Date:      Fri, 11 Jun 2004 01:51:10 +0200
From:      Max Laier <max@love2party.net>
To:        Ruslan Ermilov <ru@FreeBSD.org>
Cc:        ipfw@freebsd.org
Subject:   Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c
Message-ID:  <200406110151.17372.max@love2party.net>
In-Reply-To: <20040610214059.GA3228@ip.net.ua>
References:  <200406092010.i59KAcXH025699@repoman.freebsd.org> <200406100445.44763.max@love2party.net> <20040610214059.GA3228@ip.net.ua>

On Thursday 10 June 2004 23:40, Ruslan Ermilov wrote:
> On Thu, Jun 10, 2004 at 04:45:37AM +0200, Max Laier wrote:
> > On Wednesday 09 June 2004 22:10, Ruslan Ermilov wrote:
> > > ru          2004-06-09 20:10:38 UTC
> > >
> > >   FreeBSD src repository
> > >
> > >   Modified files:
> > >     sbin/ipfw            ipfw.8 ipfw2.c
> > >     sys/netinet          in.h ip_fw.h ip_fw2.c raw_ip.c
> > >   Log:
> > >   Introduce a new feature to IPFW2: lookup tables.  These are
> > > useful for handling large sparse address sets.  Initial
> > > implementation by Vsevolod Lobko <seva@ip.net.ua>, refined by me.
> >
> > Idea from: pf ;)
> > Nice!
>
> I've asked Vsevolod, and yes, the original idea attributes to PF.

I have seen the original thread in ipfw@ and posted some comments, hence
the mail in the first place.

> Do PF tables allow addr/mask entries as IPFW tables do (I could
> not intuit it from reading the pfctl(8) manpage)?

You might rather want to look at pf.conf(5). Yes, pf tables allow
addr/mask and IPv6 addresses. pf allows an additional "not" qualifier to
allow to do something like:
	{ 10/8, !10.10/16, 10.10.10/24 }

> One nice difference (and I don't believe PF or IPFilter can do
> this) is this optional 32-bit tag value with no special meaning.
> For example, we have several thousands of client IPs, and each
> client is allowed (through a Web form) to limit bandwidth to
> some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> Kbps to/from Ukrainian and foreign networks.  We have this all
> implemented using less than ten IPFW tables:

hmmm ... I don't really see the benefit in packing the information into
one table. You could as well have different tables for that (with pf only
memory limits the number of tables allowed). But it's cool that we
inspire each other and still diverge a bit to find the best solutions for
our respective users.

Btw, I find it very helpful that pf refers to a table by a name and not a
number. Why did you choose to use numbers?

[ We might want to transfer this thread to ipfw@ ]

-- 
Best regards,				| mlaier@freebsd.org
Max Laier				| ICQ #67774661
http://pf4freebsd.love2party.net/	| mlaier@EFnet
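
The table lookups discussed in this message, as an added example that is not part of the original e-mail and is not pf or ipfw code: in both table types the most specific entry covering an address decides the result, which is how the negated entry in the list above carves a hole that the /24 then re-opens. Function names and the bandwidth values are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress

def parse_net(text):
    """Expand shorthand such as '10.10/16' to 10.10.0.0/16; bare hosts get /32."""
    addr, _, bits = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # pad missing octets with zero
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"))

def most_specific(entries, address):
    """Return the (network, payload) entry with the longest prefix covering
    address, or None. A linear scan keeps the example short; the real
    firewalls use a radix tree for the same longest-prefix lookup."""
    ip = ipaddress.ip_address(address)
    covering = (e for e in entries if ip in e[0])
    return max(covering, key=lambda e: e[0].prefixlen, default=None)

def pf_table(spec):
    """Parse '{ 10/8, !10.10/16 }' into (network, negated) pairs."""
    items = [s.strip() for s in spec.strip("{} ").split(",")]
    return [(parse_net(s.lstrip("!")), s.startswith("!")) for s in items]

def pf_match(table, address):
    """pf-style: match only if the most specific entry is not negated."""
    hit = most_specific(table, address)
    return hit is not None and not hit[1]

def tagged_lookup(table, address):
    """ipfw-style: return the value of the most specific entry, or None."""
    hit = most_specific(table, address)
    return None if hit is None else hit[1]

# The entry list quoted in the message above.
PF_TABLE = pf_table("{ 10/8, !10.10/16, 10.10.10/24 }")

# Constructed sample: client address -> bandwidth limit in Kbps.
TAGGED = [(parse_net("192.0.2.0/24"), 64), (parse_net("192.0.2.17"), 512)]

if __name__ == "__main__":
    for a in ("10.1.2.3", "10.10.1.1", "10.10.10.5", "192.168.1.1"):
        print(a, pf_match(PF_TABLE, a))
    print(tagged_lookup(TAGGED, "192.0.2.17"), tagged_lookup(TAGGED, "192.0.2.5"))
```

With a tagged table one rule can read the limit from the lookup result, whereas the one-table-per-limit layout needs a separate table and rule for each discrete value.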

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200406110151.17372.max>