propose a new generic purpose rule option for ipfw

Bill Yuan bycn82 at gmail.com
Thu May 29 07:25:22 UTC 2014


hi

The rule syntax of ipfw is kind of semantic, and it is powerful, so it is good
for normal users, but not for its developers, because simplicity is actually
hidden complexity. That is the reason developers implemented so many rule
options to match the traffic, and the man page of ipfw has become very long.
(Maybe the manpage for ipfw should be split into multiple pages.)

Yesterday I was thinking, "a firewall is ... when the traffic comes, it
will be filtered based on the rules, and the action will be executed when
a rule matches". So actually the job is quite simple.

So I was thinking whether there is a generic method to handle the
filtering, and the "U32" module of iptables came into my mind
immediately. I think the feature is cool, and I am going to introduce this
feature into ipfw if people like it, since I am free
recently :).

So I am proposing a new rule option `u32`, and the usage will be "u32
<position> <hex value>"

e.g.

>ipfw add 1 allow all from any to any u32 0 0x112233445566 layer2

It means that if the part of the traffic starting from position 0 is equal to
0x112233445566, then the rule is matched.

Or maybe the usage will be more complex than the above, maybe "u32
<position> <mask> <value>"

e.g.

>ipfw add 1 allow all from any to any u32 0 0xFFFFFF000000FFFFFF000000 0x111111000000222222000000 layer2

The traffic will be ANDed with the <mask> before being compared with the <value>.


It sounds like "nothing is impossible" with this feature!

It is a really powerful thing in my opinion, but it has a requirement: to
master it requires knowledge of the structure of the
packet/frame/whatever.
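
As an added illustration (not code from this post or from ipfw itself), here is how the proposed match could be evaluated in C: the bytes at <position> are ANDed with <mask> and compared with <value>, with the two example patterns from the post written out byte by byte against a constructed sample frame. The names u32_match, sample_frame and the example arrays are hypothetical, and the bounds check is an addition a kernel-side matcher would need, since a pattern may run past the end of a short frame.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical matcher for the proposed "u32 <position> <mask> <value>":
 * the n bytes of the frame starting at pos are ANDed with mask and
 * compared with value. A pattern that would run past the end of the
 * frame is a non-match rather than an out-of-bounds read. */
bool
u32_match(const uint8_t *frame, size_t frame_len, size_t pos,
    const uint8_t *mask, const uint8_t *value, size_t n)
{
	if (pos > frame_len || n > frame_len - pos)
		return (false);
	for (size_t i = 0; i < n; i++)
		if ((frame[pos + i] & mask[i]) != value[i])
			return (false);
	return (true);
}

/* Constructed sample frame: two 6-byte fields followed by 0x0800. */
static const uint8_t sample_frame[] = { 0x11, 0x11, 0x11, 0xaa, 0xbb, 0xcc,
    0x22, 0x22, 0x22, 0xdd, 0xee, 0xff, 0x08, 0x00 };

/* Second example from the post, u32 0 0xFFFFFF000000FFFFFF000000
 * 0x111111000000222222000000, written out byte by byte. */
static const uint8_t mask_ex2[]  = { 0xff, 0xff, 0xff, 0, 0, 0, 0xff, 0xff, 0xff, 0, 0, 0 };
static const uint8_t value_ex2[] = { 0x11, 0x11, 0x11, 0, 0, 0, 0x22, 0x22, 0x22, 0, 0, 0 };

/* First example, u32 0 0x112233445566: no mask given, so every bit of
 * the 6 bytes at position 0 must match, i.e. an all-ones mask. */
static const uint8_t mask_all[]  = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
static const uint8_t value_ex1[] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 };

/* Masked form: bytes 3..5 and 9..11 are ignored, so the sample frame matches. */
bool
example_masked_match(void)
{
	return (u32_match(sample_frame, sizeof(sample_frame), 0,
	    mask_ex2, value_ex2, sizeof(mask_ex2)));
}

/* Exact form at an arbitrary position; out-of-range positions never match. */
bool
example_exact_match(size_t pos)
{
	return (u32_match(sample_frame, sizeof(sample_frame), pos,
	    mask_all, value_ex1, sizeof(mask_all)));
}
```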

Anyone like this feature? Like it? Please voice out.

Best Regards,
bycn82


More information about the freebsd-net mailing list