Date:      Tue, 14 Dec 2004 15:17:52 +0100
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        freebsd-net@freebsd.org
Cc:        Andre Oppermann <andre@freebsd.org>
Subject:   Re: per-interface packet filters, design approach
Message-ID:  <20041214141752.GC782@zaphod.nitro.dk>
In-Reply-To: <20041214141307.GA684@empiric.icir.org>
References:  <41BEF2AF.470F9079@freebsd.org> <20041214141307.GA684@empiric.icir.org>

On 2004.12.14 06:13:07 -0800, Bruce M Simpson wrote:

> What I'm really missing in IPFW is the ability to maintain one or more
> 'shadow rulesets'. These rulesets may not be the active rulesets, but
> I can manipulate them as tables, independently of the active ruleset(s),
> push rules into them, flush them, and then atomically switch them to be
> the active ruleset, using a single syscall.

Isn't that more or less sets you are talking about?  Quoting ipfw(8):

     Each rule belongs to one of 32 different sets, numbered 0 to 31.  Set 31
     is reserved for the default rule.

     By default, rules are put in set 0, unless you use the set N attribute
     when entering a new rule.  Sets can be individually and atomically
     enabled or disabled, so this mechanism permits an easy way to store
     multiple configurations of the firewall and quickly (and atomically)
     switch between them.  The command to enable/disable sets is

           ipfw set [disable number ...] [enable number ...]

     where multiple enable or disable sections can be specified.  Command
     execution is atomic on all the sets specified in the command.  By default,
     all sets are enabled.

-- 
Simon L. Nielsen
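
The shadow-ruleset workflow discussed above, built on the set mechanism quoted from ipfw(8), as an added example that is not part of the original message. The set numbers (0 active, 1 shadow), the sample rules and the `IPFW` dry-run variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): use an ipfw set as a shadow ruleset.
# Dry run by default: commands are printed, not executed. To apply them,
# run as root on FreeBSD with IPFW=ipfw in the environment.
IPFW="${IPFW:-echo ipfw}"

ACTIVE_SET=0   # assumption: the live rules are in set 0 (the default set)
SHADOW_SET=1   # assumption: set 1 is unused and can serve as staging

stage_shadow() {
    # Disable the shadow set first, so rules added to it match no traffic.
    $IPFW set disable "$SHADOW_SET" || return 1
    # Empty the shadow set; tolerate an error if it holds no rules yet.
    $IPFW -q delete set "$SHADOW_SET" || true
    # Constructed sample policy: loopback, stateful inbound SSH, default deny.
    $IPFW add 100 set "$SHADOW_SET" allow ip from any to any via lo0 || return 1
    $IPFW add 200 set "$SHADOW_SET" check-state || return 1
    $IPFW add 300 set "$SHADOW_SET" allow tcp from any to me 22 setup keep-state || return 1
    $IPFW add 65000 set "$SHADOW_SET" deny ip from any to any || return 1
}

switch_to_shadow() {
    # One command covering both sets: per ipfw(8) it is applied atomically,
    # so there is no window with neither or both rulesets active.
    $IPFW set disable "$ACTIVE_SET" enable "$SHADOW_SET"
}

# Only switch if every staging command succeeded; a half-built shadow set
# must never become the active policy.
stage_shadow && switch_to_shadow
```

Rules entered without a `set N` attribute land in set 0, so disabling set 0 turns those off as well; the shadow set has to carry every rule the host still needs, including the one that keeps the administrator's own session alive.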
