Date:      Tue, 2 Aug 2016 16:08:06 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        ipfw mailing list <ipfw@freebsd.org>
Subject:   your thoughts on a particular ipfw action.
Message-ID:  <7f573fc4-2820-ebd3-7b15-d8a1cd023372@freebsd.org>

Looking for thoughts from people who know the new IPFW features well.


A recent addition to our armory is the geoip program that, given an 
address, can tell you what country it is in and, given a country code, 
can give an ipfw table that describes all the IP addresses in that 
country.

So I was thinking how to use this, and the obvious way would be to 
have a set of rules for each country, and use the "skipto tablearg" 
facility to skip to the right rules for each country. But the trouble 
is that a tablearg skipto is very inefficient. It's also a hard thing 
to set up with a set of rules for each country (how many countries are 
there in the internet allocation system?).

Another way would be to just put 'action numbers' in the tablearg 
field and have a few actions, shared by countries, but the trouble 
comes when you want to change the action for a country, you need to 
rewrite potentially thousands of entries (USA has over 15800 allocations).

A second way would be to somehow map the tablearg of the country into 
a table of actions, effectively doing two levels of lookup.

The first table converting IP addresses to a country number and a 
second lookup converting that to an action.

The only trouble is that I don't know of a way to do that.  If the new 
changes allow that, and anyone knows how, please let me know :-).
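
The two designs compared in the message above, modelled in Python as an added example (not part of the original message and not ipfw syntax). The prefixes, country numbers and action names are constructed sample data, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation prefixes, arbitrary country numbers.
PREFIX_TO_COUNTRY = {
    "192.0.2.0/24": 840,
    "198.51.100.0/24": 840,
    "203.0.113.0/24": 36,
}
COUNTRY_TO_ACTION = {840: "allow", 36: "deny"}
DEFAULT_ACTION = "default"  # address not covered by any country prefix


def build_table(prefix_values):
    """Parse prefixes once, longest first, so the first hit is the best match."""
    nets = [(ipaddress.ip_network(p), v) for p, v in prefix_values.items()]
    return sorted(nets, key=lambda nv: nv[0].prefixlen, reverse=True)


def lookup(table, addr):
    """Return the value stored for the longest matching prefix, or None."""
    ip = ipaddress.ip_address(addr)
    for net, value in table:
        if ip.version == net.version and ip in net:
            return value
    return None


def single_level_change(prefix_actions, prefix_country, country, new_action):
    """Action stored per prefix: every prefix of the country is rewritten."""
    touched = 0
    for prefix, owner in prefix_country.items():
        if owner == country:
            prefix_actions[prefix] = new_action
            touched += 1
    return touched


def two_level_action(addr_table, country_actions, addr):
    """First lookup: address -> country number. Second: country -> action."""
    country = lookup(addr_table, addr)
    return country_actions.get(country, DEFAULT_ACTION)


def two_level_change(country_actions, country, new_action):
    """Action stored per country: one entry changes, the prefix table is untouched."""
    country_actions[country] = new_action
    return 1
```
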





