= ipfw ruleset optimization and high-level rule definition language =


ipfw has a very flexible internal structure because it represents rules as a
series of opcodes. But complex ipfw rulesets tend to become a maze of gotos (the
skipto opcode) and are hard to administer.

I propose to add support for a high-level domain-specific language for
specifying ipfw rules. Most high-level firewall definition languages aim at
simplifying rule definition or at solving a particular set of tasks, which makes
it impossible to use a large part of the available firewall options. In
contrast, I propose to implement a translator from a high-level language into
generic ipfw rules, which allows all ipfw options (opcodes) to be used. Such a
translator is going to be of great use (consider the success of the pf.conf
syntax and the new nftables firewall).

As the rules generated by such a translator are going to contain redundant
checks, I propose to implement ruleset optimization: do not check opcodes that
were already checked in previous rules. The optimizer doesn't depend on the
high-level parser and would be useful on its own.
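
A toy model of the optimization idea above, added here as an illustration; it is not ipfw code and not part of the proposal. The rule representation, predicate names and sample packets are assumptions constructed for the example. It compares plain first-match evaluation with evaluation that reuses predicate results from earlier rules, and checks that both pick the same rule.

```python
# Toy model constructed for illustration; not ipfw code or its data structures.
# Each rule is (number, [predicate names], action). The first rule whose
# predicates all hold decides the packet, like a terminal allow/deny in ipfw.
PREDICATES = {
    "in_em0":      lambda p: p["iface"] == "em0",
    "proto_tcp":   lambda p: p["proto"] == "tcp",
    "dst_port_22": lambda p: p["dport"] == 22,
    "dst_port_80": lambda p: p["dport"] == 80,
    "src_lan":     lambda p: p["src"].startswith("10."),
}

RULES = [
    (100, ["in_em0", "proto_tcp", "dst_port_22", "src_lan"], "allow"),
    (200, ["in_em0", "proto_tcp", "dst_port_22"], "deny"),
    (300, ["in_em0", "proto_tcp", "dst_port_80"], "allow"),
    (65535, [], "deny"),  # default rule: no predicates, always matches
]

def evaluate(packet, rules=RULES, reuse=False):
    """Return (rule number, action, predicate evaluations performed)."""
    known, checks = {}, 0

    def holds(name):
        nonlocal checks
        if reuse and name in known:      # already checked by an earlier rule
            return known[name]
        checks += 1
        known[name] = PREDICATES[name](packet)
        return known[name]

    for number, names, action in rules:
        if all(holds(n) for n in names):  # stops at the first failing predicate
            return number, action, checks
    raise ValueError("ruleset has no default rule")

def same_verdict(packets, rules=RULES):
    """Correctness check: reuse must never change which rule decides."""
    return all(evaluate(p, rules)[:2] == evaluate(p, rules, reuse=True)[:2]
               for p in packets)

# Constructed sample packets.
WEB = {"iface": "em0", "proto": "tcp", "dport": 80, "src": "192.0.2.7"}
SSH_LAN = {"iface": "em0", "proto": "tcp", "dport": 22, "src": "10.0.0.5"}
SSH_WAN = {"iface": "em0", "proto": "tcp", "dport": 22, "src": "198.51.100.9"}
DNS = {"iface": "em1", "proto": "udp", "dport": 53, "src": "10.0.0.5"}
```

Reusing a result is only safe for predicates whose outcome cannot change between rules; a check that depends on state modified by an earlier rule would have to be evaluated again.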

== Milestones ==

* May 23 - May 30. Support rule aliases (useful for debugging and for configuration in general).

* June 1 - June 21. Implement ruleset processing optimization. It should work by not checking
predicates (opcodes) that were already checked in previous rules.

* June 23 - July 4. Test optimizer correctness, fix bugs.

* July 13 - July 25. Implement a parser that translates high-level definitions into generic
ipfw rules.

* July 27 - August 10. Connect the high-level language parser to ipfw.