We (Michael Neuling and I) have finally released our patch for
more sophisticated IP firewalling; it's different enough from the
current ip_fw.c/ip_fw.h that it is in its own two files
(ip_fwtrees.c/ip_fwtrees.h). You can grab it from
http://www.camtech.net.au/~rustcorp in the ipfwchains/ subdirectory.
The patch is against 2.1.47, but applies clean to 2.1.48, and should
apply to fairly flawlessly to any more recent kernel. You need an
associated replacement ipfwadm (called "ipchains" to avoid confusion)
to match, available from the same place.
The idea is that rules can now specify a policy (accept, deny,
etc) OR a new chain to traverse, OR do nothing (ie. accounting rules).
Users can define their own chains in addition to the builtin ones, and
place rules in them. This makes the separate IP accounting obsolete.
You can use it to emulate the BSD `one chain per interface'
firewall rules. You can use it to atomically switch between differing
firewall configurations (say, allowing or not allowing DNS to pass, by
putting the DNS rules in one chain, and then inserting/deleting a rule
calling it from the input chain). You can organise things the way you
want; you can even share user chains between the input/output/forward
traversal.
It also features a few cleanups, such as 64-bit packet and
byte counters. I have two questions for those in the know:
1) Why is the dev_get() call in ip_fw.c's insert_in_chain inside a
cli()? Can a device go down or up on an interrupt?
2) Does anyone actually use TOS setting? Why is it that ip_fw.c
mangles the TOS rules so that "minimise cost" can never be effected?
(Shouldn't this be enforced in ipfwadm, not silently in the kernel?)
Enjoy,
Paul & Michael.
PS. Thanks for Alan Cox for answering my initial questions on ip_fw.c.
-- .sig lost in the mail.