From owner-freebsd-net@FreeBSD.ORG Mon Sep 19 09:40:15 2005
Date: Mon, 19 Sep 2005 02:40:12 -0700
From: John-Mark Gurney
To: Brett Glass
Cc: Luigi Rizzo, net@freebsd.org
Subject: Re: Efficient use of Dummynet pipes in IPFW
Message-ID: <20050919094012.GB821@funkthat.com>
In-Reply-To: <6.2.3.4.2.20050919010035.07dfc448@localhost>
References: <6.2.3.4.2.20050918205708.08cff430@localhost> <20050918235659.B60185@xorpc.icir.org> <6.2.3.4.2.20050919010035.07dfc448@localhost>
User-Agent: Mutt/1.4.2.1i
X-Operating-System: FreeBSD 5.4-RELEASE-p6 i386
List-Id: Networking and TCP/IP with FreeBSD
Brett Glass wrote this message on Mon, Sep 19, 2005 at 01:32 -0600:
> At 12:56 AM 9/19/2005, Luigi Rizzo wrote:
>
> >[see long original request below]
> >
> >Brett, you want a block structured ipfw control language, but
> >ipfw is an assembly language. You have to live with that.
> >Your only way out is
> >A. write a translator from high level to low level language
> > (many people do use sh scripts to generate ipfw configurations)
>
> I've tried this. Alas, it quickly gets out of hand because objects
> in IPFW (for example pipes) aren't named. You wind up literally
> having to build a symbol table to keep track of rule numbers, pipe
> numbers, etc. Yes, you can do it, but it's very awkward.

What's awkward about:

#define PIPE_FOO 1
#define PIPE_BAR 2

add pipe PIPE_FOO config bw 64kbit/sec
/* ... etc ... */

??

There's this nice option -p that passes your firewall file through a
preprocessor.. and cpp is quite nice for this... A little bit of my
firewall.conf:

#ifndef SET
#define SET
#endif

/* little useful macros */
#if 1
#define DENY deny
#else
#define DENY skipto BLACKHOLE
#endif

/* Defines for rules */
#if 0
#define IPSEC(x) x
#else
#define IPSEC(x)
#endif

#if 1
#define PIF vlan0
#define PIP 69.17.45.168
#define PNET 69.17.45.0/24
#define PUB(x) x
#else
#define PUB(x)
#endif

[...]

/* labels */
#define DIVERT 15900
#define BLACKHOLE 65000
#define THEEND BLACKHOLE

#define DECL(x) add x SET count ip from any to any
#define GOTO_THEEND add SET skipto THEEND ip from any to any

/* nat */
DECL(DIVERT)
PUB(add SET divert 8668 ip from any to any via PIF)
MAN(add SET divert 8669 ip from any to any via MIF)

This lets me enable/disable parts of my configuration a lot easier...
and use those symbols you like to use... :)

and to enable all this:

firewall_flags="-p /usr/bin/cpp"   # Flags passed to ipfw when type is a file

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
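The preprocessing step the reply relies on, worked through as an added example (this is not code from the post, from John-Mark's firewall.conf, or from FreeBSD): a small Python model of the cpp subset the excerpt uses (#define with and without parameters, #if with a numeric literal, #ifdef/#ifndef/#else/#endif, /* */ comments), run over a constructed rule file in the same style so the numbered rules ipfw ends up parsing are visible without a FreeBSD box. It then runs two checks the preprocessor will not do for you: a label that was never #defined survives as an ALL-CAPS token, and a skipto whose target rule number is never declared. The sample file, its rule numbers and labels, the BROKEN variant and the check_rules helper are all assumptions made for this example.

```python
"""Model of the cpp pass that 'ipfw -p /usr/bin/cpp' applies to a rule file.
Added example, not code from the post: it supports only the cpp subset the
posted excerpt uses, then runs two sanity checks that cpp itself never does."""
import re

IDENT = re.compile(r"\b([A-Za-z_]\w*)\b")
# Constructed sample in the posted style; rule numbers and labels are made up.
SAMPLE = """\
#ifndef SET
#define SET
#endif
#if 1
#define DENY deny
#else
#define DENY skipto BLACKHOLE
#endif
#define PIPE_FOO 1
#define BLACKHOLE 65000
#define THEEND BLACKHOLE
#define DECL(x) add x SET count ip from any to any
#define GOTO_THEEND add SET skipto THEEND ip from any to any
pipe PIPE_FOO config bw 64Kbit/s
add SET pipe PIPE_FOO ip from any to any   /* shape everything */
GOTO_THEEND
DECL(BLACKHOLE)
add SET DENY ip from any to any
"""
# Same file with two easy mistakes: BLACKHOLE never gets a rule, DENY is misspelt.
BROKEN = SAMPLE.replace("DECL(BLACKHOLE)\n", "").replace("#define DENY deny\n", "#define DENY_ALL deny\n")

def _call(argtext, params, body):
    """Expand one function-like macro call by binding each parameter to its argument."""
    for p, a in zip(params, [a.strip() for a in argtext.split(",")]):
        body = re.sub(r"\b" + re.escape(p) + r"\b", lambda _m, a=a: a, body)
    return body

def _expand(line, objs, funcs):
    """Substitute macros and rescan until nothing changes, as cpp does."""
    for _ in range(20):
        new = line
        for name, (params, body) in funcs.items():
            new = re.sub(r"\b" + re.escape(name) + r"\(([^()]*)\)",
                         lambda m, p=params, b=body: _call(m.group(1), p, b), new)
        new = IDENT.sub(lambda m: objs.get(m.group(1), m.group(1)), new)
        if new == line:
            return line
        line = new
    raise ValueError("macro expansion did not converge: " + line)

def preprocess(text):
    """Return the expanded, non-empty rule lines, i.e. what ipfw would parse."""
    objs, funcs, out, cond = {}, {}, [], []      # cond: stack of #if states
    for raw in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", raw).strip()
        if not line:
            continue
        if line.startswith("#"):
            parts = line[1:].split(None, 1)
            d, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
            if d == "if":
                cond.append(int(rest) != 0)             # numeric literals only
            elif d in ("ifdef", "ifndef"):
                cond.append((rest in objs or rest in funcs) == (d == "ifdef"))
            elif d == "else":
                cond[-1] = not cond[-1]
            elif d == "endif":
                cond.pop()
            elif d == "define" and all(cond):
                name, params, body = re.match(r"(\w+)(?:\(([^)]*)\))?\s*(.*)", rest).groups()
                if params is None:
                    objs[name] = body
                else:
                    funcs[name] = ([p.strip() for p in params.split(",")], body)
            continue
        if all(cond):
            out.append(re.sub(r"\s+", " ", _expand(line, objs, funcs)).strip())
    return out

def check_rules(lines):
    """ALL-CAPS tokens that survived expansion are macros that were never defined
    (ipfw refuses that line at load time); a skipto to an undeclared rule number
    loads fine but silently continues at the next higher-numbered rule."""
    declared, targets, leftover = set(), set(), set()
    for rule in lines:
        m = re.match(r"add (\d+) ", rule)
        if m:
            declared.add(int(m.group(1)))
        m = re.search(r"\bskipto (\d+)\b", rule)
        if m:
            targets.add(int(m.group(1)))
        leftover.update(re.findall(r"\b[A-Z][A-Z0-9_]{2,}\b", rule))
    return {"dangling_skipto": sorted(targets - declared), "unexpanded": sorted(leftover)}

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("broken", BROKEN)):
        rules = preprocess(text)
        print(f"--- {label} ---", *rules, f"checks: {check_rules(rules)}", sep="\n")
```

On a real host the same expansion can be inspected with `cpp -P firewall.conf` before the file is handed to ipfw; the part worth keeping from this example is the pair of checks, since a misspelt label or a skipto to a rule that was never declared is exactly the kind of slip the preprocessor accepts without complaint and that changes which traffic reaches the default rule.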