Hans Werner Strube wrote:
> Michal Mertl wrote:
> > In IPFW (and I believe some Linux packet filtering package does it the
> > same way) you don't supply the controlling program with a list of rules
> > (but you can do that). The original way (I believe) was to invoke the
> > program once for each rule in the ruleset. The rule numbering by default
> > is sparse; you can insert and delete the rules at any position in the
> > list. The rule number you or the program assigns to the rule stays in
> > the kernel and you can rely on it. I don't want to flush all the rules and
> > lose counters and state and whatnot just to modify some netmask or such.
>
> In ipfilter, you can likewise insert and delete the rules at any position
> in the list without flushing all the rules. But note that the rule numbers
> are not assigned to the rules but are just sequence numbers, separately
> counted for "in" and "out" and for each group. Thus to insert a rule, first
> call ipfstat -in (or -on) and look for the place where the rule should be
> inserted, say, at place N. Then do:
>
> echo '@N RULE' | ipf -f -
>
> (This does not overwrite the old rule N but shifts the old N to N+1 etc.)
> To remove a rule, it suffices to do
>
> echo 'RULE' | ipf -r -f -
>
> The number may be given but is not necessary since the RULE is usually
> of unique form.
I see. In fact that is what I thought I was also testing, but now it works :-). Operator error, I suppose. I like the fixed rule numbers more, but this is good enough for most purposes.

One of my uses of ipfw is using it as a basis for simple accounting. I use ipa (http://ipa-system.sourceforge.net/) for the task. In its configuration one uses rule numbers to specify what firewall rules to store accounting information for. If I used ipfilter with ipa and had changing rules in ipfilter, it would be painful to keep the ipa configuration in sync.

I'd like to hear what you all think about changing ipfilter a bit to store some rule number in the rule itself. I understand we would probably have to do that to maintain backwards compatibility.

Thank you.

Michal
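The difference the thread turns on (ipfilter numbers are positions that shift on insert, ipfw numbers are stable and sparse) and why that matters for a tool like ipa that references rules by number can be made concrete with a small model. The following is an added illustration, not code from the thread, from ipfilter, ipfw or ipa; it simulates the two numbering schemes in plain Python (no ipf binary is called), the rule texts and the 192.0.2.0/24 block rule are constructed sample values, and the scenario names (web, ssh) are assumptions.

```python
"""Model of the two rule-numbering schemes discussed in the thread (added
illustration, not ipfilter/ipfw/ipa code).

- SequenceNumberedRules (ipfilter-like): a rule's number is just its 1-based
  position in the list, so '@N RULE' inserts at N and shifts old N to N+1.
- FixedNumberedRules (ipfw-like): every rule carries its own sparse number
  that stays put when other rules are added or removed.

Both keep per-rule counters across insert/delete (no flush needed); only the
fixed scheme keeps an external reference by number pointing at the same rule.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    text: str          # the rule body as it would be fed to ipf -f -
    packets: int = 0   # per-rule counter, preserved across insert/delete


class SequenceNumberedRules:
    """ipfilter-like: numbers are positions, recomputed after every change."""

    def __init__(self):
        self.rules = []

    def load(self, texts):
        for t in texts:
            self.rules.append(Rule(t))

    def number_of(self, text):
        # what 'ipfstat -in' would show as the rule's current number
        for i, r in enumerate(self.rules, start=1):
            if r.text == text:
                return i
        return None

    def insert(self, n, text):
        # echo '@N RULE' | ipf -f -  : new rule becomes N, old N becomes N+1
        self.rules.insert(n - 1, Rule(text))

    def remove(self, text):
        # echo 'RULE' | ipf -r -f -  : matched by rule text, number optional
        self.rules = [r for r in self.rules if r.text != text]

    def rule(self, n):
        return self.rules[n - 1]


class FixedNumberedRules:
    """ipfw-like: sparse, explicit numbers that never shift."""

    def __init__(self):
        self.rules = {}  # number -> Rule

    def add(self, n, text):
        if n in self.rules:
            raise ValueError("rule number %d already in use" % n)
        self.rules[n] = Rule(text)

    def remove(self, n):
        del self.rules[n]

    def rule(self, n):
        return self.rules[n]


def accounting_drift():
    """Scenario from the thread: an accounting config references the rule
    that counts web traffic by number, then a rule is inserted in front."""
    # constructed sample rules
    ssh = "pass in quick on em0 proto tcp from any to any port = 22"
    web = "pass in quick on em0 proto tcp from any to any port = 80"
    block = "block in quick on em0 from 192.0.2.0/24 to any"

    ipf = SequenceNumberedRules()
    ipf.load([ssh, web])
    ref_ipf = ipf.number_of(web)            # accounting config stores 2
    ipf.rule(ref_ipf).packets += 100        # traffic counted so far
    ipf.insert(1, block)                    # '@1 block ...' shifts web to 3
    ipf_ref_still_web = ipf.rule(ref_ipf).text == web
    ipf_web_now = ipf.number_of(web)
    ipf_counter = ipf.rule(ipf_web_now).packets  # counter survived the insert
    ipf.remove(block)                       # removal by text restores positions
    ipf_web_after_remove = ipf.number_of(web)

    ipfw = FixedNumberedRules()
    ipfw.add(100, ssh)
    ipfw.add(200, web)                      # accounting config stores 200
    ipfw.rule(200).packets += 100
    ipfw.add(50, block)                     # lower number, nothing shifts
    ipfw_ref_still_web = ipfw.rule(200).text == web

    return {
        "ipf_ref": ref_ipf,
        "ipf_ref_still_web": ipf_ref_still_web,
        "ipf_web_now": ipf_web_now,
        "ipf_counter": ipf_counter,
        "ipf_web_after_remove": ipf_web_after_remove,
        "ipfw_ref_still_web": ipfw_ref_still_web,
        "ipfw_counter": ipfw.rule(200).packets,
    }


if __name__ == "__main__":
    for k, v in accounting_drift().items():
        print(k, v)
```

Running it shows that in the position-numbered model the accounting reference "rule 2" silently starts pointing at the ssh rule after a single insert in front of it, while the fixed-number model keeps 200 bound to the web rule; in both models the counters on untouched rules survive, which is the property both posters want to preserve.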
