[PATCH] multiple instances of ipfw(4)

Ermal Luçi eri at freebsd.org
Mon Jun 10 13:31:06 UTC 2013


Hello,

reviving this old thread since I had time to bring the patch to FreeBSD 10
and unify all of the control under the ipfw(8) binary.

As a reminder, the patch located at [1] provides multiple instances of
ipfw(4).
Basically you can control which interfaces belong to which context/ruleset
to make maintaining easier.

Also it gives more flexibility in general to ipfw(4) for various scenarios.

It works by initializing a context of ipfw(4), with the administrator
explicitly assigning specific interfaces to each instance.
The context is not lost even on interface destruction and recreation, since
the match is based on the interface name.

Upon entering ipfw(4) processing, the configured context/instance for that
interface is selected; if there is none, no filtering is done.

Most of the patch is rather straightforward; the only intrusive changes are
to the ipfw NAT KPI in the kernel implementation, made
to remove a global variable referring to the active instance and pass it
explicitly instead.

You can create an instance of ipfw by running:
ipfw zone 1 create

Add a member with
ipfw zone 1 madd em0
ipfw zone 1 madd vlan0

Remove members with
ipfw zone 1 mdel em0

Also destroy an instance by:
ipfw zone 1 destroy

All the other operations on ipfw(4) are the same as before; they just require
the -x $context argument added to each of them.

The patch uses the IP_FW3 option commands throughout to avoid changes in other
areas apart from the ipfw(4)-related sources.

Any objections on pushing this into FreeBSD?


[1]
https://github.com/pfsense/pfsense-tools/blob/master/patches/RELENG_10_0/CP_multi_instance_ipfw.diff


-- 
Ermal
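The post explains the kernel side of the patch in three sentences: an interface is bound to a context by name, the binding survives the interface being destroyed and recreated, and an interface with no context gets no filtering at all. The user-space C model below is an added example written for this page; it is not code from the patch at [1] or from FreeBSD, and every name in it (`zone_madd`, `zone_mdel`, `zone_for_ifp`, `ZONE_NONE`, the cut-down `struct ifnet`) is hypothetical. It also assumes one context per interface, which the post does not state. The point it makes concrete is why keying on `if_xname` rather than `if_index` is what keeps the binding across `ifconfig vlan0 destroy; ifconfig vlan0 create`, and that the "no context, no filtering" rule means an interface nobody ran `madd` for is open, which is worth checking on a box that is supposed to be firewalled on every interface.

```c
/*
 * Added example, not the patch's own code: a user-space model of the
 * per-interface ipfw context binding described in the post.  All names
 * here are hypothetical; FreeBSD's real struct ifnet and ipfw KPI differ.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define IFNAMSIZ    16     /* same bound as FreeBSD's net/if.h */
#define MAX_MEMBERS 32
#define ZONE_NONE   0u     /* "no context configured for this interface" */

/* Stand-in for struct ifnet with only the fields the lookup needs.
 * if_index changes when an interface is destroyed and recreated;
 * if_xname does not, which is why the binding below keys on the name. */
struct ifnet {
    char if_xname[IFNAMSIZ];
    int  if_index;
};

struct zone_member {
    char     ifname[IFNAMSIZ];
    unsigned zone;
};

static struct zone_member members[MAX_MEMBERS];
static size_t nmembers;

void zones_clear(void) { nmembers = 0; }

static struct zone_member *find_member(const char *ifname)
{
    for (size_t i = 0; i < nmembers; i++)
        if (strncmp(members[i].ifname, ifname, IFNAMSIZ) == 0)
            return &members[i];
    return NULL;
}

/* Models "ipfw zone N madd IFACE": bind an interface name to context N.
 * Assumption (not in the post): an interface belongs to at most one
 * context, so a second madd for the same name is rejected, not moved. */
int zone_madd(unsigned zone, const char *ifname)
{
    size_t len = strlen(ifname);
    if (zone == ZONE_NONE || len == 0 || len >= IFNAMSIZ)
        return -1;
    if (find_member(ifname) != NULL || nmembers == MAX_MEMBERS)
        return -1;
    memcpy(members[nmembers].ifname, ifname, len + 1);
    members[nmembers].zone = zone;
    nmembers++;
    return 0;
}

/* Models "ipfw zone N mdel IFACE": unbind only if IFACE really is in N. */
int zone_mdel(unsigned zone, const char *ifname)
{
    struct zone_member *m = find_member(ifname);
    if (m == NULL || m->zone != zone)
        return -1;
    *m = members[--nmembers];   /* order does not matter; swap-remove */
    return 0;
}

/* Context selection at the filter entry point: the interface's name,
 * not its index, picks the ruleset.  ZONE_NONE means "no filtering",
 * exactly as the post describes, so an interface nobody added is open. */
unsigned zone_for_ifp(const struct ifnet *ifp)
{
    const struct zone_member *m = find_member(ifp->if_xname);
    return m ? m->zone : ZONE_NONE;
}

int packet_is_filtered(const struct ifnet *ifp)
{
    return zone_for_ifp(ifp) != ZONE_NONE;
}

/* Convenience for callers that only have a name and an index. */
unsigned zone_for_name_index(const char *name, int index)
{
    struct ifnet ifp;
    memset(&ifp, 0, sizeof ifp);
    strncpy(ifp.if_xname, name, IFNAMSIZ - 1);
    ifp.if_index = index;
    return zone_for_ifp(&ifp);
}

/* Scenario from the post: vlan0 is bound to zone 1, then destroyed and
 * recreated with a different if_index.  The binding survives because the
 * lookup matched on the name.  Returns the zone seen by the new ifnet. */
unsigned vlan_recreate_scenario(void)
{
    zones_clear();
    zone_madd(1, "em0");
    zone_madd(1, "vlan0");                    /* old vlan0 had if_index 5 */
    return zone_for_name_index("vlan0", 9);   /* after destroy + create */
}

int main(void)
{
    printf("vlan0 after recreate -> zone %u\n", vlan_recreate_scenario());
    printf("em1 (never added)    -> zone %u (unfiltered)\n",
           zone_for_name_index("em1", 2));
    return 0;
}
```

The two things to take from the model: the table is keyed by `if_xname`, so a cloned interface that goes away and comes back with a new `if_index` still lands in its context, and the lookup's miss path returns `ZONE_NONE`, which the post maps to "no filtering". On a host where every interface is meant to be covered, audit the `madd` list against `ifconfig -l` rather than assuming a default ruleset catches the rest.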

