From owner-freebsd-ipfw Wed Mar 21 02:49:01 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
  by hub.freebsd.org (Postfix) with ESMTP id E2F3B37B718;
  Wed, 21 Mar 2001 02:48:49 -0800 (PST)
  (envelope-from ru@whale.sunbay.crimea.ua)
Received: (from ru@localhost)
  by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f2LAiGa59400;
  Wed, 21 Mar 2001 12:44:16 +0200 (EET)
  (envelope-from ru)
Date: Wed, 21 Mar 2001 12:44:16 +0200
From: Ruslan Ermilov
To: Paul Richards
Cc: ipfw@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID: <20010321124416.A57754@sunbay.com>
Mail-Followup-To: Paul Richards, ipfw@FreeBSD.org
References: <200103210819.f2L8JWm19214@freefall.freebsd.org> <20010321105412.B47802@sunbay.com> <3AB87255.B0D4EF02@freebsd-services.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AB87255.B0D4EF02@freebsd-services.co.uk>; from paul@freebsd-services.co.uk on Wed, Mar 21, 2001 at 09:20:21AM +0000
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Mar 21, 2001 at 09:20:21AM +0000, Paul Richards wrote:
> Move to developers.
>
[Redirected to -ipfw, see Committer's Guide for -developers usage rules]

> Ruslan Ermilov wrote:
> >
> > On Wed, Mar 21, 2001 at 12:19:32AM -0800, Paul Richards wrote:
> > > paul        2001/03/21 00:19:32 PST
> > >
> > >   Modified files:
> > >     sys/netinet          ip_fw.c
> > >   Log:
> > >   Only flush rules that have a rule number above that set by a new
> > >   sysctl, net.inet.ip.fw.permanent_rules.
> > >
> > >   This allows you to install rules that are persistent across flushes,
> > >   which is very useful if you want a default set of rules that
> > >   maintains your access to remote machines while you're reconfiguring
> > >   the other rules.
> > >
> > >   Reviewed by:    Mark Murray
> > >
> > You asked for a review and committed this while many of us were asleep!
>
> There's always people asleep in the project. This wasn't a major
> architectural change, I just thought it worthwhile for a second pair of
> eyes to look it over and Mark's more than qualified for that.
>
> > What I would really prefer is if we had a flag that marked individual
> > rules as permanent. Then flush command would skip these rules, and
> > another flush command would ignore this flag.
>
> I thought about that first, but there's no bits left in the flag.
>
Really? 0x80000000 is unused. Or, alternatively, you may change the
IP_FW_F_COMMAND to 0x0000007F (we are unlikely to have more than 128
actions) and use 0x00000080. I propose the name IP_FW_F_PINNED.

> This solution has minimal impact on the implementation whereas changing the
> structure is a lot more intrusive. I'd also have had to fix the userland
> parser to recognise a token for persistent rules, whereas a sysctl was
> also a minimal impact change.
>
I think you should back this out and reimplement this. I can do this,
if you wish. :-)

> One thing I did think would be useful though is being able to pass a
> range to flush, i.e. ipfw flush 1000-1999.
>
Nope, the flush command should flush all rules, and probably also check
the IP_FW_F_PINNED bit in the flags. If the latter is set, it should
delete pinned rules as well. The same should be done for "delete".


Cheers,
-- 
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
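The two flush policies argued over in this thread, modelled on a tiny in-memory rule list. This is an added illustration, not code from the mail or from FreeBSD's ip_fw.c: the narrowed IP_FW_F_COMMAND mask and the IP_FW_F_PINNED bit follow Ruslan's proposal, and the rule numbers and flags are constructed sample data. Handling of the default rule 65535 and of the real ipfw chain structure is left out.

```c
/* Added example, not FreeBSD's ip_fw.c. Flag values are assumptions that
 * follow the proposal in the thread: the action mask is narrowed to 7 bits
 * so that bit 0x80 is free to mark a rule as pinned (surviving a flush). */
#include <stdint.h>
#include <stdio.h>

#define IP_FW_F_COMMAND 0x0000007FU   /* assumed narrowed action mask */
#define IP_FW_F_PINNED  0x00000080U   /* assumed "survives flush" bit */

struct rule {
    uint16_t number;   /* ipfw rule number */
    uint32_t flags;    /* action in the low bits, plus option bits */
};

/* Policy A: the committed sysctl approach. Only rules whose number is
 * above the permanent_rules threshold are removed. Returns the new count. */
static size_t flush_above(struct rule *rules, size_t n, uint16_t permanent_rules)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (rules[i].number <= permanent_rules)
            rules[kept++] = rules[i];
    return kept;
}

/* Policy B: a per-rule pinned bit. Pinned rules survive a plain flush and
 * are only removed when the caller explicitly asks for that (the second
 * flush variant Ruslan describes). Returns the new count. */
static size_t flush_pinned(struct rule *rules, size_t n, int remove_pinned)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!remove_pinned && (rules[i].flags & IP_FW_F_PINNED))
            rules[kept++] = rules[i];
    return kept;
}

/* The proposal only works if the new bit does not collide with the action
 * mask; check that at build time rather than trusting the numbers. */
static int pinned_bit_is_free(void)
{
    return (IP_FW_F_COMMAND & IP_FW_F_PINNED) == 0;
}

/* Runs one policy over a constructed rule set and returns how many rules
 * are left. policy 0 = threshold (arg is permanent_rules), policy 1 =
 * pinned bit (arg is remove_pinned). Rule 1500 is the interesting case:
 * a pinned rule that sits above the threshold, which policy A cannot keep. */
static size_t demo(int policy, int arg)
{
    struct rule rules[] = {
        { 100,  1 | IP_FW_F_PINNED },  /* management access, pinned */
        { 200,  1 | IP_FW_F_PINNED },
        { 1000, 2 },
        { 1500, 2 | IP_FW_F_PINNED },  /* pinned but numbered above 200 */
        { 2000, 3 },
    };
    size_t n = sizeof rules / sizeof rules[0];
    if (policy == 0)
        return flush_above(rules, n, (uint16_t)arg);
    return flush_pinned(rules, n, arg);
}

int main(void)
{
    printf("pinned bit free of action mask: %d\n", pinned_bit_is_free());
    printf("threshold flush (permanent_rules=200): %zu rules left\n", demo(0, 200));
    printf("pinned flush: %zu rules left\n", demo(1, 0));
    printf("pinned flush, remove pinned too: %zu rules left\n", demo(1, 1));
    return 0;
}
```

The threshold policy keeps only rules 100 and 200, so the pinned rule at 1500 is lost, while the per-rule bit keeps all three pinned rules and still lets a forced flush clear everything.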