Date:      Wed, 18 Apr 2007 14:52:43 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        ipfw@freebsd.org
Subject:   Re: ipfw changes being contemplated..
Message-ID:  <4626932B.20505@elischer.org>
In-Reply-To: <B0E21175-5606-4DAB-9810-BA8F162BE17B@mac.com>
References:  <46268689.1080301@elischer.org> <B0E21175-5606-4DAB-9810-BA8F162BE17B@mac.com>

Chuck Swiger wrote:
> On Apr 18, 2007, at 1:58 PM, Julian Elischer wrote:
>> I'm contemplating the following changes to functionality:
>> I'd like suggestions and comments...
>>
>> 1/ Commit capability
>>  In this change you declare a new firewall,
>>  and modify/build it, and then you 'commit' it so that
>>  the whole change is atomic.
> [ ... ]
>> 5/
>> ability to have multiple firewalls.. (extension of (1))
>>  ipfw new 1  ipfw rules 1 add ....
>>  ....
>>  ipfw commit 1 bridge "bridge0"
>>
>>  different rule sets for different entry points.
>>  ethernet layer (Layer2), IP output, bridging,  IP input, different 
>> input interfaces?
>>
>> 6/ corollary of 5
>>   ability for one firewall to call into another..
>>   ipfw new 2   ipfw add [IP tests]
>>
>>
>>   ipfw new 1
>>   ipfw rules 1 add 1000 check rules 2 mac-type ipv4
>>   commit 2 bridge
> 
> It seems to me that IPFW2 already has these three capabilities?
>  From the manpage:

yes, but I was thinking of taking it further so that you can apply different sets at different places..
I didn't express it very well,
I'll try to express it better again in a second...

ipfw sets are currently implemented by adding a set number to each rule.
By enabling and disabling the sets one controls which rules are skipped over;
however, they are still all in the same linked list of rules.
If you have a set of 1000 rules and disable 999 of them, the packet still
has to follow 1000 links.
I am suggesting actually duplicating the whole ruleset,
including subsets.
When different sets are turned on and off, we "recompile" an optimised
set of rules and 'commit' that set into the 'current' running ruleset
(for that entrypoint?).

Allowing each ruleset to be independently assigned to a different
entrypoint is, to some extent, an extension of this..

> 
>      Also, each rule belongs to one of 32 different sets, and there are ipfw
>      commands to atomically manipulate sets, such as enable, disable, swap
>      sets, move all rules in a set to another one, delete all rules in a set.
>      These can be useful to install temporary configurations, or to test them.
>      See Section SETS OF RULES for more information on sets.
> [ ... ]
> SETS OF RULES
>      Each rule belongs to one of 32 different sets, numbered 0 to 31.  Set 31
>      is reserved for the default rule.
> 
>      By default, rules are put in set 0, unless you use the set N attribute
>      when entering a new rule.  Sets can be individually and atomically
>      enabled or disabled, so this mechanism permits an easy way to store
>      multiple configurations of the firewall and quickly (and atomically)
>      switch between them.  The command to enable/disable sets is
> [ ... ]
> 
> ---Chuck

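The two designs compared in the message above, as an added user-space model that is not part of this thread and not ipfw source: one linked list with a set number on every rule and a 32-bit disabled-set mask (how ipfw sets work today), against a "recompiled" list holding only the enabled rules that is committed by a single atomic pointer swap (the proposal). The `struct rule` layout, the toy "match any" matcher and the 1000-rule scenario (999 rules in set 1, one allow rule in set 0) are constructed here for illustration and are assumptions, not ipfw's data structures.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

enum action { DENY = 0, ALLOW = 1 };

/* Toy rule (assumed layout, not ipfw's). ipfw has 32 sets, 0..31. */
struct rule {
    uint32_t     rulenum;
    uint8_t      set;        /* set number stored on the rule, as in ipfw */
    int          match_all;  /* toy matcher: 1 = matches every packet */
    enum action  action;
    struct rule *next;
};

/* Current mechanism: one list, every node visited, disabled sets skipped.
 * Returns the action; *links counts list nodes the packet walked. */
static enum action walk_with_sets(const struct rule *head, uint32_t set_disable, int *links)
{
    *links = 0;
    for (const struct rule *r = head; r != NULL; r = r->next) {
        (*links)++;
        if (set_disable & (1u << r->set))
            continue;            /* skipped, but the hop was still paid */
        if (r->match_all)
            return r->action;
    }
    return DENY;                 /* stand-in for the default rule */
}

/* Proposal, step 1: "recompile" by copying only the enabled rules. */
static struct rule *compile_ruleset(const struct rule *head, uint32_t set_disable)
{
    struct rule *out = NULL, **tail = &out;
    for (const struct rule *r = head; r != NULL; r = r->next) {
        if (set_disable & (1u << r->set))
            continue;
        struct rule *c = malloc(sizeof *c);
        if (c == NULL) abort();
        *c = *r;
        c->next = NULL;
        *tail = c;
        tail = &c->next;
    }
    return out;
}

/* Proposal, step 2: commit with one atomic pointer swap, so a packet in
 * flight sees either the whole old list or the whole new one. The old
 * list is returned so the caller can free it once no packet uses it. */
static struct rule *commit_ruleset(_Atomic(struct rule *) *running, struct rule *compiled)
{
    return atomic_exchange_explicit(running, compiled, memory_order_acq_rel);
}

static void free_rules(struct rule *r)
{
    while (r != NULL) {
        struct rule *next = r->next;
        free(r);
        r = next;
    }
}

/* Constructed scenario from the message: 1000 rules, 1..999 in set 1
 * ("deny any"), rule 1000 in set 0 ("allow any"). */
static struct rule *build_demo_ruleset(void)
{
    struct rule *head = NULL, **tail = &head;
    for (uint32_t i = 1; i <= 1000; i++) {
        struct rule *r = malloc(sizeof *r);
        if (r == NULL) abort();
        r->rulenum   = i;
        r->set       = (i < 1000) ? 1 : 0;
        r->match_all = 1;
        r->action    = (i < 1000) ? DENY : ALLOW;
        r->next      = NULL;
        *tail = r;
        tail = &r->next;
    }
    return head;
}

struct demo_result {
    int same_verdict;     /* 1 if both models return ALLOW */
    int links_with_sets;  /* hops with set 1 disabled, single list */
    int links_compiled;   /* hops through the committed compiled list */
};

/* Disable set 1 (the equivalent of "ipfw set disable 1") and compare the
 * cost of reaching the one surviving rule under each model. */
struct demo_result demo(void)
{
    struct demo_result res;
    uint32_t set_disable = 1u << 1;
    struct rule *full = build_demo_ruleset();
    _Atomic(struct rule *) running = NULL;

    enum action a = walk_with_sets(full, set_disable, &res.links_with_sets);

    free_rules(commit_ruleset(&running, compile_ruleset(full, set_disable)));
    enum action b = walk_with_sets(atomic_load(&running), 0, &res.links_compiled);

    res.same_verdict = (a == ALLOW && b == ALLOW);
    free_rules(atomic_load(&running));
    free_rules(full);
    return res;
}
```

With set 1 disabled, the single-list walk still touches all 1000 nodes before it reaches the allow rule, while the compiled list reaches the same verdict in one hop; the pointer swap in `commit_ruleset` is what makes the switch atomic from the packet path's point of view.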
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4626932B.20505>