From: Ian Smith <smithi@nimnet.asn.au>
To: Julian Elischer
Cc: FreeBSD Net, ipfw@freebsd.org
Date: Tue, 19 Aug 2008 23:12:04 +1000 (EST)
Subject: Re: ipfw add skipto tablearg....
In-Reply-To: <48926C02.6030308@elischer.org>
List-Id: IPFW Technical Discussions

On Thu, 31 Jul 2008, Julian Elischer wrote:

> looking in the code I noticed that the following command gave
> no error but didn't work..
>
> ipfw add 1000 skipto tablearg ip from any to table(31)

Content addressable branching is an elegant and useful idea, thanks for
making it work. A simple example in ipfw(8) might promote 'uptake'?

> and as I have a use for that, I implemented it..

MFC to 6 possible? likely? I know there's lots of other stuff that
hasn't / won't / can't be, but this one looked perhaps stand-alone ..

> see attached patch...

(hopefully not stripped)

> Of course it is hoped that the rules you are skipping to are nearby
> as it iterates through the rules following the skipto to find the
> target,

Until $someone adds a direct skipto target jump at the virtual machine
code level - big recalc hit when adding/deleting rules/sets I suppose -
it's still the fastest way to get from a to b, where b > a

Speaking of which, should ipfw whinge when asked to skip backwards,
which it can't, confirmed on a recent browse re Mike's ipfw-classifyd
and a local test months ago.

> but....
> if you had a thousand table entries and wanted to sort them into
> 20 buckets, it could save you putting them into 20 different
> tables and doing 20 table lookups on them.

Or even just for quick basic traffic-splitting, bogon lists, whatever ..

> here I sort into two categories.. possibly already a win..
>
> julian@trafmon2:cat ipfw-test.sh
> #!/bin/sh
> ipfw add 100 skipto 10000 ip from any to not 1.1.1.0/24
> ipfw add 1000 skipto tablearg ip from any to "table(31)"
> ipfw add 2000 drop ip from any to any
> ipfw add 2001 drop ip from any to any
> ipfw add 3000 drop ip from any to any
> ipfw add 3001 drop ip from any to any
> ipfw add 10000 count ip from any to any
> ipfw table 31 add 1.1.1.1 2000
> ipfw table 31 add 1.1.1.2 3000
>
> julian@trafmon2: ping 1.1.1.1
> [...] (2 packets bounced)
> julian@trafmon2: ping 1.1.1.2
> [...] (12 packets bounced)
>
> julian@trafmon2: ipfw show
> 00100   220  19633 skipto 10000 ip from any to not 1.1.1.0/24
> 01000    14   1176 skipto tablearg ip from any to table(31)
> 02000     2    168 deny ip from any to any
> 02001     0      0 deny ip from any to any
> 03000    12   1008 deny ip from any to any
> 03001     0      0 deny ip from any to any
> 10000   209  18549 count ip from any to any
> 65535  1751 153792 allow ip from any to any
>
> comments?

I like it, FWIW.

> + if (tablearg != 0) {
> + rulenum = (u_int16_t)tablearg;

Should we check that tablearg is < 64K before merrily casting?

cheers, Ian
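Review bot: the `if (tablearg != 0)` guard does not cover table values above 65535, and `rulenum = (u_int16_t)tablearg;` then silently truncates them: a value of 65536 becomes rule 0, and any larger value lands on whatever its low 16 bits happen to spell, so the packet is sent to an unintended rule with no error at either "ipfw table add" time or match time. Validate the full 32-bit value before the cast, for example `if (tablearg != 0 && tablearg <= 65535)`, and since the thread notes that skipto cannot go backwards, consider also rejecting (or at least logging) a value that is not above the current rule number rather than letting it degrade to a no-op.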
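As an added example, not code from this thread or from ipfw itself, the following is a small user-space C model of the linear rule walk with "skipto tablearg", loaded with the two-bucket ruleset and table 31 from Julian's ipfw-test.sh. Its semantics are assumptions made for the model rather than a reading of ipfw's source: skipto resolves forward only (the walk resumes at the first later rule numbered at or above the target, so a backward target degrades to "continue at the next rule"), and, as a design choice matching Ian's question, a table value of 0, above 65535, or not ahead of the current rule is counted in `bad_tablearg` and takes no branch instead of being narrowed to 16 bits. The `struct rule` fields, `run_packet`, `final_rule_for` and the `IPV4` macro are this example's own names.

```c
/* Added example, not ipfw code: a user-space model of ipfw's linear rule walk
 * with "skipto tablearg", loaded with the two-bucket ruleset from ipfw-test.sh.
 * Assumed semantics (this model's, not a reading of ipfw's source): skipto
 * resolves forward only, and a table value of 0, above 65535, or not ahead of
 * the current rule is counted and takes no branch instead of being truncated. */
#include <stdint.h>
#include <stdio.h>
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum action { ACT_SKIPTO, ACT_SKIPTO_TABLEARG, ACT_DENY, ACT_COUNT, ACT_ALLOW };

struct rule {
    uint16_t    num;
    enum action act;
    uint16_t    target;        /* static skipto target (ACT_SKIPTO only) */
    int         dst_in_table;  /* match only if dst has an entry in table31 */
    int         dst_not_net;   /* match only if dst is outside 1.1.1.0/24 */
    uint64_t    pkts;          /* per-rule counter, like the "ipfw show" column */
};
struct tentry { uint32_t addr; uint32_t value; };

/* Constructed table 31 and ruleset: same entries, numbers and actions as in the mail. */
static struct tentry table31[] = { { IPV4(1,1,1,1), 2000 }, { IPV4(1,1,1,2), 3000 } };
static struct rule rules[] = {
    {   100, ACT_SKIPTO,          10000, 0, 1, 0 },
    {  1000, ACT_SKIPTO_TABLEARG,     0, 1, 0, 0 },
    {  2000, ACT_DENY,                0, 0, 0, 0 },
    {  2001, ACT_DENY,                0, 0, 0, 0 },
    {  3000, ACT_DENY,                0, 0, 0, 0 },
    {  3001, ACT_DENY,                0, 0, 0, 0 },
    { 10000, ACT_COUNT,               0, 0, 0, 0 },
    { 65535, ACT_ALLOW,               0, 0, 0, 0 },
};
#define NRULES (sizeof(rules) / sizeof(rules[0]))
static unsigned long bad_tablearg;  /* rejected table values: something for the operator to notice */

static int table_lookup(uint32_t dst, uint32_t *value)
{
    for (size_t i = 0; i < sizeof(table31) / sizeof(table31[0]); i++)
        if (table31[i].addr == dst) { *value = table31[i].value; return 1; }
    return 0;
}

/* The check the thread asks for, done before any narrowing cast: is `value`
 * usable as a skipto target from rule number `cur`? */
static int valid_skipto_target(uint32_t value, uint16_t cur)
{
    return value != 0 && value <= 65535 && value > cur;
}

/* Resume at the first rule after index i whose number is >= target. */
static size_t skip_forward(size_t i, uint16_t target)
{
    for (i++; i < NRULES && rules[i].num < target; i++)
        ;
    return i;
}

/* Walk the ruleset for one packet to `dst`: returns the terminating action and
 * stores the number of the rule that terminated the walk. */
static enum action run_packet(uint32_t dst, uint16_t *final_rule)
{
    size_t i = 0;
    while (i < NRULES) {
        struct rule *r = &rules[i];
        uint32_t tablearg = 0;
        /* rule options modelled: "to not 1.1.1.0/24" and "to table(31)" */
        if (r->dst_not_net && (dst & 0xffffff00u) == IPV4(1,1,1,0)) { i++; continue; }
        if (r->dst_in_table && !table_lookup(dst, &tablearg))        { i++; continue; }
        r->pkts++;
        switch (r->act) {
        case ACT_SKIPTO:
            i = skip_forward(i, r->target);
            break;
        case ACT_SKIPTO_TABLEARG:
            if (valid_skipto_target(tablearg, r->num))
                i = skip_forward(i, (uint16_t)tablearg); /* cast is safe: checked above */
            else { bad_tablearg++; i++; }                /* bad value: no branch taken */
            break;
        case ACT_COUNT:
            i++;
            break;
        default:                                         /* ACT_DENY, ACT_ALLOW */
            *final_rule = r->num;
            return r->act;
        }
    }
    *final_rule = 0;
    return ACT_DENY;                                     /* walked off the end: treat as deny */
}

/* Number of the rule that decided a packet to `dst`, as a ping would reveal. */
static uint16_t final_rule_for(uint32_t dst) { uint16_t n; (void)run_packet(dst, &n); return n; }

int main(void)
{
    uint32_t probes[] = { IPV4(1,1,1,1), IPV4(1,1,1,2), IPV4(1,1,1,3), IPV4(8,8,8,8) };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("dst %08x decided by rule %u\n", (unsigned)probes[i], final_rule_for(probes[i]));
    return 0;
}
```

Running it shows 1.1.1.1 and 1.1.1.2 ending at deny rules 2000 and 3000 via the table, 1.1.1.3 (in the subnet but not in the table) falling through rule 1000 to the deny at 2000, and 8.8.8.8 taking the static skipto to 10000 and on to the final allow. The point of `valid_skipto_target` is that the only place a 32-bit table value is narrowed to a 16-bit rule number is after the range check, so a value such as 65536 is reported rather than quietly becoming rule 0.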