From: Julian Elischer <julian@freebsd.org>
To: Ian Smith
Cc: "Dr. Rolf Jansen", Mike Makonnen, freebsd-ipfw@freebsd.org
Subject: Re: ipfw divert filter for IPv4 geo-blocking
Date: Thu, 28 Jul 2016 00:54:31 +0800
Message-ID: <64148a94-ff8b-102f-992f-ca2d707ac61a@freebsd.org>
In-Reply-To: <20160728004622.T29054@sola.nimnet.asn.au>

trimming....

On 27/07/2016 11:51 PM, Ian Smith wrote:
> On Wed, 27 Jul 2016 10:03:01 +0800, Julian Elischer wrote:
> [...]
> > country without changing everything else.
> > (the downside is that dynamic skipto's are not very efficient as they do a
> > linear search of the rules, where static skiptos cache the location of the
> > rule to skip to. it's not a terrible cost but it needs to be kept in mind.
> > (but faster than a divert socket)
>
> I forget .. is that linear search from the beginning, or from the
> position of the rule querying the table? Just thinking about grouping
> skipto target rules to minimise traversal. These targets in turn could
> use static skiptos that will be cached.

it starts searching forwards from the current location, to stop loops.
(though it turns out you CAN make loops using some arcane sequences that I
will not make public). However divert reinjection searches from the start
to get to the place you want to restart processing. (but it's a very small
loop) so put the diverts near the front if you can.

> > your application becomes an application for configuring the firewall.
> > (which you do by feeding commands down a pipe to ipfw, which is started as
> > 'ipfw -q /dev/stdin')
>
> I went looking through ports for ipfw-classifyd, which attracted my
> interest in 2008, but seems never to have made it to ports. Written by
> Mike Makonnen (cc'd), it uses divert sockets with the
> linux-based 'l7' filters for detecting traffic from a wide array of UDP
> and TCP protocols, with the primary intent then of detecting various P2P
> traffic and shunting it through dummynet pipes for bandwidth limiting.

I vaguely remember it.

> Interesting discussion, and thanks for info on geoip tables etc.
>
> cheers, Ian
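The layout the two messages above describe (a lookup table driving a dynamic `skipto tablearg` into grouped per-country rule blocks, each block ending in a static skipto that ipfw caches, the whole set fed down a pipe to `ipfw -q /dev/stdin`), as an added example that is not code from this thread or from any project mentioned in it; the table number, rule numbers and RFC 5737 prefixes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from any project it mentions.
# Table 1 maps a source prefix to the first rule number of that country's
# rule group. Rule 200 does one table lookup and a forward scan to the
# target (the "dynamic" skipto); each group ends in a static "skipto 5000",
# whose target ipfw caches after the first use, so the groups sit close
# together and the scans stay short. Prefixes are constructed RFC 5737
# documentation addresses; table and rule numbers are arbitrary.

# Rule text in the form ipfw reads from a file or pipe; one command per line.
# Group 1000: country A, inbound ssh refused, web allowed.
# Group 2000: country B, everything inbound allowed.
# Rule 300 sends traffic that is not in the table straight to the tail.
geo_rules() {
    cat <<'EOF'
flush
table 1 flush
table 1 add 203.0.113.0/24 1000
table 1 add 198.51.100.0/24 2000
add 100 allow ip from any to any via lo0
add 200 skipto tablearg ip from table(1) to any in
add 300 skipto 5000 ip from any to any
add 1000 deny tcp from any to me 22 in
add 1010 allow tcp from any to me 80,443 in
add 1020 skipto 5000 ip from any to any
add 2000 allow ip from any to any in
add 2010 skipto 5000 ip from any to any
add 5000 allow ip from any to any
EOF
}

# Number of table-driven (dynamic) skiptos in the set, printed on stdout.
dynamic_skipto_count() { geo_rules | grep -c 'skipto tablearg'; }

# Number of static skiptos, the kind whose target ipfw caches.
static_skipto_count() { geo_rules | grep -c 'skipto [0-9]'; }

# Load the set the way Julian describes: feed it to ipfw over a pipe.
# Only runs when invoked as "sh thisfile --load" on a FreeBSD host.
if [ "${1:-}" = "--load" ]; then
    geo_rules | ipfw -q /dev/stdin
fi
```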