Date:      Tue, 18 Mar 2003 22:31:32 +0100
From:      "Simon L. Nielsen" <simon@nitro.dk>
To:        "Crist J. Clark" <cjc@freebsd.org>
Cc:        Wiktor Niesiobedzki <w@evip.pl>, freebsd-ipfw@freebsd.org
Subject:   Re: Prioritizing empty TCP ACKs with ipfw?
Message-ID:  <20030318213131.GF377@nitro.dk>
In-Reply-To: <20030318200828.GC74853@blossom.cjclark.org>
References:  <20030314085636.GB64326@galgenberg.net> <el59ycqr.fsf@ID-23066.news.dfncis.de> <20030314224655.GA2616@mail.evip.pl> <20030318200828.GC74853@blossom.cjclark.org>


--jCrbxBqMcLqd4mOl
Content-Type: multipart/mixed; boundary="kfjH4zxOES6UT95V"
Content-Disposition: inline


--kfjH4zxOES6UT95V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable


On 2003.03.18 12:08:28 -0800, Crist J. Clark wrote:
> Doing this calculation would be easy enough, but I think your solution
> is probably sufficient. If any change were to be made, I think
> changing the 'iplen' option to do "greater-than" and "less-than"
> checks, rather than just "equals" would be more useful in
> general. That way, you can catch ACKs with no data, but ones that also
> have a timestamp option (<53), or sack options (<53, <61, or <68,
> depending on how many you want to allow).
I actually played around with that a few days ago for this exact
purpose. See the attached patch for -CURRENT.

It adds two options instead of trying to make more complicated parsing
of the iplen option with arguments like '<', '>', '>=3D' and so on.

     iplenmin len
             Matches IP packets whose total length, including header and da=
ta,
             is minimum len bytes (packet length >=3D len).

     iplenmax len
             Matches IP packets whose total length, including header and da=
ta,
             is maximum len bytes (packet length <=3D len).

The code has been tested very little (which is the reason I have not
bothered this list with it before :) ) but in my simple tests it works
fine.

Note that the attached patch had to be untangled from some other code
I'm working on, so I may have taken the wrong parts out, but I think it
is ok.

--=20
Simon L. Nielsen

--kfjH4zxOES6UT95V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ipfw2-iplen.patch"
Content-Transfer-Encoding: quoted-printable

Index: sbin/ipfw/ipfw.8
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.122
diff -u -d -r1.122 ipfw.8
--- sbin/ipfw/ipfw.8	15 Mar 2003 01:13:00 -0000	1.122
+++ sbin/ipfw/ipfw.8	18 Mar 2003 20:54:22 -0000
@@ -901,6 +901,18 @@
 Matches IP packets whose total length, including header and data, is
 .Ar len
 bytes.
+.It Cm iplenmin Ar len
+Matches IP packets whose total length, including header and data, is
+minimum
+.Ar len
+bytes (packet length >=3D
+.Ar len ) .
+.It Cm iplenmax Ar len
+Matches IP packets whose total length, including header and data, is
+maximum
+.Ar len
+bytes (packet length <=3D
+.Ar len ) .
 .It Cm ipoptions Ar spec
 Matches packets whose IP header contains the comma separated list of
 options specified in
Index: sbin/ipfw/ipfw2.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.23
diff -u -d -r1.23 ipfw2.c
--- sbin/ipfw/ipfw2.c	15 Mar 2003 01:12:59 -0000	1.23
+++ sbin/ipfw/ipfw2.c	18 Mar 2003 20:54:22 -0000
@@ -209,6 +209,8 @@
 	TOK_FRAG,
 	TOK_IPOPTS,
 	TOK_IPLEN,
+	TOK_IPLENMIN,
+	TOK_IPLENMAX,
 	TOK_IPID,
 	TOK_IPPRECEDENCE,
 	TOK_IPTOS,
@@ -308,6 +310,8 @@
 	{ "ipoptions",		TOK_IPOPTS },
 	{ "ipopts",		TOK_IPOPTS },
 	{ "iplen",		TOK_IPLEN },
+	{ "iplenmin",		TOK_IPLENMIN },
+	{ "iplenmax",		TOK_IPLENMAX },
 	{ "ipid",		TOK_IPID },
 	{ "ipprecedence",	TOK_IPPRECEDENCE },
 	{ "iptos",		TOK_IPTOS },
@@ -1106,6 +1110,14 @@
 				printf(" iplen %u", cmd->arg1 );
 				break;
=20
+			case O_IPLENMIN:
+				printf(" iplenmin %u", cmd->arg1 );
+				break;
+
+			case O_IPLENMAX:
+				printf(" iplenmax %u", cmd->arg1 );
+				break;
+
 			case O_IPOPT:
 				print_flags("ipoptions", cmd, f_ipopts);
 				break;
@@ -2962,6 +2974,18 @@
 		case TOK_IPLEN:
 			NEED1("iplen requires length");
 			fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0));
+			ac--; av++;
+			break;
+
+		case TOK_IPLENMIN:
+			NEED1("iplenmin requires length");
+			fill_cmd(cmd, O_IPLENMIN, 0, strtoul(*av, NULL, 0));
+			ac--; av++;
+			break;
+
+		case TOK_IPLENMAX:
+			NEED1("iplenmax requires length");
+			fill_cmd(cmd, O_IPLENMAX, 0, strtoul(*av, NULL, 0));
 			ac--; av++;
 			break;
=20
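Review bot: The new `TOK_IPLENMIN` and `TOK_IPLENMAX` cases pass `strtoul(*av, NULL, 0)` straight to `fill_cmd()` with no end-pointer or range check, so a non-numeric argument silently becomes 0. If `arg1` is the 16-bit field it appears to be (its declaration is not in this diff), a value above 65535 is also truncated. For a packet filter that means a mistyped bound can be installed as a rule the operator did not write, instead of being rejected. The existing `TOK_IPLEN` case in the context lines has the same pattern; the enclosing switch starts outside the hunk. A checked parse along these lines would reject bad input.

```c
		case TOK_IPLENMIN: {
			char *end;
			u_long len;

			NEED1("iplenmin requires length");
			len = strtoul(*av, &end, 0);
			if (end == *av || *end != '\0' || len > 0xffff)
				errx(EX_DATAERR, "invalid iplenmin length %s", *av);
			fill_cmd(cmd, O_IPLENMIN, 0, len);
			ac--; av++;
			break;
		}
		/* ... TOK_IPLENMAX: same check, with O_IPLENMAX and its own message ... */
```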
Index: sys/netinet/ip_fw.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.76
diff -u -d -r1.76 ip_fw.h
--- sys/netinet/ip_fw.h	15 Mar 2003 01:13:00 -0000	1.76
+++ sys/netinet/ip_fw.h	18 Mar 2003 21:00:45 -0000
@@ -72,6 +72,8 @@
=20
 	O_IPOPT,		/* arg1 =3D 2*u8 bitmap		*/
 	O_IPLEN,		/* arg1 =3D len			*/
+	O_IPLENMIN,		/* arg1 =3D len			*/
+	O_IPLENMAX,		/* arg1 =3D len			*/
 	O_IPID,			/* arg1 =3D id			*/
=20
 	O_IPTOS,		/* arg1 =3D id			*/
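Review bot: `O_IPLENMIN` and `O_IPLENMAX` are inserted in the middle of the opcode enum, which renumbers `O_IPID`, `O_IPTOS` and every later opcode. If these values are what ipfw(8) hands to the kernel inside a rule (the matching `O_…` case labels in both the userland and kernel files suggest so), a userland binary and a kernel built on different sides of this change would disagree on what an opcode means, so a rule could be rejected or matched as a different option. Appending the new entries at the end of the enum, which is not visible in this hunk, would keep the existing numbers stable. If the mid-enum position is kept for readability, a comment such as `/* inserting here renumbers later opcodes: rebuild ipfw(8) and kernel together */` would record the constraint.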
Index: sys/netinet/ip_fw2.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.28
diff -u -d -r1.28 ip_fw2.c
--- sys/netinet/ip_fw2.c	15 Mar 2003 01:13:00 -0000	1.28
+++ sys/netinet/ip_fw2.c	18 Mar 2003 21:00:45 -0000
@@ -1740,6 +1740,14 @@
 				match =3D (hlen > 0 && cmd->arg1 =3D=3D ip_len);
 				break;
=20
+			case O_IPLENMIN:
+				match =3D (hlen > 0 && cmd->arg1 <=3D ip_len);
+				break;
+
+			case O_IPLENMAX:
+				match =3D (hlen > 0 && cmd->arg1 >=3D ip_len);
+				break;
+
 			case O_IPPRECEDENCE:
 				match =3D (hlen > 0 &&
 				    (cmd->arg1 =3D=3D (ip->ip_tos & 0xe0)) );
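Review bot: The new comparisons put the rule argument on the left, `cmd->arg1 <= ip_len` and `cmd->arg1 >= ip_len`, which reads as the opposite of the man page text added in this patch (`packet length >= len`, `packet length <= len`). The logic is equivalent, but in filter code an inverted-looking bound is easy to misread during review. Writing `match = (hlen > 0 && ip_len >= cmd->arg1);` for `O_IPLENMIN` and `match = (hlen > 0 && ip_len <= cmd->arg1);` for `O_IPLENMAX` would mirror the documentation. The enclosing switch starts and ends outside the hunk.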
@@ -2362,6 +2370,8 @@
 		case O_FRAG:
 		case O_IPOPT:
 		case O_IPLEN:
+		case O_IPLENMIN:
+		case O_IPLENMAX:
 		case O_IPID:
 		case O_IPTOS:
 		case O_IPPRECEDENCE:

--kfjH4zxOES6UT95V--

--jCrbxBqMcLqd4mOl
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+d5Az8kocFXgPTRwRAnYSAJsFIrAVEzWx+MzHkQ1MYRm9mIHfXgCeK6Ox
/pkO10FwztzMx3rBreN5A70=
=+Sg+
-----END PGP SIGNATURE-----

--jCrbxBqMcLqd4mOl--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message



