conf/93815: Adds in the ability to save ipfw rules to rc.d/ipfw and rc.d/ip6fw.

Giorgos Keramidas keramida at FreeBSD.org
Sat Mar 4 19:00:26 PST 2006 

The following reply was made to PR conf/93815; it has been noted by GNATS.

From: Giorgos Keramidas <keramida at FreeBSD.org>
To: Vulpes Velox <v.velox at vvelox.net>
Cc: bug-followup at FreeBSD.org
Subject: Re: conf/93815: Adds in the ability to save ipfw rules to rc.d/ipfw and rc.d/ip6fw.
Date: Sun, 5 Mar 2006 04:54:55 +0200

 On 2006-02-25 04:19, Vulpes Velox <v.velox at vvelox.net> wrote:
 > This allows ipfw rules to be saved. /var/db/ipfw is used for that. If
 > a name for the save is not specified, last will be used.
 >
 > They can be saved like this...
 > /etc/rc.d/ipfw save <name>
 >
 > They can be recalled like this...
 > /etc/rc.d/ipfw restart <name>
 
 I feel a bit worried about allowing unquoted user-supplied names to a
 shell script and then using them as filenames.
 
 > --- rc.d_ipfw.patch begins here ---
 > 18a19,29
 > > extra_commands="save"
 > > save_cmd="ipfw_save"
 > >
 > >
 > > #gets the name of the save to use
 > > if [ ! -z $2 ]; then
 > > 	savename="$2"
 > > 	usingsave="yes"
 > > else
 > > 	savename="last"
 > > fi
 
 Please don't.  This should be written at least with a proper quote set
 around $2 like this:
 
     if [ -z "$2" ]; then
 	savename="last"
     else
 	savename="$2"
         usingsave="yes"
     fi
 
 > 31a43,49
 > > ipfw_save()
 > > {
 > >         # Saves the firewall rules to /var/db/ipfw/$savename
 > > 	[ ! -d /var/db/ipfw ] && mkdir /var/db/ipfw && chmod go-rwx /var/db/ipfw
 > > 	ipfw list | awk '{print "${fwcmd} add " $0 }' > /var/db/ipfw/$savename
 > > }
 
 The style sucks a bit here, but it's mostly ok.  I'd probably avoid
 constructs that have the potential to end up using really-very-long
 lines, like cmd && cmd && cmd a bit and make the directory of the saved
 firewalls tunable through rc.conf:
 
     ipfw_save()
     {
         # set the firewall save directory if none was specified
         [ -z "${firewall_savedir}" ] && firewall_savedir=/var/db/ipfw
 
 	if [ ! -d "${firewall_savedir}" ]; then
 	    mkdir -p "${firewall_savedir}" || return 1
 	fi
 
         ipfw list | sed -e 's/^/add /' > "${firewall_savedir}/${savename}"
     }
 
 Also, in my opinion, loading saved rulesets shouldn't be overloaded with
 the special 'last' savename, but supported by a similar ipfw_load()
 function.  Then 'last' could be used as a valid savename too :)

More information about the freebsd-rc mailing list