From: Ermal Luçi <ermal.luci@gmail.com>
To: Julian Elischer
Cc: freebsd-net, freebsd-hackers@freebsd.org
Date: Mon, 10 Jun 2013 15:30:59 +0200
Subject: Re: [PATCH] multiple instances of ipfw(4)
In-Reply-To: <4F344CE4.301@freebsd.org>
References: <20120131110204.GA95472@onelab2.iet.unipi.it> <20120208133559.GK13554@FreeBSD.org> <20120208140921.GM13554@glebius.int.ru> <4F344CE4.301@freebsd.org>

Hello,

reviving this old thread since I had time to bring the patch to FreeBSD 10 and unified the whole controlling under the ipfw(8) binary.

As a reminder, the patch located at [1] provides multiple instances for ipfw(4). Basically you can control which interfaces belong to which context/ruleset to make maintaining easier. Also it gives more flexibility in general to ipfw(4) for various scenarios.

It works by initializing a context of ipfw(4) and assigning specific interfaces explicitly by the administrator to each instance. The context is not lost even on interface destruction and recreation, based on interface name match. Upon entering ipfw(4) processing, the configured context/instance for that interface is selected; if none, no filtering is done.

Most of the patch is rather straightforward, and only some intrusive changes to the ipfw NAT KPI in the kernel implementation are done to remove a global variable referring to the active instance and pass it explicitly.

You can create an instance of ipfw by running:

    ipfw zone 1 create

Add a member with:

    ipfw zone 1 madd em0
    ipfw zone 1 madd vlan0

Remove members with:

    ipfw zone 1 mdel em0

Also destroy an instance by:

    ipfw zone 1 destroy

All the other operations on ipfw(4) will be the same as before, just requiring the -x $context argument added for each of them.

The patch uses all the IP_FW3 option commands to avoid changes in other areas apart from the ipfw(4) related sources.

Any objections on pushing this into FreeBSD?

[1] https://github.com/pfsense/pfsense-tools/blob/master/patches/RELENG_10_0/CP_multi_instance_ipfw.diff

--
Ermal