From owner-freebsd-ipfw@FreeBSD.ORG Mon May 17 15:11:00 2004
Date: Mon, 17 May 2004 15:10:50 -0700
From: Luigi Rizzo
To: Dmitry Sergienko
cc: ipfw@freebsd.org
Subject: Re: ipfw prefix-list support request
Message-ID: <20040517151050.B63591@xorpc.icir.org>
In-Reply-To: <40A8C12D.5040906@email.dp.ua>
List-Id: IPFW Technical Discussions

On Mon, May 17, 2004 at 04:42:05PM +0300, Dmitry Sergienko wrote:
> Hi!
>
> I'm thinking about external prefix-lists in ipfw. This is like

I think everybody agrees that it would be great to have in ipfw2
named objects such as lists of ports, prefixes, etc. that one can
dynamically modify without having to rewrite rules.
The issues are:

+ (minor but important) find a decent syntax -- your example

	ipfw add 100 allow ip from prefix-list goodcustomers to any

  is ambiguous, as prefix-list could be a hostname and goodcustomers
  a service name. Given that this is ipfw2, you can use ipfw2 syntax
  and define a new keyword 'src-prefix-list' to be used as

	ipfw add 100 allow src-prefix-list goodcustomers ...

+ define the semantics clearly -- do you want longest prefix match,
  or just any match (it does make a difference in the management of
  counters);

+ implement the list efficiently -- to avoid huge search times, one
  could implement the list as some kind of compressed trie. HOWEVER,
  if the list is short (some 10 entries) a linear search is probably
  a lot more efficient, so your code should cover both cases.

+ remember that ipfw(2) accepts one line at a time -- so there will
  be times when the configuration is inconsistent, e.g. you might
  have rules pointing to a non-existing list. Make sure the handling
  of these cases is not terribly expensive.

The 'or block'

	{ 10.0.0.0/8 or 192.168.0.0/24 }

and the 'address set'

	10.0.2.0/24{3,80,118,128-191,224-231}

are surrogates that cover simple uses of the prefix list, but
certainly not all of them.

I think for the code you could try to borrow something from pf.

Post patches when you have them.

cheers
luigi
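The design points raised in the message above (any-match versus longest-prefix match and what each does to counters, a linear scan for short lists versus a trie for long ones, and rules that name a list which does not exist yet) as one worked example in C. This is illustrative code added to the page, not ipfw's or pf's own implementation; the function names, the 8-entry threshold, the size limits and the list name "goodcustomers" are all assumptions, and the trie is a plain binary trie rather than the compressed one suggested.

```c
/* Added example, not ipfw's own code: a named IPv4 prefix list with both match
 * semantics (any vs. longest prefix), a linear scan for short lists and a binary
 * trie above an assumed threshold, and cheap handling of rules naming a missing list. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
enum { LINEAR_MAX = 8, MAX_ENTRIES = 64, MAX_LISTS = 16 };   /* assumed sizes and threshold */
enum match_mode { MATCH_ANY, MATCH_LONGEST };
struct entry { uint32_t addr; uint8_t plen; uint64_t hits; };
struct tnode { struct tnode *child[2]; struct entry *ent; };
struct prefix_list { char name[32]; struct entry ent[MAX_ENTRIES]; int n; struct tnode *root; };
static struct prefix_list *lists[MAX_LISTS]; static int nlists;
static unsigned list_gen;   /* bumped whenever the set of named lists changes */
static uint32_t plen_mask(uint8_t plen) { return plen ? 0xffffffffu << (32 - plen) : 0; }

static void trie_insert(struct tnode *t, struct entry *e) {
    for (int i = 0; i < e->plen; i++) {
        int bit = (e->addr >> (31 - i)) & 1;
        if (!t->child[bit]) t->child[bit] = calloc(1, sizeof(*t));
        t = t->child[bit];
    }
    t->ent = e;
}

/* 0 on success, -1 if the list is full or plen is invalid.  The trie is built only
 * once the list outgrows LINEAR_MAX and is kept in sync from then on. */
int add_prefix(struct prefix_list *pl, uint32_t addr, uint8_t plen) {
    if (pl->n >= MAX_ENTRIES || plen > 32) return -1;
    struct entry *e = &pl->ent[pl->n++];
    e->addr = addr & plen_mask(plen); e->plen = plen; e->hits = 0;
    if (pl->n == LINEAR_MAX + 1) {
        pl->root = calloc(1, sizeof(*pl->root));
        for (int i = 0; i < pl->n; i++) trie_insert(pl->root, &pl->ent[i]);
    } else if (pl->root)
        trie_insert(pl->root, e);
    return 0;
}

/* O(n) scan.  MATCH_ANY credits the shortest covering prefix and MATCH_LONGEST the
 * longest, so both search strategies attribute counter hits the same way. */
static struct entry *linear_lookup(struct prefix_list *pl, uint32_t addr, enum match_mode m) {
    struct entry *best = NULL;
    for (int i = 0; i < pl->n; i++) {
        struct entry *e = &pl->ent[i];
        if ((addr & plen_mask(e->plen)) != e->addr) continue;
        if (!best || (m == MATCH_LONGEST ? e->plen > best->plen : e->plen < best->plen)) best = e;
    }
    return best;
}

/* At most 32 steps whatever the list size.  MATCH_ANY can stop at the first covering
 * prefix met from the root; MATCH_LONGEST must walk on until the path runs out. */
static struct entry *trie_lookup(struct tnode *t, uint32_t addr, enum match_mode m) {
    struct entry *best = NULL;
    for (int i = 0; t; i++) {
        if (t->ent) { best = t->ent; if (m == MATCH_ANY) break; }
        if (i == 32) break;
        t = t->child[(addr >> (31 - i)) & 1];
    }
    return best;
}

/* 1 on a hit (and the matched entry's counter is bumped), 0 otherwise. */
int list_match(struct prefix_list *pl, uint32_t addr, enum match_mode m) {
    struct entry *e = pl->root ? trie_lookup(pl->root, addr, m) : linear_lookup(pl, addr, m);
    if (e) e->hits++;
    return e != NULL;
}
struct prefix_list *list_find(const char *name) {
    for (int i = 0; i < nlists; i++) if (strcmp(lists[i]->name, name) == 0) return lists[i];
    return NULL;
}
struct prefix_list *list_create(const char *name) {
    if (nlists >= MAX_LISTS || list_find(name)) return NULL;
    struct prefix_list *pl = calloc(1, sizeof(*pl));
    if (!pl) return NULL;
    strncpy(pl->name, name, sizeof(pl->name) - 1);
    list_gen++;
    return lists[nlists++] = pl;
}

/* A rule keeps the list *name*: ipfw takes one line at a time, so the list may be
 * defined after the rule.  The pointer is re-resolved only when list_gen changed, so
 * a dangling name costs one integer compare per packet and simply never matches. */
struct rule { const char *listname; enum match_mode mode; struct prefix_list *cached; unsigned seen_gen; };
int rule_match(struct rule *r, uint32_t src) {
    if (r->seen_gen != list_gen) { r->cached = list_find(r->listname); r->seen_gen = list_gen; }
    return r->cached ? list_match(r->cached, src, r->mode) : 0;
}

int main(void) {
    struct rule r = { "goodcustomers", MATCH_LONGEST, NULL, 0 };
    int before = rule_match(&r, IP4(10, 1, 2, 3));   /* list not defined yet: 0 */
    struct prefix_list *pl = list_create("goodcustomers");
    add_prefix(pl, IP4(10, 0, 0, 0), 8); add_prefix(pl, IP4(10, 1, 0, 0), 16);
    printf("before=%d after=%d\n", before, rule_match(&r, IP4(10, 1, 2, 3)));   /* 0 1 */
    return 0;
}
```

Two things worth noticing. First, the counter question: with overlapping entries (10.0.0.0/8 and 10.1.0.0/16) the same packet credits the /16 under MATCH_LONGEST and the /8 under MATCH_ANY, and a trie can return early in the any-match case only because the semantics pins down which entry gets the hit; leaving "any match" undefined would make the counters depend on the search strategy. Second, the missing-list case: a rule that names an undefined list is not an error on the packet path, it just never matches, and the generation counter keeps the re-resolution off the fast path. Anything that deletes or renames a list would have to bump list_gen as well, otherwise a rule could keep using a freed list; that path is deliberately not implemented here.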