From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 21 10:37:56 2011
From: Vadim Goncharov
To: freebsd-ipfw@freebsd.org
Cc: freebsd-current@freebsd.org
Reply-To: vadim_nuclight@mail.ru
Date: Tue, 21 Jun 2011 10:22:40 +0000 (UTC)
Organization: Nuclear Lightning @ Tomsk, TPU AVTF Hostel
User-Agent: slrn/0.9.9p1 (FreeBSD)
List-Id: IPFW Technical Discussions
Subject: [PATCH] ipfw call/return rule actions

Hi,

I have made a patch

  http://nuclight.avtf.net/vadim/ipfw_call_20110620.diff

which adds "call" and "return" rule actions to make it possible to organize
"subroutines" with rules - "skipto" is like "goto" and only allows jumps
forward, not backward.

This could be useful to help doing somewhat like per-interface ACL, something
similar to pf anchors or iptables chains. Please test, hope to see this
committed soon and released in 9.0!

Sample ipfw list:

00500 call 2000 ip from 10.0.0.5 to any
00600 count log ip from 10.0.0.5 to any
00999 allow ip from any to any
02000 count ip from any to any // entry of subr
02100 count log ip from any to any
02999 return log ip from any to any // leave subr
03600 count log ip from 10.0.0.5 to any
65534 allow ip from any to any
65535 deny ip from any to any

Here after 2999 the packet continues from 501, the next number after "call".

Or this could be used to reduce the number of rules when previously one did
many skipto's for each direction/interface and had to repeat the same rules
again and again, e.g.:

add 100 call 5000 all from any to any in recv em0
add 110 deny all from table(10) to any in recv em0
add 200 call 5000 all from any to any in recv em1
add 210 deny all from table(20) in recv em1
...
add 5000 deny log all from any to any not antispoof
add 5010 deny tcp from any to any 135,139,445
add 5020 deny udp from any to any 137,138
add 5030 allow tcp from any to any established
...
add 5999 return // end of common block

-- 
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
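The following is an added example written for this archive page; it is not the patch's code nor any part of ipfw. It is a small Python model of the rule walk the post describes: skipto may only jump forward, call pushes the calling rule's number and jumps anywhere, and return continues with the first rule numbered above the caller (the "continues from 501" in the sample). Both rulesets below are constructed: the first mirrors the post's sample list, the second mirrors the per-interface "common block" idea with a plain source-host match standing in for table(10) and for the port/antispoof checks. The default-deny at end of list, the depth limit on nested calls and the behaviour of a return with no pending call are assumptions of this model, not statements from the post.

```python
"""Toy model of ipfw rule walking with skipto/call/return (added example)."""
from bisect import bisect_left, bisect_right
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # allow | deny | count | skipto | call | return
    target: Optional[int] = None   # jump target for skipto / call
    src: str = "any"               # source host or "any"
    recv: str = "any"              # incoming interface ("in recv X") or "any"


@dataclass(frozen=True)
class Packet:
    src: str
    recv: str = "any"


def validate(rules):
    """Reject what ipfw rejects at 'add' time: a skipto that jumps backward.
    call may target any rule number, which is the point of the patch."""
    numbers = [r.number for r in rules]
    if numbers != sorted(numbers) or len(set(numbers)) != len(numbers):
        raise ValueError("rules must be sorted by unique number")
    for r in rules:
        if r.action in ("skipto", "call") and r.target is None:
            raise ValueError(f"rule {r.number}: {r.action} needs a target")
        if r.action == "skipto" and r.target <= r.number:
            raise ValueError(f"rule {r.number}: skipto may only jump forward")
    return True


def ruleset_ok(rules):
    """Boolean wrapper around validate() for callers that prefer no exception."""
    try:
        return validate(rules)
    except ValueError:
        return False


def _matches(rule, pkt):
    return rule.src in ("any", pkt.src) and rule.recv in ("any", pkt.recv)


def evaluate(rules, pkt, max_depth=16):
    """Walk the ruleset for one packet.
    Returns (verdict, list of rule numbers that matched, in order).
    Assumption: default policy is deny when the end of the list is reached."""
    validate(rules)
    numbers = [r.number for r in rules]
    idx, stack, trace = 0, [], []
    while idx < len(rules):
        r = rules[idx]
        if not _matches(r, pkt):
            idx += 1
            continue
        trace.append(r.number)
        if r.action in ("allow", "deny"):
            return r.action, trace
        if r.action == "count":
            idx += 1
        elif r.action == "skipto":
            idx = bisect_left(numbers, r.target)        # first rule numbered >= target
        elif r.action == "call":
            if len(stack) >= max_depth:                 # assumption: runaway nesting is dropped
                return "deny", trace
            stack.append(r.number)
            idx = bisect_left(numbers, r.target)
        elif r.action == "return":
            if not stack:                               # assumption: no caller -> fall through
                idx += 1
            else:
                idx = bisect_right(numbers, stack.pop())  # first rule numbered > the caller
        else:
            raise ValueError(f"rule {r.number}: unknown action {r.action}")
    return "deny", trace


# Constructed: the post's sample list, reduced to a source-host match.
POST_RULES = [
    Rule(500, "call", 2000, src="10.0.0.5"),
    Rule(600, "count", src="10.0.0.5"),
    Rule(999, "allow"),
    Rule(2000, "count"),            # entry of subr
    Rule(2100, "count"),
    Rule(2999, "return"),           # leave subr
    Rule(3600, "count", src="10.0.0.5"),
    Rule(65534, "allow"),
    Rule(65535, "deny"),
]

# Constructed: one shared block called from two interfaces; 110 stands in for table(10),
# 5010 stands in for the block's port/antispoof denies (192.0.2.1 is a made-up host).
PER_IFACE_RULES = [
    Rule(100, "call", 5000, recv="em0"),
    Rule(110, "deny", src="10.0.0.5", recv="em0"),
    Rule(200, "call", 5000, recv="em1"),
    Rule(210, "allow", recv="em1"),
    Rule(999, "allow"),
    Rule(5000, "count"),
    Rule(5010, "deny", src="192.0.2.1"),
    Rule(5999, "return"),           # end of common block
]

if __name__ == "__main__":
    print(evaluate(POST_RULES, Packet("10.0.0.5")))          # ('allow', [500, 2000, 2100, 2999, 600, 999])
    print(evaluate(PER_IFACE_RULES, Packet("10.0.0.5", "em0")))  # ('deny', [100, 5000, 5999, 110])
```

The trace for the first packet shows the point of the patch: rule 2999 returns to 600, the first rule after the calling rule 500, rather than continuing downward from 3000 as a skipto chain would. The second ruleset shows the same block reached from two callers returning to the right place each time, which is what lets the per-interface deny rules (110, 210) sit directly after their call instead of being duplicated inside the block.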