From owner-freebsd-ipfw@FreeBSD.ORG Mon May 17 07:53:22 2004
From: Dmitry Sergienko (Trifle Co., Ltd.)
To: "Bjoern A. Zeeb"
Cc: ipfw@freebsd.org
Subject: Re: ipfw prefix-list support request
Date: Mon, 17 May 2004 17:53:19 +0300
Message-ID: <40A8D1DF.8010605@email.dp.ua>
References: <40A8C12D.5040906@email.dp.ua>
List-Id: IPFW Technical Discussions

Hi!

Bjoern A. Zeeb wrote:
>> The main advantage is to maintain the list of prefixes separately from
>> the rule, without tweaking the rule.
>> The current syntax in ipfw2 doesn't allow this (or have I missed
>> something?).
>>
>> Please tell me your opinion about this feature: will it really be useful,
>> and not only for me? If so, we will try to implement this.
>
> use ipfw -p
>
> e.g. with m4 you can do
>
> define(`goodcustomers',`{ 10.0.0.0/8 or 192.168.0.0/24 }')dnl
> add permit ip from goodcustomers to goodcustomers
>
> or something like that. Of course you do not need -p /usr/bin/m4
> if you simply want to write
>
> add permit ip from { 10.0.0.0/8 or 192.168.0.0/24 } to { 10.0.0.0/8 or 192.168.0.0/24 }
>
> You might want to use perl or something else to build up the list
> if you prefer Cisco config style, but that's really a matter
> of the preprocessor then.

Thank you for replying. It is not a problem to generate rules with the help of any text-processing tool. But it will just be like macros. The problem is to change lists of addresses dynamically, without modifying the existing rule. If I need to change the list of addresses I have to kill the existing rule and insert another with the same number. This is inconvenient. If I generate a list of ipfw rules I need to reload all rules, which is also inconvenient.

Next. Maybe I'm wrong, but as far as I saw in sbin/ipfw2.c, OR blocks are generated as a list of items to be checked by the kernel. A hash will be more effective if we have a lot of prefixes. Also I can't see stats by exact prefix in OR blocks, only by whole rule.

-- 
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
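The preprocessor Bjoern alludes to ("use perl or something else to build up the list if you prefer Cisco config style"), written here in Python as an added example; it is not code from this mail, from FreeBSD's sbin/ipfw2.c, or from either author. It parses a constructed Cisco-style prefix-list, validates each prefix (rejecting entries with host bits set), and emits the ipfw2 OR-block rule, Bjoern's m4 define() variant, and the delete/re-add pair that changing the list requires, which is exactly the inconvenience Dmitry describes. The function names, the rule number and the prefix-list text are my own choices. One caveat built into the code: a prefix-list `deny` entry has no equivalent inside an OR block, so such entries are skipped rather than silently turned into permits.

```python
"""Build ipfw2 OR-block rules from a Cisco-style prefix-list.

Added example for the thread above; not code from the mail or from FreeBSD.
The prefix-list text at the bottom is constructed for illustration.
"""
import ipaddress
import re

# Cisco-style line: ip prefix-list NAME seq N permit|deny A.B.C.D/M
_PL_RE = re.compile(
    r"^\s*ip\s+prefix-list\s+(?P<name>\S+)\s+seq\s+(?P<seq>\d+)\s+"
    r"(?P<action>permit|deny)\s+(?P<prefix>\S+)\s*$"
)


def parse_prefix_list(text, name):
    """Return the permit prefixes of prefix-list `name`, ordered by seq.

    strict=True makes ipaddress raise ValueError for host bits set
    (10.1.2.3/8), which a router would also refuse.  'deny' entries are
    skipped: an ipfw OR block can only express a set of matches, not
    exceptions, so they must be handled as separate deny rules instead.
    """
    entries = []
    for line in text.splitlines():
        m = _PL_RE.match(line)
        if not m or m.group("name") != name:
            continue
        net = ipaddress.IPv4Network(m.group("prefix"), strict=True)
        if m.group("action") == "permit":
            entries.append((int(m.group("seq")), net))
    entries.sort()
    return [net for _, net in entries]


def safe_parse(text, name):
    """(nets, error) form of parse_prefix_list for callers without tracebacks."""
    try:
        return parse_prefix_list(text, name), None
    except ValueError as exc:
        return [], str(exc)


def or_block(nets):
    """ipfw2 syntax for an address list: { a or b or c }; one element needs no braces."""
    if not nets:
        raise ValueError("empty address list")
    if len(nets) == 1:
        return str(nets[0])
    return "{ " + " or ".join(str(n) for n in nets) + " }"


def m4_define(macro, nets):
    """Bjoern's variant: a define() for a rule file fed through 'ipfw -p /usr/bin/m4'."""
    return "define(`%s',`%s')dnl" % (macro, or_block(nets))


def regenerate(number, action, proto, src_nets, dst_nets):
    """Commands needed today when the list changes: drop the rule and re-add
    it under the same number.  Counters are per rule, so this also resets
    them, and there is no per-prefix statistic to read (Dmitry's point)."""
    rule = "ipfw add %d %s %s from %s to %s" % (
        number, action, proto, or_block(src_nets), or_block(dst_nets)
    )
    return ["ipfw delete %d" % number, rule]


# Constructed sample input (not from the mail).
PREFIX_LIST = """\
ip prefix-list goodcustomers seq 5 permit 10.0.0.0/8
ip prefix-list goodcustomers seq 10 permit 192.168.0.0/24
ip prefix-list goodcustomers seq 15 deny 172.16.0.0/12
ip prefix-list other seq 5 permit 203.0.113.0/24
"""

if __name__ == "__main__":
    nets = parse_prefix_list(PREFIX_LIST, "goodcustomers")
    print(m4_define("goodcustomers", nets))
    for cmd in regenerate(1000, "permit", "ip", nets, nets):
        print(cmd)
```

Running it prints the define() line from the thread followed by `ipfw delete 1000` and the expanded `ipfw add 1000 permit ip from { ... } to { ... }` rule; every list change means re-running the generator and replaying that delete/add pair, which is the step Dmitry wants to eliminate.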