Date:      Sat, 28 Apr 2001 21:48:00 -0700 (PDT)
From:      David Wolfskill <david@catwhisker.org>
To:        ache@nagual.pp.ru
Cc:        current@FreeBSD.ORG
Subject:   Re: ipfw: several equal rules under same number bug
Message-ID:  <200104290448.f3T4m0x24954@bunrab.catwhisker.org>
In-Reply-To: <20010429084220.A50143@nagual.pp.ru>

>Date: Sun, 29 Apr 2001 08:42:20 +0400
>From: "Andrey A. Chernov" <ache@nagual.pp.ru>

>On Sat, Apr 28, 2001 at 21:22:59 -0700, David Wolfskill wrote:
>> I have at least one application where I generate ipfw rules in a script,
>> for a set of subnets which I read from a file at execution time.  I am
>> able to use the numbers to group the firewall rules, so that for any
>> given subnet, I can predict the order in which the rules will be
>> applied. 

>In the situation you describe you can _add_ rules without any harm, but you
>can't _delete_ some of them later - it causes totally unpredictable
>results, i.e. the delete operation really does not work in the current way.
>A better way will be to give all subnets unique number ranges.

Well, in that situation, the rules are sufficiently complicated that I'd
modify the script or the input list of netmask specifications, and
re-run the whole thing.  :-}

How about a syntax for being able to specify which instantiation of a
given ipfw rule number you mean, and a corresponding change to the code
to iterate through those instantiations until that one is encountered.
(You can probably tell I haven't actually looked at the code....)

Cheers,
david
-- 
David H. Wolfskill				david@catwhisker.org
As a computing professional, I believe it would be unethical for me to
advise, recommend, or support the use (save possibly for personal
amusement) of any product that is or depends on any Microsoft product.
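
The unique-number-range-per-subnet approach suggested in the quoted reply, as an added example that is not code from either poster: a generator that reads a subnet list and prints `ipfw add` commands, plus the matching per-subnet `ipfw delete` commands. `BASE`, `STRIDE`, the function names, the three-rule template and the sample subnets are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): one rule-number range per subnet.
# BASE, STRIDE and the three-rule template are assumptions for illustration.
BASE=${BASE:-1000}     # first rule number handed out
STRIDE=${STRIDE:-100}  # rule numbers reserved for each subnet
MAX_RULE=65534         # 65535 is ipfw's built-in default rule

# gen_add: read subnets (one per line, '#' comments allowed) on stdin and
# print the "ipfw add" commands, each subnet inside its own range.
gen_add() {
    i=0
    while read -r line; do
        net=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$net" ] || continue
        start=$((BASE + i * STRIDE))
        if [ $((start + STRIDE - 1)) -gt "$MAX_RULE" ]; then
            echo "gen_add: range for $net would pass rule $MAX_RULE" >&2
            return 1
        fi
        echo "ipfw add $start allow tcp from $net to any established"
        echo "ipfw add $((start + 10)) allow udp from $net to any 53"
        echo "ipfw add $((start + 20)) deny ip from $net to any"
        i=$((i + 1))
    done
}

# gen_delete SUBNET: print "ipfw delete" commands for that subnet's rules only.
# Every number is unique, so each delete names exactly one rule.
gen_delete() {
    gen_add | awk -v net="$1" '$7 == net { print "ipfw delete " $3 }'
}

# Constructed sample input standing in for the subnet file.
SAMPLE_SUBNETS='# constructed sample subnet list
10.1.0.0/24
10.2.0.0/24   # lab

192.168.5.0/24'

printf '%s\n' "$SAMPLE_SUBNETS" | gen_add
printf '%s\n' "$SAMPLE_SUBNETS" | gen_delete 10.2.0.0/24
```

The script only prints commands, so the output can be reviewed before it is piped to a shell on the firewall host.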