From owner-freebsd-net@FreeBSD.ORG Tue Dec 14 14:13:22 2004
From: Bruce M Simpson
To: Andre Oppermann
cc: freebsd-net@freebsd.org
Date: Tue, 14 Dec 2004 06:13:07 -0800
Subject: Re: per-interface packet filters, design approach
Message-ID: <20041214141307.GA684@empiric.icir.org>
In-Reply-To: <41BEF2AF.470F9079@freebsd.org>
References: <41BEF2AF.470F9079@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD
On Tue, Dec 14, 2004 at 03:03:27PM +0100, Andre Oppermann wrote:
> Let's take a high level view of the issue at hand and the consider
> some alternative approaches to the situation.
[snip]

I'm wrapping up in Berkeley for the holidays, but I wanted to drop my 2c into this discussion.

What I'm really missing in IPFW is the ability to maintain one or more 'shadow rulesets'. These rulesets may not be the active rulesets, but I can manipulate them as tables, independently of the active ruleset(s), push rules into them, flush them, and then atomically switch them to be the active ruleset, using a single syscall. IPF and PF have such functionality; IPFW does not.

The lack of a documented ABI/API for access to IPFW by applications other than ipfw(8) is something which I'm leaving out of the picture for the moment.

I don't really consider using 'skipto' and separate sections of rule index number space a valid answer here, because we should have the ability to independently flush each ruleset.

When extended to stateful rules (I am talking here purely about the simple stateless packet filter case), this becomes even more useful.

Regards,
BMS
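The shadow-ruleset design sketched in the message above, as an added example that is not part of the original post and not code from IPFW, IPF or PF: a minimal single-process model in which the data path only ever dereferences one active table pointer, while the control path edits and flushes separate shadow tables and activates one of them with a single atomic pointer exchange. All names here (struct fw, fw_commit, fw_shadow_add, fw_filter and so on) are hypothetical, as are the 10.0.0.0/8 sample rules.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum action { ACT_DROP = 0, ACT_PASS = 1 };

struct rule {
    uint32_t src;        /* IPv4 source prefix, host byte order */
    uint32_t mask;       /* prefix mask, host byte order */
    uint16_t dport;      /* destination port, 0 = any */
    enum action act;
};

#define MAX_RULES 64
#define N_SHADOW  2

/* An ordered rule table; the first matching rule wins. */
struct ruleset {
    struct rule rules[MAX_RULES];
    size_t n;
    enum action dflt;    /* verdict when no rule matches */
};

/* Hypothetical filter: one active table plus N_SHADOW inactive ones.
 * Lookups read only 'active'; edits touch only the shadow tables. */
struct fw {
    _Atomic(struct ruleset *) active;
    struct ruleset *shadow[N_SHADOW];
    struct ruleset storage[N_SHADOW + 1];
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static void ruleset_flush(struct ruleset *rs, enum action dflt)
{
    rs->n = 0;
    rs->dflt = dflt;
}

void fw_init(struct fw *fw)
{
    for (size_t i = 0; i < N_SHADOW + 1; i++)
        ruleset_flush(&fw->storage[i], ACT_DROP);
    atomic_store(&fw->active, &fw->storage[0]);     /* empty, default drop */
    for (size_t i = 0; i < N_SHADOW; i++)
        fw->shadow[i] = &fw->storage[i + 1];
}

/* Control path: append to or flush a shadow table; the active table is untouched. */
bool fw_shadow_add(struct fw *fw, size_t idx, struct rule r)
{
    if (idx >= N_SHADOW || fw->shadow[idx]->n >= MAX_RULES)
        return false;
    fw->shadow[idx]->rules[fw->shadow[idx]->n++] = r;
    return true;
}

bool fw_shadow_flush(struct fw *fw, size_t idx, enum action dflt)
{
    if (idx >= N_SHADOW)
        return false;
    ruleset_flush(fw->shadow[idx], dflt);
    return true;
}

/* Commit: a single atomic exchange makes shadow[idx] active and parks the
 * previously active table in that shadow slot, where it can be flushed or
 * reused. A real kernel must additionally wait for in-flight lookups that
 * still hold the old pointer (epoch/RCU grace period) before editing it;
 * this single-threaded model skips that. */
bool fw_commit(struct fw *fw, size_t idx)
{
    if (idx >= N_SHADOW)
        return false;
    struct ruleset *old = atomic_exchange(&fw->active, fw->shadow[idx]);
    fw->shadow[idx] = old;
    return true;
}

/* Data path: classify one packet against whatever table is active right now. */
enum action fw_filter(struct fw *fw, uint32_t src, uint16_t dport)
{
    const struct ruleset *rs = atomic_load(&fw->active);
    for (size_t i = 0; i < rs->n; i++) {
        const struct rule *r = &rs->rules[i];
        if ((src & r->mask) == (r->src & r->mask) &&
            (r->dport == 0 || r->dport == dport))
            return r->act;
    }
    return rs->dflt;
}

/* Walks the build / commit / flush sequence on constructed sample rules and
 * returns the number of verdicts that came out wrong (0 = all as expected). */
int fw_selftest(void)
{
    struct fw fw;
    int bad = 0;
    fw_init(&fw);
    fw_shadow_add(&fw, 0, (struct rule){ ip4(10,0,0,5), 0xffffffffu, 0,  ACT_DROP });
    fw_shadow_add(&fw, 0, (struct rule){ ip4(10,0,0,0), 0xff000000u, 22, ACT_PASS });
    bad += fw_filter(&fw, ip4(10,0,0,7), 22) != ACT_DROP;   /* shadow not live yet */
    fw_commit(&fw, 0);
    bad += fw_filter(&fw, ip4(10,0,0,7), 22) != ACT_PASS;
    bad += fw_filter(&fw, ip4(10,0,0,5), 22) != ACT_DROP;   /* host rule wins */
    bad += fw_filter(&fw, ip4(10,0,0,7), 80) != ACT_DROP;   /* default verdict */
    fw_shadow_flush(&fw, 0, ACT_DROP);                      /* old table, not active */
    bad += fw_filter(&fw, ip4(10,0,0,7), 22) != ACT_PASS;
    fw_shadow_add(&fw, 1, (struct rule){ 0, 0, 0, ACT_PASS });
    fw_commit(&fw, 1);                                      /* switch to pass-all */
    bad += fw_filter(&fw, ip4(10,0,0,5), 22) != ACT_PASS;
    return bad;
}

int main(void)
{
    printf("selftest: %d bad verdicts\n", fw_selftest());
    return 0;
}
```

The point the model makes concrete is the one the message contrasts with 'skipto' sections: each shadow table is flushed or rebuilt on its own, and the only operation the data path can observe is the pointer exchange, so a packet is never classified against a half-loaded table.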