From owner-freebsd-ipfw@freebsd.org Mon Jul 25 17:41:10 2016
Subject: Re: ipfw divert filter for IPv4 geo-blocking
From: "Dr. Rolf Jansen" 
Date: Mon, 25 Jul 2016 14:41:00 -0300
To: freebsd-ipfw@freebsd.org
Cc: Michael Sierchio, Jan Bramkamp
Message-Id: <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com>
References: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com>
List-Id: IPFW Technical Discussions

> On 25.07.2016 at 12:47, Michael Sierchio wrote:
>
> Writing a divert daemon is a praiseworthy project, but I think you could do
> this without sending packets to user land.
>
> You could use tables - …

> On 25.07.2016 at 14:01, Jan Bramkamp wrote:
>
> I would use a set of IPFW tables with skipto/call tablearg rules instead …

Michael and Jan, many thanks for your suggestions.

As everybody knows, 'Many roads lead to Rome.', and I am already there. I don't feel like going all the way back only for the sake of trying out other routes.

Once a week, the IP ranges are compiled from original sources into a binary sorted table, containing as of today 83162 consolidated range/cc pairs. On starting up, the divert daemon reads the binary file in one block and stores the ranges into a totally balanced binary search tree. Looking up a country code for a given IPv4 address in the BST takes on average 20 nanoseconds on an AWS-EC2 micro instance. I don't know the overhead of diverting, though. I guess this may be one or two orders of magnitude higher. Even so, I won't see any performance issues.

Independent from the actual usage case (geo-blocking), let's talk about divert filtering in general. The original question, which is still unanswered, can be generalized to whether "dropping/denying" a packet simply means 'forget about it' or whether the divert filter is required to do something more involved, e.g. communicate the situation somehow to ipfw.

Best regards

Rolf
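The lookup Rolf describes (a sorted table of consolidated range/cc pairs, searched in O(log n)) is illustrated below as an added example; it is not code from Rolf's daemon or from FreeBSD. It uses a sorted array with binary search rather than a balanced BST, which gives the same logarithmic lookup over the same data, and the range table is a constructed sample, not real country allocations. The `should_pass` function models the daemon's per-packet decision: under divert(4), a packet the daemon reads but does not write back to the divert socket is not reinjected, so "drop" is simply not writing it back.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* One consolidated range/cc pair: inclusive bounds in host byte order. */
struct ip_range {
    uint32_t lo;
    uint32_t hi;
    char cc[3];
};

/* Constructed sample table (not real allocations): sorted by lo, non-overlapping. */
static const struct ip_range sample_table[] = {
    { 0x0A000000u, 0x0AFFFFFFu, "AA" },   /* 10.0.0.0   - 10.255.255.255 */
    { 0x0B000000u, 0x0B0000FFu, "BB" },   /* 11.0.0.0   - 11.0.0.255     */
    { 0x0B000100u, 0x0B00FFFFu, "CC" },   /* 11.0.1.0   - 11.0.255.255   */
    { 0xC0A80000u, 0xC0A8FFFFu, "DD" },   /* 192.168.0.0 - 192.168.255.255 */
};
static const size_t sample_table_len = sizeof sample_table / sizeof sample_table[0];

/* Binary search over the sorted, non-overlapping ranges.
 * Returns the country code, or NULL when the address falls in a gap. */
const char *lookup_cc(const struct ip_range *tbl, size_t n, uint32_t addr)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (addr < tbl[mid].lo)
            hi = mid;
        else if (addr > tbl[mid].hi)
            lo = mid + 1;
        else
            return tbl[mid].cc;
    }
    return NULL;
}

/* Parse a dotted quad into a host-order uint32; returns 1 on success, 0 on failure. */
int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Geo-blocking verdict: 1 = pass (write the packet back to the divert socket),
 * 0 = drop (do not write it back). Addresses with no listed range pass;
 * that is a policy assumption of this example, not of Rolf's daemon. */
int should_pass(const char *cc, const char *const *blocked, size_t nblocked)
{
    if (cc == NULL)
        return 1;
    for (size_t i = 0; i < nblocked; i++)
        if (strcmp(cc, blocked[i]) == 0)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed block list and sample addresses for a stand-alone run. */
    const char *const blocked[] = { "BB", "DD" };
    const char *samples[] = { "10.1.2.3", "11.0.0.7", "11.0.5.1", "11.1.0.0", "192.168.1.1" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t addr;
        if (!parse_ipv4(samples[i], &addr)) {
            printf("%-14s parse error\n", samples[i]);
            continue;
        }
        const char *cc = lookup_cc(sample_table, sample_table_len, addr);
        int pass = should_pass(cc, blocked, 2);
        printf("%-14s cc=%-4s %s\n", samples[i], cc ? cc : "--", pass ? "pass" : "drop");
    }
    return 0;
}
```

In a real daemon the table would be loaded from the weekly binary file in one read, as the mail describes; the search loop itself is the same whether the ranges sit in a sorted array or a balanced tree.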