Somewhere between versions 4.1.3 and 4.1.5 the ability to
insert rules at a specific point into a group seems to have
"gone away". The following shows the problem with 4.1.5:
bash-2.05b# ipf -I -Fa
bash-2.05b# ipfstat -Iion
empty list for inactive ipfilter(out)
empty list for inactive ipfilter(in)
bash-2.05b# ipf -I -f -
pass in quick all
pass out quick all
bash-2.05b# ipfstat -Iion
@1 pass out quick all
@1 pass in quick all
bash-2.05b# ipf -I -f -
@1 block in quick proto gre all
bash-2.05b# ipfstat -Iion
@1 pass out quick all
@1 pass in quick all
@2 block in quick proto gre from any to any
bash-2.05b#
which has "inserted" the "block" at the end instead of at the beginning.
while 4.1.3 (same machine and kernel, just a different loaded module) gives:
bash-2.05b# ipf -I -Fa
bash-2.05b# ipfstat -Iion
empty list for inactive ipfilter(out)
empty list for inactive ipfilter(in)
bash-2.05b# ipf -I -f -
pass in quick all
pass out quick all
bash-2.05b# ipfstat -Iion
@1 pass out quick all
@1 pass in quick all
bash-2.05b# ipf -I -f -
@1 block in quick proto gre all
bash-2.05b# ipfstat -Iion
@1 pass out quick all
@1 block in quick proto gre from any to any
@2 pass in quick all
bash-2.05b#
which has inserted the "block" rule in the right place.
I've had a look at the source code but it's not obvious what's
gone wrong.
--
David Pick
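An added regression check for the behaviour described above (not part of David Pick's report or of IPFilter itself; the function names are made up here): it parses `ipfstat -Iion` output and reports whether the rule loaded with `@1` actually landed at index 1, using the two listings quoted in the report as constructed samples.

```shell
# check_rule_index: read ipfstat output on stdin, find the first line containing
# the rule text in $1, and return 0 if that line carries the "@<index>" given in $2,
# 1 if the rule is present at another index, 2 if the rule is absent.
check_rule_index() {
    want="$1"; idx="$2"
    while IFS= read -r line; do
        case "$line" in
            *"$want"*)
                case "$line" in
                    "@$idx "*) return 0 ;;   # inserted where the "@N" asked for
                    *)         return 1 ;;   # present, but at the wrong position
                esac ;;
        esac
    done
    return 2                                 # rule never appeared in the listing
}

# Constructed sample: the 4.1.5 listing from the report (gre block ended up at @2).
SAMPLE_415='@1 pass out quick all
@1 pass in quick all
@2 block in quick proto gre from any to any'

# Constructed sample: the 4.1.3 listing from the report (gre block correctly at @1).
SAMPLE_413='@1 pass out quick all
@1 block in quick proto gre from any to any
@2 pass in quick all'

# gre_block_at_head: 0 when the "block in quick proto gre" rule sits at @1 in the
# given listing, non-zero otherwise. On a live box the same check is
#   ipfstat -Iion | check_rule_index "block in quick proto gre" 1
gre_block_at_head() {
    printf '%s\n' "$1" | check_rule_index "block in quick proto gre" 1
}

# Stand-alone run: report which of the two sample listings shows the regression.
for v in 413 415; do
    eval "listing=\$SAMPLE_$v"
    if gre_block_at_head "$listing"; then
        echo "sample $v: @1 insertion honoured"
    else
        echo "sample $v: rule NOT at @1 (insertion position lost)"
    fi
done
```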