Date: Sun, 15 May 2005 05:30:10 GMT From: Robert Watson <rwatson@FreeBSD.org> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/80642: IPFW small patch - new RULE OPTION Message-ID: <200505150530.j4F5UAIs044020@freefall.freebsd.org>
The following reply was made to PR kern/80642; it has been noted by GNATS.
From: Robert Watson <rwatson@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:
Subject: Re: kern/80642: IPFW small patch - new RULE OPTION
Date: Sun, 15 May 2005 06:30:20 +0100 (BST)
This patch breaks the ABI by inserting a new type into an implicitly
numbered enumeration, renumbering all entries later in the enum.
O_BOUND, if added, should be appended to the end, and/or we should number
the operations explicitly.
Robert N M Watson
On Thu, 5 May 2005, Andrey V. Elsukov wrote:
>
>> Number: 80642
>> Category: kern
>> Synopsis: IPFW small patch - new RULE OPTION
>> Confidential: no
>> Severity: non-critical
>> Priority: low
>> Responsible: freebsd-bugs
>> State: open
>> Quarter:
>> Keywords:
>> Date-Required:
>> Class: change-request
>> Submitter-Id: current-users
>> Arrival-Date: Thu May 05 06:10:02 GMT 2005
>> Closed-Date:
>> Last-Modified:
>> Originator: Andrey V. Elsukov
>> Release: FreeBSD 5.4-STABLE i386
>> Organization:
>> Environment:
> RELENG_5
>> Description:
> This is a small patch for IPFW.
> The patch adds a new rule option - bound value. Rules with this option match while the rule's byte counter is below the specified bound value. Example:
>
> ipfw add 100 allow ip from any to A.B.C.D in recv Ext_Interface bound 1000000
> ipfw add 200 deny ip from any to A.B.C.D
>
> While the byte counter is below 1000000, rule 100 matches.
>> How-To-Repeat:
>> Fix:
>
>
> --- ipfw_bound.diff begins here ---
> --- sys/netinet/ip_fw.h.orig Tue Feb 1 02:26:35 2005
> +++ sys/netinet/ip_fw.h Tue May 3 22:38:07 2005
> @@ -78,6 +78,7 @@
> O_RECV, /* none */
> O_XMIT, /* none */
> O_VIA, /* none */
> + O_BOUND, /* u64 = bound in bytes */
>
> O_IPOPT, /* arg1 = 2*u8 bitmap */
> O_IPLEN, /* arg1 = len */
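Review bot: inserting `O_BOUND` between `O_VIA` and `O_IPOPT` in this implicitly numbered enum shifts the value of `O_IPOPT`, `O_IPLEN` and every opcode after them, so a rule encoded by an ipfw(8) built against the old header is dispatched by a patched kernel under the wrong opcode (and a rule from a patched ipfw(8) is misread by an unpatched kernel). Append `O_BOUND` after the last existing opcode instead, or give the enumeration explicit values, so installed binaries and rule sets keep their meaning.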
> @@ -198,6 +199,14 @@
> ipfw_insn o;
> u_int32_t d[1]; /* one or more */
> } ipfw_insn_u32;
> +
> +/*
> + * This is used to store 64-bit bound value.
> + */
> +typedef struct _ipfw_insn_u64 {
> + ipfw_insn o;
> + u_int64_t bound;
> +} ipfw_insn_u64;
>
> /*
> * This is used to store IP addr-mask pairs.
>
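Review bot: `ipfw_insn_u64` puts a `u_int64_t` directly after the 4-byte `ipfw_insn` header, so `sizeof` differs between i386 (no padding) and platforms that align 64-bit members to 8 bytes (4 bytes of padding), and since instructions are packed at 32-bit granularity like `ipfw_insn_u32` just above, `bound` can land on an address that is not 8-byte aligned. Storing the value as two `u_int32_t` halves (for example `u_int32_t d[2]`, reassembled when read) keeps the on-the-wire instruction layout identical on every architecture. The comment should also read "a 64-bit bound value".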
> --- sys/netinet/ip_fw2.c.orig Sun Feb 6 19:16:20 2005
> +++ sys/netinet/ip_fw2.c Tue May 3 22:22:04 2005
> @@ -2294,6 +2294,9 @@
> /* otherwise no match */
> break;
>
> + case O_BOUND:
> + match = (f->bcnt < ((ipfw_insn_u64 *)cmd)->bound);
> + break;
> /*
> * The second set of opcodes represents 'actions',
> * i.e. the terminal part of a rule once the packet
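Review bot: the new `case O_BOUND:` lands directly above the block comment that opens the 'actions' section, with no blank line between `break;` and `/*`, so the comment no longer visibly separates the two opcode groups; add the blank line after the new `break;`. Also, if `f->bcnt` is only updated after the match decision (as its role as a per-rule byte counter suggests), the last matching packet can carry the counter past `bound` by up to one packet length; if that is acceptable, state it in the manual page.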
> @@ -2939,6 +2942,11 @@
> if (cmdlen != F_INSN_SIZE(ipfw_insn_u32))
> goto bad_size;
> break;
> +
> + case O_BOUND:
> + if (cmdlen != F_INSN_SIZE(ipfw_insn_u64))
> + goto bad_size;
> + break;
>
> case O_LIMIT:
> if (cmdlen != F_INSN_SIZE(ipfw_insn_limit))
>
> --- sbin/ipfw/ipfw2.c.orig Tue Jan 25 10:23:34 2005
> +++ sbin/ipfw/ipfw2.c Tue May 3 22:56:41 2005
> @@ -236,6 +236,7 @@
> TOK_ANTISPOOF,
> TOK_IPSEC,
> TOK_COMMENT,
> + TOK_BOUND,
>
> TOK_PLR,
> TOK_NOERROR,
> @@ -351,6 +352,7 @@
> { "antispoof", TOK_ANTISPOOF },
> { "ipsec", TOK_IPSEC },
> { "//", TOK_COMMENT },
> + { "bound", TOK_BOUND },
>
> { "not", TOK_NOT }, /* pseudo option */
> { "!", /* escape ? */ TOK_NOT }, /* pseudo option */
> @@ -1198,6 +1200,9 @@
>
> break;
> }
> + case O_BOUND:
> + printf(" bound %u", ((ipfw_insn_u64 *)cmd)->bound);
> + break;
> case O_IPID:
> if (F_LEN(cmd) == 1)
> printf(" ipid %u", cmd->arg1 );
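Review bot: `printf(" bound %u", ((ipfw_insn_u64 *)cmd)->bound)` passes a `u_int64_t` to a `%u` conversion, which is undefined behaviour; on i386 it prints only the low 32 bits of the bound and leaves the high word to be consumed as the next argument, so `ipfw list` would show a wrong value for any bound of 4 GiB or more. Cast to `uintmax_t` and print with `%ju` (or to `unsigned long long` with `%llu`).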
> @@ -1917,7 +1922,7 @@
> " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n"
> " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n"
> " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n"
> -" verrevpath | versrcreach | antispoof\n"
> +" bound VALUE | verrevpath | versrcreach | antispoof\n"
> );
> exit(0);
> }
> @@ -3220,6 +3225,14 @@
> cmd->opcode = O_RECV;
> else if (i == TOK_VIA)
> cmd->opcode = O_VIA;
> + break;
> +
> + case TOK_BOUND:
> + NEED1("bound requires numeric value");
> + cmd->opcode = O_BOUND;
> + ((ipfw_insn_u64 *)cmd)->bound = strtoull(*av, NULL, 0);
> + cmd->len |= F_INSN_SIZE(ipfw_insn_u64);
> + ac--; av++;
> break;
>
> case TOK_ICMPTYPES:
>
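Review bot: `strtoull(*av, NULL, 0)` does no error checking, so `bound abc` silently becomes a bound of 0 (a rule that never matches, since `bcnt < 0` is always false) and an out-of-range value saturates to `ULLONG_MAX` without complaint. Pass an end pointer, check that the whole argument was consumed and that `errno` is clear, and report a bad value with a diagnostic rather than installing the rule.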
> --- sbin/ipfw/ipfw.8.orig Wed Mar 2 22:50:11 2005
> +++ sbin/ipfw/ipfw.8 Wed May 4 19:23:13 2005
> @@ -920,6 +920,8 @@
> .It Cm bridged
> Alias for
> .Cm layer2 .
> +.It Cm bound Ar value
> +Matches while bytes counter below bound value.
> .It Cm dst-ip Ar ip-address
> Matches IP packets whose destination IP is one of the address(es)
> specified as argument.
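Review bot: "Matches while bytes counter below bound value." is missing its articles and verb and does not say which counter is meant; suggest "Matches while the rule's own byte counter is below Ar value (in bytes)." Since a rule stops matching for good once its counter reaches the bound, the entry should also say whether and how the counter can be reset.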
> --- ipfw_bound.diff ends here ---
>
>
>> Release-Note:
>> Audit-Trail:
>> Unformatted:
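To make the ABI point in the reply above concrete, here is an added C illustration (not code from the PR or from FreeBSD; the enums are a constructed five-opcode subset with the values an implicit enum assigns, and `insn_t` is a stand-in for `ipfw_insn`). A rule encoded by an ipfw(8) binary built against the old header is dispatched by a kernel built with the patch's renumbered enum as a different opcode, while explicit numbering with `O_BOUND` appended leaves every pre-existing value intact.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the 32-bit ipfw instruction header (constructed for this
 * example; same field order as ipfw_insn: opcode, len, arg1). */
typedef struct {
    uint8_t  opcode;
    uint8_t  len;
    uint16_t arg1;
} insn_t;

/* Pre-patch numbering (constructed subset, values as an implicit enum assigns them). */
enum old_opcode { OLD_O_RECV, OLD_O_XMIT, OLD_O_VIA, OLD_O_IPOPT, OLD_O_IPLEN, OLD_O_COUNT };

/* Patch as posted: O_BOUND inserted after O_VIA shifts every later value by one. */
enum new_opcode { NEW_O_RECV, NEW_O_XMIT, NEW_O_VIA, NEW_O_BOUND, NEW_O_IPOPT, NEW_O_IPLEN, NEW_O_COUNT };

/* Review suggestion: explicit values, new opcode appended; old values unchanged. */
enum fixed_opcode {
    FIX_O_RECV = 0, FIX_O_XMIT = 1, FIX_O_VIA = 2,
    FIX_O_IPOPT = 3, FIX_O_IPLEN = 4, FIX_O_BOUND = 5, FIX_O_COUNT
};

/* An ipfw(8) built against the old header encodes "ipopt" with the old value. */
insn_t old_userland_encode_ipopt(void) {
    insn_t i = { .opcode = OLD_O_IPOPT, .len = 1, .arg1 = 0 };
    return i;
}

/* How a kernel built with the renumbered enum dispatches on an opcode. */
const char *new_kernel_interprets(uint8_t opcode) {
    switch (opcode) {
    case NEW_O_RECV:  return "recv";
    case NEW_O_XMIT:  return "xmit";
    case NEW_O_VIA:   return "via";
    case NEW_O_BOUND: return "bound";   /* would then read the following word as part of a u64 bound */
    case NEW_O_IPOPT: return "ipopt";
    case NEW_O_IPLEN: return "iplen";
    default:          return "unknown";
    }
}

/* Same dispatch for a kernel built with the explicitly numbered enum. */
const char *fixed_kernel_interprets(uint8_t opcode) {
    switch (opcode) {
    case FIX_O_RECV:  return "recv";
    case FIX_O_XMIT:  return "xmit";
    case FIX_O_VIA:   return "via";
    case FIX_O_IPOPT: return "ipopt";
    case FIX_O_IPLEN: return "iplen";
    case FIX_O_BOUND: return "bound";
    default:          return "unknown";
    }
}

/* Number of pre-existing opcodes whose numeric value changed when O_BOUND is inserted mid-enum. */
int renumbered_by_insert(void) {
    int old_vals[] = { OLD_O_RECV, OLD_O_XMIT, OLD_O_VIA, OLD_O_IPOPT, OLD_O_IPLEN };
    int new_vals[] = { NEW_O_RECV, NEW_O_XMIT, NEW_O_VIA, NEW_O_IPOPT, NEW_O_IPLEN };
    int changed = 0;
    for (int k = 0; k < OLD_O_COUNT; k++)
        if (old_vals[k] != new_vals[k]) changed++;
    return changed;
}

/* Same count when O_BOUND is appended with explicit numbering. */
int renumbered_by_append(void) {
    int old_vals[] = { OLD_O_RECV, OLD_O_XMIT, OLD_O_VIA, OLD_O_IPOPT, OLD_O_IPLEN };
    int fix_vals[] = { FIX_O_RECV, FIX_O_XMIT, FIX_O_VIA, FIX_O_IPOPT, FIX_O_IPLEN };
    int changed = 0;
    for (int k = 0; k < OLD_O_COUNT; k++)
        if (old_vals[k] != fix_vals[k]) changed++;
    return changed;
}

int main(void) {
    insn_t rule = old_userland_encode_ipopt();
    printf("old ipfw(8) sends opcode %u meaning \"ipopt\"\n", rule.opcode);
    printf("renumbered kernel sees: %s (%d opcodes renumbered)\n",
           new_kernel_interprets(rule.opcode), renumbered_by_insert());
    printf("explicit/appended kernel sees: %s (%d opcodes renumbered)\n",
           fixed_kernel_interprets(rule.opcode), renumbered_by_append());
    return 0;
}
```

The mismatch is symmetric: an ipfw(8) built with the renumbered header would likewise send opcodes an unpatched kernel reads as the wrong instruction, which is why the reply asks for `O_BOUND` at the end of the enum or explicit values.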
