From: "Peter 'PMc' Much"
Date: Wed, 6 Mar 2024 17:48:05 +0100
To: hackers@freebsd.org
Cc: allezvicki@gmail.com, jrm@freebsd.org, allanjude@freebsd.org
Subject: Re: Fwd: GSOC Network Configuration Libraries
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

Hi,

I had noticed that project suggestion by Allan Jude. This is an interesting matter, as, in fact, ipfw lacks some kind of higher level interface to configure it.

I was confronted with this lack of tooling a few years ago when I moved my jails to VIMAGE, and I noticed that combining NAT functionality with stateful rule behaviour (and possibly other features like packet forwarding) brings along a couple of gotchas - it is not really trivial; and also, many of the examples circling on the net were (are?) kinda sub-optimal.

Finally I decided to just write the necessary code. However, I chose the approach that appeared most feasible to me (for my needs, obviously) which happened to be not a library, but a freestanding web-application. Also I decided to do a full solution that can handle any number of interconnected interfaces and networks, and insert any number of filters into any flow (where filters could be NAT, suricata, NPTv6, or whatever); so this is not (only) for a laptop.
Then, I asked around if anybody would be interested in the matter, and found low interest in ipfw in general, and no interest at all in GUI tools (GUI is apparently un-Berkeley). Consequently I didn't bother to write documentation, or think about a license to publish the material (because why should I throw stuff after people who aren't interested?)

Anyway, you might be interested in issues like this PR 269770, and there are also a few kernel patches I needed, but these are mostly for IPv6 tunneling and hot reloading.

cheerio,
PMc
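The NAT-plus-stateful interaction the mail alludes to, shown as an added example that is not part of the message and not code from the author's tool: a minimal IPv4 ipfw ruleset for a gateway that combines in-kernel nat with keep-state/check-state in an order that actually works. Interface names (em0, em1), the internal prefix and the rule numbers are assumptions for illustration; the layout (nat before check-state on the inbound side, and keep-state rules that skipto the outbound nat rule) is the standard skipto-to-nat pattern. The script prints the commands by default and only loads them when invoked with --apply, so it can be read and checked without touching a live firewall.

```shell
#!/bin/sh
# Added example: an ipfw ruleset combining in-kernel NAT with keep-state.
# Not from the mail or the author's tool. Interface names, the LAN prefix
# and rule numbers are assumptions; adjust them for your host.
#
# Usage: sh ipfw-nat.sh          # dry run, prints the commands
#        sh ipfw-nat.sh --apply  # executes them (needs root and ipfw loaded)
set -eu

pif="em0"                # assumed public (WAN) interface
lif="em1"                # assumed internal (LAN) interface
lan="192.168.1.0/24"     # assumed internal prefix

# run MODE CMD... : execute CMD in "apply" mode, otherwise just print it.
run() {
    m="$1"; shift
    if [ "$m" = apply ]; then "$@"; else printf '%s\n' "$*"; fi
}

# build_ruleset [dry|apply] : emits the sysctl, the nat instance and the rules.
build_ruleset() {
    mode="${1:-dry}"
    add="ipfw -q add"

    # Gotcha 1: with one_pass=1 (the default) a packet accepted by a nat rule
    # is not examined by any later rule, so inbound traffic would bypass
    # check-state and the default deny below. Keep filtering after nat.
    run "$mode" sysctl net.inet.ip.fw.one_pass=0

    run "$mode" ipfw -q -f flush
    run "$mode" ipfw -q nat 1 config if "$pif" same_ports unreg_only reset

    run "$mode" $add 005 allow ip from any to any via lo0
    run "$mode" $add 010 allow ip from any to any via "$lif"

    # Gotcha 2: inbound packets must be de-translated BEFORE check-state,
    # otherwise the dynamic rule (keyed on the internal address) never matches.
    run "$mode" $add 100 nat 1 ip4 from any to any in via "$pif"
    run "$mode" $add 101 check-state

    # Gotcha 3: a dynamic match executes the action of the rule that created
    # the state. If that action were "allow", later packets of an established
    # outbound flow would be accepted at rule 101 and leave untranslated.
    # Using skipto to the outbound nat rule keeps every packet of the flow
    # going through the translator.
    run "$mode" $add 200 skipto 500 tcp from "$lan" to any out via "$pif" setup keep-state
    run "$mode" $add 201 skipto 500 udp from "$lan" to any out via "$pif" keep-state
    run "$mode" $add 202 skipto 500 icmp from "$lan" to any out via "$pif" keep-state

    # Anything else arriving on the public side that has no state is dropped.
    # Services on the gateway itself need explicit allow rules above this one.
    run "$mode" $add 300 deny log ip4 from any to any in via "$pif"

    run "$mode" $add 500 nat 1 ip4 from any to any out via "$pif"
    run "$mode" $add 510 allow ip4 from any to any out via "$pif"
    run "$mode" $add 999 deny log ip from any to any
}

# nat_before_checkstate : succeeds only if the inbound nat rule precedes
# check-state in the emitted ruleset (the ordering Gotcha 2 depends on).
nat_before_checkstate() {
    build_ruleset dry | awk '
        /nat 1 ip4 from any to any in via/ { n = NR }
        /check-state/                       { c = NR }
        END { exit !(n && c && n < c) }'
}

# keepstate_uses_skipto : succeeds only if every keep-state rule jumps to the
# outbound nat rule instead of allowing directly (Gotcha 3).
keepstate_uses_skipto() {
    build_ruleset dry | awk '
        /keep-state/ && !/skipto 500/ { bad = 1 }
        END { exit bad }'
}

case "${1:-}" in
    --apply) build_ruleset apply ;;
    *)       build_ruleset dry ;;
esac
```

The ordering checks are there because these are exactly the mistakes that silently pass traffic untranslated or unfiltered; running the script in dry mode and eyeballing the output is the cheapest review before loading it on a VIMAGE jail host.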