From: Tim Kientzle
Date: Thu, 26 Feb 2004 14:40:49 -0800
To: Robert Watson
cc: Max Laier, "Jacques A. Vidrine", cvs-src@FreeBSD.org, cvs-all@FreeBSD.org, src-committers@FreeBSD.org, Steve Kargl
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c src/sys/contrib/pf/netinet in4_cksum.c
Message-ID: <403E75F1.2070302@kientzle.com>
Reply-To: kientzle@acm.org
List-Id: CVS commit messages for the src tree

>>> Choice is good. Three firewalls is maybe pushing the limit, but these
>>> three are Very Important to our community.

Dunno about pf, but neither ipfw nor ipf has one feature I've been looking for. I'd like to be able to say something like:

    create set BLACKLIST
    drop ip in BLACKLIST

where BLACKLIST is a user-defined and easily-modifiable set of arbitrary addresses. Probably implemented via a hash-table or search tree.

Then I want to be able to modify the address set separately, without having to touch the rules per se:

    add 1.2.3.4 to BLACKLIST

This would make it feasible to manage large sets (thousands) of blocked (or permitted) addresses without the performance degradation of walking a very long list of rules. It could also greatly simplify a lot of rulesets.

The ideal mechanism would support arbitrary CIDR blocks:

    add 1.2.3.4/29 to BLACKLIST
    add 10.0.0.0/8 to BLACKLIST

but the data structures that handle this sort of thing efficiently are admittedly a bit esoteric.

Just a thought,

Tim Kientzle
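One way to build the address set the message asks for, as an added example that is not part of this mail or of ipfw, ipf or pf: a binary trie keyed on the bits of an IPv4 address, so that "is this packet's address in BLACKLIST" costs at most 32 steps no matter how many CIDR blocks the set holds, and adding a /29 or a /8 is just one more path in the trie. The names (addrset, set_add, set_contains, parse_ipv4) are mine, and addresses are handled in host byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* One trie node per address bit; "member" marks where an inserted prefix ends. */
struct node {
    struct node *child[2];
    int member;
};
struct addrset { struct node *root; };

/* "create set BLACKLIST" */
static int set_init(struct addrset *s) {
    s->root = calloc(1, sizeof(struct node));
    return s->root != NULL;
}

/* "add 1.2.3.4/29 to BLACKLIST": follow the first plen bits, creating nodes on
 * demand, and mark the end. Host bits beyond plen are never looked at. */
static int set_add(struct addrset *s, uint32_t addr, int plen) {
    struct node *n = s->root;
    if (plen < 0 || plen > 32) return 0;
    for (int i = 0; i < plen; i++) {
        int bit = (addr >> (31 - i)) & 1;
        if (n->child[bit] == NULL) n->child[bit] = calloc(1, sizeof(struct node));
        if (n->child[bit] == NULL) return 0;
        n = n->child[bit];
    }
    n->member = 1;
    return 1;
}

/* "drop ip in BLACKLIST": walk the address bits; the first marked node on the
 * path is a prefix covering this address, so the answer is bounded by 32 steps. */
static int set_contains(const struct addrset *s, uint32_t addr) {
    const struct node *n = s->root;
    for (int i = 0; n != NULL; i++) {
        if (n->member) return 1;
        if (i == 32) break;
        n = n->child[(addr >> (31 - i)) & 1];
    }
    return 0;
}

/* Parse dotted-quad text into a host-order uint32_t; returns 0 on bad input. */
static int parse_ipv4(const char *str, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(str, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}
```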