Michal Mertl wrote:
> In IPFW (and I believe some Linux packet filtering package does it the
> same way) you don't supply the controlling program with a list of rules
> (but you can do that). The original way (I believe) was to invoke the
> program once for each rule in the ruleset. The rule numbering by default
> is sparse; you can insert and delete the rules at any position in the
> list. The rule number you or the program assigns to the rule stays in
> the kernel and you can rely on it. I don't want to flush all the rules and
> lose counters and state and whatnot just to modify some netmask or such.
In ipfilter, you can likewise insert and delete the rules at any position in the list without flushing all the rules. But note that the rule numbers are not assigned to the rules but are just sequence numbers, separately counted for "in" and "out" and for each group. Thus to insert a rule, first call ipfstat -in (or -on) and look for the place where the rule should be inserted, say, at place N. Then do:

    echo '@N RULE' | ipf -f -

(This does not overwrite the old rule N but shifts the old N to N+1 etc.) To remove a rule, it suffices to do

    echo 'RULE' | ipf -r -f -

The number may be given but is not necessary since the RULE is usually of unique form.
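The procedure above, scripted, as an added example that is not part of the original mail: take the numbered listing that ipfstat -in (or -on) prints, find the sequence number N of the rule the new one should sit in front of, and build the "echo '@N RULE' | ipf -f -" and "echo 'RULE' | ipf -r -f -" commands. The listing used here is a constructed sample in the "@N rule" shape that ipfstat -n prints; on a real host substitute "$(ipfstat -in)" or "$(ipfstat -on)" for the direction the rule belongs to. The preview function only mimics the shift of N to N+1 described in the mail; it does not talk to the kernel.

```shell
#!/bin/sh
# Added example (not from the original mail, not ipfilter's own tooling).
# Constructed sample of "ipfstat -in" output; replace with "$(ipfstat -in)"
# or "$(ipfstat -on)" depending on whether the rule is an "in" or "out" rule.
SAMPLE_IPFSTAT_IN='@1 pass in quick on lo0 all
@2 block in quick from 10.0.0.0/8 to any
@3 pass in quick proto tcp from any to any port = 22 flags S keep state
@4 block in all'

# find_slot LISTING PATTERN
# Print the sequence number of the first rule whose text contains PATTERN
# (a fixed string). Inserting at that number puts the new rule in front of
# it; that rule and everything after it shift up by one. Prints nothing when
# no rule matches. Recompute this before every insert: the numbers are
# positions, not identifiers, and change after each insert or remove.
find_slot() {
    printf '%s\n' "$1" | grep -F -- "$2" | head -n 1 |
        sed -n 's/^@\([0-9][0-9]*\) .*/\1/p'
}

# insert_cmd N RULE
# The shell command that inserts RULE at position N. RULE must not contain a
# single quote (ipfilter rule syntax never needs one).
insert_cmd() {
    printf "echo '@%s %s' | ipf -f -\n" "$1" "$2"
}

# remove_cmd RULE
# The shell command that removes the rule with exactly this text; no number
# is needed because ipf -r matches on the rule itself.
remove_cmd() {
    printf "echo '%s' | ipf -r -f -\n" "$1"
}

# preview_insert LISTING N RULE
# Show what the listing looks like once RULE is inserted at N: the new rule
# takes number N and every rule that was at N or later moves up by one.
# N must be a number present in LISTING (as find_slot returns).
preview_insert() {
    printf '%s\n' "$1" | awk -v n="$2" -v rule="$3" '
        {
            num  = substr($1, 2) + 0            # "@3" -> 3
            rest = substr($0, length($1) + 2)   # rule text after "@N "
            if (num == n) print "@" n " " rule
            if (num >= n) print "@" (num + 1) " " rest
            else          print $0
        }'
}

# Worked run: put a narrower ssh rule in front of the existing "port = 22" rule.
NEWRULE='pass in quick proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state'
N=$(find_slot "$SAMPLE_IPFSTAT_IN" 'port = 22')
echo "# insert in front of rule $N:"
insert_cmd "$N" "$NEWRULE"
echo "# listing as it would look afterwards:"
preview_insert "$SAMPLE_IPFSTAT_IN" "$N" "$NEWRULE"
echo "# and to take it out again:"
remove_cmd "$NEWRULE"
```

The script only prints the ipf commands; review them and pipe the output to sh on the firewall host. Because "in", "out" and each group are numbered separately, the listing fed to find_slot must be the one for the rule's own direction and group, and the number must be looked up again immediately before each insert, since an earlier insert or removal has already renumbered everything after it.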
