Date:      Mon, 19 Sep 2005 02:40:12 -0700
From:      John-Mark Gurney <gurney_j@resnet.uoregon.edu>
To:        Brett Glass <brett@lariat.org>
Cc:        Luigi Rizzo <rizzo@icir.org>, net@freebsd.org
Subject:   Re: Efficient use of Dummynet pipes in IPFW
Message-ID:  <20050919094012.GB821@funkthat.com>
In-Reply-To: <6.2.3.4.2.20050919010035.07dfc448@localhost>
References:  <6.2.3.4.2.20050918205708.08cff430@localhost> <20050918235659.B60185@xorpc.icir.org> <6.2.3.4.2.20050919010035.07dfc448@localhost>

Brett Glass wrote this message on Mon, Sep 19, 2005 at 01:32 -0600:
> At 12:56 AM 9/19/2005, Luigi Rizzo wrote:
>  
> >[see long original request below]
> >
> >Bret, you want a block structured ipfw control language, but
> >ipfw is an assembly language. You have to live with that.
> >Your only way out is
> >A. write a translator from high level to low level language
> >   (many people do use sh scripts to generate ipfw configurations)
> 
> I've tried this. Alas, it quickly gets out of hand because objects
> in IPFW (for example pipes) aren't named. You wind up literally 
> having to build a symbol table to keep track of rule numbers, pipe
> numbers, etc. Yes, you can do it, but it's very awkward.

What's awkward about:
#define PIPE_FOO 1
#define PIPE_BAR 2

add pipe PIPE_FOO config bw 64kbit/sec
/* ... etc ... */

??

There's this nice option -p that passes your firewall file through a
preprocessor.. and cpp is quite nice for this...

A little bit of my firewall.conf:
#ifndef SET
#define SET
#endif

/* little useful macros */
#if 1
#define DENY    deny
#else
#define DENY    skipto BLACKHOLE
#endif

/* Defines for rules */
#if 0
#define IPSEC(x)        x
#else
#define IPSEC(x)
#endif

#if 1
#define PIF     vlan0
#define PIP     69.17.45.168
#define PNET    69.17.45.0/24
#define PUB(x)  x
#else
#define PUB(x)
#endif

[...]

/* labels */
#define DIVERT          15900
#define BLACKHOLE       65000
#define THEEND          BLACKHOLE
#define DECL(x)         add x SET count ip from any to any

#define GOTO_THEEND     add SET skipto THEEND ip from any to any

/* nat */
DECL(DIVERT)
PUB(add SET divert 8668 ip from any to any via PIF)
MAN(add SET divert 8669 ip from any to any via MIF)

This lets me enable/disable parts of my configuration a lot easier...
and use those symbols you like to use... :)

and to enable all this:
firewall_flags="-p /usr/bin/cpp" # Flags passed to ipfw when type is a file

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
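The thread's other route, Luigi's "write a translator from high level to low level language", looks like the following added example. It is not code from this thread, from FreeBSD or from ipfw: it is a small Python generator that keeps the symbol table Brett describes (named dummynet pipes, named rule labels), hands out rule numbers, and emits the plain-text file that ipfw(8) loads. It also enforces two invariants cpp cannot check for you: every referenced name must be declared, and a skipto target must lie ahead of the rule that jumps to it (ipfw(8) defines skipto as continuing at the first rule numbered at or above the target, so a target behind the rule is a mistake). The class and function names, the interface em0 and the 192.0.2.0/24 addresses are assumptions constructed for the example.

```python
"""Tiny 'high-level to ipfw' translator: named pipes and labels become numbered
ipfw(8) rules.  Added example, not code from the mailing-list thread; the
interface name and addresses in build_example() are constructed."""
import re

IPFW_MAX_RULE = 65535


class IpfwConfigError(ValueError):
    """A rule set ipfw would reject, or one that would not do what its names imply."""


class IpfwScript:
    def __init__(self, start=100, step=100):
        self.step = step
        self._next = start
        self.pipes = {}    # name -> (pipe number, dummynet config string)
        self.labels = {}   # name -> rule number
        self.rules = []    # (rule number, body with {pipe:NAME} / {label:NAME} placeholders)

    def _alloc(self):
        num = self._next
        if num > IPFW_MAX_RULE:
            raise IpfwConfigError("out of rule numbers")
        self._next += self.step
        return num

    def pipe(self, name, config):
        """Declare a named dummynet pipe; numbers are handed out in declaration order."""
        if name in self.pipes:
            raise IpfwConfigError(f"pipe {name!r} declared twice")
        self.pipes[name] = (len(self.pipes) + 1, config)
        return self.pipes[name][0]

    def label(self, name, number=None):
        """Bind a label to a rule number.  Like DECL(x) in the posting it is a
        'count' rule, so the number exists even if nothing else is added there."""
        if name in self.labels:
            raise IpfwConfigError(f"label {name!r} declared twice")
        num = self._alloc() if number is None else number
        self.labels[name] = num
        self.rules.append((num, "count ip from any to any"))
        return num

    def rule(self, body, number=None):
        num = self._alloc() if number is None else number
        self.rules.append((num, body))
        return num

    def _resolve(self, match, rule_num):
        kind, name = match.group(1), match.group(2)
        if kind == "pipe":
            if name not in self.pipes:
                raise IpfwConfigError(f"rule {rule_num}: unknown pipe {name!r}")
            return str(self.pipes[name][0])
        if name not in self.labels:
            raise IpfwConfigError(f"rule {rule_num}: unknown label {name!r}")
        return str(self.labels[name])

    def render(self):
        """Emit the file ipfw(8) loads (one argument list per line), in rule order."""
        out = [f"pipe {num} config {cfg}" for num, cfg in sorted(self.pipes.values())]
        seen = set()
        for num, body in sorted(self.rules):
            if num in seen:
                raise IpfwConfigError(f"rule number {num} used twice")
            if not 1 <= num <= IPFW_MAX_RULE:
                raise IpfwConfigError(f"rule number {num} out of range")
            seen.add(num)
            text = re.sub(r"\{(pipe|label):(\w+)\}", lambda m: self._resolve(m, num), body)
            # skipto continues at the first rule numbered >= target, i.e. it only
            # skips forward; a target at or below the rule itself is a bug.
            m = re.search(r"\bskipto (\d+)\b", text)
            if m and int(m.group(1)) <= num:
                raise IpfwConfigError(f"rule {num}: skipto target {m.group(1)} is not ahead of it")
            out.append(f"add {num} {text}")
        return "\n".join(out) + "\n"


def build_example():
    """The posting's layout with names instead of magic numbers (em0 and
    192.0.2.0/24 are constructed for this example)."""
    s = IpfwScript()
    s.pipe("FOO", "bw 64Kbit/s")
    s.pipe("BAR", "bw 128Kbit/s queue 20")
    s.label("BLACKHOLE", 65000)                                   # fixed number, as in the posting
    s.rule("pipe {pipe:FOO} ip from 192.0.2.0/24 to any out via em0")
    s.rule("pipe {pipe:BAR} ip from any to 192.0.2.0/24 in via em0")
    s.label("DIVERT")                                             # numbered where it is declared
    s.rule("divert 8668 ip from any to any via em0")
    s.rule("skipto {label:BLACKHOLE} ip from any to any")         # the posting's GOTO_THEEND
    s.rule("deny ip from any to any", number=65001)
    return s.render()


def skipto_backward_is_rejected():
    """The check cpp cannot make: a skipto to a label that sits behind the rule."""
    s = IpfwScript()
    s.label("EARLY")                                   # rule 100
    s.rule("skipto {label:EARLY} ip from any to any")  # rule 200, jumps backwards
    try:
        s.render()
    except IpfwConfigError:
        return True
    return False


if __name__ == "__main__":
    print(build_example(), end="")
```

The output of build_example() is a file you can hand to ipfw directly (firewall_type="/path/to/file" in rc.conf), with pipe 1 and pipe 2, the count rule at 300 standing in for the DIVERT label, and the skipto resolved to 65000. With cpp the same mistake in skipto_backward_is_rejected() would expand to a perfectly legal "add 200 skipto 100 ..." and load without complaint.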



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050919094012.GB821>