Date: Wed, 24 Nov 1999 18:58:01 +1100
From: Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
To: Brian Fundakowski Feldman <green@freebsd.org>
Cc: arch@freebsd.org
Subject: Re: new IPFW
Message-ID: <99Nov24.185111est.40346@border.alcanet.com.au>
In-Reply-To: <Pine.BSF.4.10.9911240047480.40905-100000@green.dyndns.org>
References: <Pine.BSF.4.10.9911240047480.40905-100000@green.dyndns.org>
On 1999-Nov-24 17:33:04 +1100, Brian Fundakowski Feldman wrote:
> All actions except for deny should have a "continue" option, where
> the packet matching would both match that rule and follow its action,
> but also pass on to the next rule.
I don't quite follow what Brian means here. I'd like to suggest an
additional 'goto rule N' command which, together with a pattern
negation operator, gives a fairly powerful language. Check out the
filtering options in ppp(8) (the examples in /etc/ppp/ppp.conf.sample
make them a bit clearer).
> This would
> allow actual logic in rules, albeit with slightly more complexity in
> the IPFW implementation in the kernel. This would be a huge gain for
> the administrator of the firewall, in that {,s}he could use a more
> natural programming syntax, rather than the current, simplistic,
> absolutely non-programmable (but klugeable) IPFW.
IMHO, the complexity would be better in a userland `rule compiler'
which produced (maybe more) simple rules for the kernel to execute.
I suspect that trying to support complex rules in the kernel is
unlikely to be a 'win' - think CISC vs RISC.
A totally different approach is that used by bpf and libpcap. This
could also form the basis of a reasonable IPFW implementation (but
the API would probably need to change).
Peter
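The following is an added illustration of the userland 'rule compiler' idea discussed above; it is example code written for this page, not code from the thread, from ipfw or from ppp(8). The rule format, the goto/allow/deny primitives and the packet field names (src, dport, host, state, proto) are all assumptions made up for the demonstration.

```python
# Added example, not code from this thread or from ipfw: a toy userland rule
# compiler of the kind Peter suggests. A policy written with and/or/not is
# lowered to flat kernel-style rules that each test one field and then allow,
# deny or goto a later rule; "not" needs no kernel negation primitive, the
# compiler just swaps the two jump targets. Field names are constructed.
def compile_policy(policy):
    """policy: [(expr, action)], first match wins, implicit default deny.
    expr: ("atom", field, value) | ("not", e) | ("and", a, b) | ("or", a, b)
    Output: [(num, field, value, action)]; field None matches any packet."""
    code, labels, fresh = [], {}, iter(range(1, 1 << 20))
    def gen(e, t, f):  # emit rules that jump to label t if e holds, else to f
        if e[0] == "atom":
            code.append([e[1], e[2], ("goto", t)])
            code.append([None, None, ("goto", f)])
        elif e[0] == "not":
            gen(e[1], f, t)
        else:
            mid = next(fresh)
            gen(e[1], mid, f) if e[0] == "and" else gen(e[1], t, mid)
            labels[mid] = len(code)
            gen(e[2], t, f)
    for expr, action in policy:
        t, f = next(fresh), next(fresh)
        gen(expr, t, f)
        labels[t] = len(code)
        code.append([None, None, action])
        labels[f] = len(code)              # fall through to the next policy rule
    code.append([None, None, "deny"])
    num = lambda i: 100 * (i + 1)          # every goto lands on a later rule
    fix = lambda a: ("goto", num(labels[a[1]])) if isinstance(a, tuple) else a
    return [(num(i), fld, val, fix(act)) for i, (fld, val, act) in enumerate(code)]

def run_rules(rules, packet):
    """Kernel side: linear walk, one field test per rule, forward gotos only."""
    at, i = {r[0]: i for i, r in enumerate(rules)}, 0
    while True:
        _, field, value, action = rules[i]
        if field is not None and packet.get(field) != value:
            i += 1                             # no match: try the next rule
        elif isinstance(action, tuple):
            i = at[action[1]]                  # goto
        else:
            return action

def decide(policy, packet):  # reference semantics, used to check the compiler
    def holds(e):
        if e[0] == "atom": return packet.get(e[1]) == e[2]
        if e[0] == "not": return not holds(e[1])
        return holds(e[1]) and holds(e[2]) if e[0] == "and" else holds(e[1]) or holds(e[2])
    return next((act for expr, act in policy if holds(expr)), "deny")

POLICY = [  # constructed sample: LAN hosts may reach web ports unless quarantined
    (("and", ("atom", "src", "lan"), ("and", ("or", ("atom", "dport", 80),
      ("atom", "dport", 443)), ("not", ("atom", "host", "quarantined")))), "allow"),
    (("or", ("atom", "state", "established"), ("atom", "proto", "icmp")), "allow")]
```

Running compile_policy(POLICY) yields fifteen one-test rules whose gotos all point forward, and run_rules gives the same verdict as decide for any packet, which is the equivalence a real compiler would have to guarantee.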
