Date:      Tue, 14 Dec 2004 07:05:20 -0800
From:      Bruce M Simpson <bms@spc.org>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        Andre Oppermann <andre@freebsd.org>
Subject:   Re: per-interface packet filters, design approach
Message-ID:  <20041214150520.GD684@empiric.icir.org>
In-Reply-To: <20041214062010.A77933@xorpc.icir.org>
References:  <41BEF2AF.470F9079@freebsd.org> <20041214141307.GA684@empiric.icir.org> <20041214062010.A77933@xorpc.icir.org>

On Tue, Dec 14, 2004 at 06:20:10AM -0800, Luigi Rizzo wrote:
> They do exist, they are called 'set' and you can associate
> rules to a specific set, atomically enable/disable/swap/rename
> sets, etc. This was designed exactly for this purpose (atomic
> updates of firewall configuration with a single syscall).

Thanks for this. I'm trying to consider IPFW1 in the picture as well;
IPFW2 is something I'm considering as a separate entity. However, I am put
off by a lot of the limitations in IPFW1.

Are there any nicer ways of telling IPFW v1 and v2 apart both at compile
time and run-time? Right now I do something like this:

%%%
AC_MSG_CHECKING(for an IPFW firewall build environment)
AC_LANG_SAVE
AC_LANG_C
AC_TRY_COMPILE([
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip_fw.h>
],
[
  int mysockopt = IP_FW_ADD;
#ifdef IPFW2
#error IPFW2 defined (should not be defined for IPFW). Test failed.
#endif
],
  [AC_DEFINE(HAVE_FIREWALL_IPFW, 1,
[Define to 1 if you have an IPFW build environment])
   AC_MSG_RESULT(yes)],
  [AC_MSG_RESULT(no)])
AC_LANG_RESTORE
%%%

The above test is for IPFW1. The equivalent test for IPFW2 simply flips
the sense of the #ifdef inside. This is not ideal because
<netinet/ip_fw.h> can exist in both flavours in the same system (albeit in
the case of FreeBSD 4.11, it will include the IPFW2 header instead if
IPFW2 is defined).

No doubt the present IPFW documentation can be improved. What will soon
exist in XORP is something approximating an IPFW API. I may not have time
to do anything in this area, but what I'm doing for XORP could certainly
be re-used to some extent.

Regards,
BMS

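The quoted paragraph from Luigi describes using ipfw2 rule sets to replace a firewall configuration atomically: stage the new rules in a set that is disabled, then swap set numbers so the staged rules become the active set in a single step. The script below is an added illustration of that pattern and is not part of the original e-mail or of XORP. It assumes an IPFW2 kernel (sets are not available in IPFW1), a staging set that is kept disabled, and set 0 as the active set; the rule numbers and bodies are constructed sample data. With IPFW left at its default of "echo" it is a dry run that only prints the commands it would issue.

```shell
#!/bin/sh
# Added example: atomic ipfw2 ruleset replacement via a disabled staging set.
# IPFW defaults to "echo" so the script is a dry run; set IPFW="ipfw -q"
# (as root, on an IPFW2 kernel) to apply the plan for real.
IPFW=${IPFW:-echo}

# Print the ipfw command sequence for one atomic update.
#   $1  staging set number (kept disabled between updates)
#   $2  currently active set number (normally 0)
#   $@  remaining args: rule bodies, one per argument
# Rules are numbered 100, 200, ... in the order given (constructed choice).
atomic_update_plan() {
    staging=$1
    active=$2
    shift 2
    printf 'set disable %s\n' "$staging"     # staged rules must not match traffic
    printf 'delete set %s\n' "$staging"      # clear leftovers from a previous run
    n=100
    for body in "$@"; do
        printf 'add %s set %s %s\n' "$n" "$staging" "$body"
        n=$((n + 100))
    done
    # Swapping set numbers moves the staged rules into the enabled set and the
    # old rules into the disabled one; this is the single atomic step.
    printf 'set swap %s %s\n' "$active" "$staging"
    # The old rules now live in the (disabled) staging set: drop them.
    printf 'delete set %s\n' "$staging"
}

# Feed each planned command to $IPFW, stopping at the first failure.
apply_plan() {
    atomic_update_plan "$@" | while IFS= read -r cmd; do
        $IPFW $cmd || exit 1
    done
}

# Sample (constructed) policy: allow inbound ssh to this host, deny the rest.
apply_plan 1 0 \
    "allow tcp from any to me 22" \
    "deny ip from any to any"
```

The important property is the ordering: every add lands in the disabled set before the swap, so at no point is the host running with a half-built ruleset, which is exactly the "single syscall" update Luigi refers to.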
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041214150520.GD684>