From owner-freebsd-ipfw@freebsd.org Tue Aug 2 08:08:17 2016
To: ipfw mailing list
From: Julian Elischer
Subject: your thoughts on a particular ipfw action.
Message-ID: <7f573fc4-2820-ebd3-7b15-d8a1cd023372@freebsd.org>
Date: Tue, 2 Aug 2016 16:08:06 +0800
List-Id: IPFW Technical Discussions

Looking for thoughts from people who know the new IPFW features well...

A recent addition to our armory is the geoip program that, given an address, can tell you what country it is in and, given a country code, can give an ipfw table that describes all the IP addresses in that country.

So I was thinking how to use this, and the obvious way would be to have a set of rules for each country, and use the "skipto tablearg" facility to skip to the right rules for each country. But the trouble is that a tablearg skipto is very inefficient. It's also a hard thing to set up with a set of rules for each country (how many countries are there in the internet allocation system?).

Another way would be to just put 'action numbers' in the tablearg field and have a few actions, shared by countries, but the trouble comes when you want to change the action for a country: you need to rewrite potentially thousands of entries (USA has over 15800 allocations).

A second way would be to somehow map the tablearg of the country into a table of actions, effectively doing two levels of lookup. The first table converting IP addresses to a country number and a second lookup converting that to an action. The only trouble is that I don't know of a way to do that.

If the new changes allow that, and anyone knows how, please let me know :-).
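The trade-off in the message above, modelled as an added example that is not part of the original post and not geoip or ipfw code: a small longest-prefix-match table maps addresses to a country number (level one), a second table maps country number to an action (level two), and two counting helpers show how many entries each design has to rewrite when one country's action changes. The prefixes, country numbers, and rule-number layout (1000 + 10 * country id) are constructed for illustration; the rendered `ipfw` lines follow the skipto-per-country layout the message describes in the legacy `table(N)` syntax and should be checked against ipfw(8) for the release in use.

```python
import ipaddress

# Constructed sample allocation table: prefix -> country code.
# These prefixes are made up for illustration, not real GeoIP data.
ALLOCATIONS = {
    "10.0.0.0/8": "US",
    "10.1.0.0/16": "US",
    "10.1.2.0/24": "CA",
    "172.16.0.0/12": "DE",
    "192.0.2.0/24": "AU",
    "198.51.100.0/24": "AU",
}

# Level 1 value: country code -> small integer stored as the table value.
COUNTRY_ID = {"US": 1, "CA": 2, "DE": 3, "AU": 4}

# Level 2: country id -> action. Editing one entry here changes the
# action for every allocation that belongs to that country.
COUNTRY_ACTION = {1: "allow", 2: "allow", 3: "deny", 4: "allow"}


def lookup_country(addr, allocations=ALLOCATIONS):
    """Longest-prefix match of addr against the allocation table (level 1)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, country in allocations.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else None


def action_for(addr):
    """Two-level lookup: address -> country id -> action."""
    cc = lookup_country(addr)
    if cc is None:
        return "default"
    return COUNTRY_ACTION[COUNTRY_ID[cc]]


def set_country_action(country, action):
    """Change a country's action by touching exactly one level-2 entry."""
    COUNTRY_ACTION[COUNTRY_ID[country]] = action


def flat_action_table(allocations=ALLOCATIONS):
    """Single-level design: the action is stored directly per prefix."""
    return {p: COUNTRY_ACTION[COUNTRY_ID[cc]] for p, cc in allocations.items()}


def entries_to_rewrite_flat(country, allocations=ALLOCATIONS):
    """Entries the single-level design must rewrite to change one country."""
    return sum(1 for cc in allocations.values() if cc == country)


def entries_to_rewrite_two_level(country):
    """The two-level design rewrites one entry regardless of allocation count."""
    return 1


def render_skipto_rules(allocations=ALLOCATIONS, table=1, base=1000):
    """Render the skipto-per-country layout from the message as ipfw lines.

    Each prefix carries the rule number of its country's block as the table
    value; one skipto tablearg rule dispatches, and each block holds the
    country's action. Changing a country's action edits one rule, not the
    table entries. Rule numbering is an assumption of this example.
    """
    lines = []
    for prefix, cc in allocations.items():
        lines.append(f"ipfw table {table} add {prefix} {base + 10 * COUNTRY_ID[cc]}")
    lines.append(f"ipfw add {base - 1} skipto tablearg ip from table({table}) to any")
    for cc, cid in COUNTRY_ID.items():
        rule = base + 10 * cid
        lines.append(f"ipfw add {rule} {COUNTRY_ACTION[cid]} ip from any to any")
    return lines


if __name__ == "__main__":
    print("10.1.2.5 ->", action_for("10.1.2.5"))
    print("flat rewrites for US:", entries_to_rewrite_flat("US"))
    print("\n".join(render_skipto_rules()))
```

`entries_to_rewrite_flat` is the cost the message worries about (thousands of entries for a country like the USA), while `entries_to_rewrite_two_level` is constant; `render_skipto_rules` shows that the per-country rule blocks are themselves a two-level structure, with the rule number acting as the country-to-action indirection.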