Date: Mon, 17 May 2004 15:10:50 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Dmitry Sergienko <trooper+freebsd+ipfw@email.dp.ua>
Cc: ipfw@freebsd.org
Subject: Re: ipfw prefix-list support request
Message-ID: <20040517151050.B63591@xorpc.icir.org>
In-Reply-To: <40A8C12D.5040906@email.dp.ua>; 04:42:05PM +0300
References: <40A8C12D.5040906@email.dp.ua>
On Mon, May 17, 2004 at 04:42:05PM +0300, Dmitry Sergienko wrote:
> Hi!
>
> I'm thinking about external prefix-lists in ipfw. This is like

I think everybody agrees that it would be great to have in ipfw2 named
objects such as lists of ports, prefixes, etc. that one can dynamically
modify without having to rewrite rules. The issues are:

+ (minor but important) find a decent syntax -- your example

      ipfw add 100 allow ip from prefix-list goodcustomers to any

  is ambiguous as prefix-list could be a hostname and goodcustomers a
  service name. Given that this is ipfw2, you can use ipfw2 syntax and
  define a new keyword 'src-prefix-list' to be used as

      ipfw add 100 allow src-prefix-list goodcustomers ...

+ define the semantics clearly -- do you want longest prefix match, or
  just any match (it does make a difference in the management of
  counters);

+ implement the list efficiently -- to avoid huge search times, one
  should implement the list as some kind of compressed trie. HOWEVER, if
  the list is short (some 10 entries) a linear search is probably a lot
  more efficient, so your code should cover both cases.

+ remember that ipfw(2) accepts one line at a time -- so there will be
  times when the configuration is inconsistent, e.g. you might have
  rules pointing to a non-existing list. Make sure the handling of these
  cases is not terribly expensive.

The 'or block'

      { 10.0.0.0/8 or 192.168.0.0/24 }

and the 'address set'

      10.0.2.0/24{3,80,118,128-191,224-231}

are surrogates that cover simple uses of the prefix list, but certainly
not all of them.

I think for the code you could try to borrow something from pf.

Post patches when you have them.

cheers
luigi
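The two design points raised in the message, "any match" versus longest prefix match and a linear scan for short lists versus a trie for long ones, are shown together in the added example below. It is not ipfw or pf code and is not from anyone in this thread; it is a stand-alone, IPv4-only sketch written for this page. The LINEAR_MAX threshold of 10, the IP4 macro, the function names and the two sample lists are all assumptions made for the example. Lookups return the index of the matching entry rather than a plain yes/no, so a caller could keep per-entry counters; the comments point out why the two search structures return different entries under "any match", which is exactly why the semantics have to be pinned down before counters mean anything.

```c
/* Added example, not ipfw or pf code: a prefix list supporting "any match"
 * and "longest prefix match", using a linear scan for short lists and a
 * binary trie for longer ones. LINEAR_MAX and all names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINEAR_MAX 10   /* assumed: lists longer than this get a trie */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct prefix { uint32_t addr; uint8_t len; };    /* host-order address, mask length */
struct node { struct node *child[2]; int idx; };  /* idx: entry ending here, or -1 */
struct prefix_list { struct prefix *ent; size_t n; struct node *root; };

static uint32_t mask_of(uint8_t len) { return len ? ~(uint32_t)0 << (32 - len) : 0; }

static int contains(const struct prefix *p, uint32_t a) {
    return (a & mask_of(p->len)) == (p->addr & mask_of(p->len));
}

/* Linear scan: "any match" returns the FIRST entry in list order;
 * "longest" keeps scanning and returns the most specific one. */
static int linear_lookup(const struct prefix_list *pl, uint32_t a, int longest) {
    int best = -1;
    for (size_t i = 0; i < pl->n; i++) {
        if (!contains(&pl->ent[i], a)) continue;
        if (!longest) return (int)i;
        if (best < 0 || pl->ent[i].len > pl->ent[best].len) best = (int)i;
    }
    return best;
}

static struct node *node_new(void) {
    struct node *n = calloc(1, sizeof *n);
    if (n) n->idx = -1;
    return n;
}

static int trie_insert(struct node *root, const struct prefix *p, int idx) {
    struct node *n = root;
    for (int b = 0; b < p->len; b++) {           /* walk the prefix bits, MSB first */
        int bit = (p->addr >> (31 - b)) & 1;
        if (!n->child[bit] && !(n->child[bit] = node_new())) return -1;
        n = n->child[bit];
    }
    n->idx = idx;                                /* a duplicate prefix overrides the earlier entry */
    return 0;
}

/* Trie walk: under "any match" the first hit is the SHORTEST covering
 * prefix (nearest the root), not the first entry in list order. */
static int trie_lookup(const struct node *root, uint32_t a, int longest) {
    int best = -1;
    const struct node *n = root;
    for (int b = 0; n; b++) {
        if (n->idx >= 0) { if (!longest) return n->idx; best = n->idx; }
        if (b == 32) break;
        n = n->child[(a >> (31 - b)) & 1];
    }
    return best;
}

static void node_free(struct node *n) {
    if (!n) return;
    node_free(n->child[0]); node_free(n->child[1]); free(n);
}

/* Build a list and pick the search structure by size; on allocation
 * failure while building the trie, fall back to the linear scan. */
struct prefix_list *pl_build(const struct prefix *ent, size_t n) {
    struct prefix_list *pl = calloc(1, sizeof *pl);
    if (!pl) return NULL;
    pl->ent = calloc(n ? n : 1, sizeof *ent);
    if (!pl->ent) { free(pl); return NULL; }
    memcpy(pl->ent, ent, n * sizeof *ent);
    pl->n = n;
    if (n > LINEAR_MAX) {
        pl->root = node_new();
        for (size_t i = 0; pl->root && i < n; i++)
            if (trie_insert(pl->root, &ent[i], (int)i) < 0) { node_free(pl->root); pl->root = NULL; }
    }
    return pl;
}

void pl_free(struct prefix_list *pl) {
    if (!pl) return;
    node_free(pl->root); free(pl->ent); free(pl);
}

int pl_uses_trie(const struct prefix_list *pl) { return pl->root != NULL; }

/* Index of the matching entry, or -1. longest == 0 means "any match". */
int pl_lookup(const struct prefix_list *pl, uint32_t a, int longest) {
    return pl->root ? trie_lookup(pl->root, a, longest) : linear_lookup(pl, a, longest);
}

/* Constructed sample lists: a short one (linear) and a longer one (trie). */
static const struct prefix SMALL[] = {
    { IP4(10,0,0,0), 8 }, { IP4(10,1,0,0), 16 }, { IP4(192,168,0,0), 24 },
};
static const struct prefix LARGE[] = {
    { IP4(10,0,0,0), 8 }, { IP4(10,1,0,0), 16 }, { IP4(192,168,0,0), 24 },
    { IP4(172,16,0,0), 12 }, { IP4(172,16,5,0), 24 }, { IP4(1,0,0,0), 8 },
    { IP4(2,0,0,0), 8 }, { IP4(3,0,0,0), 8 }, { IP4(4,0,0,0), 8 },
    { IP4(5,0,0,0), 8 }, { IP4(6,0,0,0), 8 }, { IP4(0,0,0,0), 0 },  /* index 11: catch-all */
};
struct prefix_list *sample_small(void) { return pl_build(SMALL, sizeof SMALL / sizeof *SMALL); }
struct prefix_list *sample_large(void) { return pl_build(LARGE, sizeof LARGE / sizeof *LARGE); }

int main(void) {
    struct prefix_list *s = sample_small(), *l = sample_large();
    uint32_t a = IP4(10,1,2,3);
    printf("small (trie=%d): any=%d longest=%d\n", pl_uses_trie(s), pl_lookup(s, a, 0), pl_lookup(s, a, 1));
    printf("large (trie=%d): any=%d longest=%d\n", pl_uses_trie(l), pl_lookup(l, a, 0), pl_lookup(l, a, 1));
    pl_free(s); pl_free(l);
    return 0;
}
```

For the address 10.1.2.3 the small list answers "any match" with entry 0 (10.0.0.0/8, first in list order) while the large list answers with entry 11 (the 0.0.0.0/0 catch-all, first on the trie walk); both answer longest match with entry 1 (10.1.0.0/16). A rule set that counts hits per entry therefore gives different numbers depending on which structure backs the list unless the semantics are fixed up front. The "rule points at a non-existing list" case from the message is not modelled here; in this sketch that would be a NULL list pointer checked once per lookup.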