Date:      Fri, 1 Dec 2006 20:03:15 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        "Dan Mahoney, System Admin" <danm@prime.gushi.org>
Cc:        freebsd-questions@freebsd.org
Subject:   (no subject)
Message-ID:  <Pine.BSF.3.96.1061201192537.16744A-100000@gaia.nimnet.asn.au>
In-Reply-To: <20061129203900.7B1E016A4FE@hub.freebsd.org>

Bit late, catching up on half a dozen questions-digests, but fwiw:

Re: freebsd-questions Digest, Vol 157, Issue 26
 > Message: 33
 > Date: Wed, 29 Nov 2006 14:55:52 -0500 (EST)
 > From: "Dan Mahoney, System Admin" <danm@prime.gushi.org>

 > Hey all, the ipfw man page says rules can be deleted individually or in 
 > groups, but I don't see (other than the sets) an easy way to craft 
 > deletion of rules in a range (for example, 500-550).
 > 
 > As the system I'm using crafts client rules by client numbers, this is a 
 > kinda useful feature, is it available somewhere?

Here's one of a number of scripts I wrote to manage client-group based
rules for ipfw1 (before sets), to do just that; 'scuse debugging noise.

#!/bin/sh
# ipfwdelrange.sh 28/1/4 smithi  optionally noisy for starters ..
# Deletes every ipfw1 rule numbered within [firstrule, lastrule].
version="1.0 28Jan04"
set=''; q=''; v=''
[ "$1" = "-q" ] && q=y && shift         # quiet
[ "$1" = "-v" ] && v=y && shift         # verbose
[ ! "$q" ] && echo -n "ipfwdelrange.sh: "
[ $# -ne 2 ] && echo "usage: $0 [-q|-v] firstrule lastrule" && exit 1
for n in "$1" "$2"; do                  # test(1) chokes on non-numeric args
    case "$n" in ''|*[!0-9]*) echo "bad rule number '$n'" && exit 1 ;; esac
done

# temp file for the listing; mktemp avoids a predictable name in /tmp
rulelist=`mktemp -t ipfwdelrange` || exit 1

# existing rules; check ipfw's own status, not awk's at the end of a pipe
/sbin/ipfw list >$rulelist
[ $? -ne 0 ] && echo "'ipfw list' failed!" && rm -f $rulelist && exit 1

while read rule rest; do    # first field is the rule number; rest is ignored
    [ $rule -lt $1 ] && continue
    [ $rule -gt $2 -o $rule -eq 65535 ] && break    # 65535 is the default rule
    set="$set $rule"    # includes duplicates; ipfw1 must delete each one
done <$rulelist
rm -f $rulelist

if [ "$set" ]; then
    [ ! "$q" ] && echo "deleting all rules in range ${1}-$2"
    [ "$v" ] && echo "$set"
    /sbin/ipfw -q delete $set     # delete all existing in range
    [ $? -ne 0 ] && echo "'ipfw delete' failed!" && exit 1
else
    [ ! "$q" ] && echo "no ipfw rules to delete in range ${1}-$2"
fi
exit 0

I seem to recall ipfw2 deletes multiple rules with the same number with
one delete statement.  If that's the case, and you use any, make it: 
    [ ! "`echo $set | grep -w $rule`" ] && set="$set $rule"
or you'll get error messages on repeated deletes of the same rule.

Cheers, Ian
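An added example (mine, not Ian's script above nor anything from the ipfw
sources) that does the same range selection the ipfw2 way described in his
last paragraph: one delete removes every rule sharing a number, so each
number in the range is passed to "ipfw delete" once, and the listing is
captured before filtering so a failure of ipfw itself is not hidden behind
awk's exit status at the end of the pipe. The script name, the IPFW override
variable and the sample listing are assumptions of this example.

```sh
#!/bin/sh
# ipfwdelrange2.sh -- added example, not the script from the original post.
# Deletes every ipfw rule whose number lies in [first, last], passing each
# distinct number to `ipfw delete` once (ipfw2 removes all rules sharing a
# number in one delete). Assumes /sbin/ipfw; IPFW is a hypothetical override
# used for dry runs and offline testing.

# Constructed sample of `ipfw list` output (not captured from a real host).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00500 allow tcp from 192.0.2.10 to any 22
00500 allow tcp from 192.0.2.10 to any 80
00510 deny ip from 192.0.2.11 to any
00550 allow udp from 192.0.2.12 to any 53
00600 allow ip from any to any
65535 deny ip from any to any'

# is_num STRING: true when STRING is a non-empty run of decimal digits.
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# rules_in_range FIRST LAST: reads `ipfw list` output on stdin and prints each
# distinct rule number within the range, ascending, one per line. The default
# rule 65535 is skipped because it cannot be deleted.
rules_in_range() {
    awk -v first="$1" -v last="$2" '
        { n = $1 + 0 }                     # "00500" -> 500, compare numerically
        n == 65535 { next }
        n >= first && n <= last && !seen[n]++ { print n }
    '
}

# delete_range FIRST LAST: validate, list, select, delete. Returns 2 on bad
# arguments, 1 when ipfw fails, 0 otherwise (also when nothing matched).
delete_range() {
    ipfw=${IPFW:-/sbin/ipfw}
    if ! is_num "$1" || ! is_num "$2" || [ "$1" -gt "$2" ]; then
        echo "usage: delete_range first last (first <= last)" >&2
        return 2
    fi
    # Capture the listing first so a failure of ipfw itself is not masked
    # by the exit status of a later pipeline stage.
    list=$("$ipfw" list) || { echo "'$ipfw list' failed" >&2; return 1; }
    nums=$(printf '%s\n' "$list" | rules_in_range "$1" "$2")
    if [ -z "$nums" ]; then
        echo "no ipfw rules in range $1-$2" >&2
        return 0
    fi
    # $nums is intentionally unquoted: one argument per rule number.
    "$ipfw" -q delete $nums
}

# Run directly as: ./ipfwdelrange2.sh 500 550
if [ $# -eq 2 ]; then
    delete_range "$1" "$2"
fi
```

For a dry run, point IPFW at a wrapper that answers "list" with a saved
listing and echoes any other arguments; the delete line it prints is exactly
what would be handed to the real /sbin/ipfw.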
