Date: Fri, 12 May 2006 22:18:43 +0700
From: "Vadim Goncharov" <vadimnuclight@tpu.ru>
To: "Luigi Rizzo" <rizzo@icir.org>
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: [patch] ipfw packet tagging
Message-ID: <ops9f15hzc4fjv08@nuclight.avtf.net>
In-Reply-To: <20060512065327.B16302@xorpc.icir.org>
References: <ops9fwnzbw17d6mn@nuclight.avtf.net> <44648E66.6010800@freebsdbrasil.com.br> <20060512065327.B16302@xorpc.icir.org>
12.05.06 at 20:53 Luigi Rizzo wrote:

>> > I've tried Andrey Elsukov's ipfw "tag/tagged" patches from:
>> > http://butcher.heavennet.ru/patches/kernel/ipfw_tags/
>> >
>> > Tested on 5.5-PRERELEASE production server with moderate
>> > load - rock stable [I've also looked through the code - patch
>> > is small, so there simply can't be any bugs there ;)].
>> >
>> > Personally I very much like the idea from Andrey's original letter
>>
>> I have tested on 6.1 and it works fine too.
>>
>> Hope it gets committed. Very useful for altq/dummynet flexibility too.
>
> i would, however, like to have a bit more documentation in the patch,
> in particular:
>
> - a manpage patch describing how to use the thing, and also the
> behaviour in odd situations (e.g. what happens when we try to tag
> a packet multiple times ? does the tag survive between the 'input'
> and 'output' path of ipfw for routed packets, etc ?).
> I can look this up in the code, but the average user cannot,

I think it will always survive, but I am not sure; maybe it is better for you to review the code and correct the description.

> and the patch does not contain a single line of comment,
> plus we generally want to have some textual description of the
> behaviour (so we can RTFM), not just an implementation
> without comments.

OK, Andrey is currently commenting the code and implementing the untag action, and here is my patch for the manpage describing all this stuff:

--- ipfw.8.orig	Fri May 12 21:09:14 2006
+++ ipfw.8	Fri May 12 22:08:42 2006
@@ -563,6 +563,30 @@ Note: logging is done after all other packet matching conditions have been successfully verified, and before performing the final action (accept, deny, etc.) on the packet. +.It Cm tag Ar number +When a packet matches a rule with the +.Cm tag +keyword, the numeric tag for the given +.Ar number +in the range 0..65535 will be attached to the packet. +The tag acts as an internal marker (it is not sent out over +the wire) that can be used to identify these packets later on. +This can be used, for example, to provide trust between interfaces +and to start doing policy-based filtering. +A packet can have mutiple tags at the same time. +Tags are "sticky", meaning once a tag is applied to a packet by a +matching rule it exists everywhere while packet is still in kernel +until explicit removal or sending packet out to the network. +To check for previously applied tags, use the +.Cm tagged +rule option. +.It Cm untag Ar number +When a packet matches a rule with the +.Cm untag +keyword, the tag with the number +.Ar number +is searched in the set of tags attached to +this packet and, if found, removed from this set. .It Cm altq Ar queue When a packet matches a rule with the .Cm altq @@ -1257,6 +1281,15 @@ .It Cm src-port Ar ports Matches IP packets whose source port is one of the port(s) specified as argument. +.It Cm tagged Ar number +Match if packet has a tag with number +.Ar number . +Tags can be applied to the packet using +.Cm tag +rule action parameter or set somewhere in another part of the kernel +network subsytem using +.Xr mbuf_tags 9 +facility. .It Cm tcpack Ar ack TCP packets only. Match if the TCP header acknowledgment number field is set to -- WBR, Vadim Goncharov
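Review bot: the `tag` paragraph in the first hunk (`@@ -563,6 +563,30 @@`) still leaves open the question asked upthread about tagging a packet twice with the same number: `+A packet can have mutiple tags at the same time.` covers distinct numbers, but it should also say whether a second `tag` with an already-attached number is a no-op or attaches a duplicate, because that determines whether a single `untag` of that number removes it completely (the `untag` text only says the tag `is searched in the set of tags attached to` the packet `and, if found, removed`). While there, fix the typo `mutiple`, and the missing articles in `+matching rule it exists everywhere while packet is still in kernel` (`while the packet is still in the kernel`) and `+until explicit removal or sending packet out to the network.` (`or the packet is sent out`).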
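Review bot: in the second hunk (`@@ -1257,6 +1281,15 @@`) there is a typo in `+network subsytem using` (`subsystem`), and `+rule action parameter or set somewhere in another part of the kernel` reads awkwardly; suggest `+action parameter, or set elsewhere in the kernel` with `the` before `.Cm tag`. Since the sticky, in-kernel-only semantics of tags are described only under the `tag` action, a short pointer from the `tagged` option back to that action (or a one-line restatement that a tag set on the input path is still visible on the output path) would spare the reader a search through the page for the behaviour the option actually tests.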