Date:      Tue, 13 Feb 2001 15:14:36 +0100
From:      Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_fw.c ip_fw.h src/sbin/ipfw ipfw.8 ipfw.c 
Message-ID:  <51205.982073676@critter>
In-Reply-To: Your message of "Tue, 13 Feb 2001 06:12:37 PST." <200102131412.f1DECdZ12064@freefall.freebsd.org> 

In message <200102131412.f1DECdZ12064@freefall.freebsd.org>, Poul-Henning Kamp 
writes:
>phk         2001/02/13 06:12:37 PST
>
>  Modified files:
>    sys/netinet          ip_fw.c ip_fw.h 
>    sbin/ipfw            ipfw.8 ipfw.c 
>  Log:
>  Introduce a new feature in IPFW:  Check if the source or destination
>  address is configured on an interface.  This is useful for routers with
>  dynamic interfaces.  It is now possible to say:
>  
>          0100 allow       tcp from any to any established
>          0200 skipto 1000 tcp from any to any
>          0300 allow       ip from any to any
>          1000 allow       tcp from 1.2.3.4 to me 22
>          1010 deny        tcp from any to me 22
>          1020 allow       tcp from any to any
>  
>  and not have to worry about the behaviour if dynamic interfaces configure
>  new IP numbers later on.
>  
>  The check is semi expensive (traverses the interface address list)
>  so it should be protected as in the above example if high performance
>  is a requirement.

It would be more elegant to have multiple lists of ipfw rules:
        One input list per interface
        One output list per interface
        One list for packets being forwarded
        One list for packets arriving locally
        One list for packets originating locally

And it would be trivial to implement this in a backwards compatible
fashion, but I guess that is bikeshed coloring material so I'll
just leave that thought to fester here in case anyone feels like
looking at it....

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
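The ruleset quoted in the commit log, run through a toy evaluator to show two things the log states: an established TCP segment is accepted at rule 0100 without ever reaching the "me" lookup, and an address configured later on a dynamic interface is covered by rules 1000/1010 with no change to the ruleset. This is an added example, not code from the commit, from FreeBSD or from the mailing-list thread; the Packet class, the tuple layout of RULESET, the Firewall class and its local_addrs set (standing in for the kernel's interface address list) are assumptions of this example, and the matching logic is a simplification of ipfw's.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                   # "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False    # stands in for ipfw's "established" (ACK or RST set)

# The ruleset from the commit log, as tuples (layout assumed by this example):
# (number, action, proto, src, dst, dport, established-only); "skipto" carries its target.
RULESET = [
    (100,  ("allow",),       "tcp", "any",     "any", None, True),
    (200,  ("skipto", 1000), "tcp", "any",     "any", None, False),
    (300,  ("allow",),       "ip",  "any",     "any", None, False),
    (1000, ("allow",),       "tcp", "1.2.3.4", "me",  22,   False),
    (1010, ("deny",),        "tcp", "any",     "me",  22,   False),
    (1020, ("allow",),       "tcp", "any",     "any", None, False),
]

class Firewall:
    def __init__(self, local_addrs):
        self.local_addrs = set(local_addrs)  # addresses currently configured on interfaces
        self.me_lookups = 0                  # how often "me" walked that list

    def _addr_match(self, spec, addr):
        if spec == "any":
            return True
        if spec == "me":                     # the semi-expensive check from the commit log
            self.me_lookups += 1
            return addr in self.local_addrs
        return spec == addr

    def check(self, pkt):
        # Return (rule number, action) of the first matching rule, honouring skipto.
        i = 0
        while i < len(RULESET):
            num, action, proto, src, dst, dport, est = RULESET[i]
            if (proto in ("ip", pkt.proto)
                    and self._addr_match(src, pkt.src)
                    and self._addr_match(dst, pkt.dst)
                    and (dport is None or dport == pkt.dport)
                    and (not est or pkt.established)):
                if action[0] == "skipto":
                    i = next((k for k, r in enumerate(RULESET) if r[0] >= action[1]), len(RULESET))
                    continue
                return num, action[0]
            i += 1
        return 65535, "deny"                 # ipfw's implicit default rule
```

Adding an address to local_addrs at runtime mimics a dynamic interface coming up; a SYN to port 22 on that new address is then denied by rule 1010 without touching the ruleset.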

