From: Reinier Bezuidenhout
Message-Id: <199701161206.OAA14163@oskar.nanoteq.co.za>
Subject: Re: ipfw cannot do this...
In-Reply-To: <199701152258.OAA23006@bubba.whistle.com> from Archie Cobbs at "Jan 15, 97 02:58:58 pm"
To: archie@whistle.com (Archie Cobbs)
Date: Thu, 16 Jan 1997 14:06:36 +0200 (SAT)
Cc: ejs@bfd.com, nate@mt.sri.com, phk@freebsd.org, current@freebsd.org

Hi ...

> > Actually, what I really want is an ipfw add skip XXX ... where if
> > something matches the rule, skip all other rules below XXX (yes, I always
> > number my rules:-)
>
> Just use the rule "ipfw accept". The packet is permitted and remaining
> rules are ignored.

Maybe he means just jumping a few rules and then continuing to enforce
the rules from XXX onward.

What if the rules are made hierarchical, for example:

First test to see if the source is the subnet - then enforce more
detailed entries

        ipfw add 10 TRUE from 0.0.0.0/24 to any
                        /\
                    YES    NO
            rules TRUE+      rules FALSE
                 |                |
             Deny all         Deny all

Or something to this effect ....

I'll be willing to give some ideas or even to try and implement this :)
because this would make the number of rules tested for one packet
much less, especially for a large subset of rules.

Reinier

###################################################################
#                                                                 #
#  R.N. Bezuidenhout                NetSeq Firewall               #
#  rbezuide@oskar.nanoteq.co.za     http://www.nanoteq.co.za      #
#                                                                 #
###################################################################
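
Added example, not part of the original message and not ipfw code: a toy first-match evaluator in Python that models the proposed "skip XXX" action as a hypothetical "skipto" rule. It counts how many rules a packet is tested against in a flat list versus the two-branch layout sketched in the message. The rule format, rule numbers and addresses are constructed for illustration.

```python
# Toy first-match packet filter with a forward-jump action (added example).
# Rule tuples, rule numbers and addresses are constructed, not real ipfw syntax.
from ipaddress import ip_address, ip_network


def evaluate(rules, src):
    """Return (verdict, rules_tested) for a packet with source address src.

    rules: list of (number, action, src_net, target), sorted by number.
    action is "allow", "deny" or "skipto"; target is used only by "skipto".
    """
    addr = ip_address(src)
    tested = 0
    resume_at = 0  # lowest rule number still eligible for matching
    for number, action, net, target in rules:
        if number < resume_at:
            continue  # jumped over by an earlier skipto, so never tested
        tested += 1
        if addr not in ip_network(net):
            continue
        if action == "skipto":
            if target <= number:
                # Backward jumps could loop forever; refuse them.
                raise ValueError(f"rule {number}: skipto must jump forward")
            resume_at = target
            continue
        return action, tested
    return "deny", tested  # default deny when nothing matches


def build_rulesets(n=50):
    """Same policy twice: one flat list, one split into two branches."""
    outside = [(100 + i, "allow", f"192.0.2.{i + 1}/32", None) for i in range(n)]
    inside = [(1000 + i, "allow", f"10.0.0.{i + 1}/32", None) for i in range(n)]
    deny_all = (65000, "deny", "0.0.0.0/0", None)
    flat = outside + inside + [deny_all]
    # Rule 10 is the subnet test from the diagram: sources in 10.0.0.0/24 jump
    # to 1000; everything else falls through to 100..999. Each branch ends in
    # its own "deny all".
    branched = ([(10, "skipto", "10.0.0.0/24", 1000)] + outside
                + [(999, "deny", "0.0.0.0/0", None)] + inside + [deny_all])
    return flat, branched


if __name__ == "__main__":
    flat, branched = build_rulesets()
    for src in ("10.0.0.50", "10.0.0.200", "192.0.2.1", "198.51.100.7"):
        print(src, "flat:", evaluate(flat, src), "branched:", evaluate(branched, src))
```

The verdicts are identical in both layouts; only the number of rules tested changes, and a source that matches the very first flat rule pays one extra test for the branch rule.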