On 2004.12.14 06:13:07 -0800, Bruce M Simpson wrote:
> What I'm really missing in IPFW is the ability to maintain one or more
> 'shadow rulesets'. These rulesets may not be the active rulesets, but
> I can manipulate them as tables, independently of the active ruleset(s),
> push rules into them, flush them, and then atomically switch them to be
> the active ruleset, using a single syscall.
Isn't that more or less sets you are talking about?  Quoting ipfw(8):

     Each rule belongs to one of 32 different sets, numbered 0 to 31.
     Set 31 is reserved for the default rule.

     By default, rules are put in set 0, unless you use the set N
     attribute when entering a new rule.  Sets can be individually and
     atomically enabled or disabled, so this mechanism permits an easy
     way to store multiple configurations of the firewall and quickly
     (and atomically) switch between them.  The command to enable/disable
     sets is

           ipfw set [disable number ...] [enable number ...]

     where multiple enable or disable sections can be specified.
     Command execution is atomic on all the sets specified in the
     command.  By default, all sets are enabled.

-- 
Simon L. Nielsen
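The "shadow ruleset" workflow that the ipfw(8) text above describes, written out as a shell script. This is an added example, not code from either poster or from the FreeBSD project: the ipfw(8) subcommands used (`set disable`/`set enable`, `delete set N`, `add ... set N`, `set show`) are the real ones, but the rule numbers, the four-rule policy, and the set numbers 0 and 1 are hypothetical choices for illustration. The shadow set is disabled first so that nothing pushed into it is ever evaluated before the swap, the flush uses `delete set` so the active set is never touched, and the cutover is one `ipfw set` invocation, which the man page guarantees is applied atomically across every set named in it.

```shell
#!/bin/sh
# Atomic ruleset replacement with ipfw sets (added example; the policy
# below is a hypothetical four-rule firewall, not anyone's real config).
#
# Idea: keep the live policy in ACTIVE_SET, build the candidate policy in
# SHADOW_SET while that set is disabled, then flip both sets in a single
# "ipfw set disable A enable B" call.  The kernel applies that call
# atomically, so there is no window with neither or both policies active.

IPFW="${IPFW:-ipfw}"   # set IPFW="echo ipfw" to dry-run the commands

ACTIVE_SET=0
SHADOW_SET=1

# Step 1: make sure the shadow set is inactive, then empty it.
# "ipfw delete set N" removes only the rules in set N; the active set,
# and the default rule in set 31, are left alone.
flush_shadow() {
    $IPFW -q set disable "$SHADOW_SET"
    $IPFW -q delete set "$SHADOW_SET"
}

# Step 2: push the candidate rules into the shadow set.  Because the set
# is disabled, none of these are evaluated yet, so ordering mistakes
# while loading cannot open or close anything on the live box.
# (Hypothetical policy: loopback, inbound ssh, all outbound, deny rest.)
load_shadow() {
    $IPFW -q add 100 set "$SHADOW_SET" allow ip from any to any via lo0
    $IPFW -q add 200 set "$SHADOW_SET" allow tcp from any to me 22 in setup
    $IPFW -q add 300 set "$SHADOW_SET" allow ip from any to any out
    $IPFW -q add 400 set "$SHADOW_SET" deny log ip from any to any
}

# Step 3: the cutover.  One command, one syscall: the old set goes dark
# and the new set goes live together.
swap_sets() {
    $IPFW -q set disable "$ACTIVE_SET" enable "$SHADOW_SET"
}

# Rollback is the same operation in the other direction; the old rules
# are still sitting in the (now disabled) ACTIVE_SET, untouched.
rollback() {
    $IPFW -q set disable "$SHADOW_SET" enable "$ACTIVE_SET"
}

# "ipfw set show" prints which sets are disabled/enabled; use it to
# confirm the flip took effect before deciding whether to roll back.
show_sets() {
    $IPFW set show
}

# Full procedure, as you would run it from a deploy script.
cutover() {
    flush_shadow
    load_shadow
    swap_sets
    show_sets
}

# Run the whole thing only when executed directly, not when sourced.
if [ "${0##*/}" = "ipfw-shadow.sh" ]; then
    cutover
fi
```

Run with `IPFW="echo ipfw" sh ipfw-shadow.sh` first to see the exact command sequence; on the real box the script needs root and a kernel with ipfw loaded. After a cutover, the previous policy is still present in set 0, so `rollback` restores it with the same atomic guarantee; only once the new policy is confirmed good should set 0 be flushed and reused as the next shadow set.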