Date:      Tue, 23 Jul 2002 20:28:49 -0700
From:      Luigi Rizzo <luigi@freebsd.org>
To:        stable@freebsd.org
Subject:   HEADS-UP ipfw now in -stable (as an optional replacement of the old ipfw)
Message-ID:  <20020723202849.A82296@iguana.icir.org>

FYI....

(please read the commit log below before complaining).

	cheers
	luigi

----- Forwarded message from Luigi Rizzo <luigi@FreeBSD.ORG> -----

Date: Tue, 23 Jul 2002 20:21:24 -0700 (PDT)
From: Luigi Rizzo <luigi@FreeBSD.ORG>
Subject: cvs commit: src/sys/netinet ip_fw2.c ip_fw2.h src/sys/conf files
         options src/sbin/ipfw Makefile ipfw2.c src/lib/libalias Makefile
         alias_db.c
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG

luigi       2002/07/23 20:21:24 PDT

  Modified files:        (Branch: RELENG_4)
    sys/conf             options files 
    sbin/ipfw            Makefile 
    lib/libalias         Makefile alias_db.c 
  Added files:           (Branch: RELENG_4)
    sys/netinet          ip_fw2.h ip_fw2.c 
    sbin/ipfw            ipfw2.c 
  Log:
  Bring ipfw2 into the -stable tree. This will give more people a
  chance to test it, and hopefully accelerate the transition from the
  old to the new ipfw code.
  
  NOTE: THIS COMMIT WILL NOT CHANGE THE FIREWALL YOU USE,
  NOR A SINGLE BIT IN YOUR KERNEL AND BINARIES.
  YOU WILL KEEP USING YOUR OLD "ipfw" UNLESS YOU:
  
    + add "options IPFW2" (undocumented) to your kernel config file;
  
    + compile and install sbin/ipfw and lib/libalias with
          make -DIPFW2
  
  in other words, you must really want it.
  
  On the other hand, i believe you do really want to use this new
  code. In addition to being twice as fast in processing individual
  rules, you can use more powerful match patterns such as
  
          ... ip from 1.2.3.0/24{50,6,27,158} to ...
          ... ip from { 1.2.3.4/26 or 5.6.7.8/22 } to ...
          ... ip from any 5-7,9-66,1020-3000,4000-5000 to ...
  
  i.e. match sparse sets of IP addresses in constant time; use "or"
  connectives between match patterns; have multiple port ranges; etc.
  which I believe will dramatically reduce your ruleset size.
  
  As an additional bonus, "keep-state" rules will now send keepalives
  when the rule is about to expire, so you will not have your remote
  login sessions die while you are idle.
  
  The syntax is backward compatible with the old ipfw.
  A manual page documenting the extensions has yet to be completed.
  
  Revision     Changes    Path
  1.13.2.5     +4 -1      src/lib/libalias/Makefile
  1.21.2.14    +151 -36   src/lib/libalias/alias_db.c
  1.6.6.3      +5 -1      src/sbin/ipfw/Makefile
  1.4.2.1      +3166 -0   src/sbin/ipfw/ipfw2.c (new)
  1.340.2.107  +1 -0      src/sys/conf/files
  1.191.2.41   +1 -0      src/sys/conf/options
  1.6.2.1      +2622 -0   src/sys/netinet/ip_fw2.c (new)
  1.1.2.1      +404 -0    src/sys/netinet/ip_fw2.h (new)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message

----- End forwarded message -----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
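
The sparse address-set pattern quoted in the commit log (`1.2.3.0/24{50,6,27,158}`) can be matched in constant time by storing the listed host numbers as a bitmap next to the network prefix. The sketch below is an added example, not part of the original message and not the ip_fw2.c code; the `addr_set` type, both function names, and the restriction to prefix lengths 24 through 32 are assumptions of this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct addr_set {            /* hypothetical type for this example */
    uint32_t base;           /* network address, host byte order */
    uint32_t mask;           /* netmask, host byte order */
    uint32_t bits[8];        /* one bit per host number, up to 256 hosts */
};

/* Parse "a.b.c.d/len{n1,n2,...}" with len 24..32. Returns 0, or -1 on error. */
int addr_set_parse(const char *spec, struct addr_set *s)
{
    unsigned a, b, c, d, len;
    int off = 0;             /* stays 0 if the opening '{' is missing */

    if (sscanf(spec, "%u.%u.%u.%u/%u{%n", &a, &b, &c, &d, &len, &off) != 5 || off == 0)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || len < 24 || len > 32)
        return -1;
    s->mask = len == 32 ? 0xffffffffu : ~(0xffffffffu >> len);
    s->base = ((a << 24) | (b << 16) | (c << 8) | d) & s->mask;
    for (int i = 0; i < 8; i++)
        s->bits[i] = 0;
    for (const char *p = spec + off;;) {
        char *end;
        unsigned long host = strtoul(p, &end, 10);
        if (end == p || host > (unsigned long)~s->mask)
            return -1;       /* not a number, or outside the subnet */
        s->bits[host / 32] |= 1u << (host % 32);
        if (*end == '}')
            return end[1] == '\0' ? 0 : -1;
        if (*end != ',')
            return -1;
        p = end + 1;
    }
}

/* Membership test: one masked compare plus one bit test, independent of
 * how many hosts the set lists. ip is in host byte order. */
int addr_set_match(const struct addr_set *s, uint32_t ip)
{
    uint32_t host = ip & ~s->mask;
    return (ip & s->mask) == s->base && (s->bits[host / 32] >> (host % 32) & 1);
}
```

A ruleset that would otherwise need one rule per listed host collapses to a single rule whose match cost does not grow with the size of the set.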
