Date: Wed, 24 Nov 1999 18:58:01 +1100
From: Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
To: Brian Fundakowski Feldman <green@freebsd.org>
Cc: arch@freebsd.org
Subject: Re: new IPFW
Message-ID: <99Nov24.185111est.40346@border.alcanet.com.au>
In-Reply-To: <Pine.BSF.4.10.9911240047480.40905-100000@green.dyndns.org>
References: <Pine.BSF.4.10.9911240047480.40905-100000@green.dyndns.org>
On 1999-Nov-24 17:33:04 +1100, Brian Fundakowski Feldman wrote:
> All actions except for deny should have a "continue" option, where
> the packet matching would both match that rule and follow its action,
> but also pass on to the next rule.

I don't quite follow what Brian means here.

I'd like to suggest an additional 'goto rule N' command which, together with a pattern negation operator, gives a fairly powerful language. Check out the filtering options in ppp(8) (the examples in /etc/ppp/ppp.conf.sample make them a bit clearer).

> This would allow actual logic in rules, albeit with slightly more complexity in
> the IPFW implementation in the kernel. This would be a huge gain for
> the administrator of the firewall, in that {,s}he could use a more
> natural programming syntax, rather than the current, simplistic,
> absolutely non-programmable (but klugeable) IPFW.

IMHO, the complexity would be better in a userland `rule compiler' which produced (maybe more) simple rules for the kernel to execute. I suspect that trying to support complex rules in the kernel is unlikely to be a 'win' - think CISC vs RISC.

A totally different approach is that used by bpf and libpcap. This could also form the basis of a reasonable IPFW implementation (but the API would probably need to change).

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
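As an added illustration of the two positions in this message (not code from the thread or from ipfw): a toy "rich" evaluator that understands 'goto N' with a negatable match term, and a userland compiler that flattens those rules into plain first-match rules for a "simple" kernel, so the kernel stays RISC-like while the compiler carries the complexity. The rule tuple format, the field names and the sample rule set are constructed for this example; the compiler refuses a goto nested inside another goto's range, since that would need a disjunctive guard the flat format cannot express.

```python
# Constructed model of a userland rule compiler: 'goto N' rules (with a
# negatable match term) are flattened into guarded first-match rules.

def term_matches(term, pkt):       # term: (field, value, negated) or None (matches all)
    if term is None:
        return True
    field, value, negated = term
    return (pkt.get(field) == value) != negated

def run_rich(rules, pkt):          # 'CISC' kernel: (number, term, action), action may be ('goto', N)
    i = 0
    while i < len(rules):
        _, term, action = rules[i]
        if not term_matches(term, pkt):
            i += 1
        elif isinstance(action, tuple):          # ('goto', N): first rule numbered >= N
            i = next(k for k, r in enumerate(rules) if r[0] >= action[1])
        else:
            return action
    return 'deny'                                # default policy

def run_simple(rules, pkt):        # 'RISC' kernel: (number, [terms], action), first full match wins
    for _, terms, action in rules:
        if all(term_matches(t, pkt) for t in terms):
            return action
    return 'deny'

def compile_rules(rules):
    """Drop each conditional goto and guard every rule up to its target with the
    negated term; a goto inside another goto's range is refused (see lead-in)."""
    out, guards = [], []                         # guards: (target_number, term)
    for num, term, action in rules:
        guards = [(tgt, t) for tgt, t in guards if num < tgt]
        if isinstance(action, tuple):
            if term is None or guards:
                raise NotImplementedError("unconditional or nested goto")
            field, value, negated = term
            guards.append((action[1], (field, value, not negated)))
            continue
        terms = ([term] if term is not None else []) + [t for _, t in guards]
        out.append((num, terms, action))
    return out

RULES = [  # constructed: hosts not on the trusted net skip to the strict section
    (100, ('src', 'trusted', True), ('goto', 1000)),
    (200, ('dport', 22, False), 'allow'),
    (300, None, 'allow'),
    (1000, ('dport', 80, False), 'allow'),
    (1100, None, 'deny'),
]
```

Running `run_rich(RULES, pkt)` and `run_simple(compile_rules(RULES), pkt)` over the same packets gives identical decisions; the compiled rule 200 carries the extra guard `('src', 'trusted', False)` that the goto used to express.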