Date:      Mon, 2 Sep 2002 08:27:43 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        ipfw@freebsd.org
Subject:   ipfw2 vs. ipfw1 and 4.7
Message-ID:  <20020902082743.D87097@iguana.icir.org>

People,
now that the release of 4.7 is approaching, I would really appreciate
if you could give ipfw2 a try and see whether it breaks anything
in your rulesets. Also have a look at the manpage highlighting the
differences between ipfw1 and ipfw2 to see if your rulesets can be
simplified/made more efficient.

While I am not suggesting a switch in the default to be used in the
distribution, I think it would be appropriate to mention ipfw2's
existence in the release notes and elsewhere.
I really believe it to be at least as reliable as ipfw1 and a lot
more powerful in terms of features.

I know there are several people already using ipfw2 in production,
and I have no outstanding bug reports for the kernel part of
ipfw2 (there were very few anyways) and only one for the userland
part (wrong byte order for port numbers in "fwd" commands, for which
the [trivial] fix below will be committed soon).

Also, I am not going to put work on extending ipfw1's life --
if you have an ipfw1 bug report or feature request for something
that is working in ipfw2, you know what my answer will be...

	cheers
	luigi

NOTE:

In order to use ipfw2, you must compile your kernel with

	options IPFW2

in addition to all other IPFIREWALL* options, and also
rebuild and reinstall /sbin/ipfw and usr/lib/libalias with

	make -DIPFW2
	make -DIPFW2 install

The manpage for ipfw now tells you the syntax for ipfw2 commands
and has a section highlighting the differences between ipfw1 and ipfw2.

Index: ipfw2.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.12
diff -u -r1.12 ipfw2.c
--- ipfw2.c	19 Aug 2002 12:36:54 -0000	1.12
+++ ipfw2.c	2 Sep 2002 15:01:31 -0000
@@ -908,7 +908,7 @@
 
 			printf("fwd %s", inet_ntoa(s->sa.sin_addr));
 			if (s->sa.sin_port)
-				printf(",%d", ntohs(s->sa.sin_port));
+				printf(",%d", s->sa.sin_port);
 		    }
 			break;
 
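Review bot: the new printf(",%d", s->sa.sin_port) line is correct only while the parser stores the port in host byte order, so this hunk and the one at line 2592 have to stay paired; a one-line comment here stating that the fwd port is kept in host order would stop a later reader from restoring ntohs(). Given the (u_short) cast used on the store side, "%u" would also match the value better than "%d".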
@@ -2592,7 +2592,7 @@
 			if (s == end)
 				errx(EX_DATAERR,
 				    "illegal forwarding port ``%s''", s);
-			p->sa.sin_port = htons( (u_short)i );
+			p->sa.sin_port = (u_short)i;
 		}
 		lookup_host(*av, &(p->sa.sin_addr));
 		}
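Review bot: at p->sa.sin_port = (u_short)i; the cast is the only thing bounding the port, and no range check on i is visible in this hunk, so a value above 65535 would be truncated silently instead of reaching the "illegal forwarding port" error; consider rejecting out-of-range values before the assignment. The field now also carries a host-order value, unlike the usual sin_port convention, and that deserves a comment at this line.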
