From: Maxim Ignatenko
Date: Mon, 13 Feb 2012 12:31:17 +0200
To: freebsd-net@freebsd.org
Subject: userfw - modular packet filter

Dear -net,

Today I want to present a new packet filter for FreeBSD: userfw. Its main design goal is to be easily extensible.
Source code is here:
http://git.userfw.net/
https://github.com/gelraen/userfw/

Dedicated website: http://userfw.net/

userfw's packet processing is, much like ipfw's, based on the idea of a ruleset as a list of rules that are checked sequentially, performing some actions if a packet matches the rule. Each rule consists of a rule number, a rule action and a rule condition (match). But unlike in ipfw, an action is not just a single keyword with one argument and a match is not a list of options. Instead, it implements something like a tree structure: each match and action can have many arguments of different types: numbers, strings, addresses and even other actions and matches. Even basic logical operations are implemented as matches that take one (not) or two (and, or) matches as arguments.

Now there is only a small number of operations implemented, but it already includes support for dummynet and ipfw tables.

I hope to release userfw-0.1 soon and I'll be glad if someone else joins my work on userfw.
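
The rule model described in the message above, sketched as an added example that is not part of the original post and is not userfw's own code. All type, field and function names are hypothetical; first-match evaluation and the default-deny fallback are assumptions made for the sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical types for illustration; not userfw's real structures. */
struct pkt { uint32_t src; uint16_t dport; };
enum mtype { M_SRC_NET, M_DPORT, M_NOT, M_AND, M_OR };
struct match {
    enum mtype type;
    uint32_t addr, mask; uint16_t port;  /* leaf arguments */
    const struct match *a, *b;           /* sub-matches: M_NOT uses a; M_AND/M_OR use a, b */
};
enum action { A_ALLOW, A_DENY };
struct rule { int number; enum action act; const struct match *m; };

/* Evaluate a match tree recursively; logical operators are ordinary nodes. */
static int match_eval(const struct match *m, const struct pkt *p) {
    switch (m->type) {
    case M_SRC_NET: return (p->src & m->mask) == (m->addr & m->mask);
    case M_DPORT:   return p->dport == m->port;
    case M_NOT:     return !match_eval(m->a, p);
    case M_AND:     return match_eval(m->a, p) && match_eval(m->b, p);
    case M_OR:      return match_eval(m->a, p) || match_eval(m->b, p);
    }
    return 0;
}

/* Constructed ruleset:
 *   100 allow and(src-net 10.0.0.0/8, not(dport 23))
 *   200 deny  or(dport 23, dport 21)                  */
static const struct match m_net    = { M_SRC_NET, 0x0a000000u, 0xff000000u, 0, NULL, NULL };
static const struct match m_telnet = { M_DPORT, 0, 0, 23, NULL, NULL };
static const struct match m_ftp    = { M_DPORT, 0, 0, 21, NULL, NULL };
static const struct match m_nottel = { M_NOT, 0, 0, 0, &m_telnet, NULL };
static const struct match m_r100   = { M_AND, 0, 0, 0, &m_net, &m_nottel };
static const struct match m_r200   = { M_OR, 0, 0, 0, &m_telnet, &m_ftp };
static const struct rule ruleset[] = { { 100, A_ALLOW, &m_r100 }, { 200, A_DENY, &m_r200 } };

/* Check rules in order; the first match decides (assumed). No match: deny, return -1 (assumed). */
int classify(uint32_t src, uint16_t dport, enum action *act) {
    struct pkt p = { src, dport };
    for (size_t i = 0; i < sizeof(ruleset) / sizeof(ruleset[0]); i++)
        if (match_eval(ruleset[i].m, &p)) { *act = ruleset[i].act; return ruleset[i].number; }
    *act = A_DENY;
    return -1;
}

int main(void) {
    enum action a;
    int n = classify(0x0a010203u, 23, &a);  /* 10.1.2.3 to the telnet port */
    return printf("rule %d: %s\n", n, a == A_ALLOW ? "allow" : "deny") < 0;
}
```

Because `not`, `and` and `or` are nodes of the same type as the leaf matches, a new match kind only needs one more case in the evaluator, and rule order remains the place to audit for shadowed rules.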