Date: Tue, 8 Feb 2005 15:01:50 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: Chris Dionissopoulos <dionch@freemail.gr>
Cc: freebsd-net@freebsd.org
Subject: Re: Sticky pf(4)-like feature in ipfw?
Message-ID: <20050208150150.C28282@xorpc.icir.org>
In-Reply-To: <000a01c50df5$4a4435e0$3c00000a@R3B>; from dionch@freemail.gr on Tue, Feb 08, 2005 at 05:45:59PM +0200
References: <000a01c50df5$4a4435e0$3c00000a@R3B>
The 'state only based on the 3-tuple' as you describe it is certainly an
interesting feature. It is slightly more expensive to implement than what
I thought at first, because you should do two hash computations and
lookups (one on the 5-tuple, one on the 3-tuple) on each packet trying to
match a dynamic rule.

I just wonder why it is named 'sticky' in pf, which is not really very
indicative of what the function does.

cheers
luigi

On Tue, Feb 08, 2005 at 05:45:59PM +0200, Chris Dionissopoulos wrote:
> Hi,
> I am thinking of adding a new feature in (my local copy of) ipfw (releng5) so
> that it also makes a sticky match when forwarding broken protocols like ftp,
> h.323, sip, etc.
> It's inspired by the pf(4) sticky feature as is. The general usage will be
> for "skipto" forwarding rules as shown in the example below:
>
> Network ASCII-ART:
>
>     Gateway1        Gateway2
>        |               |
>     ---------------- 192.168.1.0/24
>             |
>       [Freebsd-ipfw]
>             |
>     ---------------- 192.168.3.0/24
>
> ipfw.sh:
> ~~~~~~~~~~~~~~~~~~~~~~
> #!/bin/sh
> fwcmd="/sbin/ipfw"
> pass="skipto 65535"
>
> gateway_mac1="00:0e:2e:03:36:23"
> gateway_mac2="00:0e:2e:03:37:23"
> gateway1="192.168.1.2"
> gateway2="192.168.1.1"
>
> lan_network="192.168.3.0/24"
> broken="20,21,1720,6667,4600-4700"
>
> # CHECK STATES.
> ${fwcmd} add 100 check-state
>
> # INCOMING TRAFFIC (from each gateway, identified by its source MAC)
> ${fwcmd} add 1100 skipto 10100 ip from any to any mac any ${gateway_mac1} in recv rl0 keep-state
> ${fwcmd} add 1200 skipto 10200 ip from any to any mac any ${gateway_mac2} in recv rl0 keep-state
>
> # OUTGOING + NOT-YET-STATED PACKETS, BROKEN PROTOCOLS [LB 50%-50%]
> # skipto must land on the fwd rule itself (10100/10200), not past it
> ${fwcmd} add 2000 prob 0.5 skipto 10100 tcp from ${lan_network} to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
> ${fwcmd} add 2001 skipto 10200 tcp from ${lan_network} to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
>
> # OUTGOING + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%]
> ${fwcmd} add 2100 prob 0.5 skipto 10100 ip from ${lan_network} to not ${lan_network} in recv rl1 keep-state
> ${fwcmd} add 2101 skipto 10200 ip from ${lan_network} to not ${lan_network} in recv rl1 keep-state
>
> # DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER
> ${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not ${lan_network} in recv rl1
> ${fwcmd} add 10110 ${pass} ip from any to any
>
> # DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER
> ${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not ${lan_network} in recv rl1
> ${fwcmd} add 10210 ${pass} ip from any to any
> ~~~~~~~~~~~~~~~~~~~~~~
>
> The main difference of "keep-sticky" from "keep-state" is just relaxed state
> matching, using only proto+(src_ip+dst_ip) and proto+reversed(src_ip+dst_ip),
> and not (src_ip:src_port + dst_ip:dst_port) straight and reversed
> (=keep-state/limit).
>
> My question:
> Has anyone already been working on such a feature?
> Since it's pretty easy to implement(*) "keep-sticky", are any of the
> ipfw developers planning to add such a feature in the near future?
>
> Thanks,
> Chris.
>
> (*)
> 1. TOK_KEEPSTICKY in /usr/src/sbin/ipfw/ipfw2.c,
>    O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h,
>    and copy the TOK_KEEPSTATE+O_KEEPSTATE code
>    as a new case of cmd+rule argument.
> 2. Some changes in the "lookup_dyn_rule_locked" function of
>    /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state
>    when "keep-sticky" is enabled.
>
> ____________________________________________________________________
> http://www.freemail.gr - free e-mail service for the Greek-speaking.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
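The exchange above describes two things that are easy to model outside the kernel: the 3-tuple (proto, src, dst) sticky match that keeps a protocol's related connections on the gateway its first connection was balanced to, and Luigi's cost objection that every packet which misses the exact 5-tuple state now pays for a second lookup. The following C program is an added example written for this page; it is not code from ip_fw2.c or from the poster's patch. It assumes a flat table in place of the kernel's hash buckets (each scan of the table stands in for one hash computation plus lookup), a `coin` argument in place of `prob 0.5`, gateway numbers 1 and 2 in place of the `skipto 10100`/`10200` targets, and constructed FTP-like traffic between one LAN host and one outside server.

```c
/* Added example for this thread: a user-space model of ipfw's dynamic-rule
 * lookup with the proposed "keep-sticky" option. It is not code from
 * ip_fw2.c; a flat table stands in for the kernel hash buckets, and each
 * scan of the table stands in for one hash computation plus lookup. */
#include <stdint.h>
#include <stdio.h>

#define MAX_DYN 64
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct {
    uint32_t src, dst;       /* IPv4 addresses, host order */
    uint16_t sport, dport;
    uint8_t  proto;          /* 6 = TCP */
} flow_t;

typedef struct {
    flow_t key;
    int    sticky;           /* 1: installed by keep-sticky, matched on proto+src+dst only */
    int    gateway;          /* 1 or 2: which fwd rule the first packet was sent to */
} dyn_rule_t;

static dyn_rule_t dyn[MAX_DYN];
static int ndyn;
static unsigned long match_passes;  /* table scans done; this is Luigi's cost argument */

void dyn_reset(void) { ndyn = 0; match_passes = 0; }
unsigned long dyn_match_passes(void) { return match_passes; }

/* keep-state semantics: full 5-tuple, straight or reversed. */
static int match5(const flow_t *k, const flow_t *p)
{
    if (k->proto != p->proto) return 0;
    if (k->src == p->src && k->dst == p->dst && k->sport == p->sport && k->dport == p->dport) return 1;
    return k->src == p->dst && k->dst == p->src && k->sport == p->dport && k->dport == p->sport;
}

/* keep-sticky semantics as described in the post: proto + addresses, straight or reversed. */
static int match3(const flow_t *k, const flow_t *p)
{
    if (k->proto != p->proto) return 0;
    return (k->src == p->src && k->dst == p->dst) || (k->src == p->dst && k->dst == p->src);
}

/* check-state: an exact 5-tuple pass, then a relaxed 3-tuple pass that only
 * sticky entries can satisfy. Every packet that misses the first pass pays
 * for the second one too. Returns the entry's gateway, or 0 on a miss. */
int lookup_dyn_rule(const flow_t *p)
{
    match_passes++;
    for (int i = 0; i < ndyn; i++)
        if (match5(&dyn[i].key, p)) return dyn[i].gateway;
    match_passes++;
    for (int i = 0; i < ndyn; i++)
        if (dyn[i].sticky && match3(&dyn[i].key, p)) return dyn[i].gateway;
    return 0;
}

static int install_dyn_rule(const flow_t *p, int sticky, int gateway)
{
    if (ndyn >= MAX_DYN) return 0;                 /* table full: no state, no fwd */
    dyn[ndyn].key = *p; dyn[ndyn].sticky = sticky; dyn[ndyn].gateway = gateway;
    ndyn++;
    return gateway;
}

/* Destination ports the posted ruleset treats as "broken": 20,21,1720,6667,4600-4700. */
static int is_broken_port(uint16_t port)
{
    return port == 20 || port == 21 || port == 1720 || port == 6667 || (port >= 4600 && port <= 4700);
}

/* One LAN-originated packet through rules 100, 2000/2001 and 2100/2101.
 * coin models "prob 0.5": 1 means the first rule fired (gateway 1), 0 means
 * it fell through to the second (gateway 2). With use_sticky == 0 the broken
 * ports get plain keep-state, i.e. the ruleset without the new option. */
int classify_outgoing(const flow_t *p, int coin, int use_sticky)
{
    int gw = lookup_dyn_rule(p);                   /* rule 100 check-state */
    if (gw) return gw;
    int sticky = use_sticky && p->proto == 6 && is_broken_port(p->dport);
    return install_dyn_rule(p, sticky, coin ? 1 : 2);
}

/* Constructed traffic: an FTP control connection, then a data connection between
 * the same host pair on other ports, then the server's reply on the control flow. */
static const flow_t CTL   = { IP4(192,168,3,10), IP4(198,51,100,7), 50000, 21,    6 };
static const flow_t DATA  = { IP4(192,168,3,10), IP4(198,51,100,7), 50001, 4650,  6 };
static const flow_t REPLY = { IP4(198,51,100,7), IP4(192,168,3,10), 21,    50000, 6 };

/* The coin falls the other way for the data connection, as prob 0.5 will half the time. */
int scenario_data_gateway(int use_sticky)
{
    dyn_reset();
    classify_outgoing(&CTL, 1, use_sticky);
    return classify_outgoing(&DATA, 0, use_sticky);
}

int scenario_reply_gateway(int use_sticky)
{
    scenario_data_gateway(use_sticky);
    return lookup_dyn_rule(&REPLY);                /* reversed 5-tuple hit on the control entry */
}

int main(void)
{
    printf("keep-state : data connection on gateway %d\n", scenario_data_gateway(0));
    printf("keep-sticky: data connection on gateway %d\n", scenario_data_gateway(1));
    printf("keep-sticky: control reply matched to gateway %d\n", scenario_reply_gateway(1));
    printf("table scans for those 3 packets: %lu\n", dyn_match_passes());
    return 0;
}
```

With plain keep-state the data connection is balanced independently and lands on gateway 2 while its control connection went through gateway 1; with keep-sticky the 3-tuple pass finds the control entry and keeps it on gateway 1. The scan counter shows the price: the two outgoing packets each cost two passes because they miss the exact match, and only the reply, which hits the reversed 5-tuple, gets away with one.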