Date:      Fri, 10 Oct 2014 01:02:05 +0400
From:      Alexander V. Chernikov <melifaro@ipfw.ru>
To:        "Alexander V. Chernikov" <melifaro@FreeBSD.org>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, Luigi Rizzo <luigi@freebsd.org>, freebsd-current@freebsd.org, freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject:   Re: HEADS UP: Merging projects/ipfw to HEAD
Message-ID:  <02957253-78AC-4CDF-AD48-86D219667F02@ipfw.ru>
In-Reply-To: <542FE9A7.9090208@FreeBSD.org>
References:  <542FE9A7.9090208@FreeBSD.org>

On 04 Oct 2014, at 16:35, Alexander V. Chernikov <melifaro@FreeBSD.org> wrote:

> Hi,
>
> I'm going to merge projects/ipfw branch to HEAD in the middle of next week.
Merged in r272840.
>
> What has changed:
>
> Main user-visible changes are related to tables:
>
> * Tables are now identified by names, not numbers. There can be up to 65k tables with up to 63-byte long names.
> * Tables are now set-aware (default off), so you can switch/move them atomically with rules.
> * More functionality is supported (swap, lock, limits, user-level lookup, batched add/del) by generic table code.
> * New table types are added (flow) so you can match multiple packet fields at once.
> * Ability to add different types of lookup algorithms for a particular table type has been added.
> * New table algorithms are added (cidr:hash, iface:array, number:array and flow:hash) to make certain types of lookup more effective.
> * Table values are now capable of holding multiple data fields for different tablearg users
>
> Some examples (see ipfw(8) manual page for the description):
>
>   0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash valtype skipto,fib
>   0:02 [2] zfscurr0# ipfw table fl2 info
>   +++ table(fl2), set(0) +++
>    kindex: 0, type: flow:src-ip,proto,dst-port
>    valtype: number, references: 0
>    algorithm: flow:hash
>    items: 0, size: 280
>   0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000,12
>   0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000,13
>   0:02 [2] zfscurr0# ipfw table fl2 list
>   +++ table(fl2), set(0) +++
>   2a02:6b8::333,6,443 45000
>   10.0.0.92,6,80 22000
>   0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'
>
>   ipfw table mi_test create type cidr algo "cidr:hash masks=/30,/64"
>   ipfw table mi_test add 10.0.0.8/30
>   ipfw table mi_test add 2a02:6b8:b010::1/64 25
>
>   # ipfw table si add 1.1.1.1/32 1111 2.2.2.2/32 2222
>   added: 1.1.1.1/32 1111
>   added: 2.2.2.2/32 2222
>   # ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32 4444
>   exists: 2.2.2.2/32 2200
>   added: 4.4.4.4/32 4444
>   ipfw: Adding record failed: record already exists
>   ^^^^^ Returns error but keeps inserted items
>   # ipfw table si list
>   +++ table(si), set(0) +++
>   1.1.1.1/32 1111
>   2.2.2.2/32 2222
>   4.4.4.4/32 4444
>   # ipfw table si atomic add 3.3.3.3/32 3333 4.4.4.4/32 4400 5.5.5.5/32 5555
>   added(reverted): 3.3.3.3/32 3333
>   exists: 4.4.4.4/32 4400
>   ignored: 5.5.5.5/32 5555
>   ipfw: Adding record failed: record already exists
>   ^^^^^ Returns error and reverts added records
>
> Performance changes:
> * Main ipfw lock was converted to rmlock
> * Rule counters were separated from the rule itself and made per-cpu.
> * Radix table entries fit into 128 bytes
> * struct ip_fw is now more compact so more rules will fit into 64 bytes
> * interface tables use an array of existing ifindexes for faster match
>
> ABI changes:
> All functionality supported by old ipfw(8) remains functional. Old & new binaries can work together with the following restrictions:
> * Tables named other than ^\d+$ are shown as table(65535) in ruleset in old binaries
> * I'm a bit unsure about "lookup src-port|dst-port N" case, something may be broken here. Anyway, this can be fixed for MFC
>
> Internal changes:
> Changing table ids to numbers resulted in format modification for most sockopt codes.
> Old sopt format was compact, but very hard to extend (no versioning, inability to add more opcodes), so
> * All relevant opcodes were converted to TLV-based versioned IP_FW3-based codes.
> * The remaining opcodes were also converted to be able to eliminate all older opcodes at once
> * All IP_FW3 handlers use a special API instead of calling sooptcopy* directly to ease adding other communication methods
> * struct ip_fw is now different for kernel and userland
> * tablearg value has been changed to 0 to ease future extensions
> * table "values" are now indexes in a special value array which holds extended data for a given index
> * Batched add/delete has been added to tables code
> * Most changes have been done to permit batched rule addition.
> * interface tracking API has been added (started on demand) to permit effective interface tables operations
> * O(1) skipto cache, currently turned off by default at compile-time (eats 512K).
>
> * Several steps have been made towards making libipfw:
>  * most of new functions were separated into "parse/prepare/show and actually-do-stuff" pieces (already merged).
>  * there are separate functions for parsing text string into "struct ip_fw" and printing "struct ip_fw" to supplied buffer (already merged).
> * Probably some more less significant/forgotten features
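A pre-flight check for the batched `atomic add` shown in the quoted announcement, added here as an example and not part of the original mail or of ipfw itself: it validates a constructed batch of cidr records and assembles the single `ipfw table <name> atomic add` command, so a repeated key or a non-numeric value is caught before the kernel rejects (and reverts) the whole batch. The `build_atomic_add` function and the one-record-per-line input format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original mail): assemble one
# "ipfw table <name> atomic add" command from a batch of cidr records,
# rejecting the batch locally when the kernel would refuse it anyway.
# Assumed record format, one per line: "<addr>[/<prefix>] <number>".

build_atomic_add() {
    table="$1"
    records="$2"
    cmd="ipfw table $table atomic add"
    keys=""
    while read -r key val extra; do
        [ -z "$key" ] && continue            # skip blank lines
        if [ -n "$extra" ]; then             # exactly two fields per record
            echo "malformed record: $key $val $extra" >&2; return 1
        fi
        case "$val" in                       # valtype number: digits only
            ''|*[!0-9]*) echo "bad value for $key: '$val'" >&2; return 1 ;;
        esac
        case " $keys " in                    # a repeated key yields "exists"
            *" $key "*) echo "duplicate key in batch: $key" >&2; return 1 ;;
        esac
        keys="$keys $key"
        cmd="$cmd $key $val"
    done <<EOF
$records
EOF
    printf '%s\n' "$cmd"
}

# Constructed batch modelled on the records in the announcement.
batch="1.1.1.1/32 1111
2a02:6b8:b010::1/64 25
4.4.4.4/32 4444"

build_atomic_add si "$batch"
```

The printed line is the command to run; because it uses `atomic add`, either every record lands or none does.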