From owner-freebsd-net@FreeBSD.ORG Mon Sep 19 15:55:50 2005
Return-Path:
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F334716A41F for ; Mon, 19 Sep 2005 15:55:49 +0000 (GMT) (envelope-from brett@lariat.org)
Received: from lariat.org (lariat.net [65.122.236.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 681D143D46 for ; Mon, 19 Sep 2005 15:55:49 +0000 (GMT) (envelope-from brett@lariat.org)
Received: from anne-o1dpaayth1.lariat.org (IDENT:ppp1000.lariat.net@lariat.net [65.122.236.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id JAA04874; Mon, 19 Sep 2005 09:55:46 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <6.2.3.4.2.20050919093314.07f62fd8@localhost>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4
Date: Mon, 19 Sep 2005 09:55:34 -0600
To: Luigi Rizzo
From: Brett Glass
In-Reply-To: <20050919081626.B67259@xorpc.icir.org>
References: <6.2.3.4.2.20050918205708.08cff430@localhost> <20050918235659.B60185@xorpc.icir.org> <6.2.3.4.2.20050919010035.07dfc448@localhost> <20050919005932.B60737@xorpc.icir.org> <6.2.3.4.2.20050919085600.07f783f0@localhost> <20050919081626.B67259@xorpc.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: net@freebsd.org
Subject: Re: Efficient use of Dummynet pipes in IPFW
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 19 Sep 2005 15:55:50 -0000

At 09:16 AM 9/19/2005, Luigi Rizzo wrote:

>> >Same as for the 'resume' option. It might be nice to have,
>> >however but there is already a two-rule version (the one i
>> >suggested, follow the non-terminating action with a skipto rule)
>> >so its absence is not blocking you from doing what you want.
>>
>> That option requires repeating ALL of the matching on the packet.
>
>absolutely not. it is the same as your 'resume' only split on two lines.

Please explain how you would render the following as just two lines
without doing all of the matching twice.

pipe 17 tcp from 0.0.0.1 to any 80 in via tun* established resume 5000

See the problem? (Hint: You can't do it in fewer than 3 lines -- 4 if
you're using a one-pass preprocessor, because you need to generate a
jump target. And jump targets in IPFW have overhead, because there
really is no such thing as a NOP in IPFW. Every rule, even a jump
target, is a counter.)

>whatever. feel free to write a high level interpreter,
>since i don't see it that way you can't expect me to do that :)

I'm certainly not asking for that! I think that the "resume" option
is a good way to deal with the problem.

--Brett Glass

P.S. -- The ability to negate an entire rule (that is, a "short
circuit NAND" of all of the conditions) would also come in handy,
though I am not sure what syntax would be best for it. Maybe placing
the "not" before the action, like this:

not skipto 5000 tcp from 0.0.0.1 to any 80 in via tun* established

Note that this isn't as efficient as a "resume" in the example I've
shown above, but can be very efficient in other situations.
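Added example, not part of this message and not ipfw code: a small Python model of IPFW-style rule evaluation that contrasts the two encodings argued over above. The "workaround" ruleset uses the existing ipfw pattern (a non-terminating pipe rule followed by a skipto rule that repeats the match body); the "resume" ruleset uses the hypothetical `resume 5000` option proposed in the thread, which is not a real ipfw keyword. Rule numbers 200 and 300, the filler rules, the packets and the `one_pass` flag (standing in for net.inet.ip.fw.one_pass) are constructed for illustration; the counts returned show how many rule bodies each encoding evaluates per packet.

```python
"""Toy model of IPFW-style rule evaluation (constructed example, not ipfw code).

It contrasts two encodings of 'shape this traffic with pipe 17, then continue
at rule 5000':
  - workaround: a pipe rule followed by a skipto rule that repeats the match
  - resume:     one pipe rule carrying a hypothetical 'resume 5000' option
and counts how many rule bodies each encoding evaluates per packet.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    dport: int
    direction: str
    iface: str
    established: bool


@dataclass
class Rule:
    number: int
    action: str                      # "pipe", "skipto", "count", "allow", "deny"
    arg: Optional[int]               # pipe number or skipto target
    match: Callable[[Packet], bool]  # the rule body ("tcp from ... established")
    resume: Optional[int] = None     # hypothetical option from the message
    hits: int = 0                    # every rule is also a counter


def match_http_established(p: Packet) -> bool:
    """Models 'tcp from 0.0.0.1 to any 80 in via tun* established'."""
    return (p.proto == "tcp" and p.src == "0.0.0.1" and p.dport == 80
            and p.direction == "in" and p.iface.startswith("tun")
            and p.established)


def match_any(p: Packet) -> bool:
    return True


def run(rules: List[Rule], pkt: Packet, one_pass: bool = False) -> Tuple[str, int, List[int]]:
    """Walk the ruleset in number order; the first terminating match wins.

    Returns (verdict, number of rule bodies evaluated, pipes traversed).
    With one_pass=True a packet leaving a pipe is accepted immediately (as with
    net.inet.ip.fw.one_pass=1); otherwise evaluation continues after the pipe rule.
    """
    rules = sorted(rules, key=lambda r: r.number)

    def index_of(target: int) -> int:
        # skipto/resume land on the first rule numbered >= target
        return next((j for j, r in enumerate(rules) if r.number >= target), len(rules))

    evals, pipes, i = 0, [], 0
    while i < len(rules):
        r = rules[i]
        evals += 1
        if not r.match(pkt):
            i += 1
            continue
        r.hits += 1
        if r.action in ("allow", "deny"):
            return r.action, evals, pipes
        if r.action == "skipto":
            i = index_of(r.arg)
            continue
        if r.action == "pipe":
            pipes.append(r.arg)
            if one_pass:
                return "allow", evals, pipes
            if r.resume is not None:
                i = index_of(r.resume)
                continue
        i += 1                       # "count" and non-terminating actions fall through
    return "deny", evals, pipes      # implicit default deny at the end


def build_rules(use_resume: bool) -> List[Rule]:
    """Constructed ruleset: rules 200 and 300 stand in for whatever sits between
    the shaping rule and the resume point at 5000."""
    rules = [
        Rule(200, "count", None, match_any),
        Rule(300, "deny", None, lambda p: p.proto == "udp"),
        Rule(5000, "allow", None, match_any),
    ]
    if use_resume:
        rules.append(Rule(100, "pipe", 17, match_http_established, resume=5000))
    else:
        rules.append(Rule(100, "pipe", 17, match_http_established))
        rules.append(Rule(110, "skipto", 5000, match_http_established))  # repeated match
    return rules


def compare(pkt: Packet) -> dict:
    """Evaluate one packet against both encodings."""
    return {
        "workaround": run(build_rules(False), pkt),
        "resume": run(build_rules(True), pkt),
    }


if __name__ == "__main__":
    shaped = Packet("tcp", "0.0.0.1", 80, "in", "tun0", True)
    other = Packet("udp", "10.0.0.9", 53, "in", "tun0", False)
    for name, pkt in (("shaped", shaped), ("other", other)):
        for enc, (verdict, evals, pipes) in compare(pkt).items():
            print(f"{name:6} {enc:10} verdict={verdict:5} evals={evals} pipes={pipes}")
```

For the shaped packet the workaround evaluates the expensive match body twice (rules 100 and 110) before reaching 5000, while the resume form evaluates it once; for a packet that does not match, the workaround still costs one extra evaluation at rule 110 on every pass. Either way the counter on every rule, skipto targets included, is what the message means by "there is no NOP in IPFW".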