Date: Fri, 30 May 2014 17:00:00 GMT
From: "bycn82" <bycn82@gmail.com>
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/189720: [ipfw] [patch] pps action for ipfw
Message-ID: <201405301700.s4UH00sv031305@freefall.freebsd.org>
The following reply was made to PR kern/189720; it has been noted by GNATS. 
From: "bycn82" <bycn82@gmail.com>
To: <bug-followup@FreeBSD.org>, <bycn82@gmail.com>
Cc: "Luigi Rizzo" <rizzo@iet.unipi.it>
Subject: Re: kern/189720: [ipfw] [patch] pps action for ipfw
Date: Sat, 31 May 2014 00:53:56 +0800

1. Add static int to store the value of kern.hz
2. Convert the duration into number of ticks based on kern.hz

regards,
bycn82

------=_NextPart_000_0002_01CF7C6A.CF4B9B50
Content-Type: application/octet-stream; name="pps.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="pps.patch"

Index: sbin/ipfw/ipfw.8=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sbin/ipfw/ipfw.8 (revision 266886)=0A= +++ sbin/ipfw/ipfw.8 (working copy)=0A= 
@@ -602,6 +602,14 @@=0A= Note: logging is done after all other packet matching conditions=0A= have been successfully verified, and before performing the final=0A= action (accept, deny, etc.) on the packet.=0A= +.It Cm pps Ar limit duration=0A= +Rule with the =0A= +.Cm pps=0A= +keyword will allow the first=0A= +.Ar limit=0A= +packets in recent =0A= +.Ar duration =0A= +milliseconds=0A= .It Cm tag Ar number=0A= When a packet matches a rule with the=0A= .Cm tag=0A= Index: sbin/ipfw/ipfw2.c=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sbin/ipfw/ipfw2.c (revision 266886)=0A= +++ sbin/ipfw/ipfw2.c (working copy)=0A= @@ -244,6 +244,7 @@=0A= { "allow", TOK_ACCEPT },=0A= { "permit", TOK_ACCEPT },=0A= { "count", TOK_COUNT },=0A= + { "pps", TOK_PPS },=0A= { "pipe", TOK_PIPE },=0A= { "queue", TOK_QUEUE },=0A= { "divert", TOK_DIVERT },=0A= @@ -1232,6 +1233,13 @@=0A= PRINT_UINT_ARG("skipto ", cmd->arg1);=0A= break;=0A= =0A= + case O_PPS:=0A= + {=0A= + ipfw_insn_pps *pps=3D(ipfw_insn_pps *)cmd;=0A= + printf("pps %d %d",cmd->arg1,pps->duration);=0A= + break; =0A= + }=0A= +=0A= case O_PIPE:=0A= PRINT_UINT_ARG("pipe ", cmd->arg1);=0A= break;=0A= 
@@ -2985,6 +2993,24 @@=0A= case TOK_COUNT:=0A= action->opcode =3D O_COUNT;=0A= break;=0A= + =0A= + case TOK_PPS:=0A= + action->opcode =3D O_PPS;=0A= + ipfw_insn_pps *p =3D (ipfw_insn_pps *)action;=0A= + action->len =3D F_INSN_SIZE(ipfw_insn_pps);=0A= + if (isdigit(**av)) {=0A= + action->arg1 =3D strtoul(*av, NULL, 10);=0A= + av++;=0A= + }else{=0A= + errx(EX_USAGE, "illegal argument pps `limit` %s", *av);=0A= + }=0A= + if (isdigit(**av)) {=0A= + p->duration =3D strtoul(*av, NULL, 10);=0A= + av++;=0A= + }else{=0A= + errx(EX_USAGE,"illegal arugment pps `duration` %s", *av);=0A= + }=0A= + break; =0A= =0A= case TOK_NAT:=0A= action->opcode =3D O_NAT;=0A= Index: sbin/ipfw/ipfw2.h=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sbin/ipfw/ipfw2.h (revision 266886)=0A= +++ sbin/ipfw/ipfw2.h (working copy)=0A= @@ -92,6 +92,7 @@=0A= TOK_NGTEE,=0A= TOK_FORWARD,=0A= TOK_SKIPTO,=0A= + TOK_PPS,=0A= TOK_DENY,=0A= TOK_REJECT,=0A= TOK_RESET,=0A= Index: sys/netinet/ip_fw.h=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sys/netinet/ip_fw.h (revision 266886)=0A= +++ sys/netinet/ip_fw.h (working copy)=0A= @@ -165,6 +165,7 @@=0A= O_REJECT, /* arg1=3Dicmp arg (same as deny) */=0A= O_COUNT, /* none */=0A= O_SKIPTO, /* arg1=3Dnext rule number */=0A= + O_PPS, /* arg1=3Dlimit, pps->duration */=0A= O_PIPE, /* arg1=3Dpipe number */=0A= O_QUEUE, /* arg1=3Dqueue number */=0A= O_DIVERT, /* arg1=3Dport number */=0A= 
@@ -378,6 +379,16 @@=0A= } ipfw_insn_log;=0A= =0A= /*=0A= + * This is used for PPS=0A= + */=0A= +typedef struct _ipfw_insn_pps{=0A= + ipfw_insn o;=0A= + uint32_t start_time;=0A= + uint32_t count;=0A= + uint32_t duration;=0A= +} ipfw_insn_pps;=0A= +=0A= +/*=0A= * Data structures required by both ipfw(8) and ipfw(4) but not part of = the=0A= * management API are protected by IPFW_INTERNAL.=0A= */=0A= Index: sys/netpfil/ipfw/ip_fw2.c=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sys/netpfil/ipfw/ip_fw2.c (revision 266886)=0A= +++ sys/netpfil/ipfw/ip_fw2.c (working copy)=0A= @@ -124,6 +124,7 @@=0A= /* Use 128 tables by default */=0A= static unsigned int default_fw_tables =3D IPFW_TABLES_DEFAULT;=0A= =0A= +static unsigned int kern_hz=3D1000;=0A= /*=0A= * Each rule belongs to one of 32 different sets (0..31).=0A= * The variable set_disable contains one bit per set.=0A= @@ -186,6 +187,7 @@=0A= SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, static_count,=0A= CTLFLAG_RD, &VNET_NAME(layer3_chain.n_rules), 0,=0A= "Number of static rules");=0A= +TUNABLE_INT("kern.hz", (int *)&kern_hz);=0A= =0A= #ifdef INET6=0A= SYSCTL_DECL(_net_inet6_ip6);=0A= 
@@ -2189,6 +2191,31 @@=0A= continue;=0A= break; /* not reached */=0A= =0A= + case O_PPS:{=0A= + int duration_in_ticks;=0A= + ipfw_insn_pps *pps =3D (ipfw_insn_pps *)cmd;=0A= + if(1000/kern_hz >=3D pps->duration){=0A= + duration_in_ticks=3D1;=0A= + }else{=0A= + duration_in_ticks=3Dpps->duration*kern_hz/1000+1;=0A= + }=0A= + if(pps->start_time+duration_in_ticks>=3D ticks){=0A= + if(pps->count < cmd->arg1){=0A= + retval =3D IP_FW_PASS;=0A= + }else{=0A= + retval =3D IP_FW_DENY;=0A= + }=0A= + pps->count++;=0A= + }else{=0A= + pps->start_time=3Dticks;=0A= + pps->count=3D1;=0A= + retval =3D IP_FW_PASS;=0A= + }=0A= + l =3D 0; =0A= + done =3D 1;=0A= + break; =0A= + }=0A= +=0A= case O_CALLRETURN: {=0A= /*=0A= * Implementation of `subroutine' call/return,=0A= Index: sys/netpfil/ipfw/ip_fw_sockopt.c=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- sys/netpfil/ipfw/ip_fw_sockopt.c (revision 266886)=0A= +++ sys/netpfil/ipfw/ip_fw_sockopt.c (working copy)=0A= @@ -703,6 +703,12 @@=0A= goto bad_size;=0A= break;=0A= =0A= + case O_PPS:=0A= + have_action=3D1;=0A= + if (cmdlen !=3D F_INSN_SIZE(ipfw_insn_pps))=0A= + goto bad_size;=0A= + break;=0A= +=0A= case O_PIPE:=0A= case O_QUEUE:=0A= if (cmdlen !=3D F_INSN_SIZE(ipfw_insn))=0A= ------=_NextPart_000_0002_01CF7C6A.CF4B9B50--
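Review bot: The new ".It Cm pps Ar limit duration" entry in the sbin/ipfw/ipfw.8 hunk does not say what happens to a matching packet once limit has been reached in the window; the O_PPS case in ip_fw2.c returns IP_FW_DENY for it, so the manual should state that excess packets are dropped. The entry should also mention that duration is converted to whole ticks (so the effective window is coarser than one millisecond), and the sentence needs a closing period.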
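Review bot: In the O_PPS case added to the rule printer in sbin/ipfw/ipfw2.c (hunk @@ -1232), printf("pps %d %d",cmd->arg1,pps->duration) prints a uint32_t duration with %d, so values above INT_MAX are shown as negative numbers. Both fields are unsigned; use %u for each.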
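Review bot: In the TOK_PPS case in sbin/ipfw/ipfw2.c (hunk @@ -2985), both isdigit(**av) tests dereference *av without first checking that an argument is present, so a rule that ends at "pps" or after the limit does not reach errx() cleanly; the else branches also pass *av to %s. Check *av before each test. strtoul(*av, NULL, 10) additionally accepts trailing garbage such as "10abc" and its result is stored unchecked: pass an end pointer, reject a non-empty remainder, and range-check limit against the width of arg1 and duration against uint32_t. The second error message misspells "argument" as "arugment".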
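Review bot: The ipfw_insn_pps struct added in sys/netinet/ip_fw.h (hunk @@ -378) puts per-rule runtime state (start_time, count) next to configuration (duration) in the instruction that userland builds, and the TOK_PPS parser in ipfw2.c never assigns start_time or count. Zero both fields explicitly when the rule is built or installed rather than relying on the buffer contents, and expand the comment, which currently reads only "This is used for PPS", to say what each member holds and in which unit (duration in milliseconds, start_time in ticks).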
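Review bot: TUNABLE_INT("kern.hz", (int *)&kern_hz) in sys/netpfil/ipfw/ip_fw2.c (hunk @@ -186, with the declaration in hunk @@ -124) fills a private copy that defaults to 1000, so when kern.hz is not set in the loader kern_hz stays at 1000 whatever tick rate the kernel is actually running at, and the millisecond conversion in O_PPS is off by that ratio. The kernel already exports the effective rate as the global hz; using it removes the second variable, the unsigned int to int cast, and the possibility of a tunable value of 0 reaching the 1000/kern_hz division.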
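Review bot: In the O_PPS case in sys/netpfil/ipfw/ip_fw2.c (hunk @@ -2189), the window test pps->start_time+duration_in_ticks >= ticks compares absolute tick values, so it gives the wrong answer when ticks wraps or when the sum overflows uint32_t; compare elapsed time instead, for example (uint32_t)ticks - pps->start_time <= duration_in_ticks. pps->duration*kern_hz/1000 is 32-bit arithmetic and overflows for large durations, so widen it to 64 bits or bound duration when the rule is installed. start_time and count are also updated with no lock or atomic operation visible in this hunk, which needs justifying if the same rule can be evaluated on several CPUs at once.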
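Review bot: The O_PPS case added to sys/netpfil/ipfw/ip_fw_sockopt.c (hunk @@ -703) checks only cmdlen, so a rule with arg1 of 0 or duration of 0 is accepted. Because the O_PPS code in ip_fw2.c passes the first packet of every new window unconditionally (pps->count=1; retval = IP_FW_PASS), a limit of 0 still lets one packet through per window; either reject arg1 == 0 and duration == 0 here or define and document what they mean.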