From 3004afca6e3d29b37e38ec044e76e26481e364f0 Mon Sep 17 00:00:00 2001
From: Luigi Rizzo
Date: Tue, 15 Jul 2003 23:08:44 +0000
Subject: [PATCH] Userland side of: Allow set 31 to be used for rules other than 65535. Set 31 is still special because rules belonging to it are not deleted by the "ipfw flush" command, but must be deleted explicitly with "ipfw delete set 31" or by individual rule numbers. This implement a flexible form of "persistent rules" which you might want to have available even after an "ipfw flush". Note that this change does not violate POLA, because you could not use set 31 in a ruleset before this change.
Suggested by: Paul Richards
---
 sbin/ipfw/ipfw.8 | 18 +++++++++++++-----
 sbin/ipfw/ipfw2.c | 18 +++++++++---------
 2 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 39dc69e36c50..22dc548d7b46 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -124,7 +124,7 @@ An
 .Nm
 ruleset always includes a
 .Em default
-rule (numbered 65535) which cannot be modified,
+rule (numbered 65535) which cannot be modified or deleted,
 and matches all packets. The action associated with the
 .Em default
@@ -171,7 +171,7 @@ Rules can be added with the
 .Cm add
 command; deleted individually or in groups with the
 .Cm delete
-command, and globally with the
+command, and globally (except those in set 31) with the
 .Cm flush
 command; displayed, optionally with the content of the counters, using the 
@@ -482,14 +482,22 @@ non-default value is used instead.
 .It Cm set Ar set_number
 Each rule is associated with a
 .Ar set_number
-in the range 0..31, with the latter reserved for the
-.Em default
-rule.
+in the range 0..31.
 Sets can be individually disabled and enabled, so this parameter is of fundamental importance for atomic ruleset manipulation. It can be also used to simplify deletion of groups of rules. If a rule is entered without specifying a set number, set 0 will be used.
+.br
+Set 31 is special in that it cannot be disabled,
+and rules in set 31 are not deleted by the
+.Nm ipfw flush
+command (but you can delete them with the
+.Nm ipfw delete set 31
+command).
+Set 31 is also used for the
+.Em default
+rule.
 .It Cm prob Ar match_probability
 A match is only declared with the specified probability (floating point number between 0 and 1).
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 91761bcbcd77..57349e29ea6a 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -1561,13 +1561,13 @@ sets_handler(int ac, char *av[])
 bcopy(&((struct ip_fw *)data)->next_rule, &set_disable, sizeof(set_disable));
- for (i = 0, msg = "disable" ; i < 31; i++)
+ for (i = 0, msg = "disable" ; i < RESVD_SET; i++)
 if ((set_disable & (1< 30)
+ if (!isdigit(*(av[0])) || rulenum > RESVD_SET)
 errx(EX_DATAERR, "invalid set number %s\n", av[0]);
- if (!isdigit(*(av[1])) || new_set > 30)
+ if (!isdigit(*(av[1])) || new_set > RESVD_SET)
 errx(EX_DATAERR, "invalid set number %s\n", av[1]);
 masks[0] = (4 << 24) | (new_set << 16) | (rulenum);
 i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t)); 
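Review bot: The two `set swap` operand checks now accept 31 (`rulenum > RESVD_SET` and `new_set > RESVD_SET`), so `ipfw set swap 31 N` is passed to the kernel, and unless the kernel-side counterpart (not in this diff) pins rule 65535, the default rule is relabelled into set N and loses the flush protection that this commit's ipfw.8 hunk describes for set 31. The listing loop a few lines above deliberately stops at `i < RESVD_SET`, so the same exclusion seems intended here: `if (!isdigit(*(av[0])) || rulenum >= RESVD_SET)` and the same for `new_set`, or else a comment saying that moving the default rule out of set 31 is deliberate. Note that part of this hunk is garbled in this copy (the text between `(1<` and `30)` is missing), so only the surviving lines were reviewed. sets_handler begins and ends outside the hunk.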
@@ -1596,10 +1596,10 @@ sets_handler(int ac, char *av[])
 errx(EX_USAGE, "syntax: set move [rule] X to Y\n");
 rulenum = atoi(av[0]);
 new_set = atoi(av[2]);
- if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > RESVD_SET) ||
 (cmd == 2 && rulenum == 65535) )
 errx(EX_DATAERR, "invalid source number %s\n", av[0]);
- if (!isdigit(*(av[2])) || new_set > 30)
+ if (!isdigit(*(av[2])) || new_set > RESVD_SET)
 errx(EX_DATAERR, "invalid dest. set %s\n", av[1]);
 masks[0] = (cmd << 24) | (new_set << 16) | (rulenum);
 i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
@@ -1613,7 +1613,7 @@ sets_handler(int ac, char *av[])
 while (ac) {
 if (isdigit(**av)) {
 i = atoi(*av);
- if (i < 0 || i > 30)
+ if (i < 0 || i > RESVD_SET)
 errx(EX_DATAERR, "invalid set number %d\n", i);
 masks[which] |= (1< 1 && !strncmp(*av, "set", strlen(*av))) {
 int set = strtoul(av[1], NULL, 10);
- if (set < 0 || set > 30)
+ if (set < 0 || set > RESVD_SET)
 errx(EX_DATAERR, "illegal set %s", av[1]);
 rule->set = set;
 av += 2;
 ac -= 2;
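Review bot: For `set move` (cmd == 3) the source-set bound is now `rulenum > RESVD_SET`, so `ipfw set move 31 to N` is accepted and the kernel-side move (not in this diff) would presumably relabel every rule in set 31, including default rule 65535 which this commit's manpage hunk says lives in set 31; the per-rule path (cmd == 2) explicitly refuses 65535, so the set path should be equally strict: `(cmd == 3 && rulenum >= RESVD_SET) ||`. Separately, the `invalid dest. set` errx reports the wrong token: `new_set` is parsed from `av[2]` but the message prints `av[1]` (the literal `to`); it should be `errx(EX_DATAERR, "invalid dest. set %s\n", av[2]);`. The first `if` of this hunk is garbled in this copy (its `+` line is missing), and sets_handler continues outside the hunk.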
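Review bot: With the enable/disable bound raised to `i > RESVD_SET`, `ipfw set disable 31` now passes the command-line check, yet the ipfw.8 hunk in this same commit states that set 31 cannot be disabled; unless the kernel masks bit 31 out of set_disable (not visible here), this disables the set holding the default rule, and even if it does, the user gets a silent no-op instead of an error. Since the `show` loop in the earlier hunk keeps the exclusive bound `i < RESVD_SET`, this path should too: `if (i < 0 || i >= RESVD_SET)` with a comment `/* set 31 (RESVD_SET) can never be disabled */`. The shift that follows, `(1<<i)` as far as this truncated copy shows, is also undefined for i == 31 with a plain `1` literal on a 32-bit int, so `1U << i` would be safer if 31 is ever allowed through. The tail of this hunk is missing from this copy and the enclosing while loop continues past it.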