From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 27 01:02:26 2004
Date: Tue, 27 Jan 2004 01:02:24 -0800
From: Luigi Rizzo
To: Bill Fumerola
cc: freebsd-ipfw@freebsd.org
Subject: Re: 'prevmatch' patch
Message-ID: <20040127010224.B11002@xorpc.icir.org>
In-Reply-To: <20040127022307.GP40147@elvis.mu.org>; from billf@freebsd.org on Mon, Jan 26, 2004 at 06:23:07PM -0800

On Mon, Jan 26, 2004 at 06:23:07PM -0800, Bill Fumerola wrote:
> I ran into a situation recently where I could write my ruleset a lot
> simpler (and remove some costly, redundant lookups) by requiring that
> the previous rule evaluated matched.
>
> note: this does NOT mean "the previous rule in order", it means "the
> previous rule traversed". the former isn't all that useful, but the
> latter is nice because it works with both count and skipto rules.

I cannot make much sense of this. Can you give an actual example?

It seems to me that the only thing 'prevmatch' tells you is whether or
not you got to a rule as a result of a 'count' or 'skipto' action,
which is a special case of a more general (and equally simple to
implement) mechanism that I am planning to add (and I believe I posted
this already some time ago):

 + add to all non-terminal actions (count, skipto, tee) two bitmasks
   that specify sets of flags to set and clear, respectively;
 + add a new opcode that matches arbitrary bit patterns;
 + flags will be preserved in dummynet so they will be accessible when
   the packet comes out of a pipe.

So you will be able to write

	100 count set 0x10 src-ip 1.2.3.4,5.6.7.8,9.10.11.12 // good guys
	100 count set 0x20 dst-port 80
	110 count set 0x40 src-ip 10.0.0.0/8,192.168.0.0/16 // bad guys
	...
	500 pipe 1 flags & 0x60 == 0x20
	500 deny flags & 0x40 != 0

and so on. I am still a bit uncertain about the syntax for the 'flags'
opcode -- this is basically the only thing stopping me from
implementing it. If you want to give it a shot...

	cheers
	luigi

> not, this will live in the archives for people to apply locally.
>
> --
> - bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org
>
>
> ----- Forwarded message from bill fumerola -----
>
> ==== //depot/yahoo/ybsd_4/src/sbin/ipfw/ipfw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/ipfw/ipfw2.c#3 (text+ko) ==== content
> @@ -225,6 +225,7 @@
>  	TOK_MACTYPE,
>  	TOK_VERREVPATH,
>  	TOK_IPSEC,
> +	TOK_PREVMATCH,
>  	TOK_COMMENT,
>  
>  	TOK_PLR,
> @@ -337,6 +338,7 @@
>  	{ "mac-type", TOK_MACTYPE },
>  	{ "verrevpath", TOK_VERREVPATH },
>  	{ "ipsec", TOK_IPSEC },
> +	{ "prevmatch", TOK_PREVMATCH },
>  	{ "//", TOK_COMMENT },
>  
>  	{ "not", TOK_NOT },		/* pseudo option */
> @@ -1262,6 +1264,10 @@
>  			printf(" ipsec");
>  			break;
>  
> +		case O_PREVMATCH:
> +			printf(" prevmatch");
> +			break;
> +
>  		case O_NOP:
>  			comment = (char *)(cmd + 1);
>  			break;
> @@ -3400,6 +3406,10 @@
>  			fill_cmd(cmd, O_IPSEC, 0, 0);
>  			break;
>  
> +		case TOK_PREVMATCH:
> +			fill_cmd(cmd, O_PREVMATCH, 0, 0);
> +			break;
> +
>  		case TOK_COMMENT:
>  			fill_comment(cmd, ac, av);
>  			av += ac;
> ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.c#4 (text+ko) ==== content
> @@ -1352,6 +1352,7 @@
>  	int pktlen;
>  	int dyn_dir = MATCH_UNKNOWN;
>  	ipfw_dyn_rule *q = NULL;
> +	int prevmatch = 0;
>  
>  	if (m->m_flags & M_SKIP_FIREWALL)
>  		return 0;	/* accept */
> @@ -1524,6 +1525,10 @@
>  				match = 1;
>  				break;
>  
> +			case O_PREVMATCH:
> +				match = prevmatch;
> +				break;
> +
>  			case O_FORWARD_MAC:
>  				printf("ipfw: opcode %d unimplemented\n",
>  				    cmd->opcode);
> @@ -1948,6 +1953,7 @@
>  
>  			case O_COUNT:
>  			case O_SKIPTO:
> +				prevmatch = 1;
>  				f->pcnt++;	/* update stats */
>  				f->bcnt += pktlen;
>  				f->timestamp = time_second;
> @@ -2004,6 +2010,7 @@
>  			}
>  
>  		}	/* end of inner for, scan opcodes */
> +		prevmatch = 0;
>  
>  next_rule:;		/* try next rule */
>  
> @@ -2414,6 +2421,7 @@
>  		case O_ESTAB:
>  		case O_VERREVPATH:
>  		case O_IPSEC:
> +		case O_PREVMATCH:
>  			if (cmdlen != F_INSN_SIZE(ipfw_insn))
>  				goto bad_size;
>  			break;
> ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.h#3 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.h#3 (text+ko) ==== content
> @@ -96,6 +96,8 @@
>  
>  	O_VERREVPATH,		/* none */
>  
> +	O_PREVMATCH,		/* none (previous rule matched) */
> +
>  	O_PROBE_STATE,		/* none */
>  	O_KEEP_STATE,		/* none */
>  	O_LIMIT,		/* ipfw_insn_limit */
>
>
> ----- End forwarded message -----
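Review bot: the ipfw2.c hunk at @@ -337,6 +338,7 @@ adds the user-visible keyword "prevmatch" to the token table, but the patch carries no ipfw.8 hunk, so the new option would be accepted by the parser and printed by "ipfw show" without being documented anywhere; please add a man page entry that states the exact semantics (set only by a count or skipto action on the previously traversed rule, cleared by any rule that did not match).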
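Review bot: in the ip_fw2.c hunk at @@ -1352,6 +1352,7 @@, "int prevmatch = 0;" is a local of the packet-filter function, so the state exists only for one pass through the rule chain; when a packet is re-injected after a pipe or queue it starts a fresh pass with prevmatch == 0, which is exactly the case the reply above says a flags mechanism would have to preserve across dummynet. If that is intended, a comment next to the declaration saying the value does not survive a pipe would save the next reader the analysis.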
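Review bot: the hunk at @@ -1524,6 +1525,10 @@ ("match = prevmatch;") gives the opcode no argument, so it can only report the most recent count or skipto and cannot distinguish which rule produced it; on the first rule of a pass prevmatch is always 0, and non-terminal actions other than count and skipto (the reply above lists tee) never set it, so a rule using prevmatch directly after them will silently never match. The man page or a comment here should spell out that only the two actions in the @@ -1948 hunk feed this value.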
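Review bot: the pairing of "prevmatch = 1;" in the hunk at @@ -1948,6 +1953,7 @@ with "prevmatch = 0;" in the hunk at @@ -2004,6 +2010,7 @@ relies on an invariant that is not stated anywhere: the reset sits above the "next_rule:" label, so it is reached only when the inner opcode loop exits through its break on a failed match, while a matched count rule reaches the label by goto and keeps prevmatch == 1. Any other path that reaches "next_rule:" by goto for a rule that did not match would likewise skip the reset and carry a stale prevmatch forward, so please audit the remaining goto next_rule sites in this function and add a comment at both hunks describing the set/clear contract.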
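Review bot: the ip_fw2.h hunk at @@ -96,6 +96,8 @@ inserts O_PREVMATCH in the middle of the opcode enum, ahead of O_PROBE_STATE, O_KEEP_STATE and O_LIMIT, which renumbers every opcode after it; since ipfw2.c emits these numbers into the rule (fill_cmd(cmd, O_PREVMATCH, 0, 0)) and the kernel validates them in the @@ -2414 hunk, a userland binary and kernel built from different trees would disagree on the values. Appending the new opcode at the end of the enum avoids that, and a comment there should say so.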