Date:      Fri, 5 Aug 2016 13:44:01 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: your thoughts on a particular ipfw action.
Message-ID:  <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org>
In-Reply-To: <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com>
References:  <20160805024301.H56585@sola.nimnet.asn.au> <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com>

On 5/08/2016 2:22 AM, Dr. Rolf Jansen wrote:
> I am completely free of passions on this CC encoding thingy. I won't use this feature anyway. Please, may I suggest that the experts of the ipfw community come to an agreement, and then I will change the implementation accordingly.
>
> Another possibility could be to attach the desired rule numbers directly to the country codes in the argument of the -t option. How about:
>
>     geoip -t AU=50000:RU=50010:US=50020:BR=50030
>
> The present behaviour would be kept without attached numbers. Please let me know your choices. Furthermore, if the new ipfw allows for more sophisticated table construction directives that could be beneficial for country code based table processing, please advise.
>
I can hear the exasperation in your writing :-)
I've lost track...
Was the present behaviour just a single value, or a generated number
with -x offset? (Not sure if you actually added that or just described
it.)

Your "US=50020" idea is nice but a lot of work, I think, for you.
I guess you would do it with a script:

    geoip -t US=${LINE_US} | ipfw -q /dev/stdin
    ipfw add ${LINE_US} drop tcp from any to any 80
    ipfw add $((${LINE_US} + 1)) skipto ${FINISH_UP}

probably in a shell function.
It would also allow you to put 'action numbers' rather than line
numbers, as it doesn't interpret the values, just passes them through.

On the other hand, the same thing can be achieved by embedding geoip in
a loop in a script.
I think we should just let you get on with your life and be happy with
what you have given us: mapping a set of country codes to a number. I
can always make more complicated setups using that and 15 minutes of
shell script.