Luigi Rizzo has added his new ipfw (firewall) code to FreeBSD stable. According to his measurements, the new code is twice as fast at processing individual firewall rules. Conveniently, the ruleset syntax is backwards compatible.
The full announcement:
[quote]
FYI….
(please read the commit log below before complaining).
cheers
luigi
----- Forwarded message from Luigi Rizzo
Date: Tue, 23 Jul 2002 20:21:24 -0700 (PDT)
From: Luigi Rizzo
Subject: cvs commit: src/sys/netinet ip_fw2.c ip_fw2.h src/sys/conf files options src/sbin/ipfw Makefile ipfw2.c src/lib/libalias Makefile alias_db.c
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
luigi 2002/07/23 20:21:24 PDT
Modified files: (Branch: RELENG_4)
sys/conf options files
sbin/ipfw Makefile
lib/libalias Makefile alias_db.c
Added files: (Branch: RELENG_4)
sys/netinet ip_fw2.h ip_fw2.c
sbin/ipfw ipfw2.c
Log:
Bring ipfw2 into the -stable tree. This will give more people a
chance to test it, and hopefully accelerate the transition from the
old to the new ipfw code.
NOTE: THIS COMMIT WILL NOT CHANGE THE FIREWALL YOU USE,
NOR A SINGLE BIT IN YOUR KERNEL AND BINARIES.
YOU WILL KEEP USING YOUR OLD “ipfw” UNLESS YOU:
+ add “options IPFW2” (undocumented) to your kernel config file;
+ compile and install sbin/ipfw and lib/libalias with
make -DIPFW2
in other words, you must really want it.
On the other hand, i believe you do really want to use this new
code. In addition to being twice as fast in processing individual
rules, you can use more powerful match patterns such as
… ip from 1.2.3.0/24{50,6,27,158} to …
… ip from { 1.2.3.4/26 or 5.6.7.8/22 } to …
… ip from any 5-7,9-66,1020-3000,4000-5000 to …
i.e. match sparse sets of IP addresses in constant time; use “or”
connectives between match patterns; have multiple port ranges; etc.
which I believe will dramatically reduce your ruleset size.
As an additional bonus, “keep-state” rules will now send keepalives
when the rule is about to expire, so you will not have your remote
login sessions die while you are idle.
The syntax is backward compatible with the old ipfw.
A manual page documenting the extensions has yet to be completed.
Revision Changes Path
1.13.2.5 +4 -1 src/lib/libalias/Makefile
1.21.2.14 +151 -36 src/lib/libalias/alias_db.c
1.6.6.3 +5 -1 src/sbin/ipfw/Makefile
1.4.2.1 +3166 -0 src/sbin/ipfw/ipfw2.c (new)
1.340.2.107 +1 -0 src/sys/conf/files
1.191.2.41 +1 -0 src/sys/conf/options
1.6.2.1 +2622 -0 src/sys/netinet/ip_fw2.c (new)
1.1.2.1 +404 -0 src/sys/netinet/ip_fw2.h (new)
[/quote]
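As an added illustration (not part of the announcement or of FreeBSD's ipfw2 sources), the following Python models the three match patterns quoted in the commit log: the brace set matched through a 256-bit mask, the `or` block, and the port-range list. Hostnames are not handled, a missing masklen is assumed to default to 24, and `a-b` ranges inside the braces are accepted as an extension beyond what the log shows.

```python
import ipaddress

def parse_addr_set(spec):
    """'1.2.3.0/24{50,6,27,158}' -> (network, bitmask of allowed last bytes).
    Each listed value sets one bit of a 256-bit integer, so membership is
    later a single shift-and-test instead of a walk over many rules."""
    base, _, rest = spec.partition("{")
    if "/" not in base:
        base += "/24"  # assumption: masklen defaults to 24 for this form
    net = ipaddress.IPv4Network(base, strict=False)
    if not 24 <= net.prefixlen <= 32:
        raise ValueError("masklen must be between 24 and 32")
    bits = 0
    for item in rest.rstrip("}").split(","):
        lo, _, hi = item.strip().partition("-")  # 'a-b' ranges: extension here
        for last in range(int(lo), int(hi or lo) + 1):
            if not 0 <= last <= 255:
                raise ValueError("set entries are last-byte values 0-255")
            bits |= 1 << last
    return net, bits

def match_addr_set(parsed, addr):
    """Constant time: inside the base network AND the last byte's bit is set."""
    net, bits = parsed
    a = ipaddress.IPv4Address(addr)
    return a in net and bool(bits >> (int(a) & 0xFF) & 1)

def old_ipfw_rules_needed(parsed):
    """How many single-address rules the pre-ipfw2 syntax needs for the set."""
    return bin(parsed[1]).count("1")

def parse_or_block(spec):
    """'{ 1.2.3.4/26 or 5.6.7.8/22 }' -> networks joined by 'or'."""
    inner = spec.strip().strip("{}")
    return [ipaddress.IPv4Network(p.strip(), strict=False)
            for p in inner.split(" or ")]

def match_or_block(nets, addr):
    a = ipaddress.IPv4Address(addr)
    return any(a in n for n in nets)

def parse_ports(spec):
    """'5-7,9-66,1020-3000,4000-5000' -> inclusive (lo, hi) ranges."""
    return [(int(lo), int(hi or lo)) for lo, _, hi
            in (item.partition("-") for item in spec.split(","))]

def match_ports(ranges, port):
    return any(lo <= port <= hi for lo, hi in ranges)
```

For the quoted set, `old_ipfw_rules_needed` reports 4 single-address rules, while the cost of `match_addr_set` stays the same however many entries the braces hold.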
Anonymous says
That Luigi is on a roll: first the scheduler and now IPFW2 as well.