ipfw prefix-list support request

Luigi Rizzo rizzo at icir.org
Mon May 17 15:11:00 PDT 2004


On Mon, May 17, 2004 at 04:42:05PM +0300, Dmitry Sergienko wrote:
> Hi!
> 
> I'm thinking about external prefix-lists in ipfw. This is like

I think everybody agrees that it would be great to have in ipfw2
named objects such as list of ports, prefixes, etc that one can
dynamically modify without having to rewrite rules.
 
The issues are:
 + (minor but important) find a decent syntax -- your example 

        ipfw add 100 allow ip from prefix-list goodcustomers to any

   is ambiguous as prefix-list could be a hostname and goodcustomers
   a service name. Given that this is ipfw2, you can use ipfw2 syntax
   and define a new keyword 'src-prefix-list' to be used as
 
        ipfw add 100 allow src-prefix-list goodcustomers ...
 
 + define the semantics clearly -- do you want longest prefix match,
   or just any match (it does make a difference in the management of
   counters);
   
 + implement the list efficiently -- to avoid huge search times, one 
   could implement the list as some kind of compressed trie. HOWEVER, if
   the list is short (some 10 entries) a linear search is probably a lot
   more efficient, so your code should cover both cases.

 + remember that ipfw(2) accepts one line at a time -- so there will be
   times when the configuration is inconsistent e.g. you might have rules
   pointing to a non-existing list. Make sure the handling of these cases
   is not terribly expensive.

The 'or block' { 10.0.0.0/8 or 192.168.0.0/24 } 
and the 'address set' 10.0.2.0/24{3,80,118,128-191,224-231}
are surrogates that cover simple uses of the prefix list, 
but certainly not all of them.

I think for the code you could try to borrow something from pf.
Post patches when you have them.

cheers
luigi
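
The following is an added illustration, not code from the message above and not ipfw code. It is a toy IPv4 prefix list showing two of the points raised: lookup semantics (longest prefix match vs. any match, and how the choice changes which entry's counter gets bumped) and lookup structure (a plain binary trie next to a linear scan that is good enough for a list of some 10 entries). The sample prefixes, packet addresses and all function names are made up for the example; a real implementation would use a path-compressed trie as suggested in the message, not the uncompressed one here.

```c
/* Added example, not ipfw code: a toy IPv4 prefix list with two lookup
 * semantics (longest prefix match vs. any match) and two lookup
 * structures (binary trie vs. linear scan). Prefixes, addresses and
 * names are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct prefix {
    uint32_t addr;  /* network address, host byte order */
    uint8_t  len;   /* prefix length, 0..32 */
    uint64_t hits;  /* per-entry counter, like a rule counter */
};

/* Constructed sample list: an overlapping /8 and /16 plus an unrelated /24. */
static struct prefix table[] = {
    { IP4(10, 0, 0, 0),     8,  0 },
    { IP4(10, 1, 0, 0),     16, 0 },
    { IP4(192, 168, 0, 0),  24, 0 },
};
#define NTABLE (sizeof(table) / sizeof(table[0]))

/* Plain (uncompressed) binary trie over the address bits; a path-compressed
 * trie, as the message suggests, would be the production choice. */
struct node {
    struct node *child[2];
    struct prefix *pfx;  /* non-NULL if a prefix ends at this node */
};

static int trie_insert(struct node *root, struct prefix *p)
{
    struct node *n = root;
    for (int i = 0; i < p->len; i++) {
        int bit = (p->addr >> (31 - i)) & 1;
        if (!n->child[bit] && !(n->child[bit] = calloc(1, sizeof(*n))))
            return -1;
        n = n->child[bit];
    }
    n->pfx = p;
    return 0;
}

/* Longest prefix match: walk the address bits, keep the deepest prefix seen. */
static struct prefix *trie_lpm(const struct node *root, uint32_t ip)
{
    const struct node *n = root;
    struct prefix *best = root->pfx;
    for (int i = 0; i < 32 && n; i++) {
        n = n->child[(ip >> (31 - i)) & 1];
        if (n && n->pfx)
            best = n->pfx;
    }
    return best;
}

/* Any match: stop at the first (shortest) prefix found on the path. */
static struct prefix *trie_any(const struct node *root, uint32_t ip)
{
    const struct node *n = root;
    for (int i = 0; n && i < 32; i++) {
        if (n->pfx)
            return n->pfx;
        n = n->child[(ip >> (31 - i)) & 1];
    }
    return (n && n->pfx) ? n->pfx : NULL;
}

static struct node *build_trie(void)
{
    struct node *root = calloc(1, sizeof(*root));
    for (size_t i = 0; root && i < NTABLE; i++)
        if (trie_insert(root, &table[i]) != 0)
            return NULL;
    return root;
}

/* Classify ip under one semantics, bump the matched entry's counter and
 * return the matched prefix length, or -1 if nothing matched. */
static int classify(const struct node *root, uint32_t ip, int longest)
{
    struct prefix *p = longest ? trie_lpm(root, ip) : trie_any(root, ip);
    if (!p)
        return -1;
    p->hits++;
    return p->len;
}

/* Linear scan with longest-match semantics: for ~10 entries this beats the
 * trie in both code size and cache behaviour. */
static struct prefix *list_lpm(struct prefix *list, size_t n, uint32_t ip)
{
    struct prefix *best = NULL;
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = list[i].len ? 0xffffffffu << (32 - list[i].len) : 0;
        if ((ip & mask) == (list[i].addr & mask) &&
            (!best || list[i].len > best->len))
            best = &list[i];
    }
    return best;
}

int main(void)
{
    struct node *root = build_trie();
    uint32_t ip = IP4(10, 1, 2, 3);
    if (!root)
        return 1;
    printf("10.1.2.3: lpm -> /%d, any -> /%d, linear -> /%d\n",
           classify(root, ip, 1), classify(root, ip, 0),
           list_lpm(table, NTABLE, ip)->len);
    return 0;
}
```

For the packet from 10.1.2.3 the longest-match lookup credits the /16 entry and the any-match lookup credits the /8 entry, which is exactly the counter-management difference the second point above refers to; a list that must support both semantics has to decide which entry owns the hit before counters are touched.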



More information about the freebsd-ipfw mailing list