ipfw prefix-list support request

Kelly Yancey kbyanc at posi.net
Fri May 21 17:23:10 PDT 2004


On Mon, 17 May 2004, Sten Daniel Sørsdal wrote:

> >
> > Hi!
> >
> > I'm thinking about external prefix-lists in ipfw. This is like
> > prefix-lists in Cisco IOS or tables in OpenBSD pf.
> > In my opinion it will be very convenient to do the following:
> >
> ...
> >
> > Please tell me your opinion about this feature: will it really
> > be useful, and not only for me? If so, we will try to implement this.
> >
>
> Sounds great to me!
>

  I had implemented something similar to this some time back (before pf grew
tables); the syntax isn't quite as clean, though:

  # ipfw add 50 allow ip from class[10] to any
  # ipfw add 60 allow ip from any to class[10]
  # ipfw -c show
  00050          0          0 allow ip from class[10] to any
  00060          0          0 allow ip from any to class[10]
  ...
  # ipfw class 10 add 00:02:b3:90:6a:31 216.69.69.112
  # ipfw class 10 add 11:22:33:44:55:66 1.2.3.4
  # ipfw class 10
  # ipfw class 10 show
           0          0          0          0 11:22:33:44:55:66 1.2.3.4
           0          0          0          0 00:02:b3:90:6a:31 216.69.69.112
  ... transfer a bunch of files...
  # ipfw show -c
  00050     788079 1119439715 allow ip from class[10] to any
  00060     324895   16913392 allow ip from any to class[10]
  ...
  # ipfw class 10 show
           0          0          0          0 11:22:33:44:55:66 1.2.3.4
      788079 1119439715     324895   16913392 00:02:b3:90:6a:31 216.69.69.112

  In my case, I needed to primarily match MAC addresses; the IP address
matching is secondary.  As it is, one can specify only a MAC address when the
entry is added to the class and packets are matched against that.  If you
specify both the MAC and IP, both are matched.  I have always intended to make
this more generic so that all (sensible) combinations of IPv4, IPv6, and MAC
addresses are supported as ipfw2 now has support for IPv4 and MAC addresses
(with IPv6 on the horizon).
  Unfortunately, the implementation is against 4.7, so it would take some
updating before it would be useful to anyone else.  As you can see, it does
not support subnet masks, though, whereas pf's table implementation does.  The
entries are stored in a hash table.  If this could be a useful starting point,
I could supply patches to anyone working on it.

  Kelly

  P.S. I use ipfw -p cpp to assign names to the numeric classes in my
       rulesets.

--
Kelly Yancey  -  kbyanc@{posi.net,FreeBSD.org}  -  kelly at nttmcl.com
FreeBSD, The Power To Serve: http://www.freebsd.org/
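As an added illustration (not Kelly's patch and not ipfw code), here is a small Python model of the class semantics described in the message: entries kept in a hash table keyed by MAC, an optional IP that must also match exactly when given, no subnet masks, per-entry counters for matching as source versus destination, and the two rules from the transcript evaluated first-match-wins. The meaning of the four counter columns and the packet tuples are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class ClassEntry:
    """One class member: a MAC and, optionally, an exact IPv4 address.
    Counters follow the 'ipfw class N show' columns in the post (assumed:
    packets/bytes matched as source, then packets/bytes matched as destination)."""
    mac: str
    ip: Optional[str] = None   # None: match on MAC alone
    from_pkts: int = 0
    from_bytes: int = 0
    to_pkts: int = 0
    to_bytes: int = 0

class IpfwClass:
    """Hash-table backed class: exact MAC key, optional exact IP, no masks."""
    def __init__(self) -> None:
        self.entries: Dict[str, ClassEntry] = {}

    def add(self, mac: str, ip: Optional[str] = None) -> None:
        self.entries[mac.lower()] = ClassEntry(mac.lower(), ip)

    def lookup(self, mac: str, ip: str) -> Optional[ClassEntry]:
        e = self.entries.get(mac.lower())
        if e is None or (e.ip is not None and e.ip != ip):
            return None            # when the entry carries an IP, it must match too
        return e

Packet = Tuple[str, str, str, str, int]   # src_mac, src_ip, dst_mac, dst_ip, length

def run_rules(cls: IpfwClass, packets: List[Packet]) -> Dict[int, List[int]]:
    """Rules '50 allow ip from class[10] to any' then '60 allow ip from any to
    class[10]', first match wins; unmatched packets fall through to 65535.
    Returns per-rule [packets, bytes] like 'ipfw -c show'."""
    counters = {50: [0, 0], 60: [0, 0], 65535: [0, 0]}
    for smac, sip, dmac, dip, length in packets:
        if (e := cls.lookup(smac, sip)) is not None:
            e.from_pkts += 1; e.from_bytes += length; rule = 50
        elif (e := cls.lookup(dmac, dip)) is not None:
            e.to_pkts += 1; e.to_bytes += length; rule = 60
        else:
            rule = 65535
        counters[rule][0] += 1; counters[rule][1] += length
    return counters

def demo() -> Tuple[IpfwClass, Dict[int, List[int]]]:
    c = IpfwClass()                                  # class 10 from the post
    c.add("00:02:b3:90:6a:31", "216.69.69.112")
    c.add("11:22:33:44:55:66", "1.2.3.4")
    c.add("de:ad:be:ef:00:01")                       # constructed MAC-only entry
    pkts: List[Packet] = [                           # constructed traffic
        ("00:02:b3:90:6a:31", "216.69.69.112", "00:11:22:33:44:00", "10.0.0.1", 1500),
        ("00:11:22:33:44:00", "10.0.0.1", "00:02:b3:90:6a:31", "216.69.69.112", 64),
        ("11:22:33:44:55:66", "9.9.9.9", "00:11:22:33:44:00", "10.0.0.1", 100),   # IP mismatch
        ("de:ad:be:ef:00:01", "192.0.2.7", "00:11:22:33:44:00", "10.0.0.1", 200),  # MAC-only hit
        ("00:02:b3:90:6a:31", "216.69.69.113", "00:11:22:33:44:00", "10.0.0.1", 70), # no masks
    ]
    return c, run_rules(c, pkts)
```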

