 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Cc:  "Manuel Kasper" <mk at neon1 dot net>
 Subject:  RE: [m0n0wall-dev] Captive Portal - rulesearch mechanism
 Date:  Tue, 28 Mar 2006 21:42:18 +0200
Trying to think of a 'good mechanism' to interactively find free fw
rule numbers, I started coding to make a "proof of concept".

This is the output of my testscript:

Array
(
    [0] => 09999  8409  886490 allow ip from any to any
    [1] => 10000 20300 3374066 allow ip from any to any
    [2] => 10005     0       0 skipto 50000 ip from any to 192.168.0.254 in
    [3] => 10005     0       0 skipto 50000 ip from 192.168.0.254 to any out
    [4] => 65535    37    3023 deny ip from any to any
)
Full FW rules: 
09999  8409  886490 allow ip from any to any
10000 20300 3374066 allow ip from any to any
10005     0       0 skipto 50000 ip from any to 192.168.0.254 in
10005     0       0 skipto 50000 ip from 192.168.0.254 to any out
65535    37    3023 deny ip from any to any
FW rulenos in use: 
Array
(
    [0] => 09999
    [1] => 10000
    [2] => 10005
    [3] => 10005
    [4] => 65535
)
Unique FW rulenos in use: 
Array
(
    [0] => 09999
    [1] => 10000
    [2] => 10005
    [4] => 65535
)
Unique Free FW rulenos: 
Array
(
    [1] => 10001
    [2] => 10002
    [3] => 10003
    [4] => 10004
    [6] => 10006
    [7] => 10007
    [8] => 10008
    [9] => 10009
    [10] => 10010
)
Going to use ruleno: 10001

----------------------------------------------------------------------
Now we add another firewall rule:

Array
(
    [0] => 09999  8643  906729 allow ip from any to any
    [1] => 10000 20300 3374066 allow ip from any to any
    [2] => 10001     0       0 skipto 50000 ip from 192.168.0.254 to any out
    [3] => 10005     0       0 skipto 50000 ip from any to 192.168.0.254 in
    [4] => 10005     0       0 skipto 50000 ip from 192.168.0.254 to any out
    [5] => 65535    37    3023 deny ip from any to any
)
Full FW rules: 
09999  8643  906729 allow ip from any to any
10000 20300 3374066 allow ip from any to any
10001     0       0 skipto 50000 ip from 192.168.0.254 to any out
10005     0       0 skipto 50000 ip from any to 192.168.0.254 in
10005     0       0 skipto 50000 ip from 192.168.0.254 to any out
65535    37    3023 deny ip from any to any
FW rulenos in use: 
Array
(
    [0] => 09999
    [1] => 10000
    [2] => 10001
    [3] => 10005
    [4] => 10005
    [5] => 65535
)
Unique FW rulenos in use: 
Array
(
    [0] => 09999
    [1] => 10000
    [2] => 10001
    [3] => 10005
    [5] => 65535
)
Unique Free FW rulenos: 
Array
(
    [2] => 10002
    [3] => 10003
    [4] => 10004
    [6] => 10006
    [7] => 10007
    [8] => 10008
    [9] => 10009
    [10] => 10010
)
Going to use ruleno: 10002

I think this is the best solution we can have, allowing fully dynamic
assignment of UNIQUE!!! rule numbers while still having the possibility
to add fw rules on the fly without rebooting. It also eliminates
possible user collisions. It acts as a pool (currently set to 9899
possible rulenos). If one is in use, it is removed from the free pool.

I will try to implement this tomorrow so maybe we could already have this
for the upcoming 1.22 release :))))

J.
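The rule-number search described in the post above, as an added example that is not the author's test script or m0n0wall code (written in Python rather than m0n0wall's PHP so it can be run standalone). It parses `ipfw show` style lines like the ones quoted in the post, builds the set of unique rule numbers in use, subtracts them from a pool, and picks the lowest free one; the pool bounds 10000..10010 are an assumption chosen only to reproduce the post's output, and an exhausted pool returns None instead of a bogus number.

```python
import re
from typing import Iterable, List, Optional, Set

# Sample `ipfw show` output, copied from the first run quoted in the post.
IPFW_SHOW_SAMPLE = """\
09999  8409  886490 allow ip from any to any
10000 20300 3374066 allow ip from any to any
10005     0       0 skipto 50000 ip from any to 192.168.0.254 in
10005     0       0 skipto 50000 ip from 192.168.0.254 to any out
65535    37    3023 deny ip from any to any
"""

# An `ipfw show` line starts with the rule number, then the packet and byte
# counters, then the rule body. Only the leading number matters here.
_RULE_LINE = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+")


def rulenos_in_use(ipfw_show_output: str) -> Set[int]:
    """Unique rule numbers present in `ipfw show` output.

    ipfw lets several rules share one number (10005 above covers both
    directions), so a set is the 'Unique FW rulenos in use' of the post.
    """
    used: Set[int] = set()
    for line in ipfw_show_output.splitlines():
        m = _RULE_LINE.match(line)
        if m:
            used.add(int(m.group(1)))  # int() drops the zero padding of 09999
    return used


def free_rulenos(used: Iterable[int], pool_start: int, pool_end: int) -> List[int]:
    """Ascending numbers in [pool_start, pool_end] that are not in use."""
    taken = set(used)
    return [n for n in range(pool_start, pool_end + 1) if n not in taken]


def next_free_ruleno(ipfw_show_output: str, pool_start: int = 10000,
                     pool_end: int = 10010) -> Optional[int]:
    """Lowest free rule number in the pool, or None when the pool is exhausted.

    The caller must serialise 'pick a number, then add the rule' (e.g. with a
    lock): two logins running this concurrently would otherwise pick the same
    number, which is exactly the collision the mechanism is meant to avoid.
    """
    free = free_rulenos(rulenos_in_use(ipfw_show_output), pool_start, pool_end)
    return free[0] if free else None


if __name__ == "__main__":
    print("Unique FW rulenos in use:", sorted(rulenos_in_use(IPFW_SHOW_SAMPLE)))
    print("Going to use ruleno:", next_free_ruleno(IPFW_SHOW_SAMPLE))
```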