From: Luigi Rizzo
To: "Alexander V. Chernikov"
Cc: Luigi Rizzo , FreeBSD Net
Date: Thu, 22 May 2014 17:47:40 +0200
Subject: Re: [CFT]: ipfw named tables / different tabletypes
Message-ID: <20140522154740.GA76448@onelab2.iet.unipi.it>
In-Reply-To: <537E1029.70007@FreeBSD.org>
References: <5379FE3C.6060501@FreeBSD.org> <20140521111002.GB62462@onelab2.iet.unipi.it> <537CEC12.8050404@FreeBSD.org> <20140521204826.GA67124@onelab2.iet.unipi.it> <537E1029.70007@FreeBSD.org>

On Thu, May 22, 2014 at 06:56:41PM +0400, Alexander V. Chernikov wrote:
> On 22.05.2014 00:48, Luigi Rizzo wrote:
> > On Wed, May 21, 2014 at 10:10:26PM +0400, Alexander V. Chernikov wrote:
...
> > we can solve this by using 'low' numbers for the numeric tables
> > (these were limited anyways) and allocate the fake entries in
> > another range.
> Currently we have u16 space available in base opcode.
yes but the standard range for tables is much more limited:

    net.inet.ip.fw.tables_max: 128

so one can just (say) use 32k for "old" tables and the rest for tables
with non numeric names. Does not seem to be a problem in practice.

> > maybe i am missing some detail but it seems reasonably easy to implement
> > the atomic swap -- and the use case is when you want to move from
> > one configuration to a new one:
> >
> >     ipfw table foo-new flush                // clear initial content
> >     ipfw table foo-new add ...
> >     ipfw table swap foo-current foo-new     // swap the content of the table objects
> >
> > so you preserve the semantic of the name very easily.
> Yes. We can easily add atomic table swap that way. However, I'm talking
> about a different use scenario:
> Atomically swap an entire ruleset which has some table dependency:
>
> e.g. we have:
>
> "
> 100 allow ip from table(TABLE1) to me
> 200 allow ip from table(TABLE2) to (TABLE3) 80
>
> table TABLE1 1.1.1.1/32
> table TABLE1 1.0.0.0/16
>
> table TABLE2 2.2.2.2/32
>
> table TABLE3 3.3.3.3/32
> "
> and we want to _atomically_ change this to
>
> "
> 100 allow ip from table(TABLE1) to me
> +200 allow ip from table(TABLE4) to any
> 300 allow ip from table(TABLE2) to (TABLE3) 80
>
> table TABLE1 1.1.1.1/32
> -table TABLE1 1.0.0.0/16
>
> -table TABLE2 2.2.2.2/32
> +table TABLE2 77.77.77.0/24
>
> table TABLE3 3.3.3.3/32
>
> +table TABLE4 4.4.4.4/32
> "

aargh, that's too much -- because between changing one table and all
tables there are infinite intermediate points that all make sense.

For those cases I think the way to go could be to insert a 'disabled'
new ruleset (however complex it is, so it covers all possible cases),
and then do the set swap, or disable/enable.

cheers
luigi