Date:      Tue, 21 Jun 2011 13:14:27 +0200
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        Vadim Goncharov <vadim_nuclight@mail.ru>
Cc:        freebsd-ipfw@freebsd.org, freebsd-current@freebsd.org
Subject:   Re: [PATCH] ipfw call/return rule actions
Message-ID:  <20110621111427.GA24786@onelab2.iet.unipi.it>
In-Reply-To: <slrnj00s7g.2ki3.vadim_nuclight@kernblitz.nuclight.avtf.net>
References:  <slrnj00s7g.2ki3.vadim_nuclight@kernblitz.nuclight.avtf.net>

On Tue, Jun 21, 2011 at 10:22:40AM +0000, Vadim Goncharov wrote:
> Hi,
> 
> I have made a patch http://nuclight.avtf.net/vadim/ipfw_call_20110620.diff
> which adds "call" and "return" rule actions to make it possible to
> organize "subroutines" with rules - "skipto" is like "goto" and only
> allows jumps forward, not backward.
> 
> This could be useful to help doing somewhat like per-interface ACL,
> something similar to pf anchors or iptables chains.
> 
> Please test, hope to see this committed soon and released in 9.0 !

nice function and nice implementation.
It does not affect any existing ruleset etc. so it should really
be an easy addition, even if we don't make it for 9.0 there are
no ABI issues to be worried about.

By chance have you tried to measure the cost of a call/return pair?

cheers
luigi

> Sample ipfw list:
> 
> 00500 call 2000 ip from 10.0.0.5 to any
> 00600 count log ip from 10.0.0.5 to any
> 00999 allow ip from any to any
> 02000 count ip from any to any // entry of subr
> 02100 count log ip from any to any
> 02999 return log ip from any to any // leave subr
> 03600 count log ip from 10.0.0.5 to any
> 65534 allow ip from any to any
> 65535 deny ip from any to any
> 
> Here after 2999 packet continues from 501, next number after "call".
> 
> Or this could be used to reduce number of rules when previously one
> did many skipto's for each direction/interface and had to repeat the same rules
> again and again, e.g.:
> 
> add 100 call 5000 all from any to any in recv em0
> add 110 deny all from table(10) to any in recv em0
> add 200 call 5000 all from any to any in recv em1
> add 210 deny all from table(20) in recv em1
> ...
> add 5000 deny log all from any to any not antispoof
> add 5010 deny tcp from any to any 135,139,445
> add 5020 deny udp from any to any 137,138
> add 5030 allow tcp from any to any established
> ...
> add 5999 return // end of common block
> 
> -- 
> WBR, Vadim Goncharov. ICQ#166852181       mailto:vadim_nuclight@mail.ru
> [Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
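The traversal described in the quoted "Sample ipfw list" and the per-interface common-block pattern, as an added Python model that is not part of the thread or of the patch: it assumes the semantics stated in the mail (call saves the number after the calling rule, return resumes at the first rule with that number or higher, skipto only jumps forward); how a return with no pending call behaves is a constructed choice, not taken from the patch.

```python
import bisect

# Constructed ruleset mirroring the sample list in the mail:
# (rule number, action, jump target, source filter or None for "any")
RULESET = [
    (500,   "call",   2000, "10.0.0.5"),
    (600,   "count",  None, "10.0.0.5"),
    (999,   "allow",  None, None),
    (2000,  "count",  None, None),   # entry of subroutine
    (2100,  "count",  None, None),
    (2999,  "return", None, None),   # leave subroutine
    (3600,  "count",  None, "10.0.0.5"),
    (65534, "allow",  None, None),
    (65535, "deny",   None, None),
]


def evaluate(rules, src_ip, max_steps=1000):
    """Walk the ruleset for a packet from src_ip.

    Returns (verdict, rule numbers that matched, in order).
    max_steps bounds the walk so a backward call cannot loop forever.
    """
    nums = [r[0] for r in rules]          # sorted rule numbers for jumps
    idx, stack, matched = 0, [], []
    for _ in range(max_steps):
        if idx >= len(rules):
            return ("deny", matched)      # fell off the end: default deny
        num, action, target, src = rules[idx]
        if src is not None and src != src_ip:
            idx += 1                      # rule body does not match
            continue
        matched.append(num)
        if action in ("allow", "deny"):
            return (action, matched)
        if action == "count":
            idx += 1                      # count falls through
        elif action == "skipto":
            if target <= num:
                raise ValueError("skipto may only jump forward")
            idx = bisect.bisect_left(nums, target)   # first rule >= target
        elif action == "call":
            stack.append(num + 1)         # resume at next number after the call
            idx = bisect.bisect_left(nums, target)
        elif action == "return":
            if not stack:                 # constructed choice: no caller => deny
                return ("deny", matched)
            idx = bisect.bisect_left(nums, stack.pop())
        else:
            raise ValueError("unknown action %r" % action)
    raise RuntimeError("rule walk exceeded max_steps (loop?)")
```

For a packet from 10.0.0.5 the walk is 500, 2000, 2100, 2999, then 600 and 999, exactly the "continues from 501" behaviour the mail describes; other sources hit only 999.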
