Date: Tue, 21 Jun 2011 10:22:40 +0000 (UTC)
From: Vadim Goncharov <vadim_nuclight@mail.ru>
To: freebsd-ipfw@freebsd.org
Cc: freebsd-current@freebsd.org
Subject: [PATCH] ipfw call/return rule actions
Message-ID: <slrnj00s7g.2ki3.vadim_nuclight@kernblitz.nuclight.avtf.net>
Hi,

I have made a patch http://nuclight.avtf.net/vadim/ipfw_call_20110620.diff
which adds "call" and "return" rule actions to make it possible to organize
"subroutines" with rules - "skipto" is like "goto" and only allows jumps
forward, not backward. This could be useful to help do something like a
per-interface ACL, something similar to pf anchors or iptables chains.

Please test, hope to see this committed soon and released in 9.0!

Sample ipfw list:

  00500 call 2000 ip from 10.0.0.5 to any
  00600 count log ip from 10.0.0.5 to any
  00999 allow ip from any to any
  02000 count ip from any to any // entry of subr
  02100 count log ip from any to any
  02999 return log ip from any to any // leave subr
  03600 count log ip from 10.0.0.5 to any
  65534 allow ip from any to any
  65535 deny ip from any to any

Here, after 2999 the packet continues from 501, the next number after "call".

Or this could be used to reduce the number of rules when previously one did
many skipto's for each direction/interface and had to repeat the same rules
again and again, e.g.:

  add 100 call 5000 all from any to any in recv em0
  add 110 deny all from table(10) to any in recv em0
  add 200 call 5000 all from any to any in recv em1
  add 210 deny all from table(20) in recv em1
  ...
  add 5000 deny log all from any to any not antispoof
  add 5010 deny tcp from any to any 135,139,445
  add 5020 deny udp from any to any 137,138
  add 5030 allow tcp from any to any established
  ...
  add 5999 return // end of common block

-- 
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
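A toy model of the rule traversal the mail describes, added here as an illustration; it is not the patch and not ipfw's own code. It matches on source address only, and assumes that a "return" with no pending "call" simply falls through to the next rule; the sample ruleset is a constructed copy of the "ipfw list" above with the "log" keywords dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    num: int
    action: str            # allow, deny, count, skipto, call, return
    src: str = "any"       # source network ("any", a host or a CIDR)
    target: int = 0        # destination rule number for skipto/call


def _matches(rule, src_ip):
    return rule.src == "any" or ip_address(src_ip) in ip_network(rule.src)


def _first_at_or_after(rules, start, target):
    """Index of the first rule numbered >= target, searching from index start."""
    for i in range(start, len(rules)):
        if rules[i].num >= target:
            return i
    return len(rules)


def run(rules, src_ip):
    """Walk the ruleset for one packet; return (verdict, matched rule numbers)."""
    rules = sorted(rules, key=lambda r: r.num)
    idx, stack, hits = 0, [], []
    while idx < len(rules):
        r = rules[idx]
        if not _matches(r, src_ip):
            idx += 1
            continue
        hits.append(r.num)
        if r.action in ("allow", "deny"):
            return r.action, hits
        if r.action == "skipto":      # goto-like, forward only
            idx = _first_at_or_after(rules, idx + 1, r.target)
        elif r.action == "call":      # may jump backward; remember the rule after us
            stack.append(idx + 1)
            idx = _first_at_or_after(rules, 0, r.target)
        elif r.action == "return":    # resume after the matching call
            idx = stack.pop() if stack else idx + 1   # assumption: no call -> fall through
        else:                         # count and other non-terminal actions
            idx += 1
    return "deny", hits               # ran off the end: ipfw's implicit default deny


SAMPLE = [  # constructed from the mail's "ipfw list", "log" omitted
    Rule(500, "call", "10.0.0.5", 2000), Rule(600, "count", "10.0.0.5"),
    Rule(999, "allow"), Rule(2000, "count"), Rule(2100, "count"),
    Rule(2999, "return"), Rule(3600, "count", "10.0.0.5"),
    Rule(65534, "allow"), Rule(65535, "deny"),
]
```

`run(SAMPLE, "10.0.0.5")` shows the subroutine being entered at 2000 and, after the return at 2999, rule 600 still being evaluated before the allow at 999; a packet from another address never touches the subroutine.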