Hello all.
I've got one question about IP Filter (I made all tests on IP Filter
v3.4.29, FreeBSD 4.7-STABLE).
Is it possible to intermix "in" and "out" rules in the following way?

    /* First syntax. */
    count in ... head xxx
    count out ... group xxx
    count out ... group xxx

Or:

    /* Second syntax. */
    count out ... head xxx
    count in ... group xxx
    count in ... group xxx

?
ipf(8) understands both syntaxes, but for the second syntax ipfstat(8)
outputs all rules as "out". I suppose this is because of the following
lines at the beginning of fils.c:printlist():

    if (opts & OPT_OUTQUE)
        fp->fr_flags |= FR_OUTQUE;

and because of the following lines in parse.c:printfr():

    if (fp->fr_flags & FR_OUTQUE)
        printf(" out ");
    else
        printf(" in ");
BTW: if one writes something incorrect in place of in/out, then ipfstat(8)
outputs such rules as "out".
I speak mostly about "count" rules, but the following can be said about
other types of rules as well.
There are two lists in struct friostat {}: f_acctin and f_acctout.
Each list represents first in/out rule in the default group (group 0).
If we read some struct frentry {} from the default group, then we expect
that fr_flags has FR_INQUE bit for "in" rule and FR_OUTQUE bit for
"out" rule.
When we follow fr_grp of some rule (that is, this rule is a "head"), then
should we expect the same for rules in the "group"? That is, if the "head"
of the group is FR_INQUE, then can some rule in the "group" have the FR_OUTQUE
bit in fr_flags (and vice versa)?
I will ask my question in other words: does it make sense to use "out"
rules in some "group" which has an "in" "head" (and vice versa)? (See the two
examples above.)
Thanks for your help.
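The following is an added example, not part of the original post and not code from the IP Filter sources. It is a small stand-in model of the two code paths the post quotes (the OR of FR_OUTQUE in printlist() and the direction test in printfr()) so the reported behaviour can be reproduced on a constructed copy of the "second syntax" group. The flag values, the `struct rule` type, the option name and the alternative `direction_preserving()` routine are assumptions made for the demonstration; they are not the real `struct frentry` layout or an actual patch.

```c
/* Added example (not from IP Filter): models why an "out" head followed by
 * "in" group rules is printed entirely as "out" by ipfstat(8).
 * Flag bits, OPT_OUTQUE and struct rule are assumed stand-ins. */
#include <stdio.h>
#include <string.h>

#define FR_INQUE   0x01   /* assumed bit: rule was written as "in"  */
#define FR_OUTQUE  0x02   /* assumed bit: rule was written as "out" */
#define OPT_OUTQUE 0x01   /* assumed: printlist() is walking the out list */

struct rule {               /* assumed stand-in for struct frentry */
    unsigned int fr_flags;  /* FR_INQUE and/or FR_OUTQUE */
    const char *text;       /* the rule as written, for the demonstration */
};

/* Mirrors the quoted printfr() test: only FR_OUTQUE decides the direction. */
static const char *direction_from_flags(unsigned int fr_flags)
{
    return (fr_flags & FR_OUTQUE) ? "out" : "in";
}

/* Mirrors the quoted printlist() lines: while the out list is being printed,
 * FR_OUTQUE is OR'ed into every rule before printfr() looks at it.
 * Like the original, this rewrites fr_flags in place. */
static const char *direction_as_printed(struct rule *fp, int opts)
{
    if (opts & OPT_OUTQUE)
        fp->fr_flags |= FR_OUTQUE;
    return direction_from_flags(fp->fr_flags);
}

/* Assumed alternative (not a project patch): decide from the rule's own bits
 * and never modify them, so an "in" rule under an "out" head stays "in". */
static const char *direction_preserving(const struct rule *fp, int opts)
{
    (void)opts;  /* which list is being walked does not change the rule */
    if (fp->fr_flags & FR_INQUE)
        return "in";
    if (fp->fr_flags & FR_OUTQUE)
        return "out";
    return "in";  /* keep the original fallback for a rule with neither bit */
}

/* Walk a constructed copy of the post's second syntax and return how many
 * group rules are printed with a direction other than the one written. */
static int count_misreported_second_syntax(void)
{
    struct rule rules[] = {
        { FR_OUTQUE, "count out ... head xxx" },
        { FR_INQUE,  "count in ... group xxx" },
        { FR_INQUE,  "count in ... group xxx" },
    };
    int misreported = 0;
    size_t i;

    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        /* record the written direction before the flags get rewritten */
        const char *written = (rules[i].fr_flags & FR_INQUE) ? "in" : "out";
        /* the whole group is printed while the "out" list is being walked */
        const char *printed = direction_as_printed(&rules[i], OPT_OUTQUE);
        if (strcmp(written, printed) != 0)
            misreported++;
        printf("%-24s written %-3s printed %s\n", rules[i].text, written, printed);
    }
    return misreported;
}

int main(void)
{
    int n = count_misreported_second_syntax();
    printf("%d group rule(s) reported as \"out\" although written as \"in\"\n", n);
    return 0;
}
```

Running it prints both "in" group rules as "out", while the same rules walked without OPT_OUTQUE (the first syntax, where the head is "in") keep the direction they were written with, which is the asymmetry described above.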