Date: Mon, 26 Jan 2004 18:23:07 -0800 From: Bill Fumerola <billf@FreeBSD.org> To: freebsd-ipfw@freebsd.org Subject: 'prevmatch' patch Message-ID: <20040127022307.GP40147@elvis.mu.org>
i ran into a situation recently where i could write my ruleset a lot simpler (and remove some costly, redundant lookups) by requiring that the previous rule evaluated matched. note: this does NOT mean "the previous rule in order" it means "the previous rule traversed". the former isn't all that useful, but the latter is nice because it works with both count and skipto rules. i'm also working on a more complex tagging language, but in the mean time someone may find this useful. if there is interest, i'll clean it up, write up some appropriate mdoc patches as well and commit this. if not, this will live in the archives for people to apply locally. -- - bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org ----- Forwarded message from bill fumerola <fumerola@yahoo-inc.com> ----- ==== //depot/yahoo/ybsd_4/src/sbin/ipfw/ipfw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/ipfw/ipfw2.c#3 (text+ko) ==== content @@ -225,6 +225,7 @@ TOK_MACTYPE, TOK_VERREVPATH, TOK_IPSEC, + TOK_PREVMATCH, TOK_COMMENT, TOK_PLR, @@ -337,6 +338,7 @@ { "mac-type", TOK_MACTYPE }, { "verrevpath", TOK_VERREVPATH }, { "ipsec", TOK_IPSEC }, + { "prevmatch", TOK_PREVMATCH }, { "//", TOK_COMMENT }, { "not", TOK_NOT }, /* pseudo option */ @@ -1262,6 +1264,10 @@ printf(" ipsec"); break; + case O_PREVMATCH: + printf(" prevmatch"); + break; + case O_NOP: comment = (char *)(cmd + 1); break; @@ -3400,6 +3406,10 @@ fill_cmd(cmd, O_IPSEC, 0, 0); break; + case TOK_PREVMATCH: + fill_cmd(cmd, O_PREVMATCH, 0, 0); + break; + case TOK_COMMENT: fill_comment(cmd, ac, av); av += ac; ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.c#4 (text+ko) ==== content @@ -1352,6 +1352,7 @@ int pktlen; int dyn_dir = MATCH_UNKNOWN; ipfw_dyn_rule *q = NULL; + int prevmatch = 0; if (m->m_flags & M_SKIP_FIREWALL) return 0; /* accept */ 
@@ -1524,6 +1525,10 @@ match = 1; break; + case O_PREVMATCH: + match = prevmatch; + break; + case O_FORWARD_MAC: printf("ipfw: opcode %d unimplemented\n", cmd->opcode); @@ -1948,6 +1953,7 @@ case O_COUNT: case O_SKIPTO: + prevmatch = 1; f->pcnt++; /* update stats */ f->bcnt += pktlen; f->timestamp = time_second; @@ -2004,6 +2010,7 @@ } } /* end of inner for, scan opcodes */ + prevmatch = 0; next_rule:; /* try next rule */ @@ -2414,6 +2421,7 @@ case O_ESTAB: case O_VERREVPATH: case O_IPSEC: + case O_PREVMATCH: if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size; break; ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.h#3 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.h#3 (text+ko) ==== content @@ -96,6 +96,8 @@ O_VERREVPATH, /* none */ + O_PREVMATCH, /* none (previous rule matched) */ + O_PROBE_STATE, /* none */ O_KEEP_STATE, /* none */ O_LIMIT, /* ipfw_insn_limit */ ----- End forwarded message -----
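Review bot: `int prevmatch = 0;` in the ip_fw2.c declaration hunk is a local of the checking function and is re-initialised on every entry, so the match history does not survive any path that leaves the function and calls it again for the same packet; nothing in the patch says so. Add a one-line comment on the declaration (e.g. `/* set by count/skipto, valid only within this walk */`) and a sentence to the planned mdoc text so that nobody writes a `prevmatch` rule expecting it to see a rule evaluated before a re-entry.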
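Review bot: `prevmatch = 1;` at the top of the shared `case O_COUNT: case O_SKIPTO:` block is the only place the flag is raised, so a `prevmatch` rule at a skipto target sees the skipto rule as its predecessor, which is the "previous rule traversed" semantics the cover mail describes; that is correct, but worth a comment next to the assignment, e.g. `/* count and skipto are the only rules that "match" without terminating */`, and the man page should state explicitly that no other action raises the flag.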
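Review bot: the `prevmatch = 0;` inserted between `} /* end of inner for, scan opcodes */` and `next_rule:;` is reached only when a rule body fails to match and the opcode loop breaks out; the `goto next_rule` from O_COUNT and the `goto` from O_SKIPTO in the previous hunk jump past it, and so does any other path to the next rule that does not fall out of the bottom of the inner loop. That is what carries the flag to the next traversed rule, but it is invisible from the three-line hunk, so add a comment such as `/* body did not match: next rule must not see prevmatch */`, and document that a `prevmatch` consumer must be the very next rule evaluated after its count/skipto producer, since any non-matching rule in between clears it.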
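Review bot: inserting `O_PREVMATCH` between `O_VERREVPATH` and `O_PROBE_STATE` in the ip_fw2.h enum renumbers `O_PROBE_STATE`, `O_KEEP_STATE`, `O_LIMIT` and every opcode after them, and rules are installed as streams of these opcode values, so an ipfw(8) built against one version of the header will install wrong opcodes into a kernel built against the other. Append the new opcode at the end of the enum instead (with a comment that later additions go after it) so that the existing numbering is preserved across the userland/kernel boundary.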
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040127022307.GP40147>
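The semantics the mail describes, that the flag follows the previous rule traversed rather than the previous rule in order, so it carries across a skipto and is cleared by any rule whose body fails, as an added example that is not part of the original mail or of the patch: a stand-alone C model of the rule walk in ipfw_chk with only count, skipto, allow and deny actions, a single constructed source-id match in place of real packet fields, and a constructed ruleset. `struct rule`, `ipfw_walk`, `rule_index_ge`, `demo` and the packet ids 1..5 are my own names and inputs; only the control flow (count/skipto raise the flag, a failed rule body clears it, terminating actions never reach the reset) follows the patch.

```c
#include <stdio.h>

/*
 * Added example (not the author's patch): a model of the part of ipfw_chk()
 * the 'prevmatch' patch touches. The rule struct, ipfw_walk(), demo() and the
 * ruleset/packet ids are constructed for illustration; only the control flow
 * (count/skipto raise the flag, a rule whose body fails clears it, allow/deny
 * terminate before the reset) follows the patch.
 */

enum action { A_COUNT, A_SKIPTO, A_ALLOW, A_DENY };

struct rule {
    int number;          /* rule number, ascending */
    int src;             /* 0 = any; otherwise the packet's src id must equal it */
    int prevmatch;       /* 1 if the body carries the prevmatch option */
    enum action act;
    int target;          /* skipto target rule number */
    unsigned long pcnt;  /* like f->pcnt: bumped whenever the body matches */
};

/* Index of the first rule numbered >= number (skipto target); n = end of chain. */
static int rule_index_ge(const struct rule *r, int n, int number)
{
    int i;
    for (i = 0; i < n; i++)
        if (r[i].number >= number)
            return i;
    return n;
}

/*
 * Walk one packet through the ruleset. Returns the number of the rule whose
 * allow/deny terminated the walk, or -1 (with *act = A_DENY) if the chain ran out.
 */
int ipfw_walk(struct rule *r, int n, int src, enum action *act)
{
    int prevmatch = 0;   /* the patch's new local: cleared on every entry */
    int i = 0;

    while (i < n) {
        struct rule *f = &r[i];
        int match = 1;

        /* rule body: every option must match (no OR blocks in this model) */
        if (f->src != 0 && f->src != src)
            match = 0;
        if (f->prevmatch && !prevmatch)     /* O_PREVMATCH: match = prevmatch */
            match = 0;

        if (!match) {
            /* fell out of the opcode loop: this is where the patch resets */
            prevmatch = 0;
            i++;
            continue;
        }

        f->pcnt++;
        switch (f->act) {
        case A_COUNT:
            prevmatch = 1;   /* the kernel's goto next_rule skips the reset */
            i++;
            break;
        case A_SKIPTO:
            prevmatch = 1;   /* goto again skips the reset as well */
            i = rule_index_ge(r, n, f->target);
            break;
        case A_ALLOW:
        case A_DENY:
            *act = f->act;
            return f->number;
        }
    }
    *act = A_DENY;           /* constructed default when no rule decides */
    return -1;
}

/* Constructed ruleset; src ids 1..5 stand in for addresses. */
int demo(int src, enum action *act)
{
    struct rule rs[] = {
        { 100,  1, 0, A_COUNT,  0,    0 },  /* count src 1           */
        { 200,  0, 1, A_ALLOW,  0,    0 },  /* allow prevmatch       */
        { 300,  3, 0, A_COUNT,  0,    0 },  /* count src 3           */
        { 350,  4, 0, A_COUNT,  0,    0 },  /* count src 4           */
        { 400,  0, 1, A_DENY,   0,    0 },  /* deny prevmatch        */
        { 500,  2, 0, A_SKIPTO, 1000, 0 },  /* skipto 1000 src 2     */
        { 600,  0, 0, A_ALLOW,  0,    0 },  /* allow (anything else) */
        { 1000, 0, 1, A_DENY,   0,    0 },  /* deny prevmatch        */
        { 1100, 0, 0, A_ALLOW,  0,    0 },  /* allow                 */
    };
    return ipfw_walk(rs, (int)(sizeof rs / sizeof rs[0]), src, act);
}

int main(void)
{
    static const char *names[] = { "count", "skipto", "allow", "deny" };
    int src;
    for (src = 1; src <= 5; src++) {
        enum action a;
        int n = demo(src, &a);
        printf("src %d -> %s at rule %d\n", src, names[a], n);
    }
    return 0;
}
```

Two lines of the output carry the point. Src 2 is denied at rule 1000 although rule 600 is the previous rule in order: the skipto at 500 was the previous rule traversed, and the flag rode along. Src 3 is allowed at 600 rather than denied at 400: rule 300 raised the flag, but the non-matching count at 350 sat between producer and consumer and cleared it. A `prevmatch` consumer therefore has to be the very next rule evaluated after its count or skipto, which is also why, at a skipto target, the consumer must be the first rule at that number.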