IPFW rule sets and automatic rule numbering

Ian Smith smithi at nimnet.asn.au
Sun Sep 14 11:44:25 UTC 2014 

On Sun, 14 Sep 2014 12:36:43 +0200, Willem Jan Withagen wrote:
 > On 13-9-2014 21:51, Freddie Cash wrote:
 > > You can replicate it using 3 rules, loaded into two sets:
 > > 
 > > ipfw set disable 1
 > > ipfw add allow ip from any to any
 > > ipfw add 65524 allow ip from any to any
 > > ipfw add allow ip from any to any
 > > ipfw set swap 1 0
 > > 
 > > Run that two or 3 times. Every rule will be numbered 65534 after the 2nd or
 > > 3rd run.
 > 
 > > 
 > > I expected it to be numbered 10, 65524, 65534 after every run.
 > > 
 > > However, after reading the man page a few more times and thinking about it
 > > a little more, it makes sense that the numbering is global across all sets,
 > > as you can have multiple sets enabled simultaneously.
 > > 
 > > It just doesn't mesh with my desire to use auto numbering. I'm in the midst
 > > of manually numbering all my rules now. :)

 > This is easily circumvented by making shure that the first rule is
 > 
 > ipfw add 10 .....
 > like:
 > ipfw add count ip4 from any to any via vlan126
 > 	(vlan126 is my outside connection)
 > And then you are home free.
 > 
 > I actually use this to also separate diffent types of block by injecting:
 > ipfw add <blocknumber> count ip from any to any
 > 
 > like:
 > 03000 713812041 425643462848 count ip from any to any
 > 03010         0            0 deny ip6 from fc00::/7 to any via vlan126
 > 
 > And the 3000 block contains all antispoofing and likes.

I'd almost replied along the same lines - also tending to number first 
rules in a block and then add unnumbered rules until other sections - 
before realising that once Freddie had added his rule 65524, maybe in 
another set, it's game over; every unnumbered rule added after that is 
going to be >= 65524 and <= 65534.

And even as you have it above, if you rerun your script again without 
flushing the entire ruleset, apart from specifically numbered rule/s,
everything will get readded after the highest rule previously used.

Alexander said:
 > I think we can consider implementing sysctl which permits per-set
 > auto-numbering.

Perhaps rather than a separate high water mark per set that would be 
reset on set N flush - which I think is what Alexander means? - if one
could set something like maybe 'net.inet.ip.fw.autoinc_last' which would 
default, as now, to the highest rule added so far, but could be reset to
something else before adding more auto_inc rules?  Might get tricky, and 
of course it has to not break older rule scripts - some VERY old :)

cheers, Ian

More information about the freebsd-ipfw mailing list