Date: Tue, 13 Dec 2005 04:18:08 -0800
From: Luigi Rizzo
To: Gleb Smirnoff
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sbin/ipfw ipfw2.c src/sys/netinet ip_fw.h ip_fw2.c

interesting feature, thanks

luigi

On Tue, Dec 13, 2005 at 12:16:03PM +0000, Gleb Smirnoff wrote:
> glebius     2005-12-13 12:16:03 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sbin/ipfw            ipfw2.c
>     sys/netinet          ip_fw.h ip_fw2.c
>   Log:
>   Add a new feature for optimizing ipfw rulesets - substitution of the
>   action argument with the value obtained from table lookup. The feature
>   is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
>   and "ngtee" rules.
>
>   An example usage:
>
>     ipfw pipe 1000 config bw 1000Kbyte/s
>     ipfw pipe 4000 config bw 4000Kbyte/s
>     ipfw table 1 add x.x.x.x 1000
>     ipfw table 1 add x.x.x.y 4000
>     ipfw pipe tablearg ip from table(1) to any
>
>   In the example above the rule will throw different packets to different pipes.
>
>   TODO:
>   - Support "skipto" action, but without searching all rules.
>   - Improve parser, so that it warns about bad rules. These are:
>     - "tablearg" argument to action, but no "table" in the rule. All
>       traffic will be blocked.
>     - "tablearg" argument to action, but "table" searches for entry with
>       a specific value. All traffic will be blocked.
>     - "tablearg" argument to action, and two "table" looks - for src and
>       for dst. The last lookup will match.
>
>   Revision  Changes    Path
>   1.82      +44 -46    src/sbin/ipfw/ipfw2.c
>   1.103     +2 -0      src/sys/netinet/ip_fw.h
>   1.119     +16 -5     src/sys/netinet/ip_fw2.c
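
The three bad-rule cases in the TODO list above can be caught by a text-level check before a ruleset is loaded. The following is an added example, not part of the original message and not code from ipfw2.c. The names `check_tablearg` and `ta_warn` are hypothetical, the sample rules are constructed, and it assumes that "searches for entry with a specific value" means the `table(N,value)` form.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical warning codes, one per bad-rule case in the TODO list. */
enum ta_warn { TA_OK, TA_NO_TABLE, TA_VALUE_MATCH, TA_TWO_LOOKUPS };

/* Return 1 if word occurs in s as a blank-delimited token. */
static int has_token(const char *s, const char *word)
{
    size_t n = strlen(word);
    for (const char *p = s; (p = strstr(p, word)) != NULL; p += n) {
        int start_ok = p == s || p[-1] == ' ' || p[-1] == '\t';
        int end_ok = p[n] == '\0' || p[n] == ' ' || p[n] == '\t';
        if (start_ok && end_ok)
            return 1;
    }
    return 0;
}

/* Text-level check of one rule body; this is not the ipfw parser. */
enum ta_warn check_tablearg(const char *rule)
{
    int lookups = 0, with_value = 0;
    if (!has_token(rule, "tablearg"))
        return TA_OK;                 /* action has a fixed argument */
    for (const char *p = rule; (p = strstr(p, "table(")) != NULL; p += 6) {
        const char *close = strchr(p, ')');
        const char *comma = strchr(p, ',');
        lookups++;
        if (close != NULL && comma != NULL && comma < close)
            with_value = 1;           /* table(N,value): match on a value */
    }
    if (lookups == 0)
        return TA_NO_TABLE;           /* TODO case 1: nothing to look up */
    if (with_value)
        return TA_VALUE_MATCH;        /* TODO case 2: lookup by value */
    return lookups > 1 ? TA_TWO_LOOKUPS : TA_OK;  /* TODO case 3 */
}

int main(void)
{
    /* Constructed samples; the first is the rule from the commit message. */
    const char *r[] = { "pipe tablearg ip from table(1) to any",
        "pipe tablearg ip from any to any",
        "pipe tablearg ip from table(1,1000) to any",
        "pipe tablearg ip from table(1) to table(2)" };
    for (int i = 0; i < 4; i++)
        printf("%d  %s\n", check_tablearg(r[i]), r[i]);
    return 0;
}
```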