Date: Tue, 18 Mar 2003 22:31:32 +0100
From: "Simon L. Nielsen" <simon@nitro.dk>
To: "Crist J. Clark" <cjc@freebsd.org>
Cc: Wiktor Niesiobedzki <w@evip.pl>, freebsd-ipfw@freebsd.org
Subject: Re: Prioritizing empty TCP ACKs with ipfw?
Message-ID: <20030318213131.GF377@nitro.dk>
In-Reply-To: <20030318200828.GC74853@blossom.cjclark.org>
References: <20030314085636.GB64326@galgenberg.net> <el59ycqr.fsf@ID-23066.news.dfncis.de> <20030314224655.GA2616@mail.evip.pl> <20030318200828.GC74853@blossom.cjclark.org>

On 2003.03.18 12:08:28 -0800, Crist J. Clark wrote:

> Doing this calculation would be easy enough, but I think your solution
> is probably sufficient. If any change were to be made, I think
> changing the 'iplen' option to do "greater-than" and "less-than"
> checks, rather than just "equals" would be more useful in
> general. That way, you can catch ACKs with no data, but ones that also
> have a timestamp option (<53), or sack options (<53, <61, or <68,
> depending on how many you want to allow).

I actually played around with that a few days ago for this exact
purpose. See the attached patch for -CURRENT. It adds two options
instead of trying to make more complicated parsing of the iplen option
with arguments like '<', '>', '>=' and so on.

iplenmin len
        Matches IP packets whose total length, including header and data,
        is minimum len bytes (packet length >= len).

iplenmax len
        Matches IP packets whose total length, including header and data,
        is maximum len bytes (packet length <= len).

The code has been tested very little (which is the reason I have not
bothered this list with it before :) ) but in my simple tests it works
fine.

Note that the attached patch had to be untangled from some other code
I'm working on, so it may be that I got the wrong parts out, but I think
it is OK.

-- 
Simon L.
Nielsen --kfjH4zxOES6UT95V Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ipfw2-iplen.patch" Content-Transfer-Encoding: quoted-printable Index: sbin/ipfw/ipfw.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.122 diff -u -d -r1.122 ipfw.8 --- sbin/ipfw/ipfw.8 15 Mar 2003 01:13:00 -0000 1.122 +++ sbin/ipfw/ipfw.8 18 Mar 2003 20:54:22 -0000 @@ -901,6 +901,18 @@ Matches IP packets whose total length, including header and data, is .Ar len bytes. +.It Cm iplenmin Ar len +Matches IP packets whose total length, including header and data, is +minimum +.Ar len +bytes (packet length >=3D +.Ar len ) . +.It Cm iplenmax Ar len +Matches IP packets whose total length, including header and data, is +maximum +.Ar len +bytes (packet length <=3D +.Ar len ) . .It Cm ipoptions Ar spec Matches packets whose IP header contains the comma separated list of options specified in Index: sbin/ipfw/ipfw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.23 diff -u -d -r1.23 ipfw2.c --- sbin/ipfw/ipfw2.c 15 Mar 2003 01:12:59 -0000 1.23 +++ sbin/ipfw/ipfw2.c 18 Mar 2003 20:54:22 -0000 @@ -209,6 +209,8 @@ TOK_FRAG, TOK_IPOPTS, TOK_IPLEN, + TOK_IPLENMIN, + TOK_IPLENMAX, TOK_IPID, TOK_IPPRECEDENCE, TOK_IPTOS, @@ -308,6 +310,8 @@ { "ipoptions", TOK_IPOPTS }, { "ipopts", TOK_IPOPTS }, { "iplen", TOK_IPLEN }, + { "iplenmin", TOK_IPLENMIN }, + { "iplenmax", TOK_IPLENMAX }, { "ipid", TOK_IPID }, { "ipprecedence", TOK_IPPRECEDENCE }, { "iptos", TOK_IPTOS }, 
@@ -1106,6 +1110,14 @@ printf(" iplen %u", cmd->arg1 ); break; =20 + case O_IPLENMIN: + printf(" iplenmin %u", cmd->arg1 ); + break; + + case O_IPLENMAX: + printf(" iplenmax %u", cmd->arg1 ); + break; + case O_IPOPT: print_flags("ipoptions", cmd, f_ipopts); break; @@ -2962,6 +2974,18 @@ case TOK_IPLEN: NEED1("iplen requires length"); fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0)); + ac--; av++; + break; + + case TOK_IPLENMIN: + NEED1("iplenmin requires length"); + fill_cmd(cmd, O_IPLENMIN, 0, strtoul(*av, NULL, 0)); + ac--; av++; + break; + + case TOK_IPLENMAX: + NEED1("iplenmax requires length"); + fill_cmd(cmd, O_IPLENMAX, 0, strtoul(*av, NULL, 0)); ac--; av++; break; =20 Index: sys/netinet/ip_fw.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.76 diff -u -d -r1.76 ip_fw.h --- sys/netinet/ip_fw.h 15 Mar 2003 01:13:00 -0000 1.76 +++ sys/netinet/ip_fw.h 18 Mar 2003 21:00:45 -0000 @@ -72,6 +72,8 @@ =20 O_IPOPT, /* arg1 =3D 2*u8 bitmap */ O_IPLEN, /* arg1 =3D len */ + O_IPLENMIN, /* arg1 =3D len */ + O_IPLENMAX, /* arg1 =3D len */ O_IPID, /* arg1 =3D id */ =20 O_IPTOS, /* arg1 =3D id */ Index: sys/netinet/ip_fw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.28 diff -u -d -r1.28 ip_fw2.c --- sys/netinet/ip_fw2.c 15 Mar 2003 01:13:00 -0000 1.28 +++ sys/netinet/ip_fw2.c 18 Mar 2003 21:00:45 -0000 
@@ -1740,6 +1740,14 @@ match =3D (hlen > 0 && cmd->arg1 =3D=3D ip_len); break; =20 + case O_IPLENMIN: + match =3D (hlen > 0 && cmd->arg1 <=3D ip_len); + break; + + case O_IPLENMAX: + match =3D (hlen > 0 && cmd->arg1 >=3D ip_len); + break; + case O_IPPRECEDENCE: match =3D (hlen > 0 && (cmd->arg1 =3D=3D (ip->ip_tos & 0xe0)) ); @@ -2362,6 +2370,8 @@ case O_FRAG: case O_IPOPT: case O_IPLEN: + case O_IPLENMIN: + case O_IPLENMAX: case O_IPID: case O_IPTOS: case O_IPPRECEDENCE: --kfjH4zxOES6UT95V-- --jCrbxBqMcLqd4mOl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+d5Az8kocFXgPTRwRAnYSAJsFIrAVEzWx+MzHkQ1MYRm9mIHfXgCeK6Ox /pkO10FwztzMx3rBreN5A70= =+Sg+ -----END PGP SIGNATURE----- --jCrbxBqMcLqd4mOl-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
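Review bot: In the sbin/ipfw/ipfw.8 hunk, "is minimum len bytes" and "is maximum len bytes" read awkwardly. "is at least len bytes" and "is at most len bytes" say the same thing, state that the bound is inclusive, and make the parenthesised comparison unnecessary.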
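Review bot: In the sbin/ipfw/ipfw2.c hunk at @@ -2962, both new cases pass strtoul(*av, NULL, 0) straight to fill_cmd(), as the existing iplen case does. With a NULL end pointer a non-numeric argument is accepted as 0, and nothing rejects a value above 65535, the largest total length an IPv4 header can carry. For a firewall rule a silently altered bound is worse than a parse error, so parse with an end pointer and reject trailing characters and out-of-range values before calling fill_cmd().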
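Review bot: In the sys/netinet/ip_fw.h hunk, O_IPLENMIN and O_IPLENMAX are inserted between O_IPLEN and O_IPID, so if these opcodes take their values from their position in the list, as the layout suggests, every opcode after O_IPLEN shifts by two. An ipfw binary and a kernel built from different sides of this change would then disagree on what O_IPID, O_IPTOS and the following opcodes mean. Consider appending the two new opcodes at the end of the list, or state in the commit message that userland and kernel have to be rebuilt together.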
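Review bot: In the sys/netinet/ip_fw2.c hunk at @@ -1740, the new comparisons put the rule value on the left (cmd->arg1 <= ip_len for O_IPLENMIN, cmd->arg1 >= ip_len for O_IPLENMAX), which at a glance reads as the opposite of the option name. Writing them as ip_len >= cmd->arg1 and ip_len <= cmd->arg1 matches the "(packet length >= len)" wording in the man page hunk and makes a swapped operator easier to catch.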
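An added example, not part of the patch or the thread: it puts the length-only comparison used by the patch's O_IPLENMAX case next to the exact "no TCP payload" calculation mentioned in the quoted reply, to show where a length threshold over- and under-matches. The function names and the constructed sample packets are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length-only test, same comparison as the patch's O_IPLENMAX case. */
static int iplenmax_match(const uint8_t *pkt, size_t n, uint16_t limit)
{
    if (n < 20 || (pkt[0] >> 4) != 4)
        return 0;
    return (uint16_t)((pkt[2] << 8) | pkt[3]) <= limit;
}

/* Exact test: ACK set, no SYN/FIN/RST, zero payload bytes after both headers. */
static int empty_ack_exact(const uint8_t *pkt, size_t n)
{
    if (n < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t ip_len = (size_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ip_len > n || ip_len < ihl + 20)
        return 0;
    const uint8_t *tcp = pkt + ihl;
    size_t thl = (size_t)(tcp[12] >> 4) * 4;
    if (thl < 20 || ihl + thl > ip_len)
        return 0;
    if (!(tcp[13] & 0x10) || (tcp[13] & 0x07)) /* need ACK; reject FIN/SYN/RST */
        return 0;
    return ip_len == ihl + thl;
}

/* Constructed sample packet (not captured traffic): IPv4 + TCP, zero-filled. */
static size_t make_pkt(uint8_t *buf, size_t tcp_opt, size_t payload, uint8_t flags)
{
    size_t len = 20 + 20 + tcp_opt + payload;
    memset(buf, 0, len);
    buf[0] = 0x45;                       /* version 4, 20-byte IP header */
    buf[2] = (uint8_t)(len >> 8);        /* total length, high byte */
    buf[3] = (uint8_t)len;               /* total length, low byte */
    buf[9] = 6;                          /* protocol: TCP */
    buf[32] = (uint8_t)(((20 + tcp_opt) / 4) << 4); /* TCP data offset */
    buf[33] = flags;
    return len;
}

int main(void)
{
    uint8_t b[128];
    size_t n = make_pkt(b, 0, 5, 0x18);  /* PSH|ACK with 5 data bytes, 45 total */
    printf("iplenmax 52: %d, exact: %d\n", iplenmax_match(b, n, 52), empty_ack_exact(b, n));
    return 0;
}
```

A limit of 52 accepts the 45-byte data segment and rejects a 64-byte ACK that carries no data but 24 bytes of TCP options, so a rule built on length alone trades accuracy for a check that needs no TCP header parsing.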