Subject: Re: Extending pfil for IPv6
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Darren Reed <>
List: tech-net
Date: 11/02/1999 20:22:56
In some email I received from Jonathan Stone, sie wrote:
> To change the subject slightly:
> can we go for a more robust syntax?
> Over time, I've gotten to really appreciate the ISC-standard config
> file syntax, as used in dhcpd, dhclient, bind, ....
> Using braces to delimit scope, and semicolons as terminators, really
> helps config-file clarity.  At the original `little-language' spiel
> from Ches at SNDSS '95 where (iirc part) the ipf language was born.
> I've written rules for a couple of new firewalls recently, and I'd be
> *much* happier with {}-based syntax to delimit groups, associate a
> head with a named group, usw. Clean scope seems so much more robust
> than tagging each rule with a group number.  Especially if we start
> adding sections for IPv6 (and other protocols?)
> Darren? What d'you think?  Interested in BNF suggestions, or an
> implementation, or what?

You should be able to do that independent of anything I've got in mind.

I had a play with doing that using a program called "flc".  The back end
would output ACLs for things such as Cisco's, etc.  It was a proof of
concept for myself and I haven't had any interest or desire to take it