Re: ipfw: several equal rules under same number bug

2001-04-30 Thread Lyndon Nerenberg

>>>>> "Andrey" == Andrey A Chernov [EMAIL PROTECTED] writes:

Andrey> I think it is a very counter-intuitive way; a better action would
Andrey> be to replace if the number is the same.

Nonsense. This is what 'add' and 'delete' are for.

Andrey> For example, ipfw delete takes a number as an argument; what
Andrey> rule is it supposed to delete if the number is the same?
Andrey> I.e. how can I delete a specific rule if all have the same
Andrey> number? Etc, etc.

You can't, in which case you shouldn't use that facility. However, for
those cases where you *do* want to act on a grouped set of rules,
sharing rule numbers provides that ability. For example, I have a set
of rules that count all in- and out-bound traffic to each IP address
on an internal network. All of these are under a single rule
number. This makes it trivial to do things like take periodic
snapshots of the counters:

  ipfw show 2000 > $somefile; ipfw reset 2000

This takes care of 512 individual rule entries in one simple
operation.


Now if you want to make some useful changes to ipfw, find someone to
commit the fix in bin/18550. And get rid of the needlessly verbose
usage message ipfw spits out when it fails to parse a command. It
would be a lot more useful if ipfw printed (only) the failed command.
At least I might have a chance of seeing what the error is, instead of
having the usage message cause any useful information to scroll off
the console while the machine boots.

--lyndon

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-current in the body of the message



Re: ipfw: several equal rules under same number bug

2001-04-29 Thread Nate Williams

> How it can be possible? ipfw -a l:
> 
> 07001   401680 deny tcp from any to any 7006
> 070010   0 deny tcp from any to any 7006
> 070010   0 deny tcp from any to any 7006
> 
> I use equal ipfw add several times from the script, but the rule number
> was the same all times. I expect that rule is replaced, not added with
> same number several times.
> 
> Who is our ipfw guru at this moment?

This is the way it's been since day one in ipfw.  A rule is not an
atomic entity, so you can have every rule in your entire list with the
same number if you so desire.



Nate




ipfw: several equal rules under same number bug

2001-04-28 Thread Andrey A. Chernov

How it can be possible? ipfw -a l:

07001   401680 deny tcp from any to any 7006
070010   0 deny tcp from any to any 7006
070010   0 deny tcp from any to any 7006

I use equal ipfw add several times from the script, but the rule number
was the same all times. I expect that rule is replaced, not added with
same number several times.

Who is our ipfw guru at this moment?

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: ipfw: several equal rules under same number bug

2001-04-28 Thread Rich Wales

Andrey A. Chernov wrote:

> I use equal ipfw add several times from the script, but
> the rule number was the same all times. I expect that rule
> is replaced, not added with same number several times.

No.  There can be multiple rules with the same number.  If you run
multiple ipfw add commands with the same number, they are stored
(and executed) in the order in which they were added.

Having multiple =identical= rules with the same number doesn't make
too much sense, since -- as you noticed -- the ones after the first
will never match (unless the rule has a count action, in which
case all of the identical rules will match).

Rich Wales [EMAIL PROTECTED] http://www.webcom.com/richw/


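The semantics described in this thread (Rich's point that several rules may share a number and are evaluated in insertion order, with identical terminating rules after the first never matching while count rules all tally; Lyndon's practice of grouping counters under one number and snapshotting them with show/reset; and Andrey's observation that delete takes only a number) can be made concrete with a small model. The following is an added toy model written for this page, not ipfw's own code or a copy of its behaviour in every detail: the rule and packet fields, the sample addresses, and the default-accept policy at the end of the chain are constructed assumptions for the demonstration.

```python
"""Toy model of the ipfw rule-list semantics discussed in the thread.

Constructed example, not ipfw's code: rules are kept in the order they
were added, several rules may share a number, evaluation is first-match
except that 'count' rules only tally and fall through, and 'delete N'
removes every rule numbered N. A packet is a constructed tuple
(proto, src, dst, dport, size).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str            # 'allow', 'deny' or 'count'
    proto: str             # 'tcp', 'udp' or 'ip' ('ip' matches any protocol)
    src: str               # host string or 'any'
    dst: str
    dport: Optional[int]   # None means any destination port
    packets: int = 0
    bytes: int = 0

    def matches(self, pkt):
        proto, src, dst, dport, _size = pkt
        return ((self.proto == "ip" or self.proto == proto)
                and self.src in ("any", src)
                and self.dst in ("any", dst)
                and (self.dport is None or self.dport == dport))


class RuleChain:
    def __init__(self):
        self.rules = []

    def add(self, number, action, proto, src, dst, dport=None):
        # Like 'ipfw add N ...': insert before the first rule with a higher
        # number, i.e. after any rules that already carry the same number.
        rule = Rule(number, action, proto, src, dst, dport)
        idx = len(self.rules)
        for i, r in enumerate(self.rules):
            if r.number > number:
                idx = i
                break
        self.rules.insert(idx, rule)
        return rule

    def delete(self, number):
        # 'ipfw delete N' names a number, not one of several rules sharing it,
        # so every rule with that number goes. Returns how many were removed.
        before = len(self.rules)
        self.rules = [r for r in self.rules if r.number != number]
        return before - len(self.rules)

    def process(self, pkt):
        # First matching terminating rule decides; 'count' rules fall through.
        for r in self.rules:
            if r.matches(pkt):
                r.packets += 1
                r.bytes += pkt[4]
                if r.action != "count":
                    return r.action
        return "allow"  # constructed default for the toy, not ipfw's rule 65535

    def show(self, number=None):
        # 'ipfw -a show [N]': (number, packets, bytes, action) per rule
        return [(r.number, r.packets, r.bytes, r.action)
                for r in self.rules if number is None or r.number == number]

    def reset(self, number=None):
        # 'ipfw reset [N]': zero the counters of every rule with that number
        for r in self.rules:
            if number is None or r.number == number:
                r.packets = r.bytes = 0


def andreys_case():
    # Three identical 'deny' rules under 7001: only the first ever matches.
    chain = RuleChain()
    for _ in range(3):
        chain.add(7001, "deny", "tcp", "any", "any", 7006)
    for _ in range(4):
        chain.process(("tcp", "10.0.0.5", "10.0.0.1", 7006, 40))
    return chain.show(7001)


def lyndons_case():
    # Per-host in/out counters grouped under 2000, snapshotted then reset.
    chain = RuleChain()
    for host in ("192.0.2.1", "192.0.2.2"):       # constructed sample hosts
        chain.add(2000, "count", "ip", host, "any")
        chain.add(2000, "count", "ip", "any", host)
    chain.add(3000, "allow", "ip", "any", "any")
    chain.process(("tcp", "192.0.2.1", "192.0.2.2", 80, 100))
    snapshot = chain.show(2000)
    chain.reset(2000)
    return snapshot, chain.show(2000)


def delete_case():
    # Two different rules share 7001; 'delete 7001' cannot pick just one.
    chain = RuleChain()
    chain.add(7001, "deny", "tcp", "any", "any", 7006)
    chain.add(7001, "deny", "tcp", "any", "any", 7007)
    return chain.delete(7001), chain.show()


if __name__ == "__main__":
    print(andreys_case())
    print(lyndons_case())
    print(delete_case())
```

In `andreys_case()` the counters land entirely on the first of the three identical rules, reproducing the listing in the original post; in `lyndons_case()` every count rule under 2000 that matches the packet tallies it, and a single `reset(2000)` clears the whole group; `delete_case()` shows why Andrey objects: removing by number takes both rules.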



Re: ipfw: several equal rules under same number bug

2001-04-28 Thread Andrey A. Chernov

On Sat, Apr 28, 2001 at 20:21:36 -0700, Rich Wales wrote:
> Andrey A. Chernov wrote:
> 
> > I use equal ipfw add several times from the script, but
> > the rule number was the same all times. I expect that rule
> > is replaced, not added with same number several times.
> 
> No.  There can be multiple rules with the same number.  If you run
> multiple ipfw add commands with the same number, they are stored
> (and executed) in the order in which they were added.
> 
> Having multiple =identical= rules with the same number doesn't make
> too much sense, since -- as you noticed -- the ones after the first
> will never match (unless the rule has a count action, in which
> case all of the identical rules will match).

I think it is a very counter-intuitive way; a better action would be to
replace if the number is the same. We have _enough_ numbers to not compact
rules in such a bad manner.

For example, ipfw delete takes a number as an argument; what rule is it
supposed to delete if the number is the same? I.e. how can I delete a
specific rule if all have the same number? Etc, etc.

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: ipfw: several equal rules under same number bug

2001-04-28 Thread David Wolfskill

Date: Sun, 29 Apr 2001 08:11:32 +0400
From: Andrey A. Chernov [EMAIL PROTECTED]

I think it is a very counter-intuitive way; a better action would be to
replace if the number is the same. We have _enough_ numbers to not compact
rules in such a bad manner.

For example, ipfw delete takes a number as an argument; what rule is it
supposed to delete if the number is the same? I.e. how can I delete a
specific rule if all have the same number? Etc, etc.

I understand your stated concern, but the proposed solution is, to me,
worse.

I have at least one application where I generate ipfw rules in a script,
for a set of subnets which I read from a file at execution time.  I am
able to use the numbers to group the firewall rules, so that for any
given subnet, I can predict the order in which the rules will be
applied.  But since I don't really know the subnets until the script is
running, I would need to make the script far more complicated if we required
that each ipfw rule were uniquely numbered.  (And since I want to get
the ipfw rules in place very early in the boot sequence, additional
complication is not exactly what appeals to me.)

That said, I (personally) wouldn't have an objection to a mechanism
(such as a sysctl) that would determine which of the two ways ipfw would
behave, as long as I could retain the current behavior.  I wouldn't even
mind (again, for myself) if the default were to be changed to be the way
you suggest.

Cheers,
david
-- 
David H. Wolfskill  [EMAIL PROTECTED]
As a computing professional, I believe it would be unethical for me to
advise, recommend, or support the use (save possibly for personal
amusement) of any product that is or depends on any Microsoft product.




Re: ipfw: several equal rules under same number bug

2001-04-28 Thread Andrey A. Chernov

On Sat, Apr 28, 2001 at 21:22:59 -0700, David Wolfskill wrote:
> I have at least one application where I generate ipfw rules in a script,
> for a set of subnets which I read from a file at execution time.  I am
> able to use the numbers to group the firewall rules, so that for any
> given subnet, I can predict the order in which the rules will be
> applied.

In the situation you describe you can _add_ rules without any harm, but you
can't _delete_ some of them later - it causes totally unpredictable
results, i.e. the delete operation really does not work in the current way.
A better way would be to give all subnets unique number ranges.

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: ipfw: several equal rules under same number bug

2001-04-28 Thread David Wolfskill

Date: Sun, 29 Apr 2001 08:42:20 +0400
From: Andrey A. Chernov [EMAIL PROTECTED]

On Sat, Apr 28, 2001 at 21:22:59 -0700, David Wolfskill wrote:
> I have at least one application where I generate ipfw rules in a script,
> for a set of subnets which I read from a file at execution time.  I am
> able to use the numbers to group the firewall rules, so that for any
> given subnet, I can predict the order in which the rules will be
> applied.

In the situation you describe you can _add_ rules without any harm, but you
can't _delete_ some of them later - it causes totally unpredictable
results, i.e. the delete operation really does not work in the current way.
A better way would be to give all subnets unique number ranges.

Well, in that situation, the rules are sufficiently complicated that I'd
modify the script or the input list of netmask specifications, and
re-run the whole thing.  :-}

How about a syntax for being able to specify which instantiation of a
given ipfw rule number you mean, and a corresponding change to the code
to iterate through those instantiations until that one is encountered?
(You can probably tell I haven't actually looked at the code.)

Cheers,
david
-- 
David H. Wolfskill  [EMAIL PROTECTED]
As a computing professional, I believe it would be unethical for me to
advise, recommend, or support the use (save possibly for personal
amusement) of any product that is or depends on any Microsoft product.
