From: bycn82
Date: Sun, 05 Oct 2014 22:43:03 +0800
To: "Alexander V. Chernikov", "freebsd-net@freebsd.org", freebsd-ipfw, freebsd-current@freebsd.org
Cc: Luigi Rizzo
Subject: Re: HEADS UP: Merging projects/ipfw to HEAD
Message-ID: <543158F7.2070505@gmail.com>
In-Reply-To: <542FE9A7.9090208@FreeBSD.org>
References: <542FE9A7.9090208@FreeBSD.org>

On 10/4/14 20:35, Alexander V. Chernikov wrote:
> Hi,
>
> I'm going to merge projects/ipfw branch to HEAD in the middle of next week.
>
> What has changed:
>
> Main user-visible changes are related to tables:
>
> * Tables are now identified by names, not numbers. There can be up to 65k tables with up to 63-byte long names.
> * Tables are now set-aware (default off), so you can switch/move them atomically with rules.
> * More functionality is supported (swap, lock, limits, user-level lookup, batched add/del) by generic table code.
> * New table types are added (flow) so you can match multiple packet fields at once.
> * Ability to add different types of lookup algorithms for a particular table type has been added.
> * New table algorithms are added (cidr:hash, iface:array, number:array and flow:hash) to make certain types of lookup more effective.
> * Table values are now capable of holding multiple data fields for different tablearg users
>
> Some examples (see ipfw(8) manual page for the description):
>
> 0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash valtype skipto,fib
> 0:02 [2] zfscurr0# ipfw table fl2 info
> +++ table(fl2), set(0) +++
>  kindex: 0, type: flow:src-ip,proto,dst-port
>  valtype: number, references: 0
>  algorithm: flow:hash
>  items: 0, size: 280
> 0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000,12
> 0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000,13
> 0:02 [2] zfscurr0# ipfw table fl2 list
> +++ table(fl2), set(0) +++
> 2a02:6b8::333,6,443 45000
> 10.0.0.92,6,80 22000
> 0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'
>
> ipfw table mi_test create type cidr algo "cidr:hash masks=/30,/64"
> ipfw table mi_test add 10.0.0.8/30
> ipfw table mi_test add 2a02:6b8:b010::1/64 25
>
> # ipfw table si add 1.1.1.1/32 1111 2.2.2.2/32 2222
> added: 1.1.1.1/32 1111
> added: 2.2.2.2/32 2222
> # ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32 4444
> exists: 2.2.2.2/32 2200
> added: 4.4.4.4/32 4444
> ipfw: Adding record failed: record already exists
> ^^^^^ Returns error but keeps inserted items
> # ipfw table si list
> +++ table(si), set(0) +++
> 1.1.1.1/32 1111
> 2.2.2.2/32 2222
> 4.4.4.4/32 4444
> # ipfw table si atomic add 3.3.3.3/32 3333 4.4.4.4/32 4400 5.5.5.5/32 5555
> added(reverted): 3.3.3.3/32 3333
> exists: 4.4.4.4/32 4400
> ignored: 5.5.5.5/32 5555
> ipfw: Adding record failed: record already exists
> ^^^^^ Returns error and reverts added records
>
> Performance changes:
> * Main ipfw lock was converted to rmlock
> * Rule counters were separated from the rule itself and made per-cpu.
> * Radix table entries fit into 128 bytes
> * struct ip_fw is now more compact so more rules will fit into 64 bytes
> * interface tables use an array of existing ifindexes for faster match
>
> ABI changes:
> All functionality supported by old ipfw(8) remains functional. Old & new binaries can work together with the following restrictions:
> * Tables named other than ^\d+$ are shown as table(65535) in the ruleset in old binaries
> * I'm a bit unsure about the "lookup src-port|dst-port N" case, something may be broken here. Anyway, this can be fixed for MFC
>
> Internal changes:
> Changing table ids to numbers resulted in format modification for most sockopt codes.
> Old sopt format was compact, but very hard to extend (no versioning, inability to add more opcodes), so
> * All relevant opcodes were converted to TLV-based versioned IP_FW3-based codes.
> * The remaining opcodes were also converted to be able to eliminate all older opcodes at once
> * All IP_FW3 handlers use a special API instead of calling sooptcopy* directly to ease adding other communication methods
> * struct ip_fw is now different for kernel and userland
> * tablearg value has been changed to 0 to ease future extensions
> * table "values" are now indexes in a special value array which holds extended data for the given index
> * Batched add/delete has been added to tables code
> * Most changes have been done to permit batched rule addition.
> * interface tracking API has been added (started on demand) to permit effective interface tables operations
> * O(1) skipto cache, currently turned off by default at compile-time (eats 512K).
>
> * Several steps have been made towards making libipfw:
>  * most of the new functions were separated into "parse/prepare/show and actually-do-stuff" pieces (already merged).
>  * there are separate functions for parsing a text string into "struct ip_fw" and printing "struct ip_fw" to a supplied buffer (already merged).
> * Probably some more less significant/forgotten features
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

Hi,

Good job, waiting for your code :)

Regards,
Bycn82
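The `si` transcript quoted above makes a point that matters to anyone pushing blocklists or policy entries into ipfw tables from a script: a plain batched `add` reports an error yet leaves the records it did manage to insert in the table, while `atomic add` reverts its own inserts, so a non-zero exit status alone does not tell you what state the table is in. The following is an added example for this thread, not code from the projects/ipfw branch or from FreeBSD. It builds the batched `ipfw table NAME [atomic] add` command line in the form shown in the announcement, parses the per-record result lines (`added:`, `exists:`, `added(reverted):`, `ignored:`) and the `ipfw table NAME list` output to decide whether a batch landed fully, partially or not at all, and then compares the listing against what was intended. The sample transcripts are copied from the mail and embedded so the script runs offline; that a given ipfw build prints exactly these strings, and writes the final `ipfw:` error to stderr, are assumptions to verify on your own system.

```python
"""Drive ipfw(8) named tables from automation without trusting the exit status alone.

Added example for this thread, not part of projects/ipfw or FreeBSD. The output
formats below are taken from the transcript in the announcement; matching them
on a real system is an assumption to verify (see the lead-in).
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Record = Tuple[str, Optional[str]]  # (key, value); the value is optional

# Constructed sample transcripts, copied from the mail, for an offline demo.
SAMPLE_NONATOMIC_ADD = (
    "exists: 2.2.2.2/32 2200\n"
    "added: 4.4.4.4/32 4444\n"
    "ipfw: Adding record failed: record already exists\n"
)
SAMPLE_ATOMIC_ADD = (
    "added(reverted): 3.3.3.3/32 3333\n"
    "exists: 4.4.4.4/32 4400\n"
    "ignored: 5.5.5.5/32 5555\n"
    "ipfw: Adding record failed: record already exists\n"
)
SAMPLE_LIST = (
    "+++ table(si), set(0) +++\n"
    "1.1.1.1/32 1111\n"
    "2.2.2.2/32 2222\n"
    "4.4.4.4/32 4444\n"
)

# Longest alternative first so "added(reverted)" is not read as "added".
_ADD_LINE = re.compile(r"^(added\(reverted\)|added|exists|ignored):\s+(\S+)(?:\s+(\S+))?\s*$")
_LIST_HEADER = re.compile(r"^\+\+\+ table\(([^)]+)\), set\((\d+)\) \+\+\+$")
_ERROR_LINE = re.compile(r"^ipfw:\s+(.*)$")


@dataclass
class AddResult:
    added: List[Record] = field(default_factory=list)      # persisted
    reverted: List[Record] = field(default_factory=list)   # inserted, then rolled back (atomic)
    exists: List[Record] = field(default_factory=list)     # rejected: key already present
    ignored: List[Record] = field(default_factory=list)    # never attempted (atomic stops at first error)
    error: Optional[str] = None

    def outcome(self) -> str:
        """'applied': no error; 'partial': error but some records stayed in the
        table (non-atomic add); 'none': error and nothing persisted (atomic add)."""
        if self.error is None:
            return "applied"
        return "partial" if self.added else "none"


def build_add_cmd(table: str, records: List[Record], atomic: bool = True) -> List[str]:
    """argv for `ipfw table TABLE [atomic] add KEY [VALUE] ...`, one batch."""
    argv = ["ipfw", "table", table] + (["atomic"] if atomic else []) + ["add"]
    for key, value in records:
        argv.append(key)
        if value is not None:
            argv.append(value)
    return argv


def parse_add_output(text: str) -> AddResult:
    """Bucket each per-record line by its outcome and keep the trailing error."""
    result = AddResult()
    for line in text.splitlines():
        m = _ADD_LINE.match(line)
        if m:
            status, key, value = m.groups()
            bucket = "reverted" if status == "added(reverted)" else status
            getattr(result, bucket).append((key, value))
            continue
        e = _ERROR_LINE.match(line)
        if e:
            result.error = e.group(1)
    return result


def parse_table_list(text: str) -> Tuple[str, int, List[Record]]:
    """Parse `ipfw table TABLE list` into (name, set number, [(key, value)])."""
    name, setnum = "", 0
    entries: List[Record] = []
    for line in text.splitlines():
        h = _LIST_HEADER.match(line)
        if h:
            name, setnum = h.group(1), int(h.group(2))
            continue
        parts = line.split()
        if parts:
            entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return name, setnum, entries


def missing_records(listing: List[Record], expected: List[Record]) -> List[Record]:
    """Intended records that the table listing does not show (order preserved)."""
    present = set(listing)
    return [r for r in expected if r not in present]


def _live_runner(argv: List[str]) -> str:
    # stderr is merged so the "ipfw: ..." line reaches the parser (assumption: ipfw writes it there).
    return subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True).stdout


def run_add(table: str, records: List[Record], atomic: bool = True,
            runner: Callable[[List[str]], str] = _live_runner) -> AddResult:
    """Build, run and parse one batched add; pass a fake runner for dry runs/tests."""
    return parse_add_output(runner(build_add_cmd(table, records, atomic)))


if __name__ == "__main__":
    for label, sample in (("non-atomic", SAMPLE_NONATOMIC_ADD), ("atomic", SAMPLE_ATOMIC_ADD)):
        res = parse_add_output(sample)
        print(f"{label}: outcome={res.outcome()} added={res.added} reverted={res.reverted}")
    name, setnum, entries = parse_table_list(SAMPLE_LIST)
    print(f"table {name} set {setnum}: {entries}")
    print("missing:", missing_records(entries, [("3.3.3.3/32", "3333")]))
```

In a deployment script, treat `partial` as the dangerous case: the table now holds a subset of the intended entries, so either fall back to `atomic add` for the whole batch or re-list the table and reconcile before any rule that consults it goes live.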