See inline
thanks for answering
Ont thing you need to understand is that I tend to run ipfw with a
front-end.
for example which is more efficient:
cat <<-DONE |ipfw -q -f /dev/stdin
add 1 (some rule}
[100 other operations including table and pipe operations and
more rules]
DONE
vs
ipfw -f -q add 1 (some rule)
ipfw -f -q {operation}
[...] 100 more ops, same as above..
obviously the first is orders of magnitude more efficient.
I have wondered if you could feed a script into ipfw's preprocessor
feature so that it actually generated data instead of just filtering it,
but I haven't tried it yet..
In the version I wrote for Cisco, it is a python program that is
continually manipulating hte firewall by adding and removing table
entries and rules as the world changes around it.
So having to not for/exec a new copy of ipfw for every operations i
important to me.
Maybe we want to add a special mode (-I - ) to allow stdin to be used.
using /dev/stdin is a hack.
and there is no way to get any output back.
I actually have a way to make it work as a shell script using netcat...
The server part that stays resident does:
action ()
{
local LINE="$*"
logger -p user.info -t firewall "command $LINE"
set $LINE
local COMMAND=$1
shift
case ${COMMAND} in
setup-firewall)
# called from rc.d/postpixel8 and from rc.conf via
ip_filter_rules.sh
setup_firewall $*
;;
[... lots of other commands ]
if [ $MODE = "server" ]
then
FIREWALL_DISABLED=
nc -U -k -l "$CONTROL_SOCKET" | while read LINE
do
action $LINE
done
logger -p user.info -t firewall "Server loop ended"
exit 0 # server never goes below this point
fi
and the client just does:
if [ "$MODE" = "client" ]
then
echo $COMMAND $* | nc -N -U $CONTROL_SOCKET
fi
sending high level commands to the server,
and the server, keeps state, and feeds commands out via stdout to a
copy of ipfw that is started at the time the server starts, and keeps
running until it quits, doing ALL the low level 'ipfw' commands..
this mode of operation if very efficient and can lead to very
sophisticated active firewalls as the server has local state about hte
firewall and can manipulate it with great speed and accuracy.
anyhow.. to do this I need that the ipfw program not quit every time
it gets something it doesn't like.
Especially things like "clear a rule without havng to first test
whether it is there".
or swap with a new table.. (just create an empty table of the same kind).
Or pretty much anything else that would error out.. e.g. I want most
delete commands to be "optionally" idempotent.
calling it should be ok regardless of whether the
rule/table/pipe/whatever already exists or has already been deleted.
Like rm -f .
Maybe a special mode for running as a client may be good.. or maybe
ipfw is in control and fires off a given program and controls both
stdin and stdout.
that way the script/progra can actually get feedback. Something I've
had a hard time doing..
also some ways to get events from the firewall would be amazing.
Maybe what I want is a libipfw.so, but I want to be able to use it
with shell scripts.
On 4/5/18 6:23 am, Alexander V. Chernikov wrote:
02.05.2018, 06:32, "Julian Elischer" :
On 2/5/18 1:05 am, Julian Elischer wrote:
On 1/5/18 11:03 pm, Rodney W. Grimes wrote:
Many years ago I added code to ipfw so that if -q was set it would
not
complain about
things that were unimportant, nor would it return an error code.
Such things include removing table entries that are already gone and
similar sorts of 'safe' operations.
The idea is that you can write 'naive' scripts that don't need to do
complicated checks to see if XXX is already present or gone..
In hte ame way that rm -f doesn't complain if the file doesn't
exist..? You were going to delete it anyhow.
I'd like that to continue to some of the new additions.
for example the terribly annoying
??? ipfw: DEPRECATED: inserting data into non-existent table 18.
(auto-created) (who cares?)
and
?? ljcc-78# ipfw table 19 create
ipfw: Table creation failed: File exists
As the script needs to run multiple times, I don't care if the table
already exists.
but I do care about other errors.
I don't want to have to write special wrapper code for table create
that is different
from the wrappers elsewhere because it has to look for return code 71
and disregard it.
Can we just have -q continue to ignore such errors please?
I think there is a bigger question here, why was auto table creation
with first insert "Deprecated" at all? This to me just seems like
change cause someone could change it that has no usefull purpose or
is there some great purpose this serves?
In the "old" world we had single type of tables, each of them name by numbers
from 1.. ip.fw.tables_max range. If the table number