From: "Alexander V. Chernikov"
To: "Bjoern A. Zeeb"
Cc: svn-src-projects@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r269348 - in projects/ipfw: sbin/ipfw sys/netinet sys/netpfil/ipfw
Date: Fri, 01 Aug 2014 09:55:20 +0400
Message-ID: <53DB2BC8.90706@FreeBSD.org>
In-Reply-To: <6499BC58-1C21-4D47-91F8-BF7FC9834169@FreeBSD.org>

On 01.08.2014 04:34, Bjoern A. Zeeb wrote:
>
> On 31 Jul 2014, at 20:08 , Alexander V. Chernikov wrote:
>
>> Author: melifaro
>> Date: Thu Jul 31 20:08:19 2014
>> New Revision: 269348
>> URL: http://svnweb.freebsd.org/changeset/base/269348
>>
>> Log:
>>   * Add new "flow" table type to support N=1..5-tuple lookups
>>   * Add "flow:hash" algorithm
>>
>>   Kernel changes:
>>   * Add O_IP_FLOW_LOOKUP opcode to support "flow" lookups
>>   * Add IPFW_TABLE_FLOW table type
>>   * Add "struct tflow_entry" as storage for 6-tuple flows
>>   * Add "flow:hash" algorithm. Basically it is auto-growing chained hash table.
>>     Additionally, we store mask of fields we need to compare in each instance.
>>
>>   * Increase ipfw_obj_tentry size by adding struct tflow_entry
>>   * Add per-algorithm stat (ifpw_ta_tinfo) to ipfw_xtable_info
>>   * Increase algoname length: 32 -> 64 (algo options passed there as string)
>>   * Assume every table type can be customized by flags, use u8 to store "tflags" field.
>>   * Simplify ipfw_find_table_entry() by providing @tentry directly to algo callback.
>>   * Fix bug in cidr:chash resize procedure.
>>
>>   Userland changes:
>>   * add "flow table(NAME)" syntax to support n-tuple checking tables.
>>   * make fill_flags() separate function to ease working with _s_x arrays
>>   * change "table info" output to reflect longer "type" fields
>>
>>   Syntax:
>>   ipfw table fl2 create type flow:[src-ip][,proto][,src-port][,dst-ip][dst-port] [algo flow:hash]
>>
>>   Examples:
>>
>>   0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash
>>   0:02 [2] zfscurr0# ipfw table fl2 info
>>   +++ table(fl2), set(0) +++
>>    kindex: 0, type: flow:src-ip,proto,dst-port
>>    valtype: number, references: 0
>>    algorithm: flow:hash
>>    items: 0, size: 280
>>   0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000
>>   0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000
>>   0:02 [2] zfscurr0# ipfw table fl2 list
>>   +++ table(fl2), set(0) +++
>>   2a02:6b8::333,6,443 45000
>>   10.0.0.92,6,80 22000
>>   0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'
>>   00200 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
>>   0:03 [2] zfscurr0# ipfw show
>>   00200       0        0 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
>>   65535     617    59416 allow ip from any to any
>>   0:03 [2] zfscurr0# telnet -s 10.0.0.92 78.46.89.105 80
>>   Trying 78.46.89.105...
>>   ..
>>   0:04 [2] zfscurr0# ipfw show
>>   00200       5      272 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
>>   65535     682    66733 allow ip from any to any
>>
>> Modified:
>>   projects/ipfw/sbin/ipfw/ipfw2.c
>>   projects/ipfw/sbin/ipfw/ipfw2.h
>>   projects/ipfw/sbin/ipfw/tables.c
>>   projects/ipfw/sys/netinet/ip_fw.h
>>   projects/ipfw/sys/netpfil/ipfw/ip_fw2.c
>>   projects/ipfw/sys/netpfil/ipfw/ip_fw_sockopt.c
>>   projects/ipfw/sys/netpfil/ipfw/ip_fw_table.c
>>   projects/ipfw/sys/netpfil/ipfw/ip_fw_table.h
>>   projects/ipfw/sys/netpfil/ipfw/ip_fw_table_algo.c
>
> Only in case you plan merging this to head (but even if not it might be a good idea;-)
>
Yes, I'm going to merge this sooner or later :)

> I see no changes to the man page. Please update the documentation; this is where syntax and examples belong, and not in the commit message. Feel free to grab someone from docs@ in case you don't want to do it all yourself; they are always more than willing to assist.
>
Of course. I'm currently concentrating on making this work in general. I'm not going to commit all these without a single docs change :)

>
> —
> Bjoern A. Zeeb
> "Come on. Learn, goddamn it.", WarGames, 1983
>
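The commit message above describes the lookup semantics of the new "flow" table type: the table's type names which of the five tuple fields (src-ip, proto, src-port, dst-ip, dst-port) form the key, the table remembers that field mask, and a lookup hashes only the masked fields of the packet. The following Python model is an added example written for this thread; it is not ipfw code and does not touch the kernel. It reproduces the `fl2` session from the commit message (the `FlowTable` class, the `packet()` helper and the numeric protocol map are constructed for the illustration) and shows why a key that omits dst-ip matches the flow to 78.46.89.105 on port 80 while leaving dst-ip to be constrained by the rule body itself.

```python
"""Model of an ipfw "flow" table lookup (added example, not ipfw code).

A flow table is keyed on a chosen subset of the 5-tuple; the subset
is fixed at create time ("flow:src-ip,proto,dst-port") and every
lookup compares only those fields.  A Python dict stands in for the
auto-growing chained hash table the commit message describes.
"""
import ipaddress

# The five fields a flow table may key on, in the order ipfw prints them.
FIELDS = ("src-ip", "proto", "src-port", "dst-ip", "dst-port")

# Constructed: only the protocol names this example needs.
PROTO_NAMES = {"tcp": 6, "udp": 17}


def parse_type(spec):
    """Turn 'flow:src-ip,proto,dst-port' into an ordered tuple of field names."""
    if not spec.startswith("flow:"):
        raise ValueError("not a flow table type: %r" % spec)
    fields = tuple(spec[len("flow:"):].split(","))
    unknown = [f for f in fields if f not in FIELDS]
    if unknown or len(set(fields)) != len(fields) or not fields:
        raise ValueError("bad flow field list: %r" % (fields,))
    return fields


def parse_field(name, text):
    """Parse one textual key component into the canonical value stored in the table."""
    if name in ("src-ip", "dst-ip"):
        return ipaddress.ip_address(text)        # accepts IPv4 and IPv6, as fl2 does
    if name == "proto":
        return PROTO_NAMES[text] if text in PROTO_NAMES else int(text)
    return int(text)                              # ports


def packet(src_ip, proto, src_port, dst_ip, dst_port):
    """Constructed 5-tuple of a packet as the lookup would see it."""
    return {
        "src-ip": ipaddress.ip_address(src_ip),
        "proto": PROTO_NAMES[proto] if proto in PROTO_NAMES else int(proto),
        "src-port": src_port,
        "dst-ip": ipaddress.ip_address(dst_ip),
        "dst-port": dst_port,
    }


class FlowTable:
    """Hypothetical model of one flow:hash table instance."""

    def __init__(self, name, type_spec):
        self.name = name
        self.fields = parse_type(type_spec)   # the per-instance field mask
        self.entries = {}                      # masked key tuple -> value

    def add(self, entry_text, value):
        """Add 'ip,proto,port' (components in the table's field order) with a value."""
        parts = entry_text.split(",")
        if len(parts) != len(self.fields):
            raise ValueError("entry %r needs %d components" % (entry_text, len(self.fields)))
        key = tuple(parse_field(f, p) for f, p in zip(self.fields, parts))
        self.entries[key] = value

    def lookup(self, pkt):
        """Return the value for the packet's masked key, or None if no entry matches."""
        key = tuple(pkt[f] for f in self.fields)
        return self.entries.get(key)

    def list_entries(self):
        """Mirror 'ipfw table NAME list': numeric proto, one (key, value) per entry."""
        return [(",".join(str(k) for k in key), value)
                for key, value in self.entries.items()]


def demo():
    """Replay the fl2 session from the commit message and return the lookup results."""
    fl2 = FlowTable("fl2", "flow:src-ip,proto,dst-port")
    fl2.add("2a02:6b8::333,tcp,443", 45000)
    fl2.add("10.0.0.92,tcp,80", 22000)
    # The telnet -s 10.0.0.92 78.46.89.105 80 flow: src-port is arbitrary and dst-ip
    # is not part of the key, so only src-ip, proto and dst-port decide the match.
    hit = fl2.lookup(packet("10.0.0.92", "tcp", 51234, "78.46.89.105", 80))
    # Same host and port but UDP: proto is in the mask, so no entry matches.
    miss = fl2.lookup(packet("10.0.0.92", "udp", 51234, "78.46.89.105", 80))
    return fl2.list_entries(), hit, miss


if __name__ == "__main__":
    for line in demo()[0]:
        print("%s %d" % line)
    print(demo()[1:])
```

Because dst-ip is outside the key, any destination with src 10.0.0.92/tcp/port 80 would hit this entry; in the session above it is the rule's own `to 78.46.89.105` clause, not the table, that pins the destination.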