https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214980

--- Comment #1 from Kurt Lidl <l...@freebsd.org> ---
The relevant bit of the current blacklist-helper script:

        ipfw)
                # use $ipfw_offset+$port for rule number
                rule=$(($ipfw_offset + $6))
                tname="port$6"
                /sbin/ipfw table $tname create type addr 2>/dev/null
                /sbin/ipfw -q table $tname add "$addr/$mask"
                /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
                    any dst-port $6 && echo OK
                ;;

I think the problem is that the '-q' on the last line is forcing "quiet"
behaviour, and (I missed this when adapting the code from 'pf') it no
longer errors out on duplicate rules with the same number.

There are two different ways to address this that come to mind immediately:

1) Check to see if the rule exists before attempting to add it, and if
   it already exists, don't add it a second time.
2) Attempt to add the rule without -q, but with stderr redirected to /dev/null.
   I don't particularly like this, as it means that otherwise legitimate
   errors cannot be handled.

I'll take a stab at implementing #1 in the next few days.  (My dev machines
run 'pf'.)
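An added example, not part of the bug report or of the blacklist-helper script itself: a POSIX sh version of option 1, where the ipfw branch checks for the rule number before adding it, and drops '-q' from the add so that real errors are no longer masked. It assumes that `ipfw list RULE` exits non-zero when no rule with that number exists, takes its arguments positionally instead of the helper's `$3`/`$6`, and the names `rule_exists`/`add_block` and the `IPFW` override variable are the example's own.

```shell
#!/bin/sh
# Added example: idempotent variant of the blacklist-helper ipfw branch.
# IPFW can be pointed at a stand-in binary for testing; ipfw_offset keeps
# the helper's convention of rule number = offset + blocked port.
IPFW=${IPFW:-/sbin/ipfw}
ipfw_offset=${ipfw_offset:-2000}

# rule_exists RULE: succeed if ipfw already has a rule with that number.
# Assumption: "ipfw list N" exits non-zero when rule N does not exist.
rule_exists() {
    "$IPFW" list "$1" >/dev/null 2>&1
}

# add_block PROTO PORT ADDR MASK: block ADDR/MASK on PORT via table portPORT.
add_block() {
    proto=$1 port=$2 addr=$3 mask=$4
    rule=$((ipfw_offset + port))
    tname="port$port"
    # creating a table that already exists is not an error we care about
    "$IPFW" table "$tname" create type addr 2>/dev/null || :
    "$IPFW" -q table "$tname" add "$addr/$mask" || return 1
    if rule_exists "$rule"; then
        # option 1 from the report: the drop rule is already in place,
        # so do not add it a second time; the address is still in the table
        echo OK
        return 0
    fi
    # no -q here: a genuine failure (bad syntax, missing table) now
    # surfaces on stderr and as a non-zero exit instead of being hidden
    "$IPFW" add "$rule" drop "$proto" from "table($tname)" \
        to any dst-port "$port" && echo OK
}
```

Called as `add_block tcp 22 192.0.2.10 32` twice, the second call reports OK without issuing a second `ipfw add` for rule 2022.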

freebsd-amd64@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-amd64