IPFW);
+                               splx(s);
+                       }
+                       fcp = next;
                }
                break;
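Review bot: `next = LIST_NEXT(fcp, next)` and the `fcp = next` advance at the end of the new loop body run outside the splnet()/splx() window, which now only brackets the LIST_REMOVE/FREE pair, so if anything unlinks a chain entry at splnet level while the flush is walking the list, `next` can point at freed memory when the loop continues. The pre-change loop re-read LIST_FIRST on every pass and had a comparable window, but the new form holds a saved pointer across every permanent-rule iteration as well, so the exposure is wider. I would protect the whole walk instead: put `s = splnet();` before `fcp = LIST_FIRST(&ip_fw_chain_head);`, put `splx(s);` after the closing brace of the `while`, and drop the per-rule pair. A one-line comment above the loop would also help the next reader, e.g. `/* rules numbered <= fw_permanent_rules survive IP_FW_FLUSH; the default rule always does */`. The enclosing switch case and function begin and end outside the hunk.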




