cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c src/sys/contrib/pf/netinet in4_cksum.c

Tim Kientzle tim at kientzle.com
Thu Feb 26 14:40:51 PST 2004


>>>Choice is good.  Three firewalls is maybe pushing the limit, but these
>>>three are Very Important to our community.

Dunno about pf, but neither ipfw nor ipf have one
feature I've been looking for.  I'd like to be able
to say something like:

   create set BLACKLIST
   drop ip in BLACKLIST

where BLACKLIST is a user-defined and easily-modifiable
set of arbitrary addresses.  Probably implemented via
a hash-table or search tree.

Then I want to be able to modify the address set
separately, without having to touch the rules per se:

    add 1.2.3.4 to BLACKLIST

This would make it feasible to manage large sets
(thousands) of blocked (or permitted) addresses
without the performance degradation of walking a very
long list of rules.  It could also greatly simplify
a lot of rulesets.

The ideal mechanism would support arbitrary CIDR blocks:
    add 1.2.3.4/29 to BLACKLIST
    add 10.0.0.0/8 to BLACKLIST
but the data structures that handle this sort of
thing efficiently are admittedly a bit esoteric.

Just a thought,

Tim Kientzle
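The address-set mechanism sketched in the message above, as an added illustration that is not part of the original post and not code from ipfw, ipf or pf: a user-defined set of CIDR blocks held in a binary trie, so that "drop ip in BLACKLIST" costs at most 32 node visits for IPv4 no matter how many thousands of blocks the set holds, and the set can be modified without touching the rule. The class and function names are constructed for this example.

```python
import ipaddress


class CidrSet:
    """Set of IPv4 CIDR blocks backed by a binary trie, one node per prefix bit.
    Membership is decided by walking the bits of the queried address, so a
    lookup visits at most 32 nodes regardless of how many blocks are stored."""

    def __init__(self):
        self.root = {}  # node = {'0': child, '1': child, 'end': stored block}

    @staticmethod
    def _bits(addr, prefixlen=32):
        return format(int(addr), "032b")[:prefixlen]

    def add(self, cidr):
        # "add 1.2.3.4/29 to BLACKLIST": host bits are masked off (1.2.3.0/29)
        net = ipaddress.ip_network(cidr, strict=False)
        node = self.root
        for b in self._bits(net.network_address, net.prefixlen):
            node = node.setdefault(b, {})
        node["end"] = str(net)

    def remove(self, cidr):
        # Unmark the block; empty intermediate nodes are left in place for simplicity.
        net = ipaddress.ip_network(cidr, strict=False)
        node = self.root
        for b in self._bits(net.network_address, net.prefixlen):
            node = node.get(b)
            if node is None:
                return False
        return node.pop("end", None) is not None

    def match(self, ip):
        """Return the most specific stored block containing ip, or None."""
        node = self.root
        best = node.get("end")  # a 0.0.0.0/0 entry would match everything
        for b in self._bits(ipaddress.ip_address(ip)):
            node = node.get(b)
            if node is None:
                break
            best = node.get("end", best)
        return best

    def __contains__(self, ip):
        return self.match(ip) is not None


def filter_packet(blacklist, src_ip):
    """The rule 'drop ip in BLACKLIST': consult the set, never a long rule list."""
    return "drop" if src_ip in blacklist else "pass"
```

Because the trie stores the masked network address, adding "1.2.3.4/29" blocks 1.2.3.0 through 1.2.3.7, and a more specific block nested inside a wider one is reported in preference to the wider one.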
