
8. Documentation for Developers
reject: This variable contains the chain that is branched to when a packet is rejected.
After calling
get_count <chain>
the variable res contains the number of rules in the chain <chain>. This position matters
because you cannot simply use add_rule to append a rule at the end of the predefined
"filter" chains INPUT, FORWARD and OUTPUT: these chains are terminated by a default rule that
applies to all remaining packets and is derived from the PF_<chain>_POLICY variable. A rule
appended after this last rule is never reached and hence has no effect. get_count instead lets
you determine the position directly in front of this last rule and pass it to ins_rule as the
<position> parameter, so that the new rule lands at the end of the chain but still in front of
the default rule that catches all remaining packets.
The following excerpt from the script opt/etc/rc.d/rc390.dns_dhcp of the package "dns_dhcp"
illustrates this:
case $OPT_DHCPRELAY in
    yes)
        begin_script DHCRELAY "starting dhcprelay ..."
        idx=1
        interfaces=""
        # one rule per relay interface: DHCP client port 68 -> server port 67
        while [ $idx -le $DHCPRELAY_IF_N ]
        do
            eval iface='$DHCPRELAY_IF_'$idx
            # $res now holds the number of rules in INPUT, i.e. the position
            # of the final policy rule
            get_count INPUT
            # insert at position $res: directly in front of the policy rule
            ins_rule filter INPUT "prot:udp if:$iface:any 68 67 ACCEPT" \
                $res "dhcprelay access"
            interfaces=$interfaces' -i '$iface
            idx=`expr $idx + 1`
        done
        dhcrelay $interfaces $DHCPRELAY_SERVER
        end_script
        ;;
esac
In the middle of the loop you can see a call to get_count, followed by a call to ins_rule in
which, among other parameters, the variable res is passed as the position.
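To make the effect of the position concrete, here is an added, self-contained simulation that is
not part of fli4l: the functions chain_count, chain_insert and chain_eval are hypothetical
stand-ins for get_count, ins_rule and the kernel's first-match walk, and the chain content is
constructed, with PF_INPUT_POLICY assumed to be REJECT. It shows that an ACCEPT rule appended
after the catch-all policy rule never fires, while the same rule inserted at the position
get_count reports does.

```shell
#!/bin/sh
# Added example, not fli4l code. Simulates an INPUT chain that ends with the
# catch-all policy rule and compares "append after it" with "insert before it".

# Constructed chain: one rule per line, "<match> <target>", where <match> is
# "udp:<port>" or "any". The last line mirrors the rule fli4l derives from
# PF_INPUT_POLICY (assumed REJECT here).
CHAIN='udp:53 ACCEPT
any REJECT'

# Number of rules in a chain (stand-in for the value get_count leaves in $res).
chain_count() {
    printf '%s\n' "$1" | grep -c .
}

# Insert rule $2 at 1-based position $3 into chain $1 (stand-in for ins_rule);
# a position past the end appends, like add_rule would.
chain_insert() {
    printf '%s\n' "$1" | awk -v r="$2" -v p="$3" \
        'NR == p { print r } { print } END { if (NR < p) print r }'
}

# First-match walk: print the target of the first rule that matches packet $2.
chain_eval() {
    printf '%s\n' "$1" | while read -r m t; do
        if [ "$m" = any ] || [ "$m" = "$2" ]; then
            printf '%s\n' "$t"
            break
        fi
    done
}

n=$(chain_count "$CHAIN")                                   # 2

# Wrong: append the DHCP rule after the policy rule (position n+1).
APPENDED=$(chain_insert "$CHAIN" "udp:67 ACCEPT" $((n + 1)))
# Right: insert at position n, directly in front of the policy rule.
INSERTED=$(chain_insert "$CHAIN" "udp:67 ACCEPT" "$n")

echo "appended: $(chain_eval "$APPENDED" udp:67)"            # REJECT
echo "inserted: $(chain_eval "$INSERTED" udp:67)"            # ACCEPT
```

The appended rule is shadowed by the "any REJECT" line above it, which is exactly the
situation add_rule would produce on INPUT; only the insert at position $res is ever reached.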
8.5.3. Extending The Packet Filter Tests
fli4l uses the syntax match:params in packet filter rules to add further conditions for packet
matching (see mac:, limit:, length:, prot:, . . . ). To add your own tests, proceed as
follows:
1. Create a file opt/etc/rc.d/fwrules-<name>.ext. Its content looks something like
this: