ipfw prefix-list support request
Dmitry Sergienko
trooper+freebsd+ipfw at email.dp.ua
Mon May 17 07:53:23 PDT 2004
Hi!
Bjoern A. Zeeb wrote:
>>The main advantage is to maintain list of prefixes separately from
>>rule, without tweaking the rule.
>>Current syntax in ipfw2 doesn't allow doing this (or have I missed
>>something?).
>>
>>Please tell your opinion about this feature: will it really be useful
>>not only for me? If so, we will try to implement this.
>
>
> use ipfw -p
>
> p.ex. with m4 you can do
>
> define(`goodcustomers',`{ 10.0.0.0/8 or 192.168.0.0/24 }')dnl
> add permit ip from goodcustomers to goodcustomers
>
> or s.th. like that. Of course you do not need -p /usr/bin/m4
> if you simply want to write
>
> add permit ip from { 10.0.0.0/8 or 192.168.0.0/24 } to { 10.0.0.0/8 or 192.168.0.0/24 }
>
> You might want to use perl or s.th. else to build up the list
> if you prefer Cisco config style but that's really a matter
> of the preprocessor then.
Thank you for replying.
It is not a problem to generate rules with the help of any text processing
tool. But that is just like a macro.
The problem is to change lists of addresses dynamically, without modifying
the existing rule.
If I need to change a list of addresses, I have to kill the existing rule and
insert another one with the same number.
This is inconvenient.
If I generate a list of ipfw rules, I need to reload all rules, which is
inconvenient as well.
Next: maybe I'm wrong, but as far as I saw in sbin/ipfw2.c, OR blocks
are generated as a list of items to be checked one by one by the kernel.
A hash will be more efficient if we have a lot of prefixes.
Also, I can't see stats per individual prefix in OR blocks, only for the whole rule.
--
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
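Bjoern's preprocessor suggestion above, as an added example that is not part of the thread: a small POSIX sh helper (the names valid_cidr, prefixes_to_orblock and rule_from_list are mine) that keeps the prefix list in its own file and expands it into the "{ a or b }" OR block, refusing malformed entries so a typo in the list cannot turn into a broken or wider-than-intended rule.

```shell
#!/bin/sh
# Added example (not from the thread): keep the prefix list in its own file
# and expand it into the "{ a or b }" OR block Bjoern's m4 define produces,
# rejecting malformed entries instead of emitting a broken rule.
# All function names are hypothetical.

# Accept a.b.c.d or a.b.c.d/n with every octet <= 255 and n <= 32.
valid_cidr() {
    case "$1" in *[!0-9./]*|*..*|.*|*.|*/*/*|*/|/*) return 1 ;; esac
    addr=${1%%/*}; plen=32
    case "$1" in */*) plen=${1#*/} ;; esac
    case "$plen" in *[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Read one prefix per line from stdin (blank lines and "#" comments are
# skipped, duplicates dropped) and print "{ p1 or p2 ... }". Any invalid
# line aborts with a non-zero status so a typo cannot reach the firewall.
prefixes_to_orblock() {
    block=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -z "$line" ] && continue
        valid_cidr "$line" || { printf 'bad prefix: %s\n' "$line" >&2; return 1; }
        case " $block " in *" $line "*) continue ;; esac
        block="${block:+$block or }$line"
    done
    [ -n "$block" ] || return 1
    printf '{ %s }\n' "$block"
}

# Emit the rule from the thread with the OR block expanded from FILE:
# rule_from_list RULENO FILE -> "add RULENO permit ip from {...} to {...}"
rule_from_list() {
    orblock=$(prefixes_to_orblock < "$2") || return 1
    printf 'add %s permit ip from %s to %s\n' "$1" "$orblock" "$orblock"
}
```

Write the output to a rule file and load it with ipfw as you would the m4-generated one; note that this still replaces the whole rule on every change, which is exactly the limitation Dmitry describes.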