Date: Mon, 10 Jun 2013 15:30:59 +0200 From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= <eri@freebsd.org> To: Julian Elischer <julian@freebsd.org> Cc: freebsd-net <freebsd-net@freebsd.org>, freebsd-hackers@freebsd.org Subject: Re: [PATCH] multiple instances of ipfw(4) Message-ID: <CAPBZQG3X4da93rvORyF169yWUokS5V_HhazN-wMeiJEDvDB-4Q@mail.gmail.com> In-Reply-To: <4F344CE4.301@freebsd.org> References: <CAPBZQG32iyzkec4PG%2Bqay9bKfd0GiffKyRBapLkATKvHr7cVww@mail.gmail.com> <20120131110204.GA95472@onelab2.iet.unipi.it> <20120208133559.GK13554@FreeBSD.org> <CAPBZQG0edS3sru=D_iGMsNDC5EA8H=A=wwRUDOGZi9DtU5-CkQ@mail.gmail.com> <20120208140921.GM13554@glebius.int.ru> <4F344CE4.301@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello, reviving this old thread since i had time to bring the patch to FreeBSD 10 and unified the whole controlling under ipfw(8) binary. For reminder, the patch located at [1] provides multiple instances for ipfw(4). Basically you can control which interfaces belong to which context/ruleset to make maintaining easier. Also it gives more flexibility in general to ipfw(4) for various scenarios. It works by initializing a context of ipfw(4) and assigning specific interfaces explicitly by administrator to each instance. The context is not lost even on interface destruction and recreation, based on interface name match. Upon entering ipfw(4) processing the configured context/instance for that interface is selected if none no filtering is done. Most of the patch is rather straight forward and only some intrusive changes to ipfw NAT KPI, in kernel implementation is done to remove a global variable referring to the active instance and passing it explicitly. You can create a instance of ipfw by running: ipfw zone 1 create Add a member with ipfw zone 1 madd em0 ipfw zone 1 madd vlan0 Remove members with ipfw zone 1 mdel em0 Also destroy an instance by: ipfw zone 1 destroy All the other operations on ipfw(4) will be the same as before just require the -x $context argument added for each of them. The patch uses all the IP_FW3 option commands to avoid changes in other areas apart ipfw(4) related sources. Any objections on pushing this into FreeBSD? [1] https://github.com/pfsense/pfsense-tools/blob/master/patches/RELENG_10_0/CP_multi_instance_ipfw.diff -- Ermal
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPBZQG3X4da93rvORyF169yWUokS5V_HhazN-wMeiJEDvDB-4Q>