From: bycn82
To: Luigi Rizzo
Date: Wed, 2 Jul 2014 10:48:37 +0800
Subject: Re: propose a new generic purpose rule option for ipfw
Cc: FreeBSD Net

Hi,

Back from the World Cup. Let's talk about the topic of U32.

You guys are right, it is almost useless if it can only filter by the 5 tuples. But in my opinion, it can do "regex match" based on the pattern. So it can do something "layer7 filtering". Sure, the performance is the biggest issue.

Any comments?

On Thu, May 29, 2014 at 10:15 PM, Luigi Rizzo wrote:

> On Thu, May 29, 2014 at 09:48:58PM +0800, bycn82 wrote:
> >
> > -----Original Message-----
> > From: 'Luigi Rizzo' [mailto:rizzo@iet.unipi.it]
> > Sent: 29 May, 2014 21:10
> > To: bycn82
> > Cc: 'FreeBSD Net'
> > Subject: Re: propose a new generic purpose rule option for ipfw
> >
> > On Thu, May 29, 2014 at 08:45:26PM +0800, bycn82 wrote:
> >
> > ...
> >
> > > Sure, that is the reason why developers are providing more and more
> > > rule options. But the my question is do we have enough options to
> > > match all the fixed position values?
> >
> > we do not have an option for fixed position matching.
> >
> > Can I say that "It will be useful when a user come up with a special
> > requirement which cannot be fulfilled by any existing rule option." Since
> > there are so many rule options already. So I don't know when that special
> > requirement will appear. L that is what you said "useless", I accept
> > that.
>
> please re-read what i said below. 'mostly useless' != 'useless',
> and i am ok importing a clean implementation.
>
> > As i said, feel free to submit one and i will be happy to import it if
> > the code is clean (btw i am still waiting for fixes to the other 'rate
> > limiting' option you sent), but keep in mind that 'fixed position' is
> > mostly useless.
> >
> > Which `rate limiting`, the `Packet per second`?
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/189720
>
> ok commented the remaining problems with a separate email.
>
> > More useful options would be one where you express the position as
> >
> > '{MAC|VLAN|IP|UDP|TCP|...|PAYLOAD}+offset'
> >
> > It is possible,
> >
> > match
> >
> > the can be a pattern, then that means it can match multiple
> > value at the same time.
>
> what i wrote is a completely different thing. Never mind.
>
> cheers
> luigi
>
> > so at least you can adapt to variant headers, or one where you can look
> > for a pattern in the entire packet or in a portion of it.
> >
> > cheers
> >
> > luigi
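
Added example, not part of the thread and not ipfw code: a fixed absolute offset compared with the layer-relative '{MAC|IP|TCP|...|PAYLOAD}+offset' form from the quoted message, for Ethernet/IPv4/TCP/UDP frames only. The names layer_base, match_at and the L_* constants are hypothetical, and the sample frame in main() is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layers for the '{MAC|IP|TCP|...|PAYLOAD}+offset' form; names are hypothetical. */
enum layer { L_MAC, L_IP, L_L4, L_PAYLOAD };

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }
/* Start of `layer` in an Ethernet/IPv4/{TCP,UDP} frame, or -1 if absent/truncated. */
long layer_base(const uint8_t *f, size_t len, enum layer layer)
{
    size_t off = 12, hl;                        /* EtherType follows both MACs */
    if (layer == L_MAC) return 0;
    for (; len >= off + 2 && rd16(f + off) == 0x8100; off += 4)
        ;                                       /* skip 802.1Q tags */
    if (len < off + 2 || rd16(f + off) != 0x0800) return -1;  /* IPv4 only */
    off += 2;
    if (layer == L_IP) return (long)off;
    if (len < off + 20 || (f[off] >> 4) != 4) return -1;
    hl = (size_t)(f[off] & 0x0f) * 4;           /* IHL: IP options shift L4 */
    if (hl < 20 || len < off + hl) return -1;
    if (rd16(f + off + 6) & 0x1fff) return -1;  /* later fragment: no L4 header */
    unsigned proto = f[off + 9];
    off += hl;
    if (layer == L_L4) return (long)off;
    if (proto == 17) return len >= off + 8 ? (long)(off + 8) : -1;
    if (proto != 6 || len < off + 20) return -1;
    hl = (size_t)(f[off + 12] >> 4) * 4;        /* TCP data offset */
    return (hl >= 20 && len >= off + hl) ? (long)(off + hl) : -1;
}

/* 1 if the n bytes at layer+rel equal pat; every access is bounds-checked. */
int match_at(const uint8_t *f, size_t len, enum layer l, size_t rel,
             const uint8_t *pat, size_t n)
{
    long base = layer_base(f, len, l);
    if (base < 0 || rel > len - (size_t)base || n > len - (size_t)base - rel)
        return 0;
    return memcmp(f + base + rel, pat, n) == 0;
}

int main(void)
{
    /* Constructed sample: one VLAN tag, IPv4 with IHL=6, TCP destination port 80. */
    uint8_t b[80] = {0}, port80[2] = {0x00, 0x50};
    b[12] = 0x81; b[16] = 0x08; b[18] = 0x46; b[27] = 6; b[45] = 0x50; b[54] = 0x80;
    printf("MAC+36: %d, TCP+2: %d\n", match_at(b, sizeof b, L_MAC, 36, port80, 2),
           match_at(b, sizeof b, L_L4, 2, port80, 2));
}
```

Offset 36 is where the TCP destination port sits in an untagged frame with a 20-byte IP header; the VLAN tag and IP option in the sample move it to 44, so only the layer-relative match still finds it.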