Date: Tue, 23 Jul 2002 20:28:49 -0700
From: Luigi Rizzo
To: stable@freebsd.org
Subject: HEADS-UP ipfw now in -stable (as an optional replacement of the old ipfw)
Message-ID: <20020723202849.A82296@iguana.icir.org>

FYI.... (please read the commit log below before complaining).

	cheers
	luigi

----- Forwarded message from Luigi Rizzo -----

Date: Tue, 23 Jul 2002 20:21:24 -0700 (PDT)
From: Luigi Rizzo
Subject: cvs commit: src/sys/netinet ip_fw2.c ip_fw2.h src/sys/conf files options src/sbin/ipfw Makefile ipfw2.c src/lib/libalias Makefile alias_db.c
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG

luigi       2002/07/23 20:21:24 PDT

  Modified files:        (Branch: RELENG_4)
    sys/conf             options files
    sbin/ipfw            Makefile
    lib/libalias         Makefile alias_db.c
  Added files:           (Branch: RELENG_4)
    sys/netinet          ip_fw2.h ip_fw2.c
    sbin/ipfw            ipfw2.c
  Log:
  Bring ipfw2 into the -stable tree. This will give more people a chance
  to test it, and hopefully accelerate the transition from the old to the
  new ipfw code.

  NOTE: THIS COMMIT WILL NOT CHANGE THE FIREWALL YOU USE,
  NOR A SINGLE BIT IN YOUR KERNEL AND BINARIES.
  YOU WILL KEEP USING YOUR OLD "ipfw" UNLESS YOU:

    + add "options IPFW2" (undocumented) to your kernel config file;

    + compile and install sbin/ipfw and lib/libalias with
          make -DIPFW2

  in other words, you must really want it.

  On the other hand, I believe you do really want to use this new code.
  In addition to being twice as fast in processing individual rules,
  you can use more powerful match patterns such as

    ... ip from 1.2.3.0/24{50,6,27,158} to ...
    ... ip from { 1.2.3.4/26 or 5.6.7.8/22 } to ...
    ... ip from any 5-7,9-66,1020-3000,4000-5000 to ...

  i.e. match sparse sets of IP addresses in constant time; use "or"
  connectives between match patterns; have multiple port ranges; etc.
  which I believe will dramatically reduce your ruleset size.

  As an additional bonus, "keep-state" rules will now send keepalives
  when the rule is about to expire, so you will not have your remote
  login sessions die while you are idle.

  The syntax is backward compatible with the old ipfw.
  A manual page documenting the extensions has yet to be completed.

  Revision     Changes      Path
  1.13.2.5     +4 -1        src/lib/libalias/Makefile
  1.21.2.14    +151 -36     src/lib/libalias/alias_db.c
  1.6.6.3      +5 -1        src/sbin/ipfw/Makefile
  1.4.2.1      +3166 -0     src/sbin/ipfw/ipfw2.c (new)
  1.340.2.107  +1 -0        src/sys/conf/files
  1.191.2.41   +1 -0        src/sys/conf/options
  1.6.2.1      +2622 -0     src/sys/netinet/ip_fw2.c (new)
  1.1.2.1      +404 -0      src/sys/netinet/ip_fw2.h (new)

----- End forwarded message -----
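
The sparse address-set pattern `1.2.3.0/24{50,6,27,158}` quoted in the commit log can be matched in constant time with a per-host bitmap, so a firewall rule costs the same whether the set lists four hosts or two hundred. The C code below is an added example, not code from ip_fw2.c or ipfw2.c; the struct, macro and function names are hypothetical, and it assumes prefix lengths 24 to 32 so that a set fits in a 256-bit map.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Hypothetical layout for this example: a network plus one bit per host. */
struct addr_set {
    uint32_t base, mask;   /* network address and netmask, host byte order */
    uint32_t bits[8];      /* 256-bit map: bit N set => base + N is a member */
};

/* Parse "a.b.c.d/len{n,n,...}" with len 24..32; returns 0 on success, -1 on bad input. */
int addr_set_parse(const char *spec, struct addr_set *set)
{
    unsigned a, b, c, d, len;
    int used = 0;          /* stays 0 if the '{' after the prefix length is missing */
    char *end;
    memset(set, 0, sizeof(*set));
    if (sscanf(spec, "%u.%u.%u.%u/%u{%n", &a, &b, &c, &d, &len, &used) != 5 ||
        used == 0 || a > 255 || b > 255 || c > 255 || d > 255 || len < 24 || len > 32)
        return -1;
    set->mask = ~(uint32_t)0 << (32 - len);
    set->base = IP(a, b, c, d) & set->mask;
    for (const char *p = spec + used;; p = end + 1) {
        unsigned long host = strtoul(p, &end, 10);
        if (end == p || host > (uint32_t)~set->mask)   /* empty or outside the prefix */
            return -1;
        set->bits[host / 32] |= (uint32_t)1 << (host % 32);
        if (*end != ',')   /* the list must end with '}' and nothing may follow it */
            return (end[0] == '}' && end[1] == '\0') ? 0 : -1;
    }
}

/* Constant-time membership test: one masked compare plus one bit lookup. */
int addr_set_match(const struct addr_set *set, uint32_t addr)
{
    uint32_t host = addr & ~set->mask;
    return (addr & set->mask) == set->base && ((set->bits[host / 32] >> (host % 32)) & 1);
}

int main(void)
{
    struct addr_set s;     /* constructed input: the pattern quoted in the commit log */
    if (addr_set_parse("1.2.3.0/24{50,6,27,158}", &s) == 0)
        printf("%d %d\n", addr_set_match(&s, IP(1, 2, 3, 27)), addr_set_match(&s, IP(1, 2, 3, 28)));
    return 0;
}
```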