cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c

Max Laier max at love2party.net
Thu Jun 10 23:50:24 GMT 2004


On Thursday 10 June 2004 23:40, Ruslan Ermilov wrote:
> On Thu, Jun 10, 2004 at 04:45:37AM +0200, Max Laier wrote:
> > On Wednesday 09 June 2004 22:10, Ruslan Ermilov wrote:
> > > ru          2004-06-09 20:10:38 UTC
> > >
> > >   FreeBSD src repository
> > >
> > >   Modified files:
> > >     sbin/ipfw            ipfw.8 ipfw2.c
> > >     sys/netinet          in.h ip_fw.h ip_fw2.c raw_ip.c
> > >   Log:
> > >   Introduce a new feature to IPFW2: lookup tables.  These are
> > > useful for handling large sparse address sets.  Initial
> > > implementation by Vsevolod Lobko <seva at ip.net.ua>, refined by me.
> >
> > Idea from: pf ;)
> > Nice!
>
> I've asked Vsevolod, and yes, the original idea is attributed to PF.

I have seen the original thread in ipfw@ and posted some comments, hence 
the mail in the first place.

> Do PF tables allow addr/mask entries as IPFW tables do (I could
> not intuit it from reading the pfctl(8) manpage)?

You might rather want to look at pf.conf(5). Yes, pf tables allow 
addr/mask and IPv6 addresses. pf allows an additional "not" qualifier to
allow doing something like:
	{ 10/8, !10.10/16, 10.10.10/24 }

> One nice difference (and I don't believe PF or IPFilter can do
> this) is this optional 32-bit tag value with no special meaning.
> For example, we have several thousands of client IPs, and each
> client is allowed (through a Web form) to limit bandwidth to
> some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> Kbps to/from Ukrainian and foreign networks.  We have this all
> implemented using less than ten IPFW tables:

hmmm ... I don't really see the benefit in packing the information into 
one table. You could as well have different tables for that (with pf only 
memory limits the number of tables allowed). But it's cool that we 
inspire each other and still diverge a bit to find the best solutions for
our respective users.

Btw, I find it very helpful that pf refers to a table by a name and not a 
number. Why did you choose to use numbers?

[ We might want to transfer this thread to ipfw@ ]

-- 
Best regards,				| mlaier at freebsd.org
Max Laier				| ICQ #67774661
http://pf4freebsd.love2party.net/	| mlaier at EFnet
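
Added example, not part of the original message and not pf or ipfw code: a small IPv4-only model of how the table quoted above, { 10/8, !10.10/16, 10.10.10/24 }, is evaluated, assuming the most-narrow-match-wins rule that pf.conf(5) documents for tables with negated entries. The function names and sample addresses are constructed for illustration.

```python
import ipaddress


def parse_entry(text):
    """Parse one pf-style table entry such as '10/8' or '!10.10/16'.

    Returns (network, negated). IPv4 only in this sketch.
    """
    negated = text.startswith("!")
    addr, _, plen = text.lstrip("!").partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # shorthand: 10/8 -> 10.0.0.0/8
    net = ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))
    return net, negated


def table_match(entries, address):
    """Return True if address matches the table.

    The longest (most specific) matching prefix decides the outcome;
    if that prefix is negated, the address does not match.
    """
    ip = ipaddress.ip_address(address)
    best = None
    for net, negated in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


# The table from the message above.
TABLE = [parse_entry(e) for e in ("10/8", "!10.10/16", "10.10.10/24")]

# Constructed sample addresses, one per interesting case.
SAMPLES = ["10.1.2.3", "10.10.5.5", "10.10.10.7", "192.0.2.1"]


def evaluate(samples=SAMPLES):
    """Map each sample address to its match result against TABLE."""
    return {a: table_match(TABLE, a) for a in samples}


if __name__ == "__main__":
    for addr, hit in evaluate().items():
        print(f"{addr:12} {'match' if hit else 'no match'}")
```

The negated /16 carves a hole out of 10/8, and the more specific 10.10.10/24 re-admits part of that hole, which is why entry order in the table does not matter.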