Date: Thu, 28 Jul 2016 00:54:31 +0800
From: Julian Elischer <julian@freebsd.org>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: "Dr. Rolf Jansen" <rj@obsigna.com>, Mike Makonnen <mtm@freebsd.org>, freebsd-ipfw@freebsd.org
Subject: Re: ipfw divert filter for IPv4 geo-blocking
Message-ID: <64148a94-ff8b-102f-992f-ca2d707ac61a@freebsd.org>
In-Reply-To: <20160728004622.T29054@sola.nimnet.asn.au>
References: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <CAHu1Y739PvFqqEKE74BjzgLa7NNG6Kh55NPnU5MaA-8HsrjkFw@mail.gmail.com> <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com> <c2cd797d-66db-8673-af4e-552dfa916a76@freebsd.org> <9641D08A-0501-4AA2-9DF6-D5AFE6CB2975@obsigna.com> <4d76a492-17ae-cbff-f92f-5bbbb1339aad@freebsd.org> <20160728004622.T29054@sola.nimnet.asn.au>
trimming....

On 27/07/2016 11:51 PM, Ian Smith wrote:
> On Wed, 27 Jul 2016 10:03:01 +0800, Julian Elischer wrote:
> [...]
> > country without changing everything else.
> > (the downside is that dynamic skipto's are not very efficient as they do a
> > linear search of the rules, where static skiptos cache the location of the
> > rule to skip to. it's not a terrible cost but it needs to be kept in mind.
> > (but faster than a divert socket)
>
> I forget .. is that linear search from the beginning, or from the
> position of the rule querying the table? Just thinking about grouping
> skipto target rules to minimise traversal. These targets in turn could
> use static skiptos that will be cached.

It starts searching forwards from the current location, to stop loops.
(though it turns out you CAN make loops using some arcane sequences that
I will not make public).
However divert reinjection searches from the start to get to the place
you want to restart processing. (but it's a very small loop) so put the
diverts near the front if you can.

> > your application becomes an application for configuring the firewall.
> > (which you do by feeding commands down a pipe to ipfw, which is started as
> > 'ipfw -q /dev/stdin')
>
> I went looking through ports for ipfw-classifyd, which attracted my
> interest in 2008, but seems never to have made it to ports. Written by
> Mike Makonnen <mtm@FreeBSD.Org> (cc'd), it uses divert sockets with the
> linux-based 'l7' filters for detecting traffic from a wide array of UDP
> and TCP protocols, with the primary intent then of detecting various P2P
> traffic and shunting it through dummynet pipes for bandwidth limiting.

I vaguely remember it.

> Interesting discussion, and thanks for info on geoip tables etc.
>
> cheers, Ian
>
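The two points made in the message above (a dynamic "skipto tablearg" only searches forward from the rule that issued it, so the per-country target rules should be grouped right behind it and use cached static skiptos; and the controlling application just pipes commands into "ipfw -q /dev/stdin") put together as one generator script. This is an added example, not code from the thread or from any of the tools discussed in it. The rule numbers, the table name "geoip", the country list and the prefixes are all constructed for illustration; a real deployment would take the prefixes from a GeoIP feed. Named tables and "skipto tablearg" as used here are FreeBSD 11-era ipfw syntax; on 10.x use a table number instead of a name and check ipfw(8) for your release.

```shell
#!/bin/sh
# Added example, not code from this thread or from any ipfw tool discussed
# in it: emit an IPv4 geo-blocking ruleset built around one ipfw table and
# a single "skipto tablearg" rule, in the form that can be piped into
# "ipfw -q /dev/stdin".
#
# Assumptions (mine): rule numbers, the table name "geoip", the country
# list and the prefixes are constructed for illustration; a real feed
# would supply the prefixes. Named tables need FreeBSD 11 or later; on
# 10.x set TABLE to a number.

LOOKUP_RULE=10000    # the one dynamic skipto
CONTINUE_RULE=20000  # where the normal ruleset resumes
TABLE=geoip

# Constructed policy: country, target rule for its block, action.
COUNTRIES='
RU 10100 deny
CN 10200 deny
BR 10300 allow
'

# Constructed prefixes (not real GeoIP data): country, CIDR.
PREFIXES='
RU 5.8.0.0/16
RU 5.16.0.0/14
CN 1.80.0.0/13
CN 14.16.0.0/12
BR 177.0.0.0/8
'

# Per-country lookups in the policy list.
target_for() { echo "$COUNTRIES" | awk -v cc="$1" '$1 == cc { print $2 }'; }
action_for() { echo "$COUNTRIES" | awk -v cc="$1" '$1 == cc { print $3 }'; }

# A dynamic skipto only searches forward from the rule that issued it,
# so every table value must be a rule number above LOOKUP_RULE.
check_target() {   # $1 = target rule, $2 = country (for the message)
    if [ -z "$1" ]; then
        echo "no target rule for $2" >&2; return 1
    fi
    if [ "$1" -le "$LOOKUP_RULE" ]; then
        echo "target $1 for $2 is not above lookup rule $LOOKUP_RULE" >&2
        return 1
    fi
}

gen_rules() {
    echo "table $TABLE create type addr"
    # Table value = rule number of the country's block.
    while read -r cc prefix; do
        [ -z "$cc" ] && continue
        target=$(target_for "$cc")
        check_target "$target" "$cc" || return 1
        echo "table $TABLE add $prefix $target"
    done <<EOF
$PREFIXES
EOF
    # Keep this rule as early as the policy allows: it is the start of the
    # forward search, and the per-country blocks sit right behind it.
    echo "add $LOOKUP_RULE skipto tablearg ip from table($TABLE) to any in"
    while read -r cc target action; do
        [ -z "$cc" ] && continue
        echo "add $target count ip from any to any in // $cc"
        case "$action" in
            # Static skipto: ipfw caches its target, so resuming is cheap.
            allow) echo "add $((target + 1)) skipto $CONTINUE_RULE ip from any to any" ;;
            deny)  echo "add $((target + 1)) deny ip from any to any" ;;
            *)     echo "unknown action '$action' for $cc" >&2; return 1 ;;
        esac
    done <<EOF
$COUNTRIES
EOF
    echo "add $CONTINUE_RULE count ip from any to any // normal ruleset resumes here"
}

# Print the ruleset by default; with --apply feed it to ipfw as root.
case "${1:-}" in
    --apply) gen_rules | ipfw -q /dev/stdin ;;
    *)       gen_rules ;;
esac
```

Run it without arguments to inspect the generated commands, and with --apply to push them through "ipfw -q /dev/stdin". Re-applying against a live ruleset needs the old table and rules removed first (table destroy, rule deletes); that cleanup is deliberately left out. If a divert rule is part of the design, the message above argues for placing it ahead of the lookup rule, since reinjected packets are searched from the start of the ruleset.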
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?64148a94-ff8b-102f-992f-ca2d707ac61a>