Date: Wed, 18 Apr 2007 13:58:49 -0700 From: Julian Elischer <julian@elischer.org> To: ipfw@freebsd.org Subject: ipfw changes being contemplated.. Message-ID: <46268689.1080301@elischer.org>
next in thread | raw e-mail | index | archive | help
I'm contemplating the following changes to functionality: I'd like suggestions and comments... 1/ Commit capability In this change you declare a new firewall, and modify/build it, and then you 'commit' it so that the whole change is atomic. I have a current bug at work where automatic changes are made to teh firewall, but sometimes packets can arrive between parts of a change and lead to odd behaviour. For example if I have a reset rule after a skipto, and as part of the change I replace the skipto with something else, then for a moment, teh reset it exposed before the new rule is put in. this leads to a spurious reset being sent out and terminating a perfectly innocent session. I can code around these sorts of things but I'd like to do: ipfw duplicate to 1 # make rule list 1 a copy of the current rules ipfw rules 1 delete 1000 ipfw rules 1 add 1000 skipto 2000 tcp from any to me ... ... (400 other changes) ipfw commit 1 or ipfw new 1 # make rule list 1 a copy of the current rules ipfw rules 1 add 1000 skipto 2000 tcp from any to me ... ... (400 other changes) ipfw commit 1 rules that are unchanged would maintain their statistics. possibly I would not need a rule list number if the ipfw program would automatically write to the existing set if there is no new (or duplicate) rule list, but would manipulate the 'growing' list if it exists. (that way keeping the new behaviour as a superset of the old behaviour). 2/ implements some local registers for each packet run. As each packet traverses the firewall the rules can assign values to some registers, which can be used to make decisions later. e.g. ipfw add 1000 loadregister 1 tablearg ip from any to table (2) ipfw add 2000 skipto 3000 register 1 gt 100 3/ 'computed goto' (fortran name) ipfw add 1000 skipto tablearg tcp from 1.1.1.1 to table (1) 4/ tablearg to get an optional table number.... if a rule has 2 tables we need to be able to specify which. 5/ ability to have multiple firewalls.. (extension of (1)) ipfw new 1 ipfw rules 1 add .... .... ipfw commit 1 bridge "bridge0" different rule sets for different entry points. ethernet layer (Layer2), IP output, bridging, IP input, different input interfaces? 6/ corrolory of 5 ability for one firewall to call into another.. ipfw new 2 ipfw add [IP tests] ipfw new 1 ipfw rules 1 add 1000 check rules 2 mac-type ipv4 commit 2 bridge The syntax is not set on these. This is just to get ideas out there. so I'm up for a discussion.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46268689.1080301>