Date: Tue, 14 Dec 2004 07:05:20 -0800
From: Bruce M Simpson <bms@spc.org>
To: Luigi Rizzo <rizzo@icir.org>
Cc: Andre Oppermann <andre@freebsd.org>
Subject: Re: per-interface packet filters, design approach
Message-ID: <20041214150520.GD684@empiric.icir.org>
In-Reply-To: <20041214062010.A77933@xorpc.icir.org>
References: <41BEF2AF.470F9079@freebsd.org> <20041214141307.GA684@empiric.icir.org> <20041214062010.A77933@xorpc.icir.org>
On Tue, Dec 14, 2004 at 06:20:10AM -0800, Luigi Rizzo wrote:
> They do exist, they are called 'set' and you can associate
> rules to a specific set, atomically enable/disable/swap/rename
> sets, etc. This was designed exactly for this purpose (atomic
> updates of firewall configuration with a single syscall).

Thanks for this. I'm trying to consider IPFW1 in the picture as well;
IPFW2 is something I'm considering as a separate entity. However, I am
put off by a lot of the limitations in IPFW1.

Are there any nicer ways of telling IPFW v1 and v2 apart both at
compile time and run-time? Right now I do something like this:-

%%%
dnl Probe for an IPFW1 build environment: the test program must compile
dnl against <netinet/ip_fw.h> and IPFW2 must not be defined.
AC_MSG_CHECKING(for an IPFW firewall build environment)
AC_LANG_SAVE
AC_LANG_C
AC_TRY_COMPILE([
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip_fw.h>
], [
	/* IP_FW_ADD must be visible from the header we just included. */
	int mysockopt = IP_FW_ADD;
#ifdef IPFW2
#error IPFW2 defined (should not be defined for IPFW). Test failed.
#endif
], [AC_DEFINE(HAVE_FIREWALL_IPFW, 1, [Define to 1 if you have an IPFW build environment])
 AC_MSG_RESULT(yes)],
[AC_MSG_RESULT(no)])
AC_LANG_RESTORE
%%%

The above test is for IPFW1. The equivalent test for IPFW2 simply flips
the sense of the #ifdef inside. This is not ideal because
<netinet/ip_fw.h> can exist in both flavours on the same system (albeit
in the case of FreeBSD 4.11, it will include the IPFW2 header instead if
IPFW2 is defined).

No doubt the present IPFW documentation can be improved. What will soon
exist in XORP is something approximating an IPFW API. I may not have
time to do anything in this area, but what I'm doing for XORP could
certainly be re-used to some extent.
Regards,
BMS
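Added example, not from Bruce's post and not XORP code: a plain-shell probe that, like the autoconf test in the message, compiles throwaway programs against <netinet/ip_fw.h>, but classifies the header by the struct ip_fw member it actually declares rather than by whether IPFW2 is defined, so a header that can serve both flavours is still told apart. It assumes IPFW2's struct ip_fw carries an act_ofs member and IPFW1's carries fw_flg; those member names are assumptions for illustration.

```shell
#!/bin/sh
# Compile-time probe for the IPFW flavour a build environment provides.
# Prints one of: ipfw2, ipfw1, none (header unusable), unknown (no compiler).
# Extra arguments are passed to the compiler (e.g. -I/path/to/sysroot/include).

# Compile a one-line test body against the IPFW headers; $1 is the body,
# remaining args are extra compiler flags. Uses $tmp and $cc_bin from caller.
_ipfw_try_compile() {
    body=$1; shift
    cat >"$tmp/t.c" <<EOF
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip_fw.h>
int main(void) { $body; return 0; }
EOF
    "$cc_bin" "$@" -c -o "$tmp/t.o" "$tmp/t.c" >/dev/null 2>&1
}

probe_ipfw_flavour() {
    cc_bin=${CC:-cc}
    command -v "$cc_bin" >/dev/null 2>&1 || { echo unknown; return 0; }
    tmp=$(mktemp -d) || { echo unknown; return 0; }
    result=none
    # Assumed member names (not from the original post): IPFW2's struct ip_fw
    # has act_ofs, IPFW1's has fw_flg. Try IPFW2 first, with the macro defined,
    # because on FreeBSD 4.11 that is what selects the IPFW2 header.
    if _ipfw_try_compile 'struct ip_fw r; r.act_ofs = 0; (void)r' -DIPFW2 "$@"; then
        result=ipfw2
    elif _ipfw_try_compile 'struct ip_fw r; r.fw_flg = 0; (void)r' "$@"; then
        result=ipfw1
    fi
    rm -rf "$tmp"
    echo "$result"
}
```

Run `probe_ipfw_flavour` on the build host; on a system without the header it reports none, which is the signal to disable the IPFW backend rather than guess.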