From owner-freebsd-bugs@FreeBSD.ORG Tue Feb 26 14:40:01 2008 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 76DD41065675 for ; Tue, 26 Feb 2008 14:40:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 591CA13C468 for ; Tue, 26 Feb 2008 14:40:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m1QEe1uW002347 for ; Tue, 26 Feb 2008 14:40:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m1QEe140002346; Tue, 26 Feb 2008 14:40:01 GMT (envelope-from gnats) Resent-Date: Tue, 26 Feb 2008 14:40:01 GMT Resent-Message-Id: <200802261440.m1QEe140002346@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Marcelo Araujo" Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AB8661065671 for ; Tue, 26 Feb 2008 14:39:50 +0000 (UTC) (envelope-from araujo@FreeBSD.org) Received: from mail.intelbras.com.br (mail.intelbras.com.br [201.24.77.45]) by mx1.freebsd.org (Postfix) with ESMTP id 3939913C45E for ; Tue, 26 Feb 2008 14:39:49 +0000 (UTC) (envelope-from araujo@FreeBSD.org) Received: from localhost (localhost.intelbras.com.br [127.0.0.1]) by mail.intelbras.com.br (Postfix) with ESMTP id D9DF72DA503 for ; Tue, 26 Feb 2008 11:39:43 -0300 (BRT) Received: from mail.intelbras.com.br ([127.0.0.1]) by localhost (copernicus.intelbras.com.br [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pn6SW3NI3WQb for ; Tue, 26 Feb 2008 11:39:43 -0300 (BRT) Received: from island.freebsd.org (unknown [192.168.130.1]) by mail.intelbras.com.br (Postfix) with ESMTP id 7F8122DA4F5 for ; Tue, 26 Feb 2008 11:39:43 -0300 (BRT) Message-Id: <1204036783.38664@island.freebsd.org> Date: Tue, 26 Feb 2008 11:39:43 -0300 From: "Marcelo Araujo" To: "FreeBSD gnats submit" X-Send-Pr-Version: gtk-send-pr 0.4.8 Cc: Subject: kern/121122: [ipfw] [patch] add support to ToS IP PRECEDENCE fields X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Feb 2008 14:40:01 -0000 >Number: 121122 >Category: kern >Synopsis: [ipfw] [patch] add support to ToS IP PRECEDENCE fields >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Tue Feb 26 14:40:01 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Marcelo Araujo >Release: FreeBSD 7.0-PRERELEASE i386 >Organization: FreeBSD >Environment: System: FreeBSD 7.0-PRERELEASE #10: Mon Feb 25 08:41:00 BRT 2008 araujo@island.freebsd.org:/usr/obj/usr/src/sys/ISLAND >Description: The patch add some features described in: - RFC 0791 - RFC 1122 - RFC 1349 - http://www3.tools.ietf.org/html/draft-xiao-tcp-prec-01 You can change the IP PRECEDENCE fields within ToS header, you can also check packages that have this mark within your network, some benefits are relevant, you can classifies many type of packages and prioritize it in your network. 1 - Set some type of IP PRECEDENCE inside a package: ipfw add 10 iptospre flashover ip from any to any 2 - You can check packages within your network that have the IP PRECEDENCE fields: ipfw add 11 count ip from any to any iptospre flashover The patch is based in PR kern/102471, novel@ thanks for your help. References: http://code.google.com/p/exports/wiki/ToSWorkAround >How-To-Repeat: >Fix: --- ipfw-ToS8bits.diff begins here --- Index: sbin/ipfw/ipfw2.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.117 diff -u -r1.117 ipfw2.c --- sbin/ipfw/ipfw2.c 24 Feb 2008 15:37:45 -0000 1.117 +++ sbin/ipfw/ipfw2.c 26 Feb 2008 14:37:20 -0000 @@ -177,6 +177,18 @@ { NULL, 0 } }; +static struct _s_x f_iptospre[] = { + { "netcontrol", IPTOSPRE_NETCONTROL}, + { "intercontrol", IPTOSPRE_INTERCONTROL}, + { "criticecp", IPTOSPRE_CRITICECP}, + { "flashover", IPTOSPRE_FLASHOVER}, + { "flash", IPTOSPRE_FLASH}, + { "immediate", IPTOSPRE_IMMEDIATE}, + { "priority", IPTOSPRE_PRIORITY}, + { "routine", IPTOSPRE_ROUTINE}, + { NULL, 0} +}; + static struct _s_x f_iptos[] = { { "lowdelay", IPTOS_LOWDELAY}, { "throughput", IPTOS_THROUGHPUT}, @@ -282,6 +294,7 @@ TOK_IPLEN, TOK_IPID, TOK_IPPRECEDENCE, + TOK_IPTOSPRE, TOK_IPTOS, TOK_IPTTL, TOK_IPVER, @@ -317,6 +330,7 @@ TOK_GRED, TOK_DROPTAIL, TOK_PROTO, + TOK_SETIPTOSPRE, TOK_WEIGHT, TOK_IP, TOK_IF, @@ -411,6 +425,7 @@ { "unreach6", TOK_UNREACH6 }, { "unreach", TOK_UNREACH }, { "check-state", TOK_CHECKSTATE }, + { "iptospre", TOK_SETIPTOSPRE }, { "//", TOK_COMMENT }, { "nat", TOK_NAT }, { NULL, 0 } /* terminator */ @@ -449,6 +464,7 @@ { "ipid", TOK_IPID }, { "ipprecedence", TOK_IPPRECEDENCE }, { "iptos", TOK_IPTOS }, + { "iptospre", TOK_IPTOSPRE }, { "ipttl", TOK_IPTTL }, { "ipversion", TOK_IPVER }, { "ipver", TOK_IPVER }, @@ -1599,6 +1615,10 @@ } break; + case O_SETIPTOSPRE: + printf("iptospre %s", match_value(f_iptospre, cmd->arg1)); + break; + case O_LOG: /* O_LOG is printed last */ logptr = (ipfw_insn_log *)cmd; break; @@ -1910,6 +1930,10 @@ printf(" established"); break; + case O_IPTOSPRE: + printf(" iptospre %s", match_value(f_iptospre, cmd->arg1)); + break; + case O_TCPDATALEN: if (F_LEN(cmd) == 1) printf(" tcpdatalen %u", cmd->arg1 ); @@ -2712,7 +2736,7 @@ "RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n" "ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n" " skipto N | {divert|tee} PORT | forward ADDR |\n" -" pipe N | queue N | nat N\n" +" pipe N | queue N | iptospre CODE | nat N\n" "PARAMS: [log [logamount LOGLIMIT]] [altq QUEUE_NAME]\n" "ADDR: [ MAC dst src ether_type ] \n" " [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n" @@ -2725,6 +2749,7 @@ "OPTION: bridged | diverted | diverted-loopback | diverted-output |\n" " {dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |\n" " {dst-port|src-port} LIST |\n" +" iptospre CODE | {dst-ip|src-ip} IPADDR |\n" " estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |\n" " iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |\n" " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n" @@ -4848,6 +4873,12 @@ action->opcode = O_COUNT; break; + case TOK_SETIPTOSPRE: + NEED1("need iptospre arg\n"); + fill_flags(action, O_SETIPTOSPRE, f_iptospre, *av); + ac--; av++; + break; + case TOK_NAT: action->opcode = O_NAT; action->len = F_INSN_SIZE(ipfw_insn_nat); @@ -5334,6 +5365,12 @@ ac--; av++; break; + case TOK_IPTOSPRE: + NEED1("missing argument for iptospre"); + fill_flags(cmd, O_IPTOSPRE, f_iptospre, *av); + ac--; av++; + break; + case TOK_IPTOS: NEED1("missing argument for iptos"); fill_flags(cmd, O_IPTOS, f_iptos, *av); Index: sys/netinet/ip_fw.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.111 diff -u -r1.111 ip_fw.h --- sys/netinet/ip_fw.h 25 Jan 2008 14:38:27 -0000 1.111 +++ sys/netinet/ip_fw.h 26 Feb 2008 14:37:21 -0000 @@ -161,6 +161,9 @@ O_TAG, /* arg1=tag number */ O_TAGGED, /* arg1=tag number */ + O_SETIPTOSPRE, /* Add ToS PRECEDENCE support. */ + O_IPTOSPRE, /* Add ToS PRECEDENCE support. */ + O_LAST_OPCODE /* not an opcode! */ }; @@ -510,6 +513,16 @@ #define IP_FW_IPOPT_RR 0x04 #define IP_FW_IPOPT_TS 0x08 +/* Definitions for IP ToS PRECEDENCE. */ +#define IPTOSPRE_NETCONTROL 224 /* bin = 111 dec = 224 hex = 0xe0 */ +#define IPTOSPRE_INTERCONTROL 192 /* bin = 110 dec = 192 hex = 0xc0 */ +#define IPTOSPRE_CRITICECP 160 /* bin = 101 dec = 160 hex = 0xa0 */ +#define IPTOSPRE_FLASHOVER 128 /* bin = 100 dec = 128 hex = 0x80 */ +#define IPTOSPRE_FLASH 96 /* bin = 011 dec = 96 hex = 0x60 */ +#define IPTOSPRE_IMMEDIATE 64 /* bin = 010 dec = 64 hex = 0x40 */ +#define IPTOSPRE_PRIORITY 32 /* bin = 001 dec = 32 hex = 0x20 */ +#define IPTOSPRE_ROUTINE 0 /* bin = 000 dec = 0 hex = 0x00 */ + /* * Definitions for TCP option names. */ @@ -626,5 +639,22 @@ extern ip_fw_chk_t *ip_fw_chk_ptr; #define IPFW_LOADED (ip_fw_chk_ptr != NULL) +/* Some novel@ code. */ +#define ADJUST_CHECKSUM(acc, cksum) \ + do { \ + acc += cksum; \ + if (acc < 0) { \ + acc = -acc; \ + acc = (acc >> 16) + (acc & 0xffff); \ + acc += acc >> 16; \ + cksum = (u_short) ~acc; \ + } else { \ + acc = (acc >> 16) + (acc & 0xffff); \ + acc += acc >> 16; \ + cksum = (u_short) acc; \ + } \ + } while (0) +/* Some novel@ code. */ + #endif /* _KERNEL */ #endif /* _IPFW2_H */ Index: sys/netinet/ip_fw2.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.181 diff -u -r1.181 ip_fw2.c --- sys/netinet/ip_fw2.c 24 Feb 2008 15:37:45 -0000 1.181 +++ sys/netinet/ip_fw2.c 26 Feb 2008 14:37:25 -0000 @@ -177,6 +177,21 @@ extern int ipfw_chg_hook(SYSCTL_HANDLER_ARGS); +/* some @novel code. */ +static __inline int +twowords(void *p) { + uint8_t *c = p; +#if BYTE_ORDER == LITTLE_ENDIAN + uint16_t s1 = ((uint16_t)c[1] << 8) + (uint16_t)c[0]; + uint16_t s2 = ((uint16_t)c[3] << 8) + (uint16_t)c[2]; +#else + uint16_t s1 = ((uint16_t)c[0] << 8) + (uint16_t)c[1]; + uint16_t s2 = ((uint16_t)c[2] << 8) + (uint16_t)c[3]; +#endif + return (s1 + s2); +} +/* some @novel code. */ + #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, @@ -2700,6 +2715,7 @@ for (; f; f = f->next) { ipfw_insn *cmd; uint32_t tablearg = 0; + int accumulate; /* Novel@ code. */ int l, cmdlen, skip_or; /* skip rest of OR block */ again: @@ -3006,6 +3022,11 @@ flags_match(cmd, ip->ip_tos)); break; + case O_IPTOSPRE: + match = (is_ipv4 && + flags_match(cmd, ip->ip_tos)); + break; + case O_TCPDATALEN: if (proto == IPPROTO_TCP && offset == 0) { struct tcphdr *tcp; @@ -3322,6 +3343,18 @@ match = 1; break; + /* Insert within IP ToS PRECEDENCE field. */ + case O_SETIPTOSPRE: + accumulate = twowords(&ip->ip_tos); + ip->ip_tos= cmd->arg1; + accumulate -= twowords(&ip->ip_tos); + ADJUST_CHECKSUM(accumulate, ip->ip_sum); + f->pcnt++; /* update stats */ + f->bcnt += pktlen; + f->timestamp = time_second; + goto next_rule; + /* Insert within IP ToS PRECEDENCE field. */ + case O_PROBE_STATE: case O_CHECK_STATE: /* @@ -4119,6 +4152,7 @@ case O_FRAG: case O_DIVERTED: case O_IPOPT: + case O_IPTOSPRE: case O_IPTOS: case O_IPPRECEDENCE: case O_IPVER: @@ -4142,6 +4176,10 @@ goto bad_size; break; + case O_SETIPTOSPRE: + have_action = 1; + break; + case O_UID: case O_GID: case O_JAIL: --- ipfw-ToS8bits.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted: