From: alo@iki.fi.invalid (Antti Louko)
To: freebsd-hackers@freebsd.org
Date: 30 Nov 2003 06:53:10 -0000
Message-ID: <20031130065310.29349.qmail@alo.louko.com>
Subject: ipfw/ipf IP filtering thoughts

Generally, I like the (Free)BSD way of doing things. But the IP filtering modules available for FreeBSD lack one feature when compared to the Linux way (ipchains and iptables). In ipchains and iptables you have a sequential list of rules, very much like in ipfw and ipf, but you can have several different lists which have symbolic names, and you can make calls from lists to other lists based on normal packet criteria. If the list is exhausted, the scan returns to the previous list. This makes it possible to make filtering decisions much more efficiently in complex situations. You can, for example, scan a certain list only for packets going to port 25, and so on.
In FreeBSD, you don't have this "subroutine call" feature at all, and you are limited to only one sequential list with a "goto". Any ideas how to proceed? I think this would be really needed and widely used if available.
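The two evaluation models the message contrasts, as an added Python simulation that is not part of the original post and is not code from ipfw, ipf, ipchains or iptables. It assumes a simplified packet (exact-match fields only, no address masks), constructed chain names (INPUT, smtp, web), constructed sample addresses, and models the single-list "goto" as a forward-only skipto to a rule number; the point it shows is that a named chain returns to its caller when exhausted (or on an explicit RETURN), whereas a section of a single list has to repeat whatever should happen next.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified packet: exact-match fields only, enough to show control flow.
@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int

@dataclass
class Rule:
    match: dict                    # field -> required value; {} matches every packet
    action: str                    # "ACCEPT", "DROP", "RETURN" or "JUMP"
    target: Optional[str] = None   # chain name for JUMP

def matches(rule: Rule, pkt: Packet) -> bool:
    return all(getattr(pkt, k) == v for k, v in rule.match.items())

def walk_chain(chains: dict, name: str, pkt: Packet, trace: list) -> Optional[str]:
    """Named-chain model. A JUMP is a subroutine call: when the called chain is
    exhausted or hits RETURN, scanning resumes with the rule after the JUMP."""
    for i, rule in enumerate(chains[name]):
        trace.append(f"{name}[{i}]")          # record every rule that was evaluated
        if not matches(rule, pkt):
            continue
        if rule.action in ("ACCEPT", "DROP"):
            return rule.action                # terminal verdict
        if rule.action == "RETURN":
            return None                       # explicit return to the calling chain
        if rule.action != "JUMP":
            raise ValueError(rule.action)
        verdict = walk_chain(chains, rule.target, pkt, trace)
        if verdict is not None:
            return verdict
        # called chain fell off its end: continue with the next rule here
    return None

def filter_chains(chains: dict, pkt: Packet, entry: str = "INPUT", policy: str = "DROP"):
    trace: list = []
    verdict = walk_chain(chains, entry, pkt, trace)
    return (verdict if verdict is not None else policy), trace

def filter_linear(rules: list, pkt: Packet, policy: str = "deny"):
    """Single numbered list with a forward-only skipto. There is no return:
    a section that ends must itself spell out what happens next."""
    trace: list = []
    i = 0
    while i < len(rules):
        number, match, action, target = rules[i]
        trace.append(number)
        if all(getattr(pkt, k) == v for k, v in match.items()):
            if action in ("allow", "deny"):
                return action, trace
            # skipto: continue with the first rule numbered target or higher
            i = next((j for j, r in enumerate(rules) if r[0] >= target), len(rules))
            continue
        i += 1
    return policy, trace

# Constructed sample policy: mail and web each get their own list; other tcp is dropped.
CHAINS = {
    "INPUT": [
        Rule({"proto": "tcp", "dport": 25}, "JUMP", "smtp"),
        Rule({"proto": "tcp", "dport": 80}, "JUMP", "web"),
        Rule({"proto": "tcp"}, "DROP"),
        Rule({}, "ACCEPT"),
    ],
    "smtp": [
        Rule({"src": "192.0.2.7"}, "DROP"),        # constructed: blocked relay
        Rule({"src": "203.0.113.5"}, "ACCEPT"),    # constructed: trusted relay
        # no catch-all: an unknown sender exhausts this chain and returns to INPUT
    ],
    "web": [
        Rule({"src": "192.0.2.7"}, "RETURN"),      # hand back to INPUT, which drops it
        Rule({}, "ACCEPT"),
    ],
}

# The same policy as one numbered list. Sections cannot return, so the generic
# tcp deny (rule 300) is repeated at the end of each section.
LINEAR = [
    (100, {"proto": "tcp", "dport": 25}, "skipto", 1000),
    (200, {"proto": "tcp", "dport": 80}, "skipto", 2000),
    (300, {"proto": "tcp"}, "deny", None),
    (400, {}, "allow", None),
    (1000, {"src": "192.0.2.7"}, "deny", None),
    (1100, {"src": "203.0.113.5"}, "allow", None),
    (1200, {}, "deny", None),                      # duplicated "return path"
    (2000, {"src": "192.0.2.7"}, "deny", None),    # duplicated again for web
    (2100, {}, "allow", None),
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.9", "tcp", 25), Packet("192.0.2.7", "tcp", 80)):
        print(pkt, filter_chains(CHAINS, pkt), filter_linear(LINEAR, pkt))
```

The trace lists make the efficiency argument visible: a packet that is not addressed to port 25 never evaluates a single smtp rule, and a packet that falls off the end of the smtp chain resumes at INPUT[1] rather than at a hard-coded rule number.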