per-interface packet filters, design approach

Luigi Rizzo rizzo at icir.org
Tue Dec 14 07:51:03 PST 2004


On Tue, Dec 14, 2004 at 07:05:20AM -0800, Bruce M Simpson wrote:
...
> Are there any nicer ways of telling IPFW v1 and v2 apart both at compile
> time and run-time? Right now I do something like this:-

With very high accuracy, at compile time you can say that ipfw2 is
available from 4.7 and higher, and ipfw1 is _not_ available in 5.0
and above.

At runtime, the easiest way is to try issuing an ipfw2 command and see
if it returns an error or not.

Note however that ipfw2 features increase over time. Atomic 'set'
support was introduced in 4.9/5.2, and opcodes of minor importance
came later.

	cheers
	luigi

> %%%
> AC_MSG_CHECKING(for an IPFW firewall build environment)
> AC_LANG_SAVE
> AC_LANG_C
> AC_TRY_COMPILE([
> #include <stdlib.h>
> #include <errno.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <net/if.h>
> #include <netinet/in.h>
> #include <netinet/ip_fw.h>
> ],
> [
>   int mysockopt = IP_FW_ADD;
> #ifdef IPFW2
> #error IPFW2 defined (should not be defined for IPFW). Test failed.
> #endif
> ],
>   [AC_DEFINE(HAVE_FIREWALL_IPFW, 1,
> [Define to 1 if you have an IPFW build environment])
>    AC_MSG_RESULT(yes)],
>   [AC_MSG_RESULT(no)])
> AC_LANG_RESTORE
> %%%
> 
> The above test is for IPFW1. The equivalent test for IPFW2 simply flips
> the sense of the #ifdef inside. This is not ideal because
> <netinet/ip_fw.h> can exist in both flavours in the same system (albeit in
> the case of FreeBSD 4.11, it will include the IPFW2 header instead if
> IPFW2 is defined).
> 
> No doubt the present IPFW documentation can be improved. What will soon
> exist in XORP is something approximating an IPFW API. I may not have time
> to do anything in this area, but what I'm doing for XORP could certainly
> be re-used to some extent.
> 
> Regards,
> BMS
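The runtime probe Luigi describes, written out as an added shell example (not code from the thread). It assumes that `ipfw set show` is accepted only by ipfw2 builds with set support (4.9/5.2 and later, per the message above), and it takes the ipfw command name as a parameter so the logic can be exercised with a stub on a machine without ipfw.

```shell
#!/bin/sh
# Added example, not from the original thread: detect the ipfw flavour at
# runtime by issuing an ipfw2-only opcode and checking whether it fails.
# Assumption: "ipfw set show" exists only in ipfw2 with set support.

# probe_ipfw_flavor CMD
#   CMD is the ipfw(8) binary (or a wrapper/stub) to invoke.
#   Prints one of: none, ipfw1-or-old-ipfw2, ipfw2
#   Exit status: 0 = ipfw2, 1 = no usable ipfw, 2 = ambiguous.
probe_ipfw_flavor() {
    cmd=$1

    # Baseline: if even "list" fails, there is no reachable firewall
    # (no binary, no ipfw in the kernel, or insufficient privilege).
    if ! "$cmd" list >/dev/null 2>&1; then
        echo none
        return 1
    fi

    # "set show" is an ipfw2 opcode; success means ipfw2 with sets.
    if "$cmd" set show >/dev/null 2>&1; then
        echo ipfw2
        return 0
    fi

    # Failure is ambiguous: ipfw1, or an ipfw2 older than 4.9/5.2
    # that predates set support. Callers should not treat this as ipfw1.
    echo ipfw1-or-old-ipfw2
    return 2
}

# Stand-alone use: probe the real binary on this host.
if [ -z "$PROBE_IPFW_NO_MAIN" ]; then
    probe_ipfw_flavor ipfw
fi
```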
