ipfw rewrite - new snapshot available

Trish Lynch · *nix forums beginner Joined: 14 Jun 2002 Posts: 3

On Fri, 14 Jun 2002, 'Luigi Rizzo' wrote:

Luigi Rizzo · *nix forums addict Joined: 07 Apr 2002 Posts: 72

On Fri, Jun 14, 2002 at 11:58:23AM -0400, Trish Lynch wrote:
....

Trish Lynch · *nix forums beginner Joined: 14 Jun 2002 Posts: 3

On Thu, 13 Jun 2002, 'Luigi Rizzo' wrote:

Andrew V. Jemerya · *nix forums beginner Joined: 14 Jun 2002 Posts: 1

Hi!

Can i use this new ipfw snapshot for 4.x?

With best regards

Andrew V. Jemerya

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message

Dag-Erling Smorgrav · *nix forums Guru Wannabe Joined: 23 Mar 2002 Posts: 110

"'Luigi Rizzo'" <rizzo@icir.org> writes:

Julian Elischer · *nix forums Guru Wannabe Joined: 20 Mar 2002 Posts: 279

Hi Luigi.

I haven't had a chance to look at it yet..
Too busy at USENIX..

I'll try look at it after I et back after I do KSE-MIII after..... :-)

On Thu, 13 Jun 2002, 'Luigi Rizzo' wrote:

Luigi Rizzo · *nix forums addict Joined: 07 Apr 2002 Posts: 72

On Fri, Jun 14, 2002 at 08:45:34AM +0200, Poul-Henning Kamp wrote:

Poul-Henning Kamp · *nix forums Guru Joined: 21 Mar 2002 Posts: 436

In message <20020613171319.D93980@iguana.icir.org>, "'Luigi Rizzo'" writes:

Andre Oppermann · *nix forums addict Joined: 21 Mar 2002 Posts: 55

'Luigi Rizzo' wrote:

Luigi Rizzo · *nix forums addict Joined: 07 Apr 2002 Posts: 72

[Bcc to -net]

Hi,
as I mentioned in a posting to -net a few days ago, over the past
weeks I have done an extensive rewrite of the ipfw code (both userland
and kernel) in an attempt to make it faster, more flexible and more
manageable.

The code is now almost ready for commit, so I would appreciate
some feedback if any of you feels like trying it and, even
better, run some performance test. You can fetch the code from

http://info.iet.unipi.it/~luigi/ipfw5.20020613.tgz

This is for a -current after May 15th, and replaces

sys/netinet/ip_fw.c
sys/netinet/ip_fw.h
sys/netinet/ip_dummynet.c
sbin/ipfw/ipfw.c

The idea behind this work was to replace the old ipfw rules
(macroinstructions) with a set of microinstructions, each of them
performing a single operation such as matching an address, or a
port range, or a protocol flag, etc. -- much in the spirit of BPF
and derivatives -- and to let the userland front-end compile ipfw( Cool

commands into an appropriate set of microinstructions.

There are several advantages in using this technique: first of all,
instructions are typically shorter and faster, because the old
code had to check for the presence of all the possible options
(there are over 25 of them!) in a rule, whereas the new one can
simply do just the things that are required.

I have implemented all the actions (accept/deny/pipe/divert/forward
....) and almost all the 25+ (ouch!) different options that can be
specified in a rule. The syntax for the userland program is 100%
backward compatible.

I have also implemented a few extensions to demonstrate the flexibility
of the new approach: you can put "or" connectives between fields,
so you can write things like

ipfw add allow ip from host1 or host2 or host3 or not net1/24 to any

and the like, and this greatly simplifies writing rulesets as
you can imagine.

Other extensions (in the form of address sets, multiple rule
chains to be used on layer-2 and layer-3 firewalls, etc. will
be trivial to implement.

cheers
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/ . Universita` di Pisa
TEL/FAX: +39-050-568.533/522 . via Diotisalvi 2, 56126 PISA (Italy)
Mobile +39-347-0373137
-----------------------------------+-------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message

Google