1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-20 11:11:24 +00:00
freebsd/sbin
Luigi Rizzo 43405724ec One bugfix and one new feature.
The bugfix (ipfw2.c) makes the handling of port numbers with
a dash in the name, e.g. ftp-data, consistent with old ipfw:
use \\ before the - to consider it as part of the name and not
a range separator.

The new feature (all this description will go in the manpage):

each rule now belongs to one of 32 different sets, which can
be optionally specified in the following form:

	ipfw add 100 set 23 allow ip from any to any

If "set N" is not specified, the rule belongs to set 0.

Individual sets can be disabled, enabled, and deleted with the commands:

	ipfw disable set N
	ipfw enable set N
	ipfw delete set N

Enabling/disabling of a set is atomic. Rules belonging to a disabled
set are skipped during packet matching, and they are not listed
unless you use the '-S' flag in the show/list commands.
Note that dynamic rules, once created, are always active until
they expire or their parent rule is deleted.
Set 31 is reserved for the default rule and cannot be disabled.

All sets are enabled by default. The enable/disable status of the sets
can be shown with the command

	ipfw show sets

Hopefully, this feature will make life easier to those who want to
have atomic ruleset addition/deletion/tests. Examples:

To add a set of rules atomically:

	ipfw disable set 18
	ipfw add ... set 18 ...		# repeat as needed
	ipfw enable set 18

To delete a set of rules atomically

	ipfw disable set 18
	ipfw delete set 18
	ipfw enable set 18

To test a ruleset and disable it and regain control if something
goes wrong:

	ipfw disable set 18
	ipfw add ... set 18 ...         # repeat as needed
	ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18

    here if everything goes well, you press control-C before
    the "sleep" terminates, and your ruleset will be left
    active. Otherwise, e.g. if you cannot access your box,
    the ruleset will be disabled after the sleep terminates.

I think there is only one more thing that one might want, namely
a command to assign all rules in set X to set Y, so one can
test a ruleset using the above mechanisms, and once it is
considered acceptable, make it part of an existing ruleset.
2002-08-10 04:37:32 +00:00
..
adjkerntz The .Nm utility 2002-07-06 19:34:18 +00:00
atacontrol Also print the serial # on atacontrol cap .... 2002-07-31 18:30:38 +00:00
atm The .Nm utility 2002-07-06 19:34:18 +00:00
badsect The .Nm utility 2002-07-06 19:34:18 +00:00
bsdlabel The .Nm utility 2002-07-06 19:34:18 +00:00
camcontrol The .Nm utility 2002-07-06 19:34:18 +00:00
ccdconfig The .Nm utility 2002-07-06 19:34:18 +00:00
clri The .Nm utility 2002-07-06 19:34:18 +00:00
comcontrol The .Nm utility 2002-07-06 19:34:18 +00:00
conscontrol The .Nm utility 2002-07-06 19:34:18 +00:00
cxconfig Default to WARNS=2. 2001-12-04 02:19:58 +00:00
devfs Don't depend on pollution in <machine/limits.h> (by way of 2002-07-29 17:09:21 +00:00
dhclient Removed now unused INTERNALSTATICLIB. 2002-05-13 11:09:07 +00:00
disklabel The .Nm utility 2002-07-06 19:34:18 +00:00
dmesg The .Nm utility 2002-07-06 19:34:18 +00:00
dump Change utimes to set the file creation time (for filesystems that 2002-07-17 02:03:19 +00:00
dumpfs Remove unused variables due to libufs(3) commit. Clean up extraneous use of 2002-07-11 21:46:12 +00:00
dumpon Replace the 'at least the amount of physical memory + 64K' with a better 2002-07-09 17:27:08 +00:00
fdisk Fixed some print format errors. Avoid some warnings about possible 2002-07-16 23:18:29 +00:00
fdisk_pc98 The .Nm utility 2002-07-06 19:34:18 +00:00
ffsinfo mdoc(7) police: nits. 2002-05-29 16:47:55 +00:00
fsck The .Nm utility 2002-07-06 19:34:18 +00:00
fsck_ffs preen.c was a stragler after the fsck/fsck_ffs divorce. 2002-08-09 14:41:37 +00:00
fsck_msdosfs The .Nm utility 2002-07-06 19:34:18 +00:00
fsdb Warning cleanup. 2002-07-30 13:01:25 +00:00
fsirand The .Nm utility 2002-07-06 19:34:18 +00:00
gpt Grab a snapshot of Marcel's gpt tool. This is still a work-in-progress 2002-07-20 19:27:43 +00:00
growfs The .Nm utility 2002-07-06 19:34:18 +00:00
ifconfig The .Nm utility 2002-07-06 19:34:18 +00:00
init I should have committed this ages ago... 2002-08-03 16:21:33 +00:00
ip6fw The .Nm utility 2002-07-06 19:34:18 +00:00
ipf * add extra -I path to get the "matching" header files. 2002-03-20 09:02:48 +00:00
ipfs add extra include path to get .h files from source being used to compile 2002-03-26 10:09:09 +00:00
ipfstat Hopefully fix make world. 2002-03-19 22:51:53 +00:00
ipfw One bugfix and one new feature. 2002-08-10 04:37:32 +00:00
ipmon * add extra -I path to get the "matching" header files. (and split the one 2002-03-20 09:04:34 +00:00
ipnat * need to compile printnat.c now that this function is in a separate .c file 2002-03-20 09:01:48 +00:00
kldconfig The .Nm utility 2002-07-06 19:34:18 +00:00
kldload The .Nm utility 2002-07-06 19:34:18 +00:00
kldstat The .Nm utility 2002-07-06 19:34:18 +00:00
kldunload The .Nm utility 2002-07-06 19:34:18 +00:00
ldconfig The .Nm utility 2002-07-06 19:34:18 +00:00
mca Grab a snapshot of Marcel's WIP ia64 machine check decoder. 2002-07-20 19:31:11 +00:00
md5 Use `The .Nm utility' 2002-04-19 23:06:29 +00:00
mdconfig Replace extra call to "tunefs" with the equivalent of "newfs -U". 2002-07-15 11:30:21 +00:00
mdmfs The .Nm utility 2002-07-06 19:34:18 +00:00
mknod The .Nm utility 2002-07-06 19:34:18 +00:00
mount Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
mount_cd9660 This should have been committed too, I have no idea 2002-08-03 17:05:14 +00:00
mount_ext2fs Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
mount_hpfs Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
mount_msdosfs Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
mount_nfs Fix -o ac(reg|dir)(min|max) options. The appropriate flags weren't 2002-08-06 20:26:30 +00:00
mount_ntfs Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
mount_nullfs Small diffs that p4 didn't catch when I extracted 2002-08-03 17:06:51 +00:00
mount_nwfs Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
mount_portalfs Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
mount_smbfs Add bmake glue for src/contrib/smbfs and connect userland smbfs 2001-12-14 11:41:22 +00:00
mount_std Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
mount_udf Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
mount_umapfs Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
mount_unionfs Now that the kernel is able to load modules itself, 2002-08-03 16:03:21 +00:00
natd The .Nm utility 2002-07-06 19:34:18 +00:00
newfs di_createtime -> di_birthtime. 2002-07-17 10:31:38 +00:00
newfs_msdos The .Nm utility 2002-07-06 19:34:18 +00:00
nfsiod WARNS clean 2002-07-24 22:13:08 +00:00
nologin The .Nm utility 2002-07-06 19:34:18 +00:00
nos-tun The .Nm utility 2002-07-06 19:34:18 +00:00
ping Fix the broken "avoid unaligned data" fix. The problem is that the builtin 2002-08-10 03:00:55 +00:00
ping6 Don't explicit kill of the process' own pid. 2002-07-07 18:19:48 +00:00
quotacheck Fixup preen.c to match its new residence. 2002-08-09 16:25:32 +00:00
rcorder The .Nm utility. Add FreeBSD Id. 2002-07-06 19:34:37 +00:00
reboot The .Nm utility. 2002-07-06 19:35:14 +00:00
restore Change utimes to set the file creation time (for filesystems that 2002-07-17 02:03:19 +00:00
route The .Nm utility. 2002-07-06 19:35:14 +00:00
routed The .Nm utility. 2002-07-06 19:35:14 +00:00
rtsol Default to WARNS=2. 2001-12-04 02:19:58 +00:00
savecore The .Nm utility. 2002-07-06 19:35:14 +00:00
setkey Fix spacing for -P (policy) examples. 2002-07-27 21:06:06 +00:00
shutdown The .Nm utility. 2002-07-06 19:35:14 +00:00
slattach The .Nm utility. 2002-07-06 19:35:14 +00:00
spppcontrol mdoc(7) police: tidy up the markup. 2002-01-10 16:02:23 +00:00
startslip Use `The .Nm utility' 2002-04-19 23:06:29 +00:00
swapon The .Nm utility. 2002-07-06 19:35:14 +00:00
sysctl The .Nm utility. 2002-07-06 19:35:14 +00:00
tunefs The .Nm utility. 2002-07-06 19:35:14 +00:00
umount The .Nm utility. 2002-07-06 19:35:14 +00:00
vinum The .Nm utility. 2002-07-06 19:35:14 +00:00
Makefile Turn nfsiod back on. It is basically now just a sysctl wrapper that also 2002-07-24 22:14:27 +00:00
Makefile.inc Default to WARNS=2. 2001-12-04 02:19:58 +00:00