From: Brett Glass
To: Luigi Rizzo, Jeremie Le Hen
Cc: net@freebsd.org
Date: Mon, 19 Sep 2005 11:20:46 -0600
Subject: Re: Efficient use of Dummynet pipes in IPFW
Message-Id: <6.2.3.4.2.20050919105218.07f5b0d8@localhost>
In-Reply-To: <20050919092003.A69332@xorpc.icir.org>

At 10:20 AM 9/19/2005, Luigi Rizzo wrote:

>original
>
>        ipfw add 1000 dosomething cond1 cond2 cond3 cond4 cond5 ... condN
>
>negated:
>
>        ipfw add 1000 skipto 1001 cond1 cond2 cond3 cond4 cond5 ... condN
>        ipfw add 1000 dosomething

This doesn't work, because you must transform cond1 && cond2 && cond3... into
multiple rules that implement ~(cond1 || cond2 || cond3...). So, you'd need to
do the following:

    ipfw add 1000 skipto 1001 not cond1
    ipfw add 1000 skipto 1001 not cond2
    ... (N rules total)
    ipfw add 1000 skipto 1001 not condN
    ipfw add 1000 dosomething
    ipfw add 1000 skipto 5000 // Where to resume on success
    ipfw add 1001 // Jump target; implemented in IPFW as "count ip from any to any"

The other way to do it is via "spaghetti rules:"

    ipfw add 1000 skipto 1002 cond1 cond2 cond3 cond4 cond5 ... condN
    ipfw add 1001 skipto 1003
    ipfw add 1002 dosomething
    ipfw add 1002 skipto 5000 // Where to resume on success
    ipfw add 1003 // Jump target; implemented inside IPFW as "count ip from any to any"

Or you can do the entire pattern match twice:

    ipfw add 1000 dosomething cond1 cond2 cond3 cond4 cond5 ... condN
    ipfw add 1000 skipto 5000 cond1 cond2 cond3 cond4 cond5 ... condN

--Brett
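The three rule layouts in this message can be compared with a small model of the ipfw rule walk, run over every combination of condition results. This is an added example, not part of the original post: it assumes `dosomething` is a non-terminating action, that `skipto N` resumes at the first rule numbered N or higher, and it uses three constructed conditions in place of cond1..condN.

```python
from itertools import product

CONDS = ("cond1", "cond2", "cond3")  # constructed stand-ins for cond1..condN

def rule(num, action, target=None, conds=(), neg=False):
    return (num, action, target, tuple(conds), neg)

# Layout 1: one negated skipto per condition (N rules), then the action.
NEGATED = [rule(1000, "skipto", 1001, [c], neg=True) for c in CONDS] + [
    rule(1000, "do"), rule(1000, "skipto", 5000), rule(1001, "nop")]
# Layout 2: the "spaghetti rules".
SPAGHETTI = [rule(1000, "skipto", 1002, CONDS), rule(1001, "skipto", 1003),
             rule(1002, "do"), rule(1002, "skipto", 5000), rule(1003, "nop")]
# Layout 3: the entire pattern match done twice.
TWICE = [rule(1000, "do", conds=CONDS), rule(1000, "skipto", 5000, CONDS)]

def run(rules, truth):
    """Walk the block; return (times the action ran, where the packet resumes)."""
    i, done = 0, 0
    while i < len(rules):
        num, action, target, conds, neg = rules[i]
        hit = all(truth[c] for c in conds) != neg  # no conds means always match
        if hit and action == "skipto":
            # Assumption: skipto N resumes at the first rule numbered N or higher.
            later = [j for j, r in enumerate(rules) if r[0] >= target]
            if not later:
                return done, target  # target lies beyond this block
            i = later[0]
            continue
        if hit and action == "do":
            done += 1  # assumed non-terminating, like "count"
        i += 1
    return done, "next"  # fell off the end of the block

def outcomes(rules):
    """Map each truth assignment of CONDS to the block's result."""
    table = {}
    for bits in product((False, True), repeat=len(CONDS)):
        table[bits] = run(rules, dict(zip(CONDS, bits)))
    return table

if __name__ == "__main__":
    for name, rs in (("negated", NEGATED), ("spaghetti", SPAGHETTI),
                     ("twice", TWICE)):
        print(name, len(rs), "rules:", outcomes(rs))
```

All three layouts give the same result for every assignment; they differ in rule count (N + 3, 5 and 2) and in how many times the conditions are evaluated per packet.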