Date: Mon, 17 May 2004 17:53:19 +0300
From: Dmitry Sergienko <trooper+freebsd+ipfw@email.dp.ua>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: ipfw@freebsd.org
Subject: Re: ipfw prefix-list support request
Message-ID: <40A8D1DF.8010605@email.dp.ua>
In-Reply-To: <Pine.BSF.4.53.0405171400530.27806@e0-0.zab2.int.zabbadoz.net>
References: <40A8C12D.5040906@email.dp.ua> <Pine.BSF.4.53.0405171400530.27806@e0-0.zab2.int.zabbadoz.net>

Hi!

Bjoern A. Zeeb wrote:
>>The main advantage is to maintain the list of prefixes separately from
>>the rule, without tweaking the rule.
>>Current syntax in ipfw2 doesn't allow this (or have I missed
>>something?).
>>
>>Please tell me your opinion about this feature: will it really be useful
>>not only for me? If so, we will try to implement this.
>
>
> use ipfw -p
>
> p.ex. with m4 you can do
>
> define(`goodcustomers',`{ 10.0.0.0/8 or 192.168.0.0/24 }')dnl
> add permit ip from goodcustomers to goodcustomers
>
> or s.th. like that. Of course you do not need -p /usr/bin/m4
> if you simply want to write
>
> add permit ip from { 10.0.0.0/8 or 192.168.0.0/24 } to { 10.0.0.0/8 or 192.168.0.0/24 }
>
> You might want to use perl or s.th. else to build up the list
> if you prefer Cisco config style but that's really a matter
> of the preprocessor then.

Thank you for replying.
It is not a problem to generate rules with the help of any text processing tool.
But it will be just like a macro. The problem is to change lists of addresses
without modifying the existing rule, dynamically. If I need to change the list of
addresses I have to kill the existing rule and insert another with the same number.
This is inconvenient. If I generate the list of ipfw rules I need to reload all rules,
which is inconvenient also.

Next. Maybe I'm wrong, but as far as I saw in sbin/ipfw2.c, OR blocks are generated
as a list of items to be checked by the kernel. A hash will be more effective if we
have a lot of prefixes.
Also I can't see stats by exact prefix in OR blocks, only by whole rule.

-- 
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
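
The lookup structure the message above argues for, as an added example that is not part of the thread and is not ipfw code: a prefix table kept apart from the rule, matched by one hash probe per mask length in use, with a hit counter per prefix. All names (pfx_table, pfx_add, pfx_match) and the table size are hypothetical, and removal of prefixes is left out.

```c
#include <stdint.h>
#include <stdio.h>
#define NSLOT 256                /* constructed size, power of two */
struct pfx { uint32_t net; uint8_t len, used; uint64_t hits; };
struct pfx_table {
    struct pfx slot[NSLOT];      /* open addressing, linear probing */
    uint64_t lens;               /* bit n set: some /n prefix is present */
};
static uint32_t mask_of(unsigned len) { return len ? ~0u << (32 - len) : 0; }

/* Find the slot holding net/len, or the free slot where it would go. */
static struct pfx *probe(struct pfx_table *t, uint32_t net, unsigned len) {
    unsigned i = (((net * 2654435761u) >> 24) ^ len) & (NSLOT - 1), n;
    for (n = 0; n < NSLOT; n++, i = (i + 1) & (NSLOT - 1)) {
        struct pfx *p = &t->slot[i];
        if (!p->used || (p->net == net && p->len == len))
            return p;
    }
    return NULL;                 /* table full */
}

/* Add a prefix; a rule that refers to the table is never rewritten. */
int pfx_add(struct pfx_table *t, uint32_t addr, unsigned len) {
    struct pfx *p;
    if (len > 32 || (p = probe(t, addr & mask_of(len), len)) == NULL)
        return -1;
    p->net = addr & mask_of(len); p->len = (uint8_t)len; p->used = 1;
    t->lens |= 1ULL << len;
    return 0;
}

/* Longest-prefix match: one hash probe per mask length in use. */
struct pfx *pfx_match(struct pfx_table *t, uint32_t addr) {
    for (int len = 32; len >= 0; len--) {
        struct pfx *p;
        if (!(t->lens & (1ULL << len)))
            continue;
        p = probe(t, addr & mask_of((unsigned)len), (unsigned)len);
        if (p != NULL && p->used) { p->hits++; return p; }  /* per-prefix stats */
    }
    return NULL;
}

int main(void) {
    static struct pfx_table t;   /* prefixes below are from the quoted rule */
    pfx_add(&t, 0x0A000000u, 8); pfx_add(&t, 0xC0A80000u, 24);
    struct pfx *p = pfx_match(&t, 0x0A010203u);      /* 10.1.2.3 */
    printf("matched /%u\n", p ? (unsigned)p->len : 0u);
    return 0;
}
```

The cost of a lookup depends on how many distinct mask lengths are in the table, not on how many prefixes it holds, which is the contrast with a linearly checked OR block.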