AW: ipfilter: flushing of Rules

A discussion in the IPFilter forums, part of the System Security and Security Related category.
Hello,
I'm sorry, in the old ipfilter version the fr_ref is also increased, but already in the fr_addstate function.

The subject of this thread is no longer correct, because by flushing the rules with ipf -Fa, rules which have a state will also be removed. But the problem is if I remove rules by ipf -r. The reason for this is in file fil.c in function frrequest() line 4240:

```c
/*
 * Only return EBUSY if there is a group list, else
 * it's probably just state information referencing
 * the rule.
 */
if (f->fr_ref > 1) {
	error = EBUSY;
	goto done;
}
```

In an older implementation there was:

```c
/*
 * Return EBUSY if the rule is being reference by
 * something else (eg state information.
 */
if ((f->fr_ref > 1) && f->fr_grp && *(f->fr_grp))
	return EBUSY;
```

Anybody know why this change was made?

Thanks
Peter

-----Original Message-----
From: owner-ipfilter@coombs.anu.edu.au [mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of Peter Jordan
Sent: Monday, 29 January 2007 16:06
To: 'ipfilter@coombs.anu.edu.au'
Subject: ipfilter: flushing of Rules

Hello,

we use ipfilter as firewall with NetBSD 3.0 and IP Filter: v4.1.8 (396). In an older version (2001/2002) that we ported to Windows, it is possible to delete rules for which a state exists. In the new version it is no longer possible because fr_ref is increased in function fr_stinsert (ip_state.c). Is this change correct? If yes, what are the reasons for it? For me it is much better if we can remove rules for which a state exists.

Best regards
Peter
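To make the difference between the two checks concrete, here is a small C model added for this thread (it is not IPFilter's code): a stand-in frentry holding only fr_ref and fr_grp, a state insertion that takes a reference the way fr_stinsert() does, and both versions of the frrequest() check side by side. It shows why 4.1.8 refuses the ipf -r with EBUSY for a rule with live state even when that rule heads no group: fr_ref is what tells frrequest() that a state entry still points at the rule, and the older check ignored it for non-group rules.

```c
#include <errno.h>
#include <stddef.h>

/* Stand-in for IPFilter's struct frentry with only the two fields the
 * frrequest() check reads. Constructed for this example, not ipf code. */
struct frentry {
    int         fr_ref;  /* 1 while only the rule list references the rule */
    const char *fr_grp;  /* group the rule heads; NULL or "" if none */
};

/* Like fr_stinsert()/fr_addstate(): a new state entry takes a reference. */
void state_insert(struct frentry *f) { f->fr_ref++; }
/* A state entry expiring or being flushed drops its reference. */
void state_remove(struct frentry *f) { f->fr_ref--; }

/* The older frrequest() check quoted in the post. */
int remove_rule_old(struct frentry *f)
{
    if ((f->fr_ref > 1) && f->fr_grp && *(f->fr_grp))
        return EBUSY;
    f->fr_ref--;  /* rule leaves the list; a state entry may still point at it */
    return 0;
}

/* The 4.1.8 frrequest() check quoted in the post. */
int remove_rule_new(struct frentry *f)
{
    if (f->fr_ref > 1)
        return EBUSY;
    f->fr_ref--;
    return 0;
}

/* Scenario from the thread: a flow created state for the rule, then the rule
 * is removed with ipf -r. grp selects whether the rule heads a group. */
int remove_with_live_state(int (*remove_rule)(struct frentry *), const char *grp)
{
    struct frentry rule = { 1, grp };
    state_insert(&rule);
    return remove_rule(&rule);   /* 0 = removed, EBUSY = refused */
}

/* Same rule, but the state has gone away before the removal is attempted. */
int remove_after_state_gone(int (*remove_rule)(struct frentry *))
{
    struct frentry rule = { 1, NULL };
    state_insert(&rule);
    state_remove(&rule);
    return remove_rule(&rule);
}
```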