Userland side of:

Allow set 31 to be used for rules other than 65535.
Set 31 is still special because rules belonging to it are not deleted
by the "ipfw flush" command, but must be deleted explicitly with
"ipfw delete set 31" or by individual rule numbers.

This implements a flexible form of "persistent rules" which you might
want to have available even after an "ipfw flush".
Note that this change does not violate POLA, because you could not
use set 31 in a ruleset before this change.

Suggested by: Paul Richards
This commit is contained in:
Luigi Rizzo 2003-07-15 23:08:44 +00:00
parent 4805529cf8
commit 3004afca6e
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=117655
2 changed files with 22 additions and 14 deletions


@ -124,7 +124,7 @@ An
.Nm
ruleset always includes a
.Em default
rule (numbered 65535) which cannot be modified,
rule (numbered 65535) which cannot be modified or deleted,
and matches all packets.
The action associated with the
.Em default
@ -171,7 +171,7 @@ Rules can be added with the
.Cm add
command; deleted individually or in groups with the
.Cm delete
command, and globally with the
command, and globally (except those in set 31) with the
.Cm flush
command; displayed, optionally with the content of the
counters, using the
@ -482,14 +482,22 @@ non-default value is used instead.
.It Cm set Ar set_number
Each rule is associated with a
.Ar set_number
in the range 0..31, with the latter reserved for the
.Em default
rule.
in the range 0..31.
Sets can be individually disabled and enabled, so this parameter
is of fundamental importance for atomic ruleset manipulation.
It can be also used to simplify deletion of groups of rules.
If a rule is entered without specifying a set number,
set 0 will be used.
.br
Set 31 is special in that it cannot be disabled,
and rules in set 31 are not deleted by the
.Nm ipfw flush
command (but you can delete them with the
.Nm ipfw delete set 31
command).
Set 31 is also used for the
.Em default
rule.
.It Cm prob Ar match_probability
A match is only declared with the specified probability
(floating point number between 0 and 1).


@ -1561,13 +1561,13 @@ sets_handler(int ac, char *av[])
bcopy(&((struct ip_fw *)data)->next_rule,
&set_disable, sizeof(set_disable));
for (i = 0, msg = "disable" ; i < 31; i++)
for (i = 0, msg = "disable" ; i < RESVD_SET; i++)
if ((set_disable & (1<<i))) {
printf("%s %d", msg, i);
msg = "";
}
msg = (set_disable) ? " enable" : "enable";
for (i = 0; i < 31; i++)
for (i = 0; i < RESVD_SET; i++)
if (!(set_disable & (1<<i))) {
printf("%s %d", msg, i);
msg = "";
@ -1579,9 +1579,9 @@ sets_handler(int ac, char *av[])
errx(EX_USAGE, "set swap needs 2 set numbers\n");
rulenum = atoi(av[0]);
new_set = atoi(av[1]);
if (!isdigit(*(av[0])) || rulenum > 30)
if (!isdigit(*(av[0])) || rulenum > RESVD_SET)
errx(EX_DATAERR, "invalid set number %s\n", av[0]);
if (!isdigit(*(av[1])) || new_set > 30)
if (!isdigit(*(av[1])) || new_set > RESVD_SET)
errx(EX_DATAERR, "invalid set number %s\n", av[1]);
masks[0] = (4 << 24) | (new_set << 16) | (rulenum);
i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
@ -1596,10 +1596,10 @@ sets_handler(int ac, char *av[])
errx(EX_USAGE, "syntax: set move [rule] X to Y\n");
rulenum = atoi(av[0]);
new_set = atoi(av[2]);
if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > 30) ||
if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > RESVD_SET) ||
(cmd == 2 && rulenum == 65535) )
errx(EX_DATAERR, "invalid source number %s\n", av[0]);
if (!isdigit(*(av[2])) || new_set > 30)
if (!isdigit(*(av[2])) || new_set > RESVD_SET)
errx(EX_DATAERR, "invalid dest. set %s\n", av[1]);
masks[0] = (cmd << 24) | (new_set << 16) | (rulenum);
i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
@ -1613,7 +1613,7 @@ sets_handler(int ac, char *av[])
while (ac) {
if (isdigit(**av)) {
i = atoi(*av);
if (i < 0 || i > 30)
if (i < 0 || i > RESVD_SET)
errx(EX_DATAERR,
"invalid set number %d\n", i);
masks[which] |= (1<<i);
@ -2750,10 +2750,10 @@ add(int ac, char *av[])
ac--;
}
/* [set N] -- set number (0..30), optional */
/* [set N] -- set number (0..RESVD_SET), optional */
if (ac > 1 && !strncmp(*av, "set", strlen(*av))) {
int set = strtoul(av[1], NULL, 10);
if (set < 0 || set > 30)
if (set < 0 || set > RESVD_SET)
errx(EX_DATAERR, "illegal set %s", av[1]);
rule->set = set;
av += 2; ac -= 2;
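Review bot: Raising the bound to RESVD_SET in the `set swap` and `set move` hunks of sets_handler makes set 31 a valid source and destination, and the man page in this same commit says set 31 also holds the default rule (65535); the `cmd == 2 && rulenum == 65535` guard only covers moving that rule by number, so a `set move 31 to N` (cmd == 3) would reassign the default rule to a flushable set unless the kernel side skips rule 65535 when renumbering a set, which is not visible here. Either rejecting 31 as the source in the `cmd == 3` branch or documenting the kernel guard in a comment on that check would settle it. In the same move hunk, the dest check `if (!isdigit(*(av[2])) || new_set > RESVD_SET)` reports the wrong argument in its message: `errx(EX_DATAERR, "invalid dest. set %s\n", av[2]);`. The `set N` hunk in add() stores `strtoul()` into an `int` and then tests `set < 0`, so an out-of-range token wraps before the comparison; parsing with `strtol` and checking `endptr` would make the new `set > RESVD_SET` bound meaningful. sets_handler and add both start and end outside these hunks.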