ipfw ruleset optimization and highlevel rule definition language

ipfw has very flexible internal structure due to representing rules as a series of opcodes. But complex ipfw rulesets tend to become a maze of goto's (skipto opcode) and hard to administrate.

I propose to add support for highlevel domain specific language for specifying ipfw rules. Most of the highlevel firewall definition languages aim at simplifying rule definition or solving particular set of tasks, making impossible to use large set of available firewall options. In contrast to it I propose to implement translator from highlevel language into generic ipfw rules which allows to use all ipfw options (opcodes). Such translator is going to be of great use (consider success of pf.conf syntax and new nftables firewall)

As rules generated by such translator are going to contain excessive checks I propose to implement ruleset optimization: do not check opcodes already checked in previous rules. Optimizer doesn't depend on highlevel parser and would be useful on its own.

Milestones

* May 23 - May 30. Support rule aliases (useful for debugging and configuration in general)

* June 1 - June 21. Implement ruleset processing optimization. It should work by not checking predicates (opcodes) checked in previous rules.

* June 23 - July 4. Test optimizer correctness, fix bugs.

* July 13 - July 25. Implement a parser that would translate highlevel definitions into generic ipfw rules.

* July 27 - August 10. Connect highlevel language parser to ipfw

SOC2009TatsianaElavaya (last edited 2009-08-19T13:58:33+0000 by TatsianaElavaya)