Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 12 May 2014 15:39:23 GMT
From:      Bill Yuan <bycn82@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/189720: pps action for ipfw
Message-ID:  <201405121539.s4CFdNNT011901@cgiserv.freebsd.org>
Resent-Message-ID: <201405121540.s4CFe04I081708@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         189720
>Category:       kern
>Synopsis:       pps action for ipfw
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 12 15:40:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Bill Yuan
>Release:        FB10Stable
>Organization:
cozilyworks
>Environment:
FreeBSD FB10Stable 10.0-STABLE FreeBSD 10.0-STABLE #0 r265900: Mon May 12 13:41:15 UTC 2014     root@FB10Stable:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
pps action for ipfw
pps: packet for second (millisecond)

usage:
    ipfw add pps 1 50 tcp from any to any


man page

 pps limit duration
             Rule with the pps keyword will allow the first limit packets in
             each duration milliseconds
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: sbin/ipfw/ipfw.8
===================================================================
--- sbin/ipfw/ipfw.8	(revision 265916)
+++ sbin/ipfw/ipfw.8	(working copy)
@@ -603,6 +603,14 @@
 Note: logging is done after all other packet matching conditions
 have been successfully verified, and before performing the final
 action (accept, deny, etc.) on the packet.
+.It Cm pps Ar limit duration
+Rule with the 
+.Cm pps
+keyword will allow the first
+.Ar limit
+packets in each 
+.Ar duration 
+milliseconds
 .It Cm tag Ar number
 When a packet matches a rule with the
 .Cm tag
Index: sbin/ipfw/ipfw2.c
===================================================================
--- sbin/ipfw/ipfw2.c	(revision 265916)
+++ sbin/ipfw/ipfw2.c	(working copy)
@@ -244,6 +244,7 @@
 	{ "allow",		TOK_ACCEPT },
 	{ "permit",		TOK_ACCEPT },
 	{ "count",		TOK_COUNT },
+	{ "pps",		TOK_PPS },
 	{ "pipe",		TOK_PIPE },
 	{ "queue",		TOK_QUEUE },
 	{ "divert",		TOK_DIVERT },
@@ -1231,7 +1232,12 @@
 		case O_SKIPTO:
 			PRINT_UINT_ARG("skipto ", cmd->arg1);
 			break;
-
+		case O_PPS:
+			{
+			ipfw_insn_pps *pps=(ipfw_insn_pps *)cmd;
+			printf("pps %d %d",cmd->arg1,pps->duration);
+			break;
+			}
 		case O_PIPE:
 			PRINT_UINT_ARG("pipe ", cmd->arg1);
 			break;
@@ -2985,7 +2991,23 @@
 	case TOK_COUNT:
 		action->opcode = O_COUNT;
 		break;
-
+	
+	case TOK_PPS:
+		action->opcode = O_PPS;
+		ipfw_insn_pps *p = (ipfw_insn_pps *)action;
+		action->len = F_INSN_SIZE(ipfw_insn_pps);
+		if (isdigit(**av)) {
+			action->arg1 = strtoul(*av, NULL, 10);
+			av++;
+		}else
+			errx(EX_USAGE, "illegal argument pps `limit` %s", *av);
+		if (isdigit(**av)) {
+			p->duration = strtoul(*av, NULL, 10);
+			av++;
+		}else
+			errx(EX_USAGE,"illegal arugment pps `duration` %s", *av);
+		break;
+	
 	case TOK_NAT:
 		action->opcode = O_NAT;
 		action->len = F_INSN_SIZE(ipfw_insn_nat);
Index: sbin/ipfw/ipfw2.h
===================================================================
--- sbin/ipfw/ipfw2.h	(revision 265916)
+++ sbin/ipfw/ipfw2.h	(working copy)
@@ -92,6 +92,7 @@
 	TOK_NGTEE,
 	TOK_FORWARD,
 	TOK_SKIPTO,
+	TOK_PPS,
 	TOK_DENY,
 	TOK_REJECT,
 	TOK_RESET,
Index: sys/netinet/ip_fw.h
===================================================================
--- sys/netinet/ip_fw.h	(revision 265916)
+++ sys/netinet/ip_fw.h	(working copy)
@@ -165,6 +165,7 @@
 	O_REJECT,		/* arg1=icmp arg (same as deny)	*/
 	O_COUNT,		/* none				*/
 	O_SKIPTO,		/* arg1=next rule number	*/
+	O_PPS,			/* arg1=limit, pps->duration */
 	O_PIPE,			/* arg1=pipe number		*/
 	O_QUEUE,		/* arg1=queue number		*/
 	O_DIVERT,		/* arg1=port number		*/
@@ -378,6 +379,15 @@
 } ipfw_insn_log;
 
 /*
+ * This is used for PPS
+ */
+typedef struct _ipfw_insn_pps{
+	ipfw_insn o;
+	uint32_t start_time;
+	uint16_t count;
+	uint16_t duration;
+} ipfw_insn_pps;
+/*
  * Data structures required by both ipfw(8) and ipfw(4) but not part of the
  * management API are protected by IPFW_INTERNAL.
  */
Index: sys/netpfil/ipfw/ip_fw2.c
===================================================================
--- sys/netpfil/ipfw/ip_fw2.c	(revision 265916)
+++ sys/netpfil/ipfw/ip_fw2.c	(working copy)
@@ -2179,7 +2179,24 @@
 			    skip_or = 0;
 			    continue;
 			    break;	/* not reached */
-
+			case O_PPS:{
+				ipfw_insn_pps *pps = (ipfw_insn_pps *)cmd;
+				if(pps->start_time+pps->duration >= ticks){
+					if(pps->count < cmd->arg1){
+						retval = IP_FW_PASS;
+					}else{
+						retval = IP_FW_DENY;
+					}
+					pps->count++;
+				}else{
+					pps->start_time=ticks;
+					pps->count=1;
+					retval = IP_FW_PASS;
+				}
+				l = 0;		
+				done = 1;
+				break;	
+				}
 			case O_CALLRETURN: {
 				/*
 				 * Implementation of `subroutine' call/return,
Index: sys/netpfil/ipfw/ip_fw_sockopt.c
===================================================================
--- sys/netpfil/ipfw/ip_fw_sockopt.c	(revision 265916)
+++ sys/netpfil/ipfw/ip_fw_sockopt.c	(working copy)
@@ -702,6 +702,12 @@
 			if (cmdlen != F_INSN_SIZE(ipfw_insn_altq))
 				goto bad_size;
 			break;
+		
+		case O_PPS:
+			have_action=1;
+			if (cmdlen != F_INSN_SIZE(ipfw_insn_pps))
+				goto bad_size;
+			break;
 
 		case O_PIPE:
 		case O_QUEUE:
@@ -769,6 +775,7 @@
 				return EINVAL;
 			}
 			break;
+
 #ifdef INET6
 		case O_IP6_SRC:
 		case O_IP6_DST:
@@ -776,7 +783,6 @@
 			    F_INSN_SIZE(ipfw_insn))
 				goto bad_size;
 			break;
-
 		case O_FLOW6ID:
 			if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) +
 			    ((ipfw_insn_u32 *)cmd)->o.arg1)


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201405121539.s4CFdNNT011901>