From owner-freebsd-current Sat Apr 28 21:48: 6 2001
Delivered-To: freebsd-current@freebsd.org
Received: from bunrab.catwhisker.org (adsl-63-193-123-122.dsl.snfc21.pacbell.net [63.193.123.122])
	by hub.freebsd.org (Postfix) with ESMTP id 33D6037B424
	for ; Sat, 28 Apr 2001 21:48:04 -0700 (PDT)
	(envelope-from david@catwhisker.org)
Received: (from david@localhost)
	by bunrab.catwhisker.org (8.10.0/8.10.0) id f3T4m0x24954;
	Sat, 28 Apr 2001 21:48:00 -0700 (PDT)
Date: Sat, 28 Apr 2001 21:48:00 -0700 (PDT)
From: David Wolfskill
Message-Id: <200104290448.f3T4m0x24954@bunrab.catwhisker.org>
To: ache@nagual.pp.ru
Subject: Re: ipfw: several equal rules under same number bug
Cc: current@FreeBSD.ORG
In-Reply-To: <20010429084220.A50143@nagual.pp.ru>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>Date: Sun, 29 Apr 2001 08:42:20 +0400
>From: "Andrey A. Chernov"

>On Sat, Apr 28, 2001 at 21:22:59 -0700, David Wolfskill wrote:

>> I have at least one application where I generate ipfw rules in a script,
>> for a set of subnets which I read from a file at execution time. I am
>> able to use the numbers to group the firewall rules, so that for any
>> given subnet, I can predict the order in which the rules will be
>> applied.

>In the situation you describe you can _add_ rules without any harm, but you
>can't _delete_ some of them later - it causes totally unpredictable
>results, i.e. the delete operation really does not work in the current way.
>A better way will be to give all subnets unique number ranges.

Well, in that situation, the rules are sufficiently complicated that I'd
modify the script or the input list of netmask specifications, and
re-run the whole thing. :-}

How about a syntax for being able to specify which instantiation of a
given ipfw rule number you mean, and a corresponding change to the code
to iterate through those instantiations until that one is encountered.
(You can probably tell I haven't actually looked at the code....)

Cheers,
david
-- 
David H. Wolfskill				david@catwhisker.org
As a computing professional, I believe it would be unethical for me to
advise, recommend, or support the use (save possibly for personal
amusement) of any product that is or depends on any Microsoft product.
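
The "unique number ranges per subnet" suggestion quoted above, as an added POSIX sh example (not code from the thread or from ipfw). The base number, stride, per-subnet rules and sample subnets are constructed assumptions; the functions only print ipfw commands and never run them.

```sh
#!/bin/sh
# Added example: give every subnet its own block of ipfw rule numbers, so that
# no number is ever used twice and deleting by number is unambiguous.
BASE=10000    # first rule number handed out (assumption)
STRIDE=100    # rule numbers reserved per subnet (assumption)

# Constructed sample input: one CIDR subnet per line, '#' starts a comment.
SAMPLE_SUBNETS='# lab networks (constructed)
192.0.2.0/26
192.0.2.64/26'

# gen_rules: read subnets on stdin, print "ipfw add" commands on stdout.
# Within one subnet the numbers rise in the order the rules should be evaluated.
gen_rules() {
    idx=0
    while read -r net; do
        case "$net" in ''|'#'*) continue ;; esac
        start=$((BASE + idx * STRIDE))
        # Constructed sample policy: three rules per subnet.
        echo "ipfw add $start allow tcp from $net to any established"
        echo "ipfw add $((start + 10)) allow udp from $net to any 53"
        echo "ipfw add $((start + 20)) deny ip from $net to any"
        idx=$((idx + 1))
    done
}

# dup_numbers: read "ipfw add N ..." commands on stdin and print every rule
# number that occurs more than once (empty output means all are unique).
dup_numbers() {
    awk '$1 == "ipfw" && $2 == "add" { print $3 }' | sort -n | uniq -d
}

# del_cmds SUBNET: read the same subnet list on stdin and print the
# "ipfw delete" commands that remove exactly that subnet's rules.
del_cmds() {
    gen_rules | awk -v net="$1" '$7 == net { print "ipfw delete " $3 }'
}

# Demo: print the generated rule set for the constructed sample list.
printf '%s\n' "$SAMPLE_SUBNETS" | gen_rules
```

Piping a generated rule file through `dup_numbers` before loading it catches the shared-number situation discussed in the thread.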