From owner-freebsd-bugs@FreeBSD.ORG Sun May 15 05:30:10 2005
Date: Sun, 15 May 2005 05:30:10 GMT
Message-Id: <200505150530.j4F5UAIs044020@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Robert Watson
Subject: Re: kern/80642: IPFW small patch - new RULE OPTION

The following reply was made to PR kern/80642; it has been noted by GNATS.
From: Robert Watson To: FreeBSD-gnats-submit@FreeBSD.org Cc: Subject: Re: kern/80642: IPFW small patch - new RULE OPTION Date: Sun, 15 May 2005 06:30:20 +0100 (BST) This patch breaks the ABI by inserting a new type into an implicitly numbered enumeration, renumbering all entries later in the enum. O_BOUND, if added, should be appended to the end, and/or we should number the operations explicitly. Robert N M Watson On Thu, 5 May 2005, Andrey V. Elsukov wrote: > >> Number: 80642 >> Category: kern >> Synopsis: IPFW small patch - new RULE OPTION >> Confidential: no >> Severity: non-critical >> Priority: low >> Responsible: freebsd-bugs >> State: open >> Quarter: >> Keywords: >> Date-Required: >> Class: change-request >> Submitter-Id: current-users >> Arrival-Date: Thu May 05 06:10:02 GMT 2005 >> Closed-Date: >> Last-Modified: >> Originator: Andrey V. Elsukov >> Release: FreeBSD 5.4-STABLE i386 >> Organization: >> Environment: > RELENG_5 >> Description: > This is small patch for IPFW. > Patch add new rule option - bound value. Rules with this option match while rule bytes counter below specified bound value. Example: > > ipfw add 100 allow ip from any to A.B.C.D in recv Ext_Interface bound 1000000 > ipfw add 200 deny ip from any to A.B.C.D > > While bytes counter below that 1000000, then rule 100 matchs. >> How-To-Repeat: >> Fix: > > > --- ipfw_bound.diff begins here --- > --- sys/netinet/ip_fw.h.orig Tue Feb 1 02:26:35 2005 > +++ sys/netinet/ip_fw.h Tue May 3 22:38:07 2005 > @@ -78,6 +78,7 @@ > O_RECV, /* none */ > O_XMIT, /* none */ > O_VIA, /* none */ > + O_BOUND, /* u64 = bound in bytes */ > > O_IPOPT, /* arg1 = 2*u8 bitmap */ > O_IPLEN, /* arg1 = len */ 
> @@ -198,6 +199,14 @@ > ipfw_insn o; > u_int32_t d[1]; /* one or more */ > } ipfw_insn_u32; > + > +/* > + * This is used to store 64-bit bound value. > + */ > +typedef struct _ipfw_insn_u64 { > + ipfw_insn o; > + u_int64_t bound; > +} ipfw_insn_u64; > > /* > * This is used to store IP addr-mask pairs. > > --- sys/netinet/ip_fw2.c.orig Sun Feb 6 19:16:20 2005 > +++ sys/netinet/ip_fw2.c Tue May 3 22:22:04 2005 > @@ -2294,6 +2294,9 @@ > /* otherwise no match */ > break; > > + case O_BOUND: > + match = (f->bcnt < ((ipfw_insn_u64 *)cmd)->bound); > + break; > /* > * The second set of opcodes represents 'actions', > * i.e. the terminal part of a rule once the packet > @@ -2939,6 +2942,11 @@ > if (cmdlen != F_INSN_SIZE(ipfw_insn_u32)) > goto bad_size; > break; > + > + case O_BOUND: > + if (cmdlen != F_INSN_SIZE(ipfw_insn_u64)) > + goto bad_size; > + break; > > case O_LIMIT: > if (cmdlen != F_INSN_SIZE(ipfw_insn_limit)) > > --- sbin/ipfw/ipfw2.c.orig Tue Jan 25 10:23:34 2005 > +++ sbin/ipfw/ipfw2.c Tue May 3 22:56:41 2005 > @@ -236,6 +236,7 @@ > TOK_ANTISPOOF, > TOK_IPSEC, > TOK_COMMENT, > + TOK_BOUND, > > TOK_PLR, > TOK_NOERROR, > @@ -351,6 +352,7 @@ > { "antispoof", TOK_ANTISPOOF }, > { "ipsec", TOK_IPSEC }, > { "//", TOK_COMMENT }, > + { "bound", TOK_BOUND }, > > { "not", TOK_NOT }, /* pseudo option */ > { "!", /* escape ? */ TOK_NOT }, /* pseudo option */ > @@ -1198,6 +1200,9 @@ > > break; > } > + case O_BOUND: > + printf(" bound %u", ((ipfw_insn_u64 *)cmd)->bound); > + break; > case O_IPID: > if (F_LEN(cmd) == 1) > printf(" ipid %u", cmd->arg1 ); > @@ -1917,7 +1922,7 @@ > " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n" > " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n" > " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" > -" verrevpath | versrcreach | antispoof\n" > +" bound VALUE | verrevpath | versrcreach | antispoof\n" > ); > exit(0); > } 
> @@ -3220,6 +3225,14 @@ > cmd->opcode = O_RECV; > else if (i == TOK_VIA) > cmd->opcode = O_VIA; > + break; > + > + case TOK_BOUND: > + NEED1("bound requires numeric value"); > + cmd->opcode = O_BOUND; > + ((ipfw_insn_u64 *)cmd)->bound = strtoull(*av, NULL, 0); > + cmd->len |= F_INSN_SIZE(ipfw_insn_u64); > + ac--; av++; > break; > > case TOK_ICMPTYPES: > > --- sbin/ipfw/ipfw.8.orig Wed Mar 2 22:50:11 2005 > +++ sbin/ipfw/ipfw.8 Wed May 4 19:23:13 2005 > @@ -920,6 +920,8 @@ > .It Cm bridged > Alias for > .Cm layer2 . > +.It Cm bound Ar value > +Matches while bytes counter below bound value. > .It Cm dst-ip Ar ip-address > Matches IP packets whose destination IP is one of the address(es) > specified as argument. > --- ipfw_bound.diff ends here --- > > >> Release-Note: >> Audit-Trail: >> Unformatted: > _______________________________________________ > freebsd-bugs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-bugs > To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org" >
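Review bot: In sys/netinet/ip_fw.h (@@ -78,6 +78,7 @@), O_BOUND is inserted between O_VIA and O_IPOPT in an enum whose entries carry no explicit values, so O_IPOPT, O_IPLEN and every later opcode shift by one. An ipfw binary built against the old header would then hand the kernel opcode numbers that now mean something else. Add O_BOUND after the current last entry instead, or give the entries explicit values.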
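Review bot: In the ipfw_insn_u64 definition (sys/netinet/ip_fw.h, @@ -198,6 +199,14 @@), a u_int64_t member placed directly after `ipfw_insn o` leaves its offset and the struct size to the compiler's alignment rules, unlike ipfw_insn_u32 just above, which keeps its payload in u_int32_t words. F_INSN_SIZE(ipfw_insn_u64), which both the kernel size check and the userland parser in this patch rely on, may then differ between architectures. Consider storing the bound as two u_int32_t words, and extend the comment to say the value is in bytes.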
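Review bot: In the O_BOUND case of the sbin/ipfw/ipfw2.c print hunk (@@ -1198,6 +1200,9 @@), `%u` is given a u_int64_t argument, which is a format/argument mismatch and at best prints a truncated value for bounds that do not fit in 32 bits. Use `printf(" bound %ju", (uintmax_t)((ipfw_insn_u64 *)cmd)->bound);` so the listed rule shows the bound that was actually stored.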
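Review bot: In the TOK_BOUND case of sbin/ipfw/ipfw2.c (@@ -3220,6 +3225,14 @@), `strtoull(*av, NULL, 0)` passes NULL as the end pointer and never checks errno, so a non-numeric argument is accepted as a bound of 0 and an out-of-range value is silently clamped, even though the NEED1 message says a numeric value is required. Pass an end pointer, reject the argument when no digits were consumed, when trailing characters remain or when errno is ERANGE, and exit with an error message in those cases.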
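Review bot: The sbin/ipfw/ipfw.8 text (@@ -920,6 +920,8 @@) does not say which counter is compared or in what unit. The kernel hunk compares against the rule's own `f->bcnt` and the header comment gives the bound in bytes, so say that, for example "Matches while the byte counter of this rule is below value." The entry is also added after `.It Cm bridged`; if the list is meant to be alphabetical, `bound` belongs before it.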
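The ABI break described in Robert Watson's reply, as an added example (not code from the PR or from FreeBSD): a constructed subset of the opcode enum, using only the names visible in the patch context, shows how a rule encoded against the old header is read by code built with O_BOUND inserted mid-enum versus appended. The `OLD_`/`INS_`/`APP_` names, the tables, `old_rule` and `misdecoded` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed subset of the opcode enum: only names visible in the patch. */
enum old_op { OLD_RECV, OLD_XMIT, OLD_VIA, OLD_IPOPT, OLD_IPLEN };            /* before the patch */
enum ins_op { INS_RECV, INS_XMIT, INS_VIA, INS_BOUND, INS_IPOPT, INS_IPLEN }; /* as patched */
enum app_op { APP_RECV, APP_XMIT, APP_VIA, APP_IPOPT, APP_IPLEN, APP_BOUND }; /* O_BOUND appended */

/* What each numeric value means to code compiled against each header. */
static const char *const old_tab[] = {
    [OLD_RECV] = "O_RECV", [OLD_XMIT] = "O_XMIT", [OLD_VIA] = "O_VIA",
    [OLD_IPOPT] = "O_IPOPT", [OLD_IPLEN] = "O_IPLEN" };
static const char *const ins_tab[] = {
    [INS_RECV] = "O_RECV", [INS_XMIT] = "O_XMIT", [INS_VIA] = "O_VIA",
    [INS_BOUND] = "O_BOUND", [INS_IPOPT] = "O_IPOPT", [INS_IPLEN] = "O_IPLEN" };
static const char *const app_tab[] = {
    [APP_RECV] = "O_RECV", [APP_XMIT] = "O_XMIT", [APP_VIA] = "O_VIA",
    [APP_IPOPT] = "O_IPOPT", [APP_IPLEN] = "O_IPLEN", [APP_BOUND] = "O_BOUND" };

/* Opcodes emitted by a userland binary built against the OLD header (constructed rule). */
static const unsigned char old_rule[] = { OLD_RECV, OLD_IPOPT, OLD_IPLEN };

/* Count opcodes that code using kernel_tab reads differently from what was meant. */
static int misdecoded(const char *const *kernel_tab, int verbose)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof(old_rule); i++) {
        const char *meant = old_tab[old_rule[i]];
        const char *seen = kernel_tab[old_rule[i]];
        if (strcmp(meant, seen) != 0)
            bad++;
        if (verbose)
            printf("  value %u: sent as %s, read as %s\n", old_rule[i], meant, seen);
    }
    return bad;
}

int main(void)
{
    printf("O_BOUND inserted mid-enum:\n");
    printf("  -> %d misdecoded\n", misdecoded(ins_tab, 1));
    printf("O_BOUND appended:\n");
    printf("  -> %d misdecoded\n", misdecoded(app_tab, 1));
    return 0;
}
```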