Page MenuHomeFreeBSD
Differential D18339

Add two new options to "ipfw table <NAME> create" to simplify firewall reload
ClosedPublic
Actions

Authored by lev on Nov 26 2018, 12:33 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Nov 12, 2:45 AM
Unknown Object (File)
Wed, Oct 23, 10:33 AM
Unknown Object (File)
Oct 3 2024, 10:55 PM
Unknown Object (File)
Oct 3 2024, 6:30 AM
Unknown Object (File)
Oct 3 2024, 3:59 AM
Unknown Object (File)
Oct 2 2024, 11:22 PM
Unknown Object (File)
Oct 2 2024, 8:58 PM
Unknown Object (File)
Oct 2 2024, 2:22 PM
View All Files
Subscribers
0mp
debdrup
imp
mizhka

Details

Reviewers
ae
mizhka
melifaro
0mp
cy
Group Reviewers
manpages
Commits
rS348235: Add `missing` and `or-flush` options to "ipfw table <NAME> create"
Summary

Now it is very hard to reload (with service ipfw restart and such) firewall which uses tables and have create table NAME commands, as these commands will fail because tables already exists And delete table NAME will fail for first firewall load, as tables are not exist yet.

This patch adds two new options for create table command:

  • missing — this option suppresses EEXISTS error, but check, that existing table has same parameters as new one.
  • or-flush — this options implies missing and additionally flush table if it exists.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

lev created this revision.Nov 26 2018, 12:33 PM
mizhka requested changes to this revision.Nov 26 2018, 11:21 PM
mizhka added a subscriber: mizhka.
mizhka added inline comments.
ipfw/ipfw.8
2140–2159

Bump date of man doc?

ipfw/tables.c
329–332

Should be tabs instead of spaces

501

(flush != 0)
better to follow same style over whole code ;)

This revision now requires changes to proceed.Nov 26 2018, 11:21 PM
lev updated this revision to Diff 51163.Nov 27 2018, 11:54 AM

Address comments by @mizhka_gmail.com

lev marked 3 inline comments as done.Nov 27 2018, 11:55 AM
mizhka accepted this revision.Mar 21 2019, 6:44 AM
mizhka added inline comments.
sbin/ipfw/tables.c
499–502 ↗(On Diff #51163)

double indentation. please use && to simplify code

This revision is now accepted and ready to land.Mar 21 2019, 6:44 AM
lev updated this revision to Diff 55315.Mar 21 2019, 10:44 AM
This revision now requires review to proceed.Mar 21 2019, 10:44 AM
lev marked an inline comment as done.Mar 21 2019, 10:45 AM
ae added a reviewer: melifaro.Mar 21 2019, 11:18 AM
ae set the repository for this revision to rS FreeBSD src repository - subversion.
Herald added a reviewer: manpages. · View Herald TranscriptMar 21 2019, 11:18 AM
Herald added a subscriber: imp. · View Herald Transcript
0mp requested changes to this revision.Mar 21 2019, 1:47 PM
0mp added a subscriber: 0mp.
0mp added inline comments.
ipfw/ipfw.8
2155

Just a minor thing, but we usually put a new sentence in a new line.

You may find more style issues in the patch by running igor and mandoc -Tlint on the manpage.

This revision now requires changes to proceed.Mar 21 2019, 1:47 PM
lev updated this revision to Diff 55318.Mar 21 2019, 2:12 PM
lev marked an inline comment as done.
lev added inline comments.
ipfw/ipfw.8
2155

mandoc -Tlint shows a lot of errors, much more than my changes.

0mp accepted this revision.Mar 21 2019, 2:25 PM

OK from manpages. Please remember to bump the date in the manual page.

ipfw/ipfw.8
2155

I wouldn't care about those other errors. Not in this patch at least. :) Thanks!

2158

typo? s/tabel/table/

This revision is now accepted and ready to land.Mar 21 2019, 2:25 PM
lev updated this revision to Diff 55320.Mar 21 2019, 2:30 PM
lev marked an inline comment as done.
This revision now requires review to proceed.Mar 21 2019, 2:30 PM
lev marked an inline comment as done.Mar 21 2019, 2:30 PM
mizhka accepted this revision.Mar 21 2019, 3:09 PM
This revision is now accepted and ready to land.Mar 21 2019, 3:09 PM
ae added a comment.Apr 9 2019, 6:19 PM

I think you can add to the beginning of your ipfw rules script something like this:

ipfw -q flush
ipfw -q table all destroy

And then create needed tables and fill them.

lev added a comment.Apr 10 2019, 11:25 AM
In D18339#426430, @ae wrote:

I think you can add to the beginning of your ipfw rules script something like this:

ipfw -q flush
ipfw -q table all destroy

And then create needed tables and fill them.

But this change is more flexible. I could imagine situation when you don't want to flush existing table but want to be sure that it is exists without external (for example, sh) logic.

ae added a comment.Apr 10 2019, 5:29 PM

Ok. It is more flexible, but produces additional options. I think ipfw(8) is already very complex.
What if we will make "missing"+"flush" behavior as default.
It seems if user wants to create table, it is expected that later this table will be filled. So, if we are creating some table, and it is already exist, we will check that the table has the same configuration and then flush it.
If configuration is different, then we return error. What you think?

lev added a comment.Apr 10 2019, 6:19 PM
In D18339#426772, @ae wrote:

Ok. It is more flexible, but produces additional options. I think ipfw(8) is already very complex.
What if we will make "missing"+"flush" behavior as default.
It seems if user wants to create table, it is expected that later this table will be filled. So, if we are creating some table, and it is already exist, we will check that the table has the same configuration and then flush it.
If configuration is different, then we return error. What you think?

Looks good for me personally (for my goals), but what if user doesn't want flush existing, if s/he wants to be sure, that table is exists, but if it exists already, to save current content? It could be programmed externally to ipfw (with sh or by other means), of course, but stadard service ipfw reload doesn't allow it.
For example firewall could have table with addresses which are blacklisted by some log analyzer ("file2ban"). User want to reload firewall, but don't want to lose accumulated black list. Now (or with "default to flush") user need to ether dump table before restart and load after it or temporary commet-out table creation from firewall config (table creation should be here, because same config is used on system boot!). Both solutions are possible (and they are possible now, without any changes) but very inconvenient, IMHO.

Maybe, we could have or-flush by default and or-preserve as new option. It adds only one new option (instead of two), but allows both scenarios.

debdrup added a subscriber: debdrup.May 24 2019, 7:14 AM

Is it okay to ask what the status of this is? Because it looks really useful!

melifaro accepted this revision.May 24 2019, 10:27 AM
Closed by commit rS348235: Add `missing` and `or-flush` options to "ipfw table <NAME> create" (authored by ae). · Explain WhyMay 24 2019, 11:06 AM
This revision was automatically updated to reflect the committed changes.
Herald added a reviewer: cy. · View Herald TranscriptMay 24 2019, 11:06 AM

Revision Contents
Changeset List

PathSize
ipfw/
sbin/
ipfw/
9 lines
3 lines
38 lines

Diff 55320

View Options

ipfw/ipfw.8

Loading...
View Options

ipfw/ipfw2.h

Loading...
View Options

ipfw/tables.c

Loading...