Date: Fri, 1 Aug 2014 00:34:33 +0000
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
Cc: svn-src-projects@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r269348 - in projects/ipfw: sbin/ipfw sys/netinet sys/netpfil/ipfw
Message-ID: <6499BC58-1C21-4D47-91F8-BF7FC9834169@FreeBSD.org>
In-Reply-To: <201407312008.s6VK8J9R083960@svn.freebsd.org>
References: <201407312008.s6VK8J9R083960@svn.freebsd.org>

On 31 Jul 2014, at 20:08 , Alexander V. Chernikov <melifaro@FreeBSD.org> wrote:

> Author: melifaro
> Date: Thu Jul 31 20:08:19 2014
> New Revision: 269348
> URL: http://svnweb.freebsd.org/changeset/base/269348
>
> Log:
>   * Add new "flow" table type to support N=1..5-tuple lookups
>   * Add "flow:hash" algorithm
>
>   Kernel changes:
>   * Add O_IP_FLOW_LOOKUP opcode to support "flow" lookups
>   * Add IPFW_TABLE_FLOW table type
>   * Add "struct tflow_entry" as storage for 6-tuple flows
>   * Add "flow:hash" algorithm. Basically it is auto-growing chained hash table.
>     Additionally, we store mask of fields we need to compare in each instance/
>
>   * Increase ipfw_obj_tentry size by adding struct tflow_entry
>   * Add per-algorithm stat (ifpw_ta_tinfo) to ipfw_xtable_info
>   * Increase algoname length: 32 -> 64 (algo options passed there as string)
>   * Assume every table type can be customized by flags, use u8 to store "tflags" field.
>   * Simplify ipfw_find_table_entry() by providing @tentry directly to algo callback.
>   * Fix bug in cidr:chash resize procedure.
>
>   Userland changes:
>   * add "flow table(NAME)" syntax to support n-tuple checking tables.
>   * make fill_flags() separate function to ease working with _s_x arrays
>   * change "table info" output to reflect longer "type" fields
>
>   Syntax:
>   ipfw table fl2 create type flow:[src-ip][,proto][,src-port][,dst-ip][dst-port] [algo flow:hash]
>
>   Examples:
>
>   0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash
>   0:02 [2] zfscurr0# ipfw table fl2 info
>   +++ table(fl2), set(0) +++
>    kindex: 0, type: flow:src-ip,proto,dst-port
>    valtype: number, references: 0
>    algorithm: flow:hash
>    items: 0, size: 280
>   0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000
>   0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000
>   0:02 [2] zfscurr0# ipfw table fl2 list
>   +++ table(fl2), set(0) +++
>   2a02:6b8::333,6,443 45000
>   10.0.0.92,6,80 22000
>   0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'
>   00200 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
>   0:03 [2] zfscurr0# ipfw show
>   00200 0 0 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
>   65535 617 59416 allow ip from any to any
>   0:03 [2] zfscurr0# telnet -s 10.0.0.92 78.46.89.105 80
>   Trying 78.46.89.105...
>   ..
>   0:04 [2] zfscurr0# ipfw show
>   00200 5 272 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
>   65535 682 66733 allow ip from any to any
>
> Modified:
>   projects/ipfw/sbin/ipfw/ipfw2.c
>   projects/ipfw/sbin/ipfw/ipfw2.h
>   projects/ipfw/sbin/ipfw/tables.c
>   projects/ipfw/sys/netinet/ip_fw.h
>   projects/ipfw/sys/netpfil/ipfw/ip_fw2.c
>   projects/ipfw/sys/netpfil/ipfw/ip_fw_sockopt.c
>   projects/ipfw/sys/netpfil/ipfw/ip_fw_table.c
>   projects/ipfw/sys/netpfil/ipfw/ip_fw_table.h
>   projects/ipfw/sys/netpfil/ipfw/ip_fw_table_algo.c

Only in case you plan merging this to head (but even if not it might be a good idea;-)

I see no changes to the man page. Please update the documentation; this is where syntax and example belong and not into the commit message.

Feel free to grab someone from docs@ in case you don't want to do it all yourself; they are always more than willing to assist.

—
Bjoern A. Zeeb
"Come on. Learn, goddamn it.", WarGames, 1983
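
The commit log quoted above describes flow:hash as a chained hash table that stores, per instance, a mask of the fields to compare. The sketch below is an added example, not part of this message and not the FreeBSD code: it shows how such a mask makes a src-ip,proto,dst-port table ignore the other tuple fields. All type, field and function names are hypothetical, it handles IPv4 only, and the bucket count is fixed rather than auto-growing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* All names are hypothetical; this is not the FreeBSD kernel's layout. */
enum { F_SRCIP = 1, F_PROTO = 2, F_SPORT = 4, F_DSTIP = 8, F_DPORT = 16 };
#define NBUCKETS 64                /* fixed here; the commit describes auto-growth */
struct flow {                      /* IPv4 only; explicit pad, no hidden padding */
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t proto, pad[3];
};
struct entry { struct flow key; uint32_t value; struct entry *next; };
struct ftable { uint8_t mask; struct entry *buckets[NBUCKETS]; };

/* Copy only the fields this table compares, zero the rest, return FNV-1a hash. */
static uint32_t canon(const struct ftable *t, const struct flow *in, struct flow *k) {
    uint32_t h = 2166136261u;
    memset(k, 0, sizeof(*k));
    if (t->mask & F_SRCIP) k->src = in->src;
    if (t->mask & F_PROTO) k->proto = in->proto;
    if (t->mask & F_SPORT) k->sport = in->sport;
    if (t->mask & F_DSTIP) k->dst = in->dst;
    if (t->mask & F_DPORT) k->dport = in->dport;
    for (size_t i = 0; i < sizeof(*k); i++)
        h = (h ^ ((const uint8_t *)k)[i]) * 16777619u;
    return h;
}

/* Insert a flow; fields outside the table mask are discarded before storing. */
int flow_add(struct ftable *t, const struct flow *f, uint32_t value) {
    struct entry *e = malloc(sizeof(*e));
    if (e == NULL) return -1;
    uint32_t h = canon(t, f, &e->key);
    e->value = value;
    e->next = t->buckets[h % NBUCKETS];
    t->buckets[h % NBUCKETS] = e;
    return 0;
}

/* Return 1 and set *value when the packet's masked fields match an entry. */
int flow_lookup(const struct ftable *t, const struct flow *pkt, uint32_t *value) {
    struct flow k;
    uint32_t h = canon(t, pkt, &k);
    for (const struct entry *e = t->buckets[h % NBUCKETS]; e != NULL; e = e->next)
        if (memcmp(&e->key, &k, sizeof(k)) == 0) { *value = e->value; return 1; }
    return 0;
}
```

With the mask set to F_SRCIP | F_PROTO | F_DPORT and the entry 10.0.0.92,tcp,80 from the session above, a packet to any destination address from any source port matches, while changing the protocol or destination port does not.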