Date:      Sun, 12 Jan 2003 17:05:59 +0100
From:      "Simon L. Nielsen" <simon@nitro.dk>
To:        "Scott M. Nolde" <scott@smnolde.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Feature Request
Message-ID:  <20030112160558.GE348@nitro.dk>
In-Reply-To: <20030108145020.GA15778@smnolde.com>
References:  <20030108145020.GA15778@smnolde.com>

On 2003.01.08 09:50:20 +0000, Scott M. Nolde wrote:

> Has there been consideration to make a "relative skip" function similar to
> skipto, where the number of rules are skipped relative to the rule itself?
I found this could be useful, so I have implemented it in my own firewall
script to get functionality like this:

fwcmd_add deny ip from 10.0.0.0/8 to any
fwcmd_add skipto ${rule_skip_1} ip from 192.168.1.0/24 to any
fwcmd_add deny ip from 192.168.0.0/16 to any
fwcmd_add count ip from any to any

When run, this gives:

add 500 deny ip from 10.0.0.0/8 to any
add 510 skipto 530 ip from 192.168.1.0/24 to any
add 520 deny ip from 192.168.0.0/16 to any
add 530 count ip from any to any

It is not perfect but it works...

The implementation is not complete yet but you can get the idea:

is_num() {
    # True if the arguments form an integer that expr can add 1 to
    expr "$*" + 1 >/dev/null 2>&1
    return $?
}

fwcmd=${fwcmd:-/sbin/ipfw} # ipfw binary (default assumed here; the surrounding script sets it)
rule_first=500
rule_inc=10 # How much to inc per rule
rule_next=${rule_first} # The next rule to use
# Add a firewall rule
fwcmd_add() {
    # Check if we have a rule number
    if is_num "$1"; then
        rule_next=$1
        shift
    fi

    ${fwcmd} add ${rule_next} "$@"

    rule_next=$((${rule_next} + ${rule_inc}))

    # Note: these are a bit odd since they are used by the next rule
    # Warning: These will FAIL if an absolute rule nr is used in one of
    # the rules before the one being skipped to
    rule_skip_1=$((${rule_next} + ${rule_inc} * 2))
    rule_skip_2=$((${rule_next} + ${rule_inc} * 3))
    rule_skip_3=$((${rule_next} + ${rule_inc} * 4))
}

-- 
Simon L. Nielsen
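An added example that is not part of Simon's mail or of ipfw itself: a two-pass variant of the same fwcmd_add idea in which the relative skip is resolved only after every rule number is known, so an absolute rule number placed between the skipto and its target no longer desynchronises the target (the failure mode the warning in the script describes). The placeholder syntax @skip+N and the function names are invented here, and fwcmd defaults to echo so the script can be dry-run offline.

```shell
#!/bin/sh
# Added example, not from the original mail. Pass 1 assigns rule numbers
# (absolute ones included) and keeps the @skip+N placeholder; pass 2 replaces
# it with the number of the rule reached after skipping N rules, whatever
# numbers those rules ended up with.
fwcmd=${fwcmd:-echo}          # dry run by default; set to /sbin/ipfw to apply
rule_inc=${rule_inc:-10}
rule_next=${rule_first:-500}
rules=""                      # collected "<number> <rule body>" lines
nl='
'

is_num() {
    expr "$*" + 1 >/dev/null 2>&1
}

# Pass 1: record the rule with its number; an absolute number may come first.
fw_collect() {
    if is_num "$1"; then
        rule_next=$1
        shift
    fi
    rules="${rules}${rule_next} $*${nl}"
    rule_next=$((rule_next + rule_inc))
}

# Pass 2: print the rules with every @skip+N resolved to a real rule number.
fw_resolve() {
    printf '%s' "$rules" | awk '
        { num[NR] = $1; line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                l = line[i]
                if (match(l, /@skip[+][0-9]+/)) {
                    n = substr(l, RSTART + 6, RLENGTH - 6)
                    t = i + n + 1        # skip N rules after this one
                    if (t > NR) t = NR   # clamp to the last rule
                    sub(/@skip[+][0-9]+/, num[t], l)
                }
                print l
            }
        }'
}

# Hand the resolved rules to ipfw (or to echo for a dry run).
fw_apply() {
    fw_resolve | while read -r line; do
        $fwcmd add $line
    done
}
```

With the four rules from the mail collected via fw_collect (the skipto written as "skipto @skip+1 ...") and the third rule given the absolute number 525, fw_apply prints "add 510 skipto 535 ..." instead of a stale 530.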

