Date: Tue, 14 Dec 2004 06:13:07 -0800 From: Bruce M Simpson <bms@spc.org> To: Andre Oppermann <andre@freebsd.org> Cc: freebsd-net@freebsd.org Subject: Re: per-interface packet filters, design approach Message-ID: <20041214141307.GA684@empiric.icir.org> In-Reply-To: <41BEF2AF.470F9079@freebsd.org> References: <41BEF2AF.470F9079@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--liOOAslEiF7prFVr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Dec 14, 2004 at 03:03:27PM +0100, Andre Oppermann wrote: > Let's take a high level view of the issue at hand and the consider > some alternative approaches to the situation. [snip] I'm wrapping up in Berkeley for the holidays, but I wanted to drop my 2c into this discussion. What I'm really missing in IPFW is the ability to maintain one or more 'shadow rulesets'. These rulesets may not be the active rulesets, but I can manipulate them as tables, independently of the active ruleset(s), push rules into them, flush them, and then atomically switch them to be the active ruleset, using a single syscall. IPF and PF have such functionality, IPFW does not. The lack of a documented ABI/API for access to IPFW by applications other than ipfw(8) is something which I'm leaving out of the picture for the moment. I don't really consider using 'skipto' and separate sections of rule index number space a valid answer here, because we should have the ability to independently flush each ruleset. When extended to stateful rules (I am talking here purely about the simple stateless packet filter case), this comes in even more useful. Regards, BMS --liOOAslEiF7prFVr Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: '' iD8DBQFBvvTzueUpAYYNtTsRAm4PAJ9E8pxkzNI6iq5l3XNeEvpjlHdjRACgn3q0 vZ89qYbXoYIc3wwXGpdvdOA= =fdcw -----END PGP SIGNATURE----- --liOOAslEiF7prFVr--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041214141307.GA684>