Date: Tue, 13 May 2014 03:00:01 GMT From: bycn82 <bycn82@gmail.com> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/189720: pps action for ipfw Message-ID: <201405130300.s4D301le059008@freefall.freebsd.org>
The following reply was made to PR kern/189720; it has been noted by GNATS.
From: bycn82 <bycn82@gmail.com>
To: bug-followup@FreeBSD.org, bycn82@gmail.com
Cc:
Subject: Re: kern/189720: pps action for ipfw
Date: Tue, 13 May 2014 10:54:47 +0800
This is a multi-part message in MIME format.
--------------060500040406000407020409
Content-Type: multipart/alternative;
boundary="------------070308050506000908020500"
--------------070308050506000908020500
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
1.Clean some gratuitous white-space.
2.Increase `count` and `duration` to uint32.
--------------070308050506000908020500
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Calibri">1.Clean some gratuitous white-space.<br>
2.Increase `count` and `duration` to uint32. <br>
</font>
</body>
</html>
--------------070308050506000908020500--
--------------060500040406000407020409
Content-Type: text/plain;
name="pps.patch2.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="pps.patch2.txt"
Index: sbin/ipfw/ipfw.8
===================================================================
--- sbin/ipfw/ipfw.8 (revision 265941)
+++ sbin/ipfw/ipfw.8 (working copy)
@@ -603,6 +603,14 @@
Note: logging is done after all other packet matching conditions
have been successfully verified, and before performing the final
action (accept, deny, etc.) on the packet.
+.It Cm pps Ar limit duration
+Rule with the
+.Cm pps
+keyword will allow the first
+.Ar limit
+packets in recent
+.Ar duration
+milliseconds
.It Cm tag Ar number
When a packet matches a rule with the
.Cm tag
Index: sbin/ipfw/ipfw2.c
===================================================================
--- sbin/ipfw/ipfw2.c (revision 265941)
+++ sbin/ipfw/ipfw2.c (working copy)
@@ -244,6 +244,7 @@
{ "allow", TOK_ACCEPT },
{ "permit", TOK_ACCEPT },
{ "count", TOK_COUNT },
+ { "pps", TOK_PPS },
{ "pipe", TOK_PIPE },
{ "queue", TOK_QUEUE },
{ "divert", TOK_DIVERT },
@@ -1232,6 +1233,13 @@
PRINT_UINT_ARG("skipto ", cmd->arg1);
break;
+ case O_PPS:
+ {
+ ipfw_insn_pps *pps=(ipfw_insn_pps *)cmd;
+ printf("pps %d %d",cmd->arg1,pps->duration);
+ break;
+ }
+
case O_PIPE:
PRINT_UINT_ARG("pipe ", cmd->arg1);
break;
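Review bot: The `printf` in the new `O_PPS` case formats `pps->duration` with `%d`, but the struct added in ip_fw.h declares it `uint32_t`, so a large duration is listed as a negative number and the displayed rule no longer matches what the kernel enforces. Use unsigned conversions, `printf("pps %u %u", cmd->arg1, pps->duration);`, which also matches the `PRINT_UINT_ARG` style of the neighbouring cases. The enclosing switch starts and ends outside the hunk.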
@@ -2986,6 +2994,24 @@
action->opcode = O_COUNT;
break;
+ case TOK_PPS:
+ action->opcode = O_PPS;
+ ipfw_insn_pps *p = (ipfw_insn_pps *)action;
+ action->len = F_INSN_SIZE(ipfw_insn_pps);
+ if (isdigit(**av)) {
+ action->arg1 = strtoul(*av, NULL, 10);
+ av++;
+ }else{
+ errx(EX_USAGE, "illegal argument pps `limit` %s", *av);
+ }
+ if (isdigit(**av)) {
+ p->duration = strtoul(*av, NULL, 10);
+ av++;
+ }else{
+ errx(EX_USAGE,"illegal arugment pps `duration` %s", *av);
+ }
+ break;
+
case TOK_NAT:
action->opcode = O_NAT;
action->len = F_INSN_SIZE(ipfw_insn_nat);
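Review bot: Both `isdigit(**av)` tests in the `TOK_PPS` case dereference `*av` without checking that an argument is present, and both `strtoul` results are stored with no end-pointer or range check. A limit larger than `action->arg1` can hold (16 bits in `ipfw_insn`, as far as I can tell; confirm) is silently truncated, so the installed rate limit differs from what the operator typed, and input such as `10abc` is accepted as 10. A zero limit or duration should probably be rejected too, and the second message misspells "argument". The enclosing switch continues outside the hunk; a checked version of the case is sketched below.

```c
	case TOK_PPS: {
		ipfw_insn_pps *p = (ipfw_insn_pps *)action;
		unsigned long v;
		char *end;

		action->opcode = O_PPS;
		action->len = F_INSN_SIZE(ipfw_insn_pps);

		/* limit: must be present, all digits, non-zero, and fit arg1 */
		if (*av == NULL)
			errx(EX_USAGE, "missing argument pps `limit`");
		errno = 0;
		v = isdigit((unsigned char)**av) ? strtoul(*av, &end, 10) : 0;
		if (v == 0 || *end != '\0' || errno == ERANGE || v > 0xffff)
			errx(EX_USAGE, "illegal argument pps `limit` %s", *av);
		action->arg1 = (uint16_t)v;
		av++;

		/* duration: same checks against the 32-bit field */
		if (*av == NULL)
			errx(EX_USAGE, "missing argument pps `duration`");
		errno = 0;
		v = isdigit((unsigned char)**av) ? strtoul(*av, &end, 10) : 0;
		if (v == 0 || *end != '\0' || errno == ERANGE || v > 0xffffffffUL)
			errx(EX_USAGE, "illegal argument pps `duration` %s", *av);
		p->duration = (uint32_t)v;
		av++;
		break;
	}
```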
Index: sbin/ipfw/ipfw2.h
===================================================================
--- sbin/ipfw/ipfw2.h (revision 265941)
+++ sbin/ipfw/ipfw2.h (working copy)
@@ -92,6 +92,7 @@
TOK_NGTEE,
TOK_FORWARD,
TOK_SKIPTO,
+ TOK_PPS,
TOK_DENY,
TOK_REJECT,
TOK_RESET,
Index: sys/netinet/ip_fw.h
===================================================================
--- sys/netinet/ip_fw.h (revision 265941)
+++ sys/netinet/ip_fw.h (working copy)
@@ -165,6 +165,7 @@
O_REJECT, /* arg1=icmp arg (same as deny) */
O_COUNT, /* none */
O_SKIPTO, /* arg1=next rule number */
+ O_PPS, /* arg1=limit, pps->duration */
O_PIPE, /* arg1=pipe number */
O_QUEUE, /* arg1=queue number */
O_DIVERT, /* arg1=port number */
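Review bot: `O_PPS` is inserted between `O_SKIPTO` and `O_PIPE`, which shifts the numeric value of every opcode that follows it in this enum. An ipfw(8) binary or other consumer built against the old header would then send opcodes that the new kernel interprets as different actions, for example an old `pipe` rule arriving as `pps`, which is a risky failure mode for a packet filter. Appending the new opcode at the end of the list, just before whatever terminator the enum has, keeps existing values stable. The end of the enum is outside this hunk.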
@@ -378,6 +379,16 @@
} ipfw_insn_log;
/*
+ * This is used for PPS
+ */
+typedef struct _ipfw_insn_pps{
+ ipfw_insn o;
+ uint32_t start_time;
+ uint32_t count;
+ uint32_t duration;
+} ipfw_insn_pps;
+
+/*
* Data structures required by both ipfw(8) and ipfw(4) but not part of the
* management API are protected by IPFW_INTERNAL.
*/
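Review bot: The comment `This is used for PPS` does not say which fields are configuration and which are runtime state, and that distinction matters if the whole instruction is copied in from userland, as the sockopt hunk suggests. Suggest per-field comments such as `uint32_t start_time; /* kernel state: ticks at window start */`, `uint32_t count; /* kernel state: packets seen in current window */` and `uint32_t duration; /* window length; unit must match the comparison in ip_fw2.c */`. The limit itself lives in `o.arg1`, so widening `count` to 32 bits does not widen the configurable limit, which the comment should state.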
Index: sys/netpfil/ipfw/ip_fw2.c
===================================================================
--- sys/netpfil/ipfw/ip_fw2.c (revision 265941)
+++ sys/netpfil/ipfw/ip_fw2.c (working copy)
@@ -2180,6 +2180,24 @@
continue;
break; /* not reached */
+ case O_PPS:{
+ ipfw_insn_pps *pps = (ipfw_insn_pps *)cmd;
+ if(pps->start_time+pps->duration >= ticks){
+ if(pps->count < cmd->arg1){
+ retval = IP_FW_PASS;
+ }else{
+ retval = IP_FW_DENY;
+ }
+ pps->count++;
+ }else{
+ pps->start_time=ticks;
+ pps->count=1;
+ retval = IP_FW_PASS;
+ }
+ l = 0;
+ done = 1;
+ break;
+ }
case O_CALLRETURN: {
/*
* Implementation of `subroutine' call/return,
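Review bot: The window test `pps->start_time+pps->duration >= ticks` compares an absolute sum with `ticks`, so it gives the wrong answer when the 32-bit sum overflows or when `ticks` wraps; comparing elapsed time is wrap-safe, `if ((uint32_t)ticks - pps->start_time <= pps->duration) {`. `duration` is documented in ipfw.8 as milliseconds but is compared with `ticks` unconverted, which is only correct when hz is 1000. `pps->count` and `pps->start_time` are also updated with no atomic operation or lock visible in the hunk; if this path runs concurrently on several CPUs (likely for packet checking, but confirm), increments can be lost and more than `limit` packets pass per window. The enclosing switch and function start and end outside the hunk.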
Index: sys/netpfil/ipfw/ip_fw_sockopt.c
===================================================================
--- sys/netpfil/ipfw/ip_fw_sockopt.c (revision 265941)
+++ sys/netpfil/ipfw/ip_fw_sockopt.c (working copy)
@@ -703,6 +703,12 @@
goto bad_size;
break;
+ case O_PPS:
+ have_action=1;
+ if (cmdlen != F_INSN_SIZE(ipfw_insn_pps))
+ goto bad_size;
+ break;
+
case O_PIPE:
case O_QUEUE:
if (cmdlen != F_INSN_SIZE(ipfw_insn))
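Review bot: The new `O_PPS` check validates only `cmdlen`, so the caller-supplied `start_time` and `count` are installed as-is, and a zero `arg1` or zero `duration` is accepted. With `arg1 == 0` the ip_fw2.c hunk still passes the first packet of every window, so a "limit 0" rule does not block all traffic as an operator might expect. If this function may write to the rule, resetting the state here (`((ipfw_insn_pps *)cmd)->start_time = 0;` and likewise `count`) and rejecting zero values would keep a new rule from starting in an arbitrary state. The enclosing switch continues outside the hunk.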
--------------060500040406000407020409--
