From: Max Laier
To: Ruslan Ermilov
Cc: ipfw@freebsd.org
Date: Fri, 11 Jun 2004 01:51:10 +0200
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c

On Thursday 10 June 2004 23:40, Ruslan Ermilov wrote:
> On Thu, Jun 10, 2004 at 04:45:37AM +0200, Max Laier wrote:
> > On Wednesday 09 June 2004 22:10, Ruslan Ermilov wrote:
> > > ru          2004-06-09 20:10:38 UTC
> > >
> > >   FreeBSD src repository
> > >
> > >   Modified files:
> > >     sbin/ipfw            ipfw.8 ipfw2.c
> > >     sys/netinet          in.h ip_fw.h ip_fw2.c raw_ip.c
> > >   Log:
> > >   Introduce a new feature to IPFW2: lookup tables.  These are
> > >   useful for handling large sparse address sets.  Initial
> > >   implementation by Vsevolod Lobko, refined by me.
> >
> > Idea from: pf ;)
>
> Nice!
>
> I've asked Vsevolod, and yes, the original idea attributes to PF.

I have seen the original thread in ipfw@ and posted some comments, hence
the mail in the first place.

> Do PF tables allow addr/mask entries as IPFW tables do (I could
> not intuit it from reading the pfctl(8) manpage)?

You might rather want to look at pf.conf(5). Yes, pf tables allow
addr/mask and IPv6 addresses. pf allows an additional "not" qualifier to
allow to do something like:

    { 10/8, !10.10/16, 10.10.10/24 }

> One nice difference (and I don't believe PF or IPFilter can do
> this) is this optional 32-bit tag value with no special meaning.
> For example, we have several thousands of client IPs, and each
> client is allowed (through a Web form) to limit bandwidth to
> some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> Kbps to/from Ukrainian and foreign networks.  We have this all
> implemented using less than ten IPFW tables:

hmmm ... I don't really see the benefit in packing the information into
one table. You could as well have different tables for that (with pf only
memory limits the number of tables allowed). But it's cool that we
inspire each other and still diverge a bit to find the best solutions for
our respective users.

Btw, I find it very helpful that pf refers to a table by a name and not a
number. Why did you choose to use numbers?

[ We might want to transfer this thread to ipfw@ ]

-- 
Best regards,                           | mlaier@freebsd.org
Max Laier                               | ICQ #67774661
http://pf4freebsd.love2party.net/       | mlaier@EFnet
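
Added example (not part of the original message, and not pf or ipfw code): a small Python model of how the table { 10/8, !10.10/16, 10.10.10/24 } from the reply above is evaluated, given that pf.conf(5) lets the most narrowly matching entry decide and a negated entry turns a hit into a miss. The function names and sample addresses are made up for illustration; IPv4 only.

```python
import ipaddress

# The table from the message, written as pf.conf(5) would accept it.
TABLE = ["10/8", "!10.10/16", "10.10.10/24"]


def parse_entry(text):
    """Turn a pf-style entry ('10/8', '!10.10/16') into (network, negated).

    Assumption of this sketch: short forms are padded with zero octets,
    so '10.10/16' means 10.10.0.0/16, and a missing mask means /32.
    """
    negated = text.startswith("!")
    addr, _, bits = text.lstrip("!").partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    cidr = ".".join(octets) + "/" + (bits or "32")
    return ipaddress.ip_network(cidr, strict=True), negated


def deciding_entry(entries, address):
    """Return the (network, negated) pair with the longest matching prefix."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, negated in map(parse_entry, entries):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best


def table_match(entries, address):
    """True if the address is in the table: the most specific entry that
    covers it must exist and must not be a negated ('!') entry."""
    best = deciding_entry(entries, address)
    return best is not None and not best[1]


if __name__ == "__main__":
    # Constructed sample addresses, one per interesting case.
    for sample in ("10.1.2.3", "10.10.1.1", "10.10.10.5", "192.168.1.1"):
        best = deciding_entry(TABLE, sample)
        decided_by = str(best[0]) if best else "no entry"
        print(f"{sample:<12} match={table_match(TABLE, sample)!s:<5} ({decided_by})")
```

The middle case is the one to check when auditing a rule set: 10.10.1.1 lies inside 10/8 but is excluded by the narrower !10.10/16, while 10.10.10.5 is re-included by the still narrower 10.10.10/24.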