From fc7c441d693f85bdec821b709bcc26dacf4e34a2 Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Thu, 16 May 2024 14:39:09 +0000
Subject: [PATCH 1/2] reverted to only allow interfaces with indexes below 256 to participate in per-interface-rules due to memory requirements
---
 CHANGELOG.md | 7 +++++++
 src/zfw.c | 10 ++++++----
 src/zfw_tc_ingress.c | 10 +---------
 3 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eac5467..2d12ac5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ---
+# [0.6.2] - 2024-05-16
+
+###
+
+- Reverted to only support per-interface rules if an interface ifindex is < 255. This was done to
+ reduce per rule memory load which can greatly increase memory requirements when dealing with 1000s or rules.
+
 # [0.6.1] - 2024-05-14 ###
diff --git a/src/zfw.c b/src/zfw.c
index 1ee309d..c3d5c7e 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -170,10 +170,10 @@ char *service_string;
 char *log_file_name;
 char *object_file;
 char *direction_string;
-const char *argp_program_version = "0.6.1";
+const char *argp_program_version = "0.6.2";
 struct ring_buffer *ring_buffer;
-__u32 if_list[MAX_IF_LIST_ENTRIES];
+__u8 if_list[MAX_IF_LIST_ENTRIES];
 struct interface
 {
 uint32_t index;
@@ -251,7 +251,7 @@ struct tproxy_port_mapping
 __u16 low_port;
 __u16 high_port;
 __u16 tproxy_port;
- __u32 if_list[MAX_IF_LIST_ENTRIES];
+ __u8 if_list[MAX_IF_LIST_ENTRIES];
 char service_id[23];
 };
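Review bot: The `__u8 if_list[MAX_IF_LIST_ENTRIES]` change to `struct tproxy_port_mapping` in the @@ -251 hunk has to be mirrored by hand in the second copy of the struct in src/zfw_tc_ingress.c (the @@ -71 hunk of this patch), and nothing here ties the new element width to MAX_IF_ENTRIES, the bound parse_opt now checks before storing an index. Keeping one definition in a header shared by the loader and the BPF program would stop the two copies drifting; short of that, pin the width next to the definition, e.g. `_Static_assert(MAX_IF_ENTRIES - 1 <= UINT8_MAX, "ifindex must fit in the __u8 if_list");` if MAX_IF_ENTRIES is a constant expression. The file-scope `__u8 if_list` in the @@ -170 hunk carries the same assumption. Both structs presumably describe the same map value, so a layout mismatch would only surface when a map update fails or reads the wrong bytes.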
@@ -3117,9 +3117,11 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state)
 }
 if (ifcount < MAX_IF_LIST_ENTRIES)
 {
- if ((idx > 0) && (idx < UINT32_MAX))
+ if ((idx > 0) && (idx < MAX_IF_ENTRIES))
 {
 if_list[ifcount] = idx;
+ }else{
+ printf("A rule can be assigned to interfaces with ifindex 1 - %d\n", MAX_IF_ENTRIES-1);
 }
 }
 else
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
index e7a48ba..9429d03 100644
--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
@@ -71,7 +71,7 @@ struct tproxy_port_mapping {
 __u16 low_port;
 __u16 high_port;
 __u16 tproxy_port;
- __u32 if_list[MAX_IF_LIST_ENTRIES];
+ __u8 if_list[MAX_IF_LIST_ENTRIES];
 char service_id[23];
 };
@@ -237,14 +237,6 @@ struct {
 __uint(map_flags, BPF_F_NO_PREALLOC);
 } zet_transp_map SEC(".maps");
-/*struct {
- __uint(type, BPF_MAP_TYPE_ARRAY);
- __uint(key_size, sizeof(uint32_t));
- __uint(value_size,sizeof(uint32_t));
- __uint(max_entries, 1);
- __uint(pinning, LIBBPF_PIN_BY_NAME);
-} syn_count_map SEC(".maps");*/
-
 struct {
 __uint(type, BPF_MAP_TYPE_HASH);
 __uint(key_size, sizeof(uint32_t));
From 6504ba636ad071063ced683539b252dbe02e1cbc Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Thu, 16 May 2024 16:51:01 +0000
Subject: [PATCH 2/2] Reverted service_id logging due to large memory requirements
---
 CHANGELOG.md | 1 +
 README.md | 52 ++++++++++++++++++------------------
 src/zfw.c | 57 +++++++++-------------------------------
 src/zfw_tc_ingress.c | 3 +--
 src/zfw_tunnel_wrapper.c | 17 +++++-------
 5 files changed, 47 insertions(+), 83 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2d12ac5..014257d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
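Review bot: The new `else` branch prints and then falls through, so an ifindex outside `1 - MAX_IF_ENTRIES-1` is silently left out of the rule while the rest of the command proceeds; an invalid argument should be a hard error as on the other invalid-argument paths in this parser, e.g. `fprintf(stderr, "A rule can be assigned to interfaces with ifindex 1 - %d\n", MAX_IF_ENTRIES-1); exit(1);`. Rejecting it matters because the store on the previous line now narrows `idx` into a `__u8`, so this check is the only thing standing between an oversized index and silent truncation. If an empty interface list means "every interface" (the README rows print `[]` for such rules), the silent drop also makes the rule broader than the operator asked for. parse_opt begins and ends outside this hunk.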
@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file. The format - Reverted to only support per-interface rules if an interface ifindex is < 255. This was done to reduce per rule memory load which can greatly increase memory requirements when dealing with 1000s or rules. +- Reverted addition of service_id as well since it also greatly increased memory requirements # [0.6.1] - 2024-05-14 diff --git a/README.md b/README.md index 3f89b1d..c5274b2 100644 --- a/README.md +++ b/README.md @@ -111,10 +111,10 @@ If running: ``` Assuming you are using the default address range for ziti-edge-tunnel should see output like: -service id proto origin destination mapping: interface list ----------------------- ----- --------------- ------------------ --------------------------------------------------------- ---------------- -0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] -0000000000000000000000 udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] +target proto origin destination mapping: interface list +-------- ----- ----------------- ------------------ ------------------------------------------------------- ----------------- +TUNMODE tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] +TUNMODE udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] ``` Verify running: (zfw-router) @@ -125,8 +125,8 @@ If running: ``` Assuming no services configured yet: -service id proto origin destination mapping: interface list ----------------------- ----- --------------- ------------------ --------------------------------------------------------- ---------------- +target proto origin destination mapping: interface list +-------- ----- ----------------- ------------------ ------------------------------------------------------- ----------------- Rule Count: 0 prefix_tuple_count: 0 / 100000 
@@ -367,19 +367,19 @@ Example: List all rules in Firewall sudo zfw -L ``` ``` -service id proto origin destination mapping: interface list ----------------------- ----- --------------- ------------------ --------------------------------------------------------- ---------------- -5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 10.0.0.16/28 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [ens33,lo] -5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 10.0.0.16/28 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 [] -0000000000000000000000 udp 0.0.0.0/0 172.20.1.0/24 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 [] -5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 172.16.1.0/24 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [] -5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 172.16.1.0/24 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 [] -0000000000000000000000 udp 0.0.0.0/0 192.168.3.0/24 dpts=5:7 PASSTHRU to 192.168.3.0/24 [] -0000000000000000000000 udp 10.1.1.1/32 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 [] -0000000000000000000000 tcp 10.230.40.1/32 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 [] -FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 192.168.0.3/32 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 [] -0000000000000000000000 tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 [] -FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] +target proto origin destination mapping: interface list +------ ----- --------------- ------------------ --------------------------------------------------------- ---------------- +TPROXY tcp 0.0.0.0/0 10.0.0.16/28 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [ens33,lo] +TPROXY tcp 0.0.0.0/0 10.0.0.16/28 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 [] +TPROXY udp 0.0.0.0/0 172.20.1.0/24 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 [] +TPROXY tcp 0.0.0.0/0 172.16.1.0/24 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [] +TPROXY tcp 0.0.0.0/0 172.16.1.0/24 dpts=30000:40000 TPROXY 
redirect 127.0.0.1:33381 [] +PASSTHRU udp 0.0.0.0/0 192.168.3.0/24 dpts=5:7 PASSTHRU to 192.168.3.0/24 [] +PASSTHRU udp 10.1.1.1/32 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 [] +PASSTHRU tcp 10.230.40.1/32 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 [] +TPROXY udp 0.0.0.0/0 192.168.0.3/32 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 [] +PASSTHRU tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 [] +TUNMODE udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] ``` - Example: List rules in firewall for a given prefix and protocol. If source specific you must include the o @@ -389,9 +389,9 @@ FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 100.64.0.0/10 d sudo zfw -L -c 192.168.100.100 -m 32 -p udp ``` ``` -service id proto origin destination mapping: interface list ----------- ----- -------- ------------------ --------------------------------------------------------- ------------------ -0000000000000000000000 udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 [] +target proto origin destination mapping: interface list +------ ----- -------- ------------------ --------------------------------------------------------- ------------------ +PASSTHRU udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 [] ``` - Example: List rules in firewall for a given prefix 
@@ -400,10 +400,10 @@ Usage: zfw -L -c -m -p
 sudo zfw -L -c 192.168.100.100 -m 32
 ```
 ```
-service id proto origin destination mapping: interface list
----------- ----- -------- ------------------ --------------------------------------------------------- ------------------
-0000000000000000000000 udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
-0000000000000000000000 tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
+target proto origin destination mapping: interface list
+------ ----- -------- ------------------ --------------------------------------------------------- -------------------
+PASSTHRU udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
+PASSTHRU tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
 ```
 - Example: List all interface settings
diff --git a/src/zfw.c b/src/zfw.c
index c3d5c7e..e41da20 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -100,7 +100,6 @@ bool interface = false;
 bool disable = false;
 bool all_interface = false;
 bool ssh_disable = false;
-bool service = false;
 bool tc = false;
 bool tcfilter = false;
 bool direction = false;
@@ -166,7 +165,6 @@ char *vrrp_interface;
 char *ddos_interface;
 char *monitor_interface;
 char *tc_interface;
-char *service_string;
 char *log_file_name;
 char *object_file;
 char *direction_string;
@@ -252,7 +250,6 @@ struct tproxy_port_mapping
 __u16 high_port;
 __u16 tproxy_port;
 __u8 if_list[MAX_IF_LIST_ENTRIES];
- char service_id[23];
 };
 struct tproxy_tuple
@@ -671,14 +668,14 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
 bool entry_exists = false;
 if (tun_mode && ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 65535)
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", "TUNMODE", proto, scidr_block, dcidr_block,
 dpts, o_tunif.ifname);
 entry_exists = true;
 *rule_count += 1;
 }
 else if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) > 0)
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", "TPROXY", proto, scidr_block, dcidr_block,
 dpts, ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port));
 entry_exists = true;
 *rule_count += 1;
@@ -712,7 +709,7 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
 {
 if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 0)
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", "PASSTHRU", proto, scidr_block, dcidr_block,
 dpts, "PASSTHRU", dcidr_block);
 char interfaces[IF_NAMESIZE * MAX_IF_LIST_ENTRIES + 8] = "";
 for (int i = 0; i < MAX_IF_LIST_ENTRIES; i++)
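Review bot: The first column now prints a fixed literal (`"TUNMODE"`, `"TPROXY"`, `"PASSTHRU"`) that restates what the mapping column of the same row already says, and the PASSTHRU case passes the same string to one printf twice, once for `%-11s` and again for `%s to`. The rows also keep `%-11s` for this column while the header rows in map_list/map_list_all use `%-8s`, so the two widths disagree; picking one width (for example `%-8s` here as well) keeps header and rows in step. The same three printfs appear again in the @@ -745 hunk. print_rule begins and ends outside these hunks.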
@@ -745,17 +742,17 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
 {
 if (tun_mode && ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 65535)
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", "TUNMODE", proto, scidr_block, dcidr_block,
 dpts, o_tunif.ifname);
 }
 else if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) > 0)
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", "TPROXY", proto, scidr_block, dcidr_block,
 dpts, ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port));
 }
 else
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", "PASSTHRU", proto, scidr_block, dcidr_block,
 dpts, "PASSTHRU", dcidr_block);
 }
 char interfaces[IF_NAMESIZE * MAX_IF_LIST_ENTRIES + 8] = "";
@@ -2308,17 +2305,6 @@ void map_insert()
 port_mapping->if_list[x] = if_list[x];
 }
 }
- /*if(service){
- sprintf(port_mapping->service_id, "%s", service_string);
- }else{
- sprintf(port_mapping->service_id, "%s", "0000000000000000000000");
- }*/
- char *sid = "0000000000000000000000";
- if(service){
- memcpy(port_mapping->service_id, service_string, strlen(service_string) + 1);
- }else{
- memcpy(port_mapping->service_id, sid, strlen(sid) + 1);
- }
 /*
 * Check result of lookup if not 0 then create a new entry
 * else edit an existing entry
@@ -2769,8 +2755,8 @@ void map_list()
 map.key = (uint64_t)&key;
 map.value = (uint64_t)&orule;
 int lookup = 0;
- printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list");
- printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
+ printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list");
+ printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
 int rule_count = 0;
 if (prot)
 {
@@ -2797,8 +2783,8 @@ void map_list()
 printf("Rule Count: %d\n", rule_count);
 if (x == 0)
 {
- printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list");
- printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
+ printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list");
+ printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
 }
 }
 }
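Review bot: The two header printf lines are now repeated verbatim three times — here, in the @@ -2797 hunk of map_list, and in map_list_all (@@ -2987) — and this commit had to edit every copy in step. A `static void print_rule_header(void)` holding the pair, called from each site, would leave one place to change when the column layout moves again, as it has in both of these patches. map_list begins and ends outside this hunk.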
@@ -2987,8 +2973,8 @@ void map_list_all()
 map.value = (uint64_t)&orule;
 int lookup = 0;
 int ret = 0;
- printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list");
- printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
+ printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list");
+ printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
 int rule_count = 0;
 while (true)
 {
@@ -3044,7 +3030,6 @@ static struct argp_option options[] = {
 {"oprefix-len", 'n', "", 0, "Set origin prefix length (1-32) ", 0},
 {"ocidr-block", 'o', "", 0, "Set origin ip prefix i.e. 192.168.1.0 ", 0},
 {"protocol", 'p', "", 0, "Set protocol (tcp or udp) ", 0},
- {"service-id", 's', "", 0, "set ziti service id", 0},
 {"route", 'r', NULL, 0, "Add or Delete static ip/prefix for intercept dest to lo interface ", 0},
 {"tproxy-port", 't', "", 0, "Set high-port value (0-65535)> ", 0},
 {"verbose", 'v', "", 0, "Enable verbose tracing on interface", 0},
@@ -3362,20 +3347,6 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state)
 case 'r':
 route = true;
 break;
- case 's':
- if (!strlen(arg))
- {
- fprintf(stderr, "service id required as arg to -s, --service-id: %s\n", arg);
- fprintf(stderr, "%s --help for more info\n", program_name);
- exit(1);
- }
- if(strlen(arg) > 22){
- printf("Invalid service ID: ID too long\n");
- exit(1);
- }
- service = true;
- service_string = arg;
- break;
 case 't':
 tproxy_port = port2s(arg);
 tpt = true;
@@ -3640,10 +3611,6 @@ int main(int argc, char **argv)
 signal(SIGTERM, INThandler);
 argp_parse(&argp, argc, argv, 0, 0, 0);
- if(service && (!add && !delete)){
- usage("-s, --service-id requires -I, --insert or -D, --delete");
- }
-
 if (tcfilter && !object && !disable)
 {
 usage("-X, --set-tc-filter requires -O, --object-file for add operation");
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
index 9429d03..adde0a8 100644
--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
@@ -71,8 +71,7 @@ struct tproxy_port_mapping {
 __u16 low_port;
 __u16 high_port;
 __u16 tproxy_port;
- __u8 if_list[MAX_IF_LIST_ENTRIES];
- char service_id[23];
+ __u8 if_list[MAX_IF_LIST_ENTRIES];
 };
 struct tproxy_tuple {
diff --git a/src/zfw_tunnel_wrapper.c b/src/zfw_tunnel_wrapper.c
index 18797a6..d802266 100644
--- a/src/zfw_tunnel_wrapper.c
+++ b/src/zfw_tunnel_wrapper.c
@@ -58,7 +58,7 @@ typedef unsigned char byte;
 void close_maps(int code);
 void open_transp_map();
 void open_tun_map();
-void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *service_id, char *action);
+void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *action);
 void unbind_route_loopback(struct in_addr *address, unsigned short mask);
 void INThandler(int sig);
 void map_delete_key(char *service_id);
@@ -358,7 +358,7 @@ void string2Byte(char* string, byte* bytes)
 }
 }
-void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *service_id, char *action){
+void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *action){
 if (access("/usr/sbin/zfw", F_OK) != 0)
 {
 printf("ebpf not running: Cannot find /usr/sbin/zfw\n");
@@ -366,8 +366,8 @@ void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *proto
 }
 pid_t pid;
 //("%s, %s\n", action ,rules_temp->parmList[3]);
- char *const parmList[17] = {"/usr/sbin/zfw", action, "-c", ip, "-m", mask, "-l",
- lowport, "-h", highport, "-t", "65535", "-p", protocol, "-s", service_id, NULL};
+ char *const parmList[15] = {"/usr/sbin/zfw", action, "-c", ip, "-m", mask, "-l",
+ lowport, "-h", highport, "-t", "65535", "-p", protocol, NULL};
 if ((pid = fork()) == -1){
 perror("fork error: can't spawn bind");
 }else if (pid == 0) {
@@ -491,9 +491,6 @@ int process_bind(json_object *jobj, char *action)
 }
 int process_dial(json_object *jobj, char *action){
- struct json_object *service_id_obj = json_object_object_get(jobj, "Id");
- char service_id[strlen(json_object_get_string(service_id_obj)) + 1];
- sprintf(service_id, "%s", json_object_get_string(service_id_obj));
 struct json_object *addresses_obj = json_object_object_get(jobj, "Addresses");
 if(addresses_obj)
 {
@@ -590,7 +587,7 @@ int process_dial(json_object *jobj, char *action){
 }
 }
 }
- zfw_update(ip, mask, lowport, highport, protocol, service_id, action);
+ zfw_update(ip, mask, lowport, highport, protocol, action);
 }
 }
 }
@@ -748,8 +745,8 @@ int run(){
 if((sizeof(o_tunif.cidr) > 0) && (sizeof(o_tunif.mask) >0)){
 sprintf(tunip_string, "%s" , o_tunif.cidr);
 sprintf(tunip_mask_string, "%s", o_tunif.mask);
- zfw_update(tunip_string, tunip_mask_string, "1", "65535", "tcp", "0000000000000000000000", "-I");
- zfw_update(tunip_string, tunip_mask_string, "1", "65535", "udp", "0000000000000000000000", "-I");
+ zfw_update(tunip_string, tunip_mask_string, "1", "65535", "tcp", "-I");
+ zfw_update(tunip_string, tunip_mask_string, "1", "65535", "udp", "-I");
 tun_ifname = o_tunif.ifname;
 }
 }
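Review bot: `char *const parmList[15]` hard-codes the element count, which this commit had to change from 17 by hand; letting the compiler size it, `char *const parmList[] = {"/usr/sbin/zfw", action, "-c", ip, "-m", mask, "-l", lowport, "-h", highport, "-t", "65535", "-p", protocol, NULL};`, removes the case where a count one short drops the terminating `NULL` (GCC only warns about excess initializers) and the argument list handed to the child process is left unterminated. Passing the values as a separate argv rather than through a shell is the right shape for strings that arrive from JSON, so that part needs no change. The fork/child path that consumes parmList continues outside the hunk.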
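Review bot: The guard the two rewritten `zfw_update` calls sit under, `if((sizeof(o_tunif.cidr) > 0) && (sizeof(o_tunif.mask) >0))`, compares the storage size of the two fields, which is a compile-time constant and never zero, so the tun rules are inserted unconditionally even when no prefix has been filled in. If the intent is to skip empty strings it needs `if ((strlen(o_tunif.cidr) > 0) && (strlen(o_tunif.mask) > 0)) {`, or whichever flag marks the tunnel as configured. This predates the commit; it is raised here because the lines being rewritten are the ones it guards. run begins and ends outside this hunk.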