From: "Simon L. Nielsen"
To: "Scott M. Nolde"
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 12 Jan 2003 17:05:59 +0100
Subject: Re: Feature Request
Message-ID: <20030112160558.GE348@nitro.dk>
In-Reply-To: <20030108145020.GA15778@smnolde.com>

On 2003.01.08 09:50:20 +0000, Scott M. Nolde wrote:
> Has there been consideration to make a "relative skip" function similar to
> skipto, where the number of rules are skipped relative to the rule itself?
I found this could be useful, so I have implemented this in my own firewall
script to get functionality like this:

    fwcmd_add deny ip from 10.0.0.0/8 to any
    fwcmd_add skipto ${rule_skip_1} ip from 192.168.1.0/24 to any
    fwcmd_add deny ip from 192.168.0.0/16 to any
    fwcmd_add count ip from any to any

When run this gives:

    add 500 deny ip from 10.0.0.0/8 to any
    add 510 skipto 530 ip from 192.168.1.0/24 to any
    add 520 deny ip from 192.168.0.0/16 to any
    add 530 count ip from any to any

It is not perfect but it works...

The implementation is not complete yet but you can get the idea:

    # Return 0 if the argument is a number (expr fails on non-numeric input)
    is_num() {
        expr "$*" + 1 >/dev/null 2>&1
        return $?
    }

    fwcmd=${fwcmd:-ipfw}        # firewall command, set earlier in the real script
    rule_first=500
    rule_inc=10                 # How much to increment per rule
    rule_next=${rule_first}     # The next rule to use

    # Add a firewall rule
    fwcmd_add() {
        # Check if we have a rule number
        if is_num "$1"; then
            rule_next=$1
            shift
        fi
        ${fwcmd} add ${rule_next} "$@"
        rule_next=$((${rule_next} + ${rule_inc}))

        # Note these are a bit odd since they are used by the next rule
        # Warning: These will FAIL if an absolute rule nr is used in one of
        # the rules before the one being skipped to
        rule_skip_1=$((${rule_next} + ${rule_inc} * 2))
        rule_skip_2=$((${rule_next} + ${rule_inc} * 3))
        rule_skip_3=$((${rule_next} + ${rule_inc} * 4))
    }

-- 
Simon L. Nielsen
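One way to make the skip targets survive the absolute-rule-number case the warning above describes, as an added example that is not Simon's code: rules are queued, numbered, and then each relative "skipto +N" is resolved against the final numbers in a second pass. The fw_queue and fw_resolve names and the "+N" syntax are this example's own; the demo reuses the rules from the mail and forces rule number 600 on the third one.

```shell
#!/bin/sh
# Two-pass "relative skipto" for an ipfw rule script: queue rules, number them,
# then resolve "skipto +N" against the numbers the rules actually received.

rule_first=500            # first rule number
rule_inc=10               # increment per rule
queue=""                  # queued rules, one per line
nl=$(printf '\nx'); nl=${nl%x}   # a literal newline for building the queue

# Queue a rule instead of adding it.  Usage: fw_queue [number] action args...
# "skipto +N" means: jump to the rule N positions after this one.
fw_queue() { queue="${queue}$*${nl}"; }

# Number the queued rules, resolve "skipto +N", and print "add <num> <rule>"
# lines (feed them to ipfw; nothing is loaded into the kernel here).
fw_resolve() {
    printf '%s' "$queue" | awk -v first="$rule_first" -v inc="$rule_inc" '
    BEGIN { next_num = first }
    {
        # Pass 1: an explicit leading number wins, else take the next free one.
        if ($1 ~ /^[0-9]+$/) { num = $1; sub(/^[0-9]+[ \t]+/, "") }
        else                  { num = next_num }
        next_num = num + inc
        n++; rule_num[n] = num; rule_body[n] = $0
    }
    END {
        # Pass 2: translate "+N" into the number the target rule actually got.
        for (i = 1; i <= n; i++) {
            body = rule_body[i]
            if (match(body, /^skipto \+[0-9]+/)) {
                target = i + substr(body, 9, RLENGTH - 8)
                if (target > n) {
                    print "skipto past last rule at rule " rule_num[i] > "/dev/stderr"
                    exit 1
                }
                body = "skipto " rule_num[target] substr(body, RLENGTH + 1)
            }
            print "add " rule_num[i] " " body
        }
    }'
}

# Constructed demo: the four rules from the mail, with an absolute number (600)
# forced on the third.  The skipto still lands on the count rule (610), where
# the fixed "+ rule_inc * 2" arithmetic would have produced 530.
fw_queue deny ip from 10.0.0.0/8 to any
fw_queue skipto +2 ip from 192.168.1.0/24 to any
fw_queue 600 deny ip from 192.168.0.0/16 to any
fw_queue count ip from any to any
fw_resolve
```

A "skipto +N" that points past the last queued rule is reported on stderr and makes fw_resolve exit non-zero, so a script can refuse to load anything in that case.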