Re: removing some error states

2018-05-05 Thread Michael Sierchio
Hi, Julian -

On Sat, May 5, 2018 at 11:03 AM, Julian Elischer  wrote:
>...

> it was never "ignore errors" It's "ignore a certain class of error".
>
> table 3 add 1.1.1.1
>>> table 3 add 1.1.1.1   <- no error.. this is what I want..
>>>
>>
I'm wondering if it shouldn't be atomically idempotent, or...

On a public-facing machine, I throttle all traffic until I get a successful
auth event, and then add an IP to a table containing a whitelist, which
bypasses the restrictive pipes.  With a time_t value denoting when it was
added.  It would be nice if it simply replaced the arg value

table 3 add 1.1.1.1 1525547787

   and sometime later

table 3 add 1.1.1.1 1525576587

which I'd like to succeed.  With 11.0+ I can do this atomically with two
tables and swap them, but...



> table 3 swap 21  <--  doesn't quit, but doesn't generate a new
>>
>>
+1 on this. Again, UPSERT semantics instead of DELETE-then-CREATE, or
CREATE.

- M
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


Re: removing some error states

2018-05-05 Thread Julian Elischer

See inline

thanks for answering

One thing you need to understand is that I tend to run ipfw with a 
front-end.

for example which is more efficient:

cat <<-DONE | ipfw -q -f /dev/stdin
    add 1 (some rule)
    [100 other operations including table and pipe operations and more rules]
DONE

vs

ipfw -f -q add 1 (some rule)
ipfw -f -q {operation}
[...] 100 more ops, same as above..


obviously the first is orders of magnitude more efficient.
I have wondered if you could feed a script into ipfw's preprocessor  
feature so that it actually generated data instead of just filtering it,

but I haven't tried it yet..
In the version I wrote for Cisco, it is a python program that is 
continually manipulating the firewall by adding and removing table 
entries and rules as the world changes around it.
So not having to fork/exec a new copy of ipfw for every operation is 
important to me.
Maybe we want to add a special mode (-I - ) to allow stdin to be used. 
using /dev/stdin is a hack.

and there is no way to get any output back.

I actually have a way to make it work as a shell script using netcat...
The server part that stays resident does:
 action ()
  {
    local LINE="$*"
    logger -p user.info -t firewall "command $LINE"
    set $LINE
    local COMMAND=$1
    shift
    case ${COMMAND} in
      setup-firewall)
        # called from rc.d/postpixel8 and from rc.conf via ip_filter_rules.sh
        setup_firewall $*
        ;;
      [... lots of other commands ]


  if [ "$MODE" = "server" ]
  then
    FIREWALL_DISABLED=
    nc -U -k -l "$CONTROL_SOCKET" | while read LINE
    do
      action $LINE
    done
    logger -p user.info -t firewall "Server loop ended"
    exit 0  # server never goes below this point
  fi

and the client just does:

  if [ "$MODE" = "client" ]
  then
    echo $COMMAND $* | nc -N -U "$CONTROL_SOCKET"
  fi

sending high level commands to the server,
and the server keeps state, and feeds commands out via stdout to a 
copy of ipfw that is started at the time the server starts, and keeps 
running until it quits, doing ALL the low level 'ipfw' commands..
this mode of operation is very efficient and can lead to very 
sophisticated active firewalls as the server has local state about the 
firewall and can manipulate it with great speed and accuracy.


anyhow.. to do this I need that the ipfw program not quit every time 
it gets something it doesn't like.
Especially things like "clear a rule without having to first test 
whether it is there".

or swap with a new table.. (just create an empty table of the same kind).

Or pretty much anything else that would error out.. e.g. I want most  
delete commands to be "optionally" idempotent.


calling it should be ok regardless of whether the 
rule/table/pipe/whatever already exists or has already been deleted.

Like rm -f.

Maybe a special mode for running as a client may be good.. or maybe 
ipfw is in control and fires off a given program and controls both 
stdin and stdout.
that way the script/program can actually get feedback.  Something I've 
had a hard time doing..

also some ways to get events from the firewall would be amazing.

Maybe what I want is a libipfw.so, but I want to be able to use it 
with shell scripts.






On 4/5/18 6:23 am, Alexander V. Chernikov wrote:

02.05.2018, 06:32, "Julian Elischer" :

On 2/5/18 1:05 am, Julian Elischer wrote:

  On 1/5/18 11:03 pm, Rodney W. Grimes wrote:

  Many years ago I added code to ipfw so that if -q was set it would
  not
  complain about
  things that were unimportant, nor would it return an error code.
  Such things include removing table entries that are already gone and
  similar sorts of 'safe' operations.
  The idea is that you can write 'naive' scripts that don't need to do
  complicated checks to see if XXX is already present or gone..
  In the same way that rm -f doesn't complain if the file doesn't
  exist..? You were going to delete it anyhow.

  I'd like that to continue to some of the new additions.
  for example the terribly annoying
    ipfw: DEPRECATED: inserting data into non-existent table 18.
  (auto-created) (who cares?)

  and

    ljcc-78# ipfw table 19 create
    ipfw: Table creation failed: File exists

  As the script needs to run multiple times, I don't care if the table
  already exists.
  but I do care about other errors.
  I don't want to have to write special wrapper code for table create
  that is different
  from the wrappers elsewhere because it has to look for return code 71
  and disregard it.
  Can we just have -q continue to ignore such errors please?

  I think there is a bigger question here, why was auto table creation
  with first insert "Deprecated" at all?   This to me just seems like
  change cause someone could change it that has no useful purpose or
  is there some great purpose this serves?

In the "old" world we had a single type of table, each of them named by numbers 
from 1.. ip.fw.tables_max range. If the table number
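As an added example that is not code from this thread: a small Python front-end in the style Julian describes (state kept outside ipfw, plain command text fed to one resident `ipfw -q -f /dev/stdin`), applied to Michael's auth-whitelist table of address plus time_t value. It gets the UPSERT he wants by building the new table contents in a staging table and using the two-table `swap`, so the bypass rules never see a half-filled table. Table numbers 3 and 21 are taken from the thread; the TTL value and all function names are assumptions.

```python
import ipaddress

LIVE_TABLE = 3     # table the bypass rules look up (number from the thread)
STAGE_TABLE = 21   # scratch table that gets swapped in (number from the thread)
TTL = 3600         # assumed lifetime of a whitelist entry, in seconds


def upsert(entries, ip, now):
    """Return a copy of entries with ip added or its timestamp replaced.

    entries maps address strings to the time_t at which they were whitelisted.
    A malformed address raises ValueError before anything reaches ipfw.
    """
    ip = str(ipaddress.ip_address(ip))  # validates and normalises the address
    updated = dict(entries)
    updated[ip] = int(now)
    return updated


def prune(entries, now, ttl=TTL):
    """Drop entries whose time_t value is at least ttl seconds old."""
    return {ip: ts for ip, ts in entries.items() if now - ts < ttl}


def setup_batch(live=LIVE_TABLE, stage=STAGE_TABLE):
    """Commands to feed once, when the resident ipfw is started.

    'table N create' fails with "File exists" when run a second time, as the
    thread complains, so it is emitted only here and never per update.
    """
    return [f"table {live} create", f"table {stage} create"]


def swap_batch(entries, live=LIVE_TABLE, stage=STAGE_TABLE):
    """Commands that atomically replace the live table with entries.

    Each command is safe to repeat: flushing an empty table is a no-op and the
    adds always target the freshly flushed staging table, so a re-run batch
    never leaves the live table half-populated.
    """
    lines = [f"table {stage} flush"]
    lines += [f"table {stage} add {ip} {ts}" for ip, ts in sorted(entries.items())]
    lines.append(f"table {live} swap {stage}")
    lines.append(f"table {stage} flush")  # stage now holds the old live set
    return lines


def render(lines):
    """Text to write to the stdin of the long-running 'ipfw -q -f /dev/stdin'."""
    return "".join(line + "\n" for line in lines)
```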