
important pf changes



Hi guys,
After much discussion we have made a hard decision: we will change the pf
syntax from English to German.
Let me explain.
Most of the pf developers are native German speakers. It is very hard for us
to dream up new keywords in a foreign language. In fact, I have a few new
features in mind that I would really like to have, but cannot implement because
I can't think of a reasonable English keyword for them.
And, of course, we do not want to support a regime attacking poor Afghan and
Iraqi farmers by using the English language.
We realize this change is radical, and that it will cause some management
issues for you, but it is really worth it: the new syntax is so much clearer
and simpler that you won't regret it. Look at this example:
# Illustrative ruleset in the proposed German syntax. The English keyword each
# German word replaces is taken from the keyword table in the diff further
# below; macro, queue and table names (ext_if, allet, Spinnennetzservierer)
# are not keywords and are left to the author.
ext_if="dc0"
# set block-policy return
mach isnich-Gesetz Schiesszurueck
# set limit { states 10000, frags 5000 }  -- the limit names are unchanged
mach limit { states 10000, frags 5000 }
# set require-order no
mach erzwinge-Reihenfolge noe
# altq on $ext_if bandwidth 10Mb cbq queue { ssh, http, allet }
AndereSchlangen auf $ext_if Bandbreite 10Mb Klassen-basiertes-anstellen \
	Schlange { ssh, http, allet }
# queue allet bandwidth 1Mb cbq(default)
Schlange allet Bandbreite 1Mb Klassen-basiertes-anstellen(default)
# queue ssh bandwidth 1Mb cbq(borrow) { ssh_bulk, ssh_prio }
Schlange ssh Bandbreite 1Mb Klassen-basiertes-anstellen(leihen) \
	{ ssh_bulk, ssh_prio }
# queue ssh_bulk priority 0 / queue ssh_prio priority 7
Schlange  ssh_bulk Prioritaet 0
Schlange  ssh_prio Prioritaet 7
# queue http bandwidth 9Mb
Schlange http Bandbreite 9Mb
# table <Spinnennetzservierer> { 10.0.0.1, 10.0.0.7, 10.0.0.9 }
Tabelle <Spinnennetzservierer> { 10.0.0.1, 10.0.0.7, 10.0.0.9 }
# scrub in from any to 10/8 random-id
scrub rein von wurscht nach 10/8 zufalls-id
# nat on $ext_if inet from 10/8 to any -> $ext_if
ueberzetze auf $ext_if dasAlteProtokoll von 10/8 nach wurscht -> $ext_if
# rdr on $ext_if from any to $ext_if -> 10.0.0.1
# NOTE(review): no proto or port is given, so every inbound connection to
# $ext_if is redirected to 10.0.0.1 -- presumably fine for an example, but a
# real ruleset would restrict this to the intended ports.
umleite auf $ext_if von wurscht nach $ext_if -> 10.0.0.1
# antispoof quick for $ext_if
nixschummeln SchnellSchnellSchnell fuer $ext_if
# block drop quick on $ext_if from 192.168/16
# NOTE(review): this is the only block rule in the example and there is no
# catch-all. pf passes packets that match no rule, so a default-deny such as
# `isnich alles` (block all) before the pass rules would be expected in a
# real policy -- confirm against the intended policy.
isnich lassfallen SchnellSchnellSchnell auf $ext_if von 192.168/16
# pass in quick on $ext_if proto tcp to <Spinnennetzservierer> port 80
#   flags S/SA keep state label "wodieSeitenherkommen" queue http
lass rein SchnellSchnellSchnell auf $ext_if Protokoll tcp nach \
	 <Spinnennetzservierer> Hafen 80 Flaggen S/SA halte Status \
	 Schild "wodieSeitenherkommen" Schlange http 
# pass out quick on $ext_if proto tcp to any port 22
#   flags S/SA keep state label "ssh-raus" queue (ssh_bulk, ssh_prio)
lass raus SchnellSchnellSchnell auf $ext_if Protokoll tcp nach wurscht \
	 Hafen 22 Flaggen S/SA halte Status Schild "ssh-raus" \
	 Schlange (ssh_bulk, ssh_prio)
It is obviously so much better than what we have now, and we get rid of the
last remnants of IPF. Rest in peace.
Below is an early diff; it only renames the keyword table in parse.y, so the
print functions (and anything else that emits the old keywords) still need to
be updated.
Have fun!
Index: parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.343
diff -u -r1.343 parse.y
--- parse.y	19 Mar 2003 15:51:40 -0000	1.343
+++ parse.y	1 Apr 2003 01:20:48 -0000
@@ -3418,93 +3418,93 @@
 {
 	/* this has to be sorted always */
 	static const struct keywords keywords[] = {
-		{ "all",		ALL},
-		{ "allow-opts",		ALLOWOPTS},
-		{ "altq",		ALTQ},
-		{ "anchor",		ANCHOR},
-		{ "antispoof",		ANTISPOOF},
-		{ "any",		ANY},
-		{ "bandwidth",		BANDWIDTH},
-		{ "binat",		BINAT},
-		{ "binat-anchor",	BINATANCHOR},
-		{ "bitmask",		BITMASK},
-		{ "block",		BLOCK},
-		{ "block-policy",	BLOCKPOLICY},
-		{ "borrow",		BORROW},
-		{ "cbq",		CBQ},
-		{ "code",		CODE},
-		{ "crop",		FRAGCROP},
-		{ "default",		DEFAULT},
-		{ "drop",		DROP},
-		{ "drop-ovl",		FRAGDROP},
-		{ "dup-to",		DUPTO},
-		{ "ecn",		ECN},
-		{ "fastroute",		FASTROUTE},
-		{ "file",		FILENAME},
-		{ "flags",		FLAGS},
-		{ "for",		FOR},
-		{ "fragment",		FRAGMENT},
-		{ "from",		FROM},
-		{ "group",		GROUP},
-		{ "icmp-type",		ICMPTYPE},
-		{ "icmp6-type",		ICMP6TYPE},
-		{ "in",			IN},
-		{ "inet",		INET},
-		{ "inet6",		INET6},
-		{ "keep",		KEEP},
-		{ "label",		LABEL},
-		{ "limit",		LIMIT},
-		{ "log",		LOG},
-		{ "log-all",		LOGALL},
-		{ "loginterface",	LOGINTERFACE},
-		{ "max",		MAXIMUM},
-		{ "max-mss",		MAXMSS},
-		{ "min-ttl",		MINTTL},
-		{ "modulate",		MODULATE},
-		{ "nat",		NAT},
-		{ "nat-anchor",		NATANCHOR},
-		{ "no",			NO},
-		{ "no-df",		NODF},
-		{ "no-route",		NOROUTE},
-		{ "on",			ON},
-		{ "optimization",	OPTIMIZATION},
-		{ "out",		OUT},
-		{ "pass",		PASS},
-		{ "port",		PORT},
-		{ "priority",		PRIORITY},
-		{ "priq",		PRIQ},
-		{ "proto",		PROTO},
-		{ "qlimit",		QLIMIT},
-		{ "queue",		QUEUE},
-		{ "quick",		QUICK},
-		{ "random",		RANDOM},
-		{ "random-id",		RANDOMID},
-		{ "rdr",		RDR},
-		{ "rdr-anchor",		RDRANCHOR},
-		{ "reassemble",		FRAGNORM},
-		{ "red",		RED},
-		{ "reply-to",		REPLYTO},
-		{ "require-order",	REQUIREORDER},
-		{ "return",		RETURN},
-		{ "return-icmp",	RETURNICMP},
-		{ "return-icmp6",	RETURNICMP6},
-		{ "return-rst",		RETURNRST},
-		{ "rio",		RIO},
-		{ "round-robin",	ROUNDROBIN},
-		{ "route-to",		ROUTETO},
-		{ "scrub",		SCRUB},
-		{ "set",		SET},
-		{ "source-hash",	SOURCEHASH},
-		{ "state",		STATE},
-		{ "static-port",	STATICPORT},
-		{ "table",		TABLE},
-		{ "tbrsize",		TBRSIZE},
-		{ "timeout",		TIMEOUT},
-		{ "to",			TO},
-		{ "tos",		TOS},
-		{ "ttl",		TTL},
-		{ "user",		USER},
-		{ "yes",		YES},
+		{ "AndereSchlangen",		ALTQ},
+		{ "Anker",			ANCHOR},
+		{ "Bandbreite",			BANDWIDTH},
+		{ "Benutzer",			USER},
+		{ "Datei",			FILENAME},
+		{ "Flaggen",			FLAGS},
+		{ "Gruppe",			GROUP},
+		{ "Hafen",			PORT},
+		{ "Klassen-basiertes-anstellen",	CBQ},
+		{ "Kode",			CODE},
+		{ "Optimierung",		OPTIMIZATION},
+		{ "Prioritaet",			PRIORITY},
+		{ "Protokoll",			PROTO},
+		{ "Schiesszurueck",		RETURN},
+		{ "Schiesszurueck-icmp",	RETURNICMP},
+		{ "Schiesszurueck-icmp6",	RETURNICMP6},
+		{ "Schiesszurueck-rst",		RETURNRST},
+		{ "Schild",			LABEL},
+		{ "Schlange",			QUEUE},
+		{ "SchnellSchnellSchnell",	QUICK},
+		{ "Schnellrouten",		FASTROUTE},
+		{ "Status",			STATE},
+		{ "Tabelle",			TABLE},
+		{ "alles",			ALL},
+		{ "antworte-nach",		REPLYTO},
+		{ "auf",			ON},
+		{ "bitmaske",			BITMASK},
+		{ "biuebersetzen",		BINAT},
+		{ "biuebersetzen-anker",	BINATANCHOR},
+		{ "crop",			FRAGCROP},
+		{ "dasAlteProtokoll",		INET},
+		{ "dasNeueProtokoll",		INET6},
+		{ "default",			DEFAULT},
+		{ "drop-ovl",			FRAGDROP},
+		{ "dup-to",			DUPTO},
+		{ "ecn",			ECN},
+		{ "erlaube-optionen",		ALLOWOPTS},
+		{ "erzwinge-Reihenfolge",	REQUIREORDER},
+		{ "fragment",			FRAGMENT},
+		{ "fuer",			FOR},
+		{ "halte",			KEEP},
+		{ "icmp-typ",			ICMPTYPE},
+		{ "icmp6-typ",			ICMP6TYPE},
+		{ "isnich",			BLOCK},
+		{ "isnich-Gesetz",		BLOCKPOLICY},
+		{ "ja",				YES},
+		{ "kein-df",			NODF},
+		{ "kein-weg",			NOROUTE},
+		{ "lass",			PASS},
+		{ "lassfallen",			DROP},
+		{ "leihen",			BORROW},
+		{ "limit",			LIMIT},
+		{ "log",			LOG},
+		{ "log-all",			LOGALL},
+		{ "loginterface",		LOGINTERFACE},
+		{ "mach",			SET},
+		{ "max",			MAXIMUM},
+		{ "max-mss",			MAXMSS},
+		{ "min-ttl",			MINTTL},
+		{ "moduliere",			MODULATE},
+		{ "nach",			TO},
+		{ "nixschummeln",		ANTISPOOF},
+		{ "noe",			NO},
+		{ "priq",			PRIQ},
+		{ "qlimit",			QLIMIT},
+		{ "raus",			OUT},
+		{ "reassemble",			FRAGNORM},
+		{ "rein",			IN},
+		{ "rio",			RIO},
+		{ "rot",			RED},
+		{ "runder-rudi",		ROUNDROBIN},
+		{ "scrub",			SCRUB},
+		{ "source-hash",		SOURCEHASH},
+		{ "static-port",		STATICPORT},
+		{ "tbrsize",			TBRSIZE},
+		{ "timeout",			TIMEOUT},
+		{ "tos",			TOS},
+		{ "ttl",			TTL},
+		{ "ueberzetz-anker",		NATANCHOR},
+		{ "ueberzetze",			NAT},
+		{ "umleite",			RDR},
+		{ "umleite-anker",		RDRANCHOR},
+		{ "von",			FROM},
+		{ "weg-nach",			ROUTETO},
+		{ "wurscht",			ANY},
+		{ "zufall",			RANDOM},
+		{ "zufalls-id",			RANDOMID},
 	};
 	const struct keywords	*p;