IPFW rule sets and automatic rule numbering

Alexander V. Chernikov melifaro at FreeBSD.org
Sat Sep 13 18:37:12 UTC 2014


On 11.09.2014 19:01, Freddie Cash wrote:
> Good morning everyone,
>
> Just wondering if I'm doing things wrong, or if those two features (rule
> sets and auto incrementing rule numbers) just don't play well together.
>
> Until now, I've used the auto-incrementing feature to minimize the amount
> of work I need to do when changing/updating/adding rules in the middle of
> my scripts.  This has been working great, and is controlled via
> the net.inet.ip.fw.autoinc_step sysctl.
>
> Recently I was playing with the rule sets feature and using "ipfw set swap"
> to speed up my firewall rules reloading times.  Previously, I'd clear the
> rules, then load the new rules, but that could leave up to 30 seconds of
> downtime.  With the use of sets, that's under 1 sec.
>
> Everything works well on the first run.  Everything is loaded correctly
> into set 1, then swapped into set 0 and made live.  All rules are numbered
> correctly.
>
> On the second run, all the rules are loaded into set 1 using rule numbers
> 65524-65534, and then swapped into set 0.
>
> On the third (and all subsequent runs), all rules are loaded into set 1 with
> rule number 65534, and then swapped into set 1.
>
> It seems the rule numbers are global across all sets?  Meaning, the "last
> used automatic number" is global across all sets?
>
> I was expecting the rule numbers to be unique per set.  I do the following
> to clear out rule set 1 before adding rules:
>
> ipfw -f set 1 flush
> ipfw set disable 1
>
> Then load all my rules into set 1 using the following syntax:
>
> ipfw add set 1 allow tcp from 1.2.3.4 to 2.3.4.4 in recv igb0
> ....
> ....
> ....
>
> Then swap the rules at the end using:
>
> ipfw set swap 1 0
>
> Is there anything I could be doing differently to get the numbering to work
> the way I expect it to?  Or am I going to have to manually number every
> rule in my scripts?
No, currently rule auto-numbering ignores sets.
So currently you have to number rules manually to achieve predictable
behavior.

I think we can consider implementing a sysctl which permits per-set
auto-numbering.
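One way to do the manual numbering the reply recommends, as an added example that is not code from either poster: a small POSIX sh script that assigns explicit rule numbers itself (restarting from a fixed step on every run, independent of the kernel's global auto-increment counter) and then performs the same flush / disable / add / swap sequence described in the question. STAGING_SET, LIVE_SET, RULE_STEP, DRY_RUN, RULES_FILE and the one-rule-per-line input format are this script's own conventions, not ipfw's; the ipfw command lines themselves are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): reload an ipfw rule set by numbering the
# rules explicitly, so the result does not depend on the kernel's global
# auto-increment counter. STAGING_SET, LIVE_SET, RULE_STEP, DRY_RUN and the
# stdin rule-file format are this script's own conventions, not ipfw's.

STAGING_SET=${STAGING_SET:-1}   # set we load into (kept disabled while loading)
LIVE_SET=${LIVE_SET:-0}         # set currently passing traffic
RULE_STEP=${RULE_STEP:-100}     # gap between consecutive rule numbers
DRY_RUN=${DRY_RUN:-0}           # 1: print ipfw commands instead of running them

# Run ipfw, or print the command line when DRY_RUN=1.
run_ipfw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw "$@"
    fi
}

# Read rule bodies from stdin (one per line, e.g. "allow tcp from 1.2.3.4 to
# 2.3.4.4 in recv igb0"; blank lines and "#" comments are skipped) and emit
# "<number> <body>" lines. Numbering restarts at RULE_STEP on every call, so
# every reload of the staging set comes out numbered the same way.
# ipfw rule numbers are 1..65534 (65535 is the default rule), so refuse to
# emit a number that would not fit.
number_rules() {
    n=0
    while IFS= read -r body; do
        case "$body" in ''|'#'*) continue ;; esac
        n=$((n + RULE_STEP))
        if [ "$n" -gt 65534 ]; then
            echo "rule number $n exceeds 65534; lower RULE_STEP" >&2
            return 1
        fi
        printf '%s %s\n' "$n" "$body"
    done
}

# Full reload: flush and disable the staging set, add the explicitly numbered
# rules into it, then swap it with the live set in one operation (the swap is
# what keeps the cut-over short). Rule bodies are read from stdin.
reload_rules() {
    numbered=$(number_rules) || return 1
    run_ipfw -f set "$STAGING_SET" flush || return 1
    run_ipfw set disable "$STAGING_SET" || return 1
    printf '%s\n' "$numbered" | while read -r num body; do
        [ -n "$num" ] || continue
        # $body is intentionally unquoted: its words are separate ipfw arguments
        run_ipfw add "$num" set "$STAGING_SET" $body || exit 1
    done || return 1
    run_ipfw set swap "$STAGING_SET" "$LIVE_SET"
}

# Only act when invoked with a rules file, e.g.:
#   DRY_RUN=1 RULES_FILE=/etc/ipfw.rules sh reload-ipfw.sh
if [ -n "${RULES_FILE:-}" ]; then
    reload_rules < "$RULES_FILE"
fi
```

Run it once with DRY_RUN=1 to see exactly which ipfw commands would be issued; the numbering is the same on every run because the counter lives in the script, not in the kernel, so the second and third reloads no longer pile up at the top of the number space.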
