From: "bycn82"
To: freebsd-ipfw@FreeBSD.org
Cc: "Luigi Rizzo"
Subject: Re: kern/189720: [ipfw] [patch] pps action for ipfw
Date: Sat, 31 May 2014 00:53:56 +0800
List-Id: IPFW Technical Discussions

The following reply was made to PR kern/189720; it has been noted by GNATS.

1. Add static int to store the value of kern.hz
2. Convert the duration into number of ticks based on kern.hz

regards,
bycn82

------=_NextPart_001_0003_01CF7C6A.CF4B9B50-- ------=_NextPart_000_0002_01CF7C6A.CF4B9B50 Content-Type: application/octet-stream; name="pps.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="pps.patch" Index: sbin/ipfw/ipfw.8=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sbin/ipfw/ipfw.8 (revision 266886)=0A= +++ sbin/ipfw/ipfw.8 (working copy)=0A= @@ -602,6 +602,14 @@=0A= Note: logging is done after all other packet matching conditions=0A= have been successfully verified, and before performing the final=0A= action (accept, deny, etc.) on the packet.=0A= +.It Cm pps Ar limit duration=0A= +Rule with the =0A= +.Cm pps=0A= +keyword will allow the first=0A= +.Ar limit=0A= +packets in recent =0A= +.Ar duration =0A= +milliseconds=0A= .It Cm tag Ar number=0A= When a packet matches a rule with the=0A= .Cm tag=0A= Index: sbin/ipfw/ipfw2.c=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sbin/ipfw/ipfw2.c (revision 266886)=0A= +++ sbin/ipfw/ipfw2.c (working copy)=0A= @@ -244,6 +244,7 @@=0A= { "allow", TOK_ACCEPT },=0A= { "permit", TOK_ACCEPT },=0A= { "count", TOK_COUNT },=0A= + { "pps", TOK_PPS },=0A= { "pipe", TOK_PIPE },=0A= { "queue", TOK_QUEUE },=0A= { "divert", TOK_DIVERT },=0A= @@ -1232,6 +1233,13 @@=0A= PRINT_UINT_ARG("skipto ", cmd->arg1);=0A= break;=0A= =0A= + case O_PPS:=0A= + {=0A= + ipfw_insn_pps *pps=3D(ipfw_insn_pps *)cmd;=0A= + printf("pps %d %d",cmd->arg1,pps->duration);=0A= + break; =0A= + }=0A= +=0A= case O_PIPE:=0A= PRINT_UINT_ARG("pipe ", cmd->arg1);=0A= break;=0A= 
@@ -2985,6 +2993,24 @@=0A= case TOK_COUNT:=0A= action->opcode =3D O_COUNT;=0A= break;=0A= + =0A= + case TOK_PPS:=0A= + action->opcode =3D O_PPS;=0A= + ipfw_insn_pps *p =3D (ipfw_insn_pps *)action;=0A= + action->len =3D F_INSN_SIZE(ipfw_insn_pps);=0A= + if (isdigit(**av)) {=0A= + action->arg1 =3D strtoul(*av, NULL, 10);=0A= + av++;=0A= + }else{=0A= + errx(EX_USAGE, "illegal argument pps `limit` %s", *av);=0A= + }=0A= + if (isdigit(**av)) {=0A= + p->duration =3D strtoul(*av, NULL, 10);=0A= + av++;=0A= + }else{=0A= + errx(EX_USAGE,"illegal arugment pps `duration` %s", *av);=0A= + }=0A= + break; =0A= =0A= case TOK_NAT:=0A= action->opcode =3D O_NAT;=0A= Index: sbin/ipfw/ipfw2.h=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sbin/ipfw/ipfw2.h (revision 266886)=0A= +++ sbin/ipfw/ipfw2.h (working copy)=0A= @@ -92,6 +92,7 @@=0A= TOK_NGTEE,=0A= TOK_FORWARD,=0A= TOK_SKIPTO,=0A= + TOK_PPS,=0A= TOK_DENY,=0A= TOK_REJECT,=0A= TOK_RESET,=0A= Index: sys/netinet/ip_fw.h=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sys/netinet/ip_fw.h (revision 266886)=0A= +++ sys/netinet/ip_fw.h (working copy)=0A= @@ -165,6 +165,7 @@=0A= O_REJECT, /* arg1=3Dicmp arg (same as deny) */=0A= O_COUNT, /* none */=0A= O_SKIPTO, /* arg1=3Dnext rule number */=0A= + O_PPS, /* arg1=3Dlimit, pps->duration */=0A= O_PIPE, /* arg1=3Dpipe number */=0A= O_QUEUE, /* arg1=3Dqueue number */=0A= O_DIVERT, /* arg1=3Dport number */=0A= 
@@ -378,6 +379,16 @@=0A= } ipfw_insn_log;=0A= =0A= /*=0A= + * This is used for PPS=0A= + */=0A= +typedef struct _ipfw_insn_pps{=0A= + ipfw_insn o;=0A= + uint32_t start_time;=0A= + uint32_t count;=0A= + uint32_t duration;=0A= +} ipfw_insn_pps;=0A= +=0A= +/*=0A= * Data structures required by both ipfw(8) and ipfw(4) but not part of = the=0A= * management API are protected by IPFW_INTERNAL.=0A= */=0A= Index: sys/netpfil/ipfw/ip_fw2.c=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sys/netpfil/ipfw/ip_fw2.c (revision 266886)=0A= +++ sys/netpfil/ipfw/ip_fw2.c (working copy)=0A= @@ -124,6 +124,7 @@=0A= /* Use 128 tables by default */=0A= static unsigned int default_fw_tables =3D IPFW_TABLES_DEFAULT;=0A= =0A= +static unsigned int kern_hz=3D1000;=0A= /*=0A= * Each rule belongs to one of 32 different sets (0..31).=0A= * The variable set_disable contains one bit per set.=0A= @@ -186,6 +187,7 @@=0A= SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, static_count,=0A= CTLFLAG_RD, &VNET_NAME(layer3_chain.n_rules), 0,=0A= "Number of static rules");=0A= +TUNABLE_INT("kern.hz", (int *)&kern_hz);=0A= =0A= #ifdef INET6=0A= SYSCTL_DECL(_net_inet6_ip6);=0A= 
@@ -2189,6 +2191,31 @@=0A= continue;=0A= break; /* not reached */=0A= =0A= + case O_PPS:{=0A= + int duration_in_ticks;=0A= + ipfw_insn_pps *pps =3D (ipfw_insn_pps *)cmd;=0A= + if(1000/kern_hz >=3D pps->duration){=0A= + duration_in_ticks=3D1;=0A= + }else{=0A= + duration_in_ticks=3Dpps->duration*kern_hz/1000+1;=0A= + }=0A= + if(pps->start_time+duration_in_ticks>=3D ticks){=0A= + if(pps->count < cmd->arg1){=0A= + retval =3D IP_FW_PASS;=0A= + }else{=0A= + retval =3D IP_FW_DENY;=0A= + }=0A= + pps->count++;=0A= + }else{=0A= + pps->start_time=3Dticks;=0A= + pps->count=3D1;=0A= + retval =3D IP_FW_PASS;=0A= + }=0A= + l =3D 0; =0A= + done =3D 1;=0A= + break; =0A= + }=0A= +=0A= case O_CALLRETURN: {=0A= /*=0A= * Implementation of `subroutine' call/return,=0A= Index: sys/netpfil/ipfw/ip_fw_sockopt.c=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sys/netpfil/ipfw/ip_fw_sockopt.c (revision 266886)=0A= +++ sys/netpfil/ipfw/ip_fw_sockopt.c (working copy)=0A= @@ -703,6 +703,12 @@=0A= goto bad_size;=0A= break;=0A= =0A= + case O_PPS:=0A= + have_action=3D1;=0A= + if (cmdlen !=3D F_INSN_SIZE(ipfw_insn_pps))=0A= + goto bad_size;=0A= + break;=0A= +=0A= case O_PIPE:=0A= case O_QUEUE:=0A= if (cmdlen !=3D F_INSN_SIZE(ipfw_insn))=0A= ------=_NextPart_000_0002_01CF7C6A.CF4B9B50--
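Review bot: the man page text in the sbin/ipfw/ipfw.8 hunk (@@ -602) documents only half of the action: it says the first `limit` packets in `duration` milliseconds are allowed but not what happens to the rest, while the kernel side of this same patch returns IP_FW_DENY for them and stops rule processing. State that explicitly, and also say that the window is a fixed one that restarts when it expires rather than a sliding one, since up to twice `limit` packets can pass across a window boundary. The sentence as written ("Rule with the pps keyword will allow the first limit packets in recent duration milliseconds") is ungrammatical; something like "A rule with the .Cm pps action passes the first .Ar limit packets seen in each .Ar duration millisecond window and denies the rest" reads better, and the two lines with trailing whitespace (`+Rule with the ` and `+.Ar duration `) should be trimmed.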
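Review bot: in the sbin/ipfw/ipfw2.c print hunk (@@ -1232), `printf("pps %d %d",cmd->arg1,pps->duration)` formats the unsigned fields `arg1` and `duration` with `%d`; use `%u` so large durations print correctly, and match the neighbouring cases' spacing (space after each comma, trailing whitespace removed from the `break;` line). The cast line `ipfw_insn_pps *pps=(ipfw_insn_pps *)cmd;` is missing the spaces around `=` that the rest of the file uses.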
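Review bot: in the TOK_PPS parsing hunk of sbin/ipfw/ipfw2.c (@@ -2985) both `isdigit(**av)` checks dereference `*av` without first checking that an argument is present; when `pps` is the last word on the command line `*av` is the terminating NULL and ipfw(8) crashes instead of printing the usage error. Check `*av == NULL` before calling isdigit, as the surrounding argument parsers do. Two further points: `strtoul()` returns an unsigned long that is stored into the 16-bit `arg1`, so a `limit` above 65535 is silently truncated rather than rejected, and a `duration` of 0 is accepted even though the kernel side of this patch turns it into a one-tick window; both should be range-checked here with errx(). Also the second error string says "arugment", and the declaration `ipfw_insn_pps *p = (ipfw_insn_pps *)action;` sits between statements in an unbraced case, which the other cases avoid by opening a block.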
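Review bot: the sys/netinet/ip_fw.h hunk at @@ -165 inserts O_PPS in the middle of the opcode enum, between O_SKIPTO and O_PIPE, which shifts the numeric value of every opcode that follows (O_PIPE, O_QUEUE, O_DIVERT and the rest). These values cross the kernel/userland boundary in the rule blobs that ipfw(8) sends in and reads back, so an ipfw(8) and an ipfw(4) built from different sides of this change will misinterpret each other's rules. Append the new opcode at the end of the enum instead.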
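Review bot: the ipfw_insn_pps struct added in the sys/netinet/ip_fw.h hunk at @@ -378 keeps mutable run-time state (`start_time`, `count`) inside the rule instruction itself, which is the same blob that userland builds, sends in with setsockopt and gets back on `ipfw show`. The initial window start and counter therefore come from whatever ipfw(8) left in its buffer unless the kernel zeroes them on insert, and the live counter is written from the packet path into memory that is also copied out to userland. Either keep these counters in kernel-owned state, or at minimum zero them on insert and say in the comment that the two fields are kernel-owned and ignored on input; "This is used for PPS" says nothing about what the fields mean or who updates them.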
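Review bot: the sys/netpfil/ipfw/ip_fw2.c hunk at @@ -124 adds a private `kern_hz` defaulting to 1000; the kernel already holds the live tick rate in the global `hz`, so a second copy can only be equal to it or stale (the default 1000 is wrong on any system where kern.hz was changed and the tunable is not applied to this module). Use `hz` directly and drop the static; if it stays, write `kern_hz = 1000` to match the file's spacing.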
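Review bot: `TUNABLE_INT("kern.hz", (int *)&kern_hz)` in the @@ -186 hunk of sys/netpfil/ipfw/ip_fw2.c re-reads a tunable the kernel has already consumed to set `hz`, and the `(int *)` cast exists only because `kern_hz` was declared unsigned a few lines earlier. Neither is needed once the code reads `hz`; remove this line together with the static.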
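Review bot: the O_PPS case in the sys/netpfil/ipfw/ip_fw2.c hunk at @@ -2189 updates `pps->start_time` and `pps->count` from the packet path with plain loads and stores; rule evaluation runs concurrently on several CPUs for the same rule, so `pps->count++` and the window reset race, and the limit can be overshot or the window restarted twice. Either make the updates atomic (atomic_fetchadd_32 on count and a compare-and-set on start_time) or take a per-rule lock, and state in the man page that the limit is approximate under load. Three smaller problems: `pps->duration*kern_hz/1000` is computed in 32 bits and overflows for durations above roughly 4.29 million ms at hz=1000, so either reject large durations in ipfw(8) or compute in 64 bits; the `+1` in the else branch is meant as a ceiling but is added even when the division is exact, so a 2 ms duration at hz=1000 becomes 3 ticks (use `(duration * hz + 999) / 1000`); and `1000/kern_hz` is integer division, which is 0 for any hz above 1000, so the shortcut only ever fires for duration 0 on such systems. Finally, the count is also incremented on the deny path, which is harmless but makes the stored counter unusable as a "packets passed" statistic; increment only when passing, or document the meaning.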
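Review bot: the O_PPS case added to sys/netpfil/ipfw/ip_fw_sockopt.c at @@ -703 sets `have_action=1` by hand instead of going through the same path as the neighbouring action opcodes (O_PIPE and O_QUEUE directly below it), which is where the checks that a rule carries only one action and that the action is its last opcode are applied; as written a rule could combine `pps` with a second action. Route this case through the same action validation after the size check. This is also the place to zero `start_time` and `count`, since they arrive from userland in the same buffer and the kernel should not trust their initial values.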