Date:      Tue, 22 Feb 2000 21:43:22 -0500 (EST)
From:      John Woodruff <jjw@us.net>
To:        Juergen Lock <nox@jelal.kn-bremen.de>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: `higer level' packet filter rules language/editor to ease maintainance?
Message-ID:  <200002230243.VAA45061@laurel.us.net>
In-Reply-To: <20000219003334.A1117@saturn.kn-bremen.de> from Juergen Lock at "Feb 19, 2000 00:33:34 am"

> Is there such a thing as in the subject? [...]
> I currently need something for ipfw [...]

I've got 93 lines of Perl I used with 2.2.8's ipfw:
  Preprocessor for ipfw(8) rules, or anything else that
  uses line-oriented statements.  Functionality:
       - Removes #-style comments and blank lines
       - Compresses all white space
       - Replaces macros, which are any line with an = sign, as in:
               name = value containing spaces
       - Append to macro values using +=, as in
               longmacro = A macro with lots of
               longmacro += added words.
         Note that *no* whitespace is added between parts
       - Special multi-line macros.  Any input line containing
         a macro that was defined with '==' gets generated once
         for each word in the macro definition
  Note that macros don't have arguments at all.

so you can say something like:
  Ifc    =    ed1                   # Card facing outside world
  MyNet  ==   198.240.64.0/18       # List of subnets
  MyNet  +==  206.225.0.0/19
  Any    =    from any to any
  # Branch on direction
  add skipto 1000 ip Any recv Ifc   # Received from outside world
  add skipto 4000 ip Any xmit Ifc   # Sent to outside world
  add permit      ip Any
  # Receive rules
  add 1000 deny log ip from MyNet to any

It made a 170-line ipfw filter much more understandable and
maintainable, since the critical address ranges could easily
be edited into several different rules.

I also wrote a version of this for Cisco configs; it expanded
CIDR notation addresses in several different ways, like:
  PRIVIP == 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  access-list 112 deny ip any PRIVIP # No private nets leaking out

Ask and ye shall receive.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
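The macro preprocessor the mail describes, as an added Python example (not John Woodruff's 93 lines of Perl): it strips `#` comments and blank lines, squeezes whitespace, and handles `=`, `+=`, `==` and `+==` as the mail lays them out. It assumes that `+==` appends words to a list macro and that several list macros on one line multiply out into every combination, and runs on a constructed input modelled on the ipfw snippet above.

```python
import re
from itertools import product
# Constructed sample input modelled on the ipfw snippet in the mail.
SAMPLE = """\
Ifc    =    ed1                   # Card facing outside world
MyNet  ==   198.240.64.0/18       # List of subnets
MyNet  +==  206.225.0.0/19
Any    =    from any to any
# Branch on direction
add skipto 1000 ip Any recv Ifc   # Received from outside world
add skipto 4000 ip Any xmit Ifc   # Sent to outside world
add permit      ip Any
# Receive rules
add 1000 deny log ip from MyNet to any
"""
# A macro line is a name, one of = += == +==, then the value.
MACRO_RE = re.compile(r"^(\w+)\s*(\+?=+)\s*(.*)$")

def expand(line, scalars, lists):
    # Scalar macros are substituted word by word (values may name other macros).
    words, seen = line.split(), 0
    while any(w in scalars for w in words) and seen < 10:
        words = [p for w in words for p in (scalars[w].split() if w in scalars else [w])]
        seen += 1
    # Assumption: each list macro on the line multiplies it out (Cartesian product).
    names = [w for w in words if w in lists]
    out = []
    for combo in product(*(lists[n] for n in names)):
        it = iter(combo)
        out.append(" ".join(next(it) if w in lists else w for w in words))
    return out

def preprocess(text):
    scalars, lists, out = {}, {}, []
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # drop comment, squeeze spaces
        m = MACRO_RE.match(line) if line else None
        if line and not m:
            out.extend(expand(line, scalars, lists))
        elif m:
            name, op, value = m.groups()
            if op == "=":
                scalars[name] = value
            elif op == "+=":   # concatenated with *no* separator, as the mail notes
                scalars[name] = scalars.get(name, "") + value
            elif op == "==":
                lists[name] = value.split()
            elif op == "+==":  # assumption: +== appends words to a list macro
                lists.setdefault(name, []).extend(value.split())
    return out
```

`preprocess(SAMPLE)` yields five rules: the two `MyNet` subnets each get their own `deny log` line while the scalar macros are substituted in place.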