Date:      Tue, 13 Feb 2001 06:12:37 -0800 (PST)
From:      Poul-Henning Kamp <phk@FreeBSD.org>
To:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/netinet ip_fw.c ip_fw.h src/sbin/ipfw ipfw.8 ipfw.c
Message-ID:  <200102131412.f1DECdZ12064@freefall.freebsd.org>

phk         2001/02/13 06:12:37 PST

  Modified files:
    sys/netinet          ip_fw.c ip_fw.h 
    sbin/ipfw            ipfw.8 ipfw.c 
  Log:
  Introduce a new feature in IPFW:  Check if the source or destination
  address is configured on an interface.  This is useful for routers with
  dynamic interfaces.  It is now possible to say:
  
          0100 allow       tcp from any to any established
          0200 skipto 1000 tcp from any to any
          0300 allow       ip from any to any
          1000 allow       tcp from 1.2.3.4 to me 22
          1010 deny        tcp from any to me 22
          1020 allow       tcp from any to any
  
  and not have to worry about the behaviour if dynamic interfaces configure
  new IP numbers later on.
  
  The check is semi expensive (traverses the interface address list)
  so it should be protected as in the above example if high performance
  is a requirement.
  
  Revision  Changes    Path
  1.158     +13 -1     src/sys/netinet/ip_fw.c
  1.57      +5 -2      src/sys/netinet/ip_fw.h
  1.78      +15 -1     src/sbin/ipfw/ipfw.8
  1.99      +60 -41    src/sbin/ipfw/ipfw.c
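
The behaviour the log message describes, as an added example that is not part of the commit or of FreeBSD's ip_fw.c: a simplified C model of first-match evaluation over the rule set above, in which `me` is resolved against a mutable address list at match time and every list walk is counted. The address list, the addresses 192.0.2.1, 10.0.0.5 and 198.51.100.7, the struct layout and the order of the match tests are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified model of first-match evaluation; not FreeBSD's ip_fw.c. */
enum act { ALLOW, DENY, SKIPTO };
enum proto { ANY, TCP, UDP };
struct pkt { enum proto proto; uint32_t src, dst; uint16_t dport; bool estab; };
struct rule { int num; enum act act; int target; enum proto proto;
              uint32_t src; bool dst_me; uint16_t dport; bool estab; };
#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (b) << 16 | (c) << 8 | (d))
/* Constructed stand-in for the interface address list; it can grow at run time. */
static uint32_t if_addrs[8] = { IP(192, 0, 2, 1) };
static unsigned if_count = 1, me_checks;   /* me_checks counts list walks */
static bool addr_is_me(uint32_t a) {
    me_checks++;
    for (unsigned i = 0; i < if_count; i++)
        if (if_addrs[i] == a) return true;
    return false;
}
/* The rule set from the commit message (0 means "any"). */
static const struct rule rules[] = {
    {  100, ALLOW,  0,    TCP, 0,              false, 0,  true  },
    {  200, SKIPTO, 1000, TCP, 0,              false, 0,  false },
    {  300, ALLOW,  0,    ANY, 0,              false, 0,  false },
    { 1000, ALLOW,  0,    TCP, IP(1, 2, 3, 4), true,  22, false },
    { 1010, DENY,   0,    TCP, 0,              true,  22, false },
    { 1020, ALLOW,  0,    TCP, 0,              false, 0,  false },
};
/* Returns the deciding rule number, negated for deny; 0 if nothing matched. */
static int evaluate(const struct pkt *p) {
    int min = 0;   /* raised by skipto */
    for (unsigned i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if (r->num < min || (r->proto != ANY && r->proto != p->proto)) continue;
        if ((r->estab && !p->estab) || (r->src && r->src != p->src)) continue;
        if (r->dport && r->dport != p->dport) continue;
        if (r->dst_me && !addr_is_me(p->dst)) continue;   /* costly test last */
        if (r->act == SKIPTO) { min = r->target; continue; }
        return r->act == ALLOW ? r->num : -r->num;
    }
    return 0;
}

int main(void) {
    struct pkt ssh = { TCP, IP(198, 51, 100, 7), IP(10, 0, 0, 5), 22, false };
    int before = evaluate(&ssh);              /* 10.0.0.5 is not ours yet */
    if_addrs[if_count++] = IP(10, 0, 0, 5);   /* dynamic interface comes up */
    printf("before: %d  after: %d\n", before, evaluate(&ssh));
}
```

Established TCP traffic is accepted at rule 100 without a list walk, and the same port 22 packet moves from rule 1020 to rule 1010 once its destination address appears in the list, with no change to the rules.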


