Date: Wed, 26 Mar 2008 08:49:12 +0000 (UTC)
From: Vadim Goncharov <vadim_nuclight@mail.ru>
To: freebsd-hackers@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate
Message-ID: <slrnfuk3g8.egh.vadim_nuclight@hostel.avtf.net>
References: <slrnfud9lu.1rus.vadim_nuclight@hostel.avtf.net> <47E79636.1000909@FreeBSD.org>

Hi Marcelo Araujo!

On Mon, 24 Mar 2008 08:53:26 -0300; Marcelo Araujo wrote about 'Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate':

>> 2.5. Just to mention: modip, counter limits, fragments.
>>
>> These patches are already currently discussed in ipfw@, but included
>> here just to not forget. These are "modip" action, allowing to modify IP
>> header (DSCP, ToS, TTL) and corresponding match rule options, and a rule
>> option to match when rule counters are less than specified number
>> packets or bytes (possibly from dynamic rule's counters), may be
>> a tablearg. This is also related with mentioned in section 1.2 ability
>> to control rule counters.
>>
>> Adding a few keywords for O_FRAG more fragment matching (not only
>> non-first fragment), e.g. for sending to specialized netgraph(4)
>> reassembling module, is also desirable.

> For remember to all, I work around of modip action still, I stopped my
> work during last week, but I work again in it.

> Work status:
> 1) We have modip action implemented:
> island# ipfw add modip
> ipfw: need modip [DF|TOS|IPPRE|DSCP]:code arg

> 2) Both DF and IPPRE works perfect:
> island# ipfw show
> 00010 371 36133 modip ippre:immediate ip from any to any
> 00011 52 5035 modip df:0 ip from any to any

> 3) DSCP:
> With the DSCP I've some errors but I believe that I fix it on this week.

> 4) ToS:
> I start the work on the next week.

> The patch: http://people.freebsd.org/~araujo/logs/ipfw-modip20080324.diff

Looked at the patch. Some lines are changed e.g. in NAT definitions without
any visible changes, strange. Also, you're adding 7 opcodes in the kernel, 2
for match and 5 for setting, while having single "modip" action in userland.
In the case of significantly changing compilation rules, etc., we may need
many new opcodes so we should not waste them. For example, your O_IPTOSPRE
is redundant because we already have O_IPPRECEDENCE which compiler could
utilize while retaining more ABI compatibility.

I can correct and extend your patch for DSCP/TTL/any bytes (not forgetting
credits, of course), if you're too busy...

-- 
WBR, Vadim Goncharov. ICQ#166852181
mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]