From: Freddie Cash
To: freebsd-ipfw@freebsd.org
Date: Thu, 11 Sep 2014 08:01:46 -0700
Subject: IPFW rule sets and automatic rule numbering
Good morning everyone,

Just wondering if I'm doing things wrong, or if those two features (rule sets and auto-incrementing rule numbers) just don't play well together.

Until now, I've used the auto-incrementing feature to minimize the amount of work I need to do when changing/updating/adding rules in the middle of my scripts. This has been working great, and is controlled via the net.inet.ip.fw.autoinc_step sysctl.

Recently I was playing with the rule sets feature and using "ipfw set swap" to speed up my firewall rules reloading times. Previously, I'd clear the rules, then load the new rules, but that could leave up to 30 seconds of downtime. With the use of sets, that's under 1 sec.

Everything works well on the first run. Everything is loaded correctly into set 1, then swapped into set 0 and made live. All rules are numbered correctly.

On the second run, all the rules are loaded into set 1 using rule numbers 65524-65534, and then swapped into set 0.

On the third (and all subsequent runs), all rules are loaded into set 1 with rule number 65534, and then swapping into set 1.

It seems the rule numbers are global across all sets? Meaning, the "last used automatic number" is global across all sets? I was expecting the rule numbers to be unique per set.

I do the following to clear out rule set 1 before adding rules:

    ipfw -f set 1 flush
    ipfw set disable 1

Then load all my rules into set 1 using the following syntax:

    ipfw add set 1 allow tcp from 1.2.3.4 to 2.3.4.4 in recv igb0
    ....
    ....
    ....

Then swap the rules at the end using:

    ipfw set swap 1 0

Is there anything I could be doing differently to get the numbering to work the way I expect it to? Or am I going to have to manually number every rule in my scripts?

--
Freddie Cash
fjwcash@gmail.com
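One way to keep the flush / disable / load / swap sequence from the post while taking the global auto-increment counter out of the picture is to have the script assign explicit rule numbers before loading. The script below is an added example, not code from the thread; the START, STEP and set numbers, the helper names, and the syntax check before loading are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): load ipfw rules into a staging set with
# explicit rule numbers instead of relying on net.inet.ip.fw.autoinc_step,
# whose "last used number" is taken from the whole rule chain, not per set.
# START, STEP and the staging/live set numbers are assumptions.
START=${START:-100}
STEP=${STEP:-100}
STAGE=${STAGE:-1}
LIVE=${LIVE:-0}

# number_rules: read rule bodies from stdin, one per line, written as in the
# post after "ipfw add set 1" (e.g. "allow tcp from 1.2.3.4 to 2.3.4.4 in recv igb0"),
# and print ipfw(8) command-file lines with explicit numbers for set $STAGE.
number_rules() {
    n=$START
    while IFS= read -r body; do
        case $body in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if [ "$n" -gt 65534 ]; then               # 65535 is the default rule
            echo "number_rules: rule number $n exceeds 65534" >&2
            return 1
        fi
        printf 'add %d set %d %s\n' "$n" "$STAGE" "$body"
        n=$((n + STEP))
    done
}

# load_and_swap: the same sequence as in the post (flush and disable the
# staging set, load, swap), but the whole batch is syntax-checked first
# (ipfw -n) so a typo never leaves a half-loaded set. Reads rule bodies on stdin.
load_and_swap() {
    tmp=$(mktemp) || return 1
    number_rules > "$tmp" || { rm -f "$tmp"; return 1; }
    ipfw -q -n "$tmp" || { rm -f "$tmp"; return 1; }   # -n: check syntax only
    ipfw -q -f set "$STAGE" flush &&
    ipfw -q set disable "$STAGE" &&
    ipfw -q "$tmp" &&                                   # load the numbered rules
    ipfw -q set swap "$STAGE" "$LIVE"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Usage: `load_and_swap < rules.txt`, where rules.txt holds one rule body per line; number_rules can be run on its own to inspect the numbered batch before loading.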