Date: Wed, 21 Mar 2001 12:44:16 +0200
From: Ruslan Ermilov <ru@FreeBSD.org>
To: Paul Richards <paul@freebsd-services.co.uk>
Cc: ipfw@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID: <20010321124416.A57754@sunbay.com>
In-Reply-To: <3AB87255.B0D4EF02@freebsd-services.co.uk>; from paul@freebsd-services.co.uk on Wed, Mar 21, 2001 at 09:20:21AM +0000
References: <200103210819.f2L8JWm19214@freefall.freebsd.org> <20010321105412.B47802@sunbay.com> <3AB87255.B0D4EF02@freebsd-services.co.uk>
On Wed, Mar 21, 2001 at 09:20:21AM +0000, Paul Richards wrote:
> Move to developers.
>
[Redirected to -ipfw, see Committer's Guide for -developers usage rules]

> Ruslan Ermilov wrote:
> >
> > On Wed, Mar 21, 2001 at 12:19:32AM -0800, Paul Richards wrote:
> > > paul        2001/03/21 00:19:32 PST
> > >
> > >   Modified files:
> > >     sys/netinet          ip_fw.c
> > >   Log:
> > >   Only flush rules that have a rule number above that set by a new
> > >   sysctl, net.inet.ip.fw.permanent_rules.
> > >
> > >   This allows you to install rules that are persistent across flushes,
> > >   which is very useful if you want a default set of rules that
> > >   maintains your access to remote machines while you're reconfiguring
> > >   the other rules.
> > >
> > >   Reviewed by:    Mark Murray <markm@FreeBSD.org>
> > >
> > You asked for a review and committed this while many of us were asleep!
>
> There are always people asleep in the project. This wasn't a major
> architectural change, I just thought it worthwhile for a second pair of
> eyes to look it over and Mark's more than qualified for that.
>
> > What I would really prefer is if we had a flag that marked individual
> > rules as permanent. Then the flush command would skip these rules, and
> > another flush command would ignore this flag.
>
> I thought about that first, but there's no bits left in the flag.
>
Really? 0x80000000 is unused. Or, alternatively, you may change the
IP_FW_F_COMMAND to 0x0000007F (we are unlikely to have more than 128
actions) and use 0x00000080. I propose the name IP_FW_F_PINNED.

> This solution has minimal impact on the implementation whereas changing the
> structure is a lot more intrusive. I'd also have had to fix the userland
> parser to recognise a token for persistent rules, whereas a sysctl was
> also a minimal impact change.
>
I think you should back this out and reimplement this. I can do this,
if you wish. :-)

> One thing I did think would be useful though is being able to pass a
> range to flush, i.e. ipfw flush 1000-1999.
>
Nope, the flush command should flush all rules, and probably also check
the IP_FW_F_PINNED bit in the flags. If the latter is set, it should
delete pinned rules as well. The same should be done for "delete".


Cheers,
--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
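The two designs argued over in this message, side by side, as an added example that is not part of the original thread and is not FreeBSD's ip_fw.c: a per-rule pinned bit packed next to the action field (the 0x7F command mask and 0x80 pinned bit proposed above), versus the committed sysctl threshold. All struct, macro and function names (FW_F_COMMAND, FW_F_PINNED, struct fw_rule, fw_flush, fw_flush_threshold) are hypothetical, and the rule table is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model, not FreeBSD's ip_fw.c; every name here is hypothetical.
 * Bit layout follows the mail's suggestion: the low 7 bits carry the action
 * (at most 128 actions), bit 7 marks a pinned rule, so the two never overlap.
 */
#define FW_F_COMMAND 0x0000007Fu   /* mask for the rule action */
#define FW_F_PINNED  0x00000080u   /* rule survives an ordinary flush */

enum fw_action { FW_ACT_DENY = 1, FW_ACT_ALLOW = 2 };

struct fw_rule {
    uint16_t number;   /* ipfw rule number, 1..65535 */
    uint32_t flags;    /* action in the FW_F_COMMAND bits, plus FW_F_PINNED */
    bool     live;     /* slot holds an installed rule */
};

#define FW_NRULES 4

/* The action is whatever sits under the command mask; the pinned bit is ignored. */
unsigned fw_action_of(uint32_t flags)
{
    return flags & FW_F_COMMAND;
}

/* Sanity check on the bit layout: the pinned bit must lie outside the action mask. */
int fw_layout_ok(void)
{
    return (FW_F_COMMAND & FW_F_PINNED) == 0 && FW_F_PINNED > FW_F_COMMAND;
}

/* Constructed rule set: two pinned "keep my remote access" rules, two ordinary ones. */
void fw_sample(struct fw_rule *r)
{
    r[0] = (struct fw_rule){ 100,   FW_ACT_ALLOW | FW_F_PINNED, true };
    r[1] = (struct fw_rule){ 200,   FW_ACT_DENY,                true };
    r[2] = (struct fw_rule){ 5000,  FW_ACT_ALLOW | FW_F_PINNED, true };
    r[3] = (struct fw_rule){ 65000, FW_ACT_DENY,                true };
}

size_t fw_count_live(const struct fw_rule *r, size_t n)
{
    size_t live = 0;
    for (size_t i = 0; i < n; i++)
        if (r[i].live)
            live++;
    return live;
}

/*
 * Flag design (the mail's proposal): flush removes every rule except those
 * carrying FW_F_PINNED; a flush issued with the pinned bit itself (force)
 * removes those too. Returns the number of rules removed.
 */
size_t fw_flush(struct fw_rule *r, size_t n, bool force)
{
    size_t removed = 0;
    for (size_t i = 0; i < n; i++) {
        if (!r[i].live)
            continue;
        if ((r[i].flags & FW_F_PINNED) && !force)
            continue;
        r[i].live = false;
        removed++;
    }
    return removed;
}

/* Same rule for "delete": a pinned rule goes away only when force is set. */
bool fw_delete(struct fw_rule *r, size_t n, uint16_t number, bool force)
{
    for (size_t i = 0; i < n; i++) {
        if (!r[i].live || r[i].number != number)
            continue;
        if ((r[i].flags & FW_F_PINNED) && !force)
            return false;
        r[i].live = false;
        return true;
    }
    return false;
}

/*
 * Threshold design (the committed sysctl): every rule numbered above
 * permanent_rules is flushed, whatever its flags say, so a pinned rule
 * at 5000 is lost and an ordinary rule at 200 is kept.
 */
size_t fw_flush_threshold(struct fw_rule *r, size_t n, uint16_t permanent_rules)
{
    size_t removed = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].live && r[i].number > permanent_rules) {
            r[i].live = false;
            removed++;
        }
    }
    return removed;
}

int main(void)
{
    struct fw_rule r[FW_NRULES];
    size_t removed;

    fw_sample(r);
    removed = fw_flush(r, FW_NRULES, false);
    printf("flag design:      flush removed %zu, %zu pinned left\n",
           removed, fw_count_live(r, FW_NRULES));

    fw_sample(r);
    removed = fw_flush_threshold(r, FW_NRULES, 1000);
    printf("threshold design: flush removed %zu, %zu below 1000 left\n",
           removed, fw_count_live(r, FW_NRULES));
    return 0;
}
```

The point the model makes visible is the one raised in the thread: with the threshold, "permanent" is a property of the rule number range, so a rule you want to keep must be renumbered below the sysctl value, while with a flag bit any rule can be pinned in place and an explicit forced flush or delete is still able to remove it.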