Date: Thu, 26 Feb 2004 14:40:49 -0800
From: Tim Kientzle <tim@kientzle.com>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: Steve Kargl <sgk@troutmask.apl.washington.edu>
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c src/sys/contrib/pf/netinet in4_cksum.c
Message-ID: <403E75F1.2070302@kientzle.com>
In-Reply-To: <Pine.NEB.3.96L.1040226150526.79901Y-100000@fledge.watson.org>
References: <Pine.NEB.3.96L.1040226150526.79901Y-100000@fledge.watson.org>
>>>Choice is good. Three firewalls is maybe pushing the limit, but these
>>>three are Very Important to our community.
Dunno about pf, but neither ipfw nor ipf have one
feature I've been looking for. I'd like to be able
to say something like:
create set BLACKLIST
drop ip in BLACKLIST
where BLACKLIST is a user-defined and easily-modifiable
set of arbitrary addresses. Probably implemented via
a hash-table or search tree.
Then I want to be able to modify the address set
separately, without having to touch the rules per se:
add 1.2.3.4 to BLACKLIST
This would make it feasible to manage large sets
(thousands) of blocked (or permitted) addresses
without the performance degradation of walking a very
long list of rules. It could also greatly simplify
a lot of rulesets.
The ideal mechanism would support arbitrary CIDR blocks:
add 1.2.3.4/29 to BLACKLIST
add 10.0.0.0/8 to BLACKLIST
but the data structures that handle this sort of
thing efficiently are admittedly a bit esoteric.
Just a thought,
Tim Kientzle
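An added illustration of the data structure Tim is asking for (my own example, not code from pf, ipfw, ipf or Tim's message): an IPv4 address set stored as a binary trie over address bits, so that "add 1.2.3.4/29 to BLACKLIST" and "drop ip in BLACKLIST" both cost at most one 32-step walk no matter how many blocks the set holds. The names parse_cidr, set_add, set_contains and blacklist_drops are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* One node per address-bit prefix; a terminal node ends a block and every
 * address below it is a member. Nodes are kept for the program's lifetime. */
struct node { struct node *child[2]; int terminal; };

/* Parse "a.b.c.d" or "a.b.c.d/n" into a host-order address and prefix length. */
int parse_cidr(const char *s, uint32_t *addr, int *plen) {
    unsigned a, b, c, d; int n = 32;                 /* no "/n" means a single host */
    int got = sscanf(s, "%u.%u.%u.%u/%d", &a, &b, &c, &d, &n);
    if (got != 4 && got != 5) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || n < 0 || n > 32) return -1;
    *addr = (uint32_t)a << 24 | b << 16 | c << 8 | d;
    *plen = n;
    return 0;
}

/* "add 1.2.3.4/29 to BLACKLIST": walk plen bits, creating nodes on the way.
 * Host bits beyond plen are never examined, so 1.2.3.4/29 covers 1.2.3.0-7. */
int set_add(struct node **root, const char *cidr) {
    uint32_t addr; int plen;
    if (parse_cidr(cidr, &addr, &plen) < 0) return -1;
    if (*root == NULL && (*root = calloc(1, sizeof **root)) == NULL) return -1;
    struct node *n = *root;
    for (int i = 0; i < plen; i++) {
        if (n->terminal) return 0;                   /* already inside a wider block */
        int bit = (addr >> (31 - i)) & 1;
        if (n->child[bit] == NULL) n->child[bit] = calloc(1, sizeof *n);
        if ((n = n->child[bit]) == NULL) return -1;
    }
    n->terminal = 1;
    return 0;
}

/* "drop ip in BLACKLIST": at most 32 steps, however many blocks the set holds. */
int set_contains(const struct node *n, const char *ip) {
    uint32_t addr; int plen;
    if (parse_cidr(ip, &addr, &plen) < 0) return 0;
    for (int i = 0; n != NULL; i++) {
        if (n->terminal) return 1;
        if (i == 32) break;
        n = n->child[(addr >> (31 - i)) & 1];
    }
    return 0;
}

/* The message's example set, built once; returns 1 if ip would be dropped. */
int blacklist_drops(const char *ip) {
    static struct node *blacklist;
    if (blacklist == NULL) { set_add(&blacklist, "1.2.3.4/29"); set_add(&blacklist, "10.0.0.0/8"); }
    return set_contains(blacklist, ip);
}
```

Membership does not depend on the number of entries, which is the property a thousands-strong set needs; pf's tables use a radix tree for the same reason.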
