Date: Tue, 2 Aug 2016 09:50:53 -0300
From: "Dr. Rolf Jansen" <rj@obsigna.com>
To: ipfw mailing list <ipfw@freebsd.org>
Cc: Julian Elischer <julian@freebsd.org>
Subject: Re: your thoughts on a particular ipfw action.
Message-ID: <AE91DE1F-82B5-413C-826C-085231906C5F@obsigna.com>
In-Reply-To: <7f573fc4-2820-ebd3-7b15-d8a1cd023372@freebsd.org>
References: <7f573fc4-2820-ebd3-7b15-d8a1cd023372@freebsd.org>
> On 02.08.2016 at 05:08, Julian Elischer <julian@freebsd.org> wrote:
>
> looking for thoughts from people who know the new IPFW features well..
>
>
> A recent addition to our armory is the geoip program that, given an address can tell you what country it is in and given a country code, can give an ipfw table that describes all the ip addresses in that country.
>
> SO I was thinking how to use this, and the obvious way would be to have a set of rules for each country, and use the "skipto tablearg" facility to skip to the right rules for each country. But the trouble is that a tablearg skipto is very inefficient. It's also a hard thing to set up with a set of rules for each country (how many countries are there in the internet allocation system?).

As of today a total of 236 country codes are in use for IPv4 delegations. If this helps for anything, a command line switch to the geoip tool could be added for letting it output the country code (as the hex encoded CC taken as a plain decimal integer) as the value for the given table entry. At the moment you can give one value for all entries generated by geoip; with this switch set, the output of geoip could look like:

$ geoip -t "DE:BR:US" -x
...
table 0 add 93.157.48.0/21 4445
table 0 add 93.158.236.0/22 4252
table 0 add 93.159.96.0/19 4445
table 0 add 93.159.248.0/21 4445
table 0 add 93.180.72.0/21 4445
table 0 add 93.180.152.0/21 4445
table 0 add 93.181.0.0/18 4445
table 0 add 93.183.0.0/18 5553
...

Given that ...

0x4445 = 'DE'
0x4252 = 'BR'
0x5553 = 'US'

..., IT people who know by heart the low ASCII table like chemists (are supposed to) know the periodic table of the elements, this should be not too hard to remember.

> Another way would be to just put 'action numbers' in the tablearg field and have a few actions, shared by countries, but the trouble comes when you want to change the action for a country, you need to rewrite potentially thousands of entries (USA has over 15800 allocations).

Two or more geoip commands can be used for populating ipfw tables for different utilization in ipfw directives:

# Europe
geoip -t "FR:IT:DE:NL:BE:GB:..." -n 1 -x | ipfw -q /dev/stdin

# North America
geoip -t "US:CA" -n 2 -x | ipfw -q /dev/stdin

# South America
geoip -t "AR:BR:UR:CL:PY:BO:PE..." -n 3 -x | ipfw -q /dev/stdin
...

> A second way would be to somehow map the tablearg of the country, into a table of actions. effectively doing two levels of lookup.
>
> The first table converting IP addresses to a country number and a second lookup converting that to an action.
>
> the only trouble is that I don't know of a way to do that. If the new changes allow that, and anyone knows how, please let me know :-).

Looking up a given IP in the totally balanced binary search tree takes on a decent system on average about 10-20 nanoseconds. So in theory 50 to 100 million packets per second could be filtered by this algorithm. In order to come closer to this performance in reality, it might be an option to move the search algorithm into ipfw.

Best regards

Rolf
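Added illustration (not code from this thread, from the geoip tool or from ipfw): the Python below models the two ideas discussed above, namely encoding a country code as the hex digits of its two ASCII bytes read as a plain decimal integer (DE -> 4445, BR -> 4252, US -> 5553), and the two-level lookup Julian asks about (prefix -> country value -> action). The prefixes are the ones quoted in the message; the sample IPs, the action map, and all function and class names are constructed for the example, and the bisection table is a stand-in for an ipfw table, not its implementation. One caveat the example handles: reading hex digits as a decimal number only works when every hex digit is 0-9, i.e. when both letters fall in A-I or P-Y (codes containing J-O or Z, such as NL, produce digits A-F), so the block also offers a 16-bit-integer variant (DE -> 0x4445 -> 17477) as my own assumed alternative, which the thread does not propose.

```python
"""Country-code tablearg encoding plus a two-level (prefix -> country -> action) lookup."""
import bisect
import ipaddress


def _check(cc):
    # Two upper-case ASCII letters, as in the ISO 3166 codes geoip consumes
    if len(cc) != 2 or not cc.isascii() or not cc.isalpha() or not cc.isupper():
        raise ValueError(f"expected a two-letter upper-case country code, got {cc!r}")


def hex_digits(cc):
    """'DE' -> '4445': the ASCII bytes of the code written as hex digits."""
    _check(cc)
    return cc.encode("ascii").hex().upper()


def encodable(cc):
    """True when all hex digits are 0-9, i.e. both letters lie in A-I or P-Y."""
    return hex_digits(cc).isdigit()


def cc_to_tablearg(cc):
    """The scheme proposed in the thread: read the hex digits as a decimal integer (DE -> 4445)."""
    digits = hex_digits(cc)
    if not digits.isdigit():
        # e.g. 'NL' -> '4E4C': letters J-O and Z yield hex digits A-F, so this is not a decimal number
        raise ValueError(f"{cc!r} hex-encodes to {digits}, which cannot be read as a decimal integer")
    return int(digits)


def tablearg_to_cc(value):
    """Inverse of cc_to_tablearg: 4445 -> 'DE'."""
    return bytes.fromhex(f"{value:04d}").decode("ascii")


def cc_to_tablearg_int16(cc):
    """Assumed alternative, not from the thread: the two bytes as a big-endian integer
    (DE -> 0x4445 -> 17477). Works for every code and still fits an ipfw table value."""
    _check(cc)
    return int.from_bytes(cc.encode("ascii"), "big")


def table_lines(table_no, entries):
    """Render (cidr, cc) pairs in the 'table N add cidr value' form shown in the message."""
    return [f"table {table_no} add {cidr} {cc_to_tablearg(cc)}" for cidr, cc in entries]


class PrefixTable:
    """Stand-in for the first ipfw table: non-overlapping prefixes searched by bisection, O(log n)."""

    def __init__(self, entries):
        rows = []
        for cidr, cc in entries:
            net = ipaddress.ip_network(cidr, strict=True)
            rows.append((int(net.network_address), int(net.broadcast_address), cc_to_tablearg(cc)))
        rows.sort()
        self._starts = [start for start, _, _ in rows]
        self._rows = rows

    def lookup(self, ip):
        """Return the country value for ip, or None when no prefix covers it."""
        addr = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(self._starts, addr) - 1
        if i < 0:
            return None
        start, end, value = self._rows[i]
        return value if start <= addr <= end else None


# Constructed sample: prefixes quoted in the thread, with their country codes
SAMPLE_ENTRIES = [
    ("93.157.48.0/21", "DE"),
    ("93.158.236.0/22", "BR"),
    ("93.159.96.0/19", "DE"),
    ("93.183.0.0/18", "US"),
]

# Second-level table (constructed policy): country value -> action.
# Changing a country's action means editing one entry here, not rewriting thousands of prefix entries.
COUNTRY_ACTION = {
    cc_to_tablearg("DE"): "allow",
    cc_to_tablearg("BR"): "allow",
    cc_to_tablearg("US"): "deny",
}


def decide(table, ip, default="deny"):
    """Two-level lookup: prefix -> country value -> action, falling back to default."""
    value = table.lookup(ip)
    if value is None:
        return default
    return COUNTRY_ACTION.get(value, default)


if __name__ == "__main__":
    for line in table_lines(0, SAMPLE_ENTRIES):
        print(line)
    table = PrefixTable(SAMPLE_ENTRIES)
    for ip in ("93.157.50.1", "93.158.236.5", "93.183.10.3", "8.8.8.8"):
        print(ip, table.lookup(ip), decide(table, ip))
```

The bisection over sorted, non-overlapping prefixes is the same O(log n) shape as the balanced binary search tree Rolf mentions; a real table with overlapping prefixes would need longest-prefix matching instead. The separate COUNTRY_ACTION map is what makes a per-country policy change a single edit rather than a rewrite of every delegation entry.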
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AE91DE1F-82B5-413C-826C-085231906C5F>