Date:      Wed, 19 Mar 2003 00:41:38 -0800
From:      Luigi Rizzo <rizzo@icir.org>
To:        "Simon L. Nielsen" <simon@nitro.dk>
Cc:        "Crist J. Clark" <cjc@FreeBSD.ORG>, Wiktor Niesiobedzki <w@evip.pl>, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Prioritizing empty TCP ACKs with ipfw?
Message-ID:  <20030319004138.A68034@xorpc.icir.org>
In-Reply-To: <20030318213131.GF377@nitro.dk>; from simon@nitro.dk on Tue, Mar 18, 2003 at 10:31:32PM +0100
References:  <20030314085636.GB64326@galgenberg.net> <el59ycqr.fsf@ID-23066.news.dfncis.de> <20030314224655.GA2616@mail.evip.pl> <20030318200828.GC74853@blossom.cjclark.org> <20030318213131.GF377@nitro.dk>

On Tue, Mar 18, 2003 at 10:31:32PM +0100, Simon L. Nielsen wrote:
...
> It adds two options instead of trying to make more complicated parsing
> of the iplen option with arguments like '<', '>', '>=' and so on.

Actually, because other instructions already handle ranges
(e.g. those matching port numbers) one could simply recycle
that code in the user interface (for parsing/printing).
Changing the "iplen" opcode to check numbers within a
range is trivial (given that the size is upper bounded,
we do not need < > and the like but just say iplen 0-90 or
iplen 128-65535).

This would be my preference, also for ipttl and similar
instructions.

	cheers
	luigi

>      iplenmin len
>              Matches IP packets whose total length, including header and data,
>              is minimum len bytes (packet length >= len).
> 
>      iplenmax len
>              Matches IP packets whose total length, including header and data,
>              is maximum len bytes (packet length <= len).
> 
> The code has been tested very little (which is the reason I have not
> bothered this list with it before :) ) but in my simple tests it works
> fine.
> 
> Note that the attached patch had to be untangled from some other code
> I'm working on so it could be I got the wrong parts out but I think it is
> ok.
> 
> -- 
> Simon L. Nielsen

> Index: sbin/ipfw/ipfw.8
> ===================================================================
> RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v
> retrieving revision 1.122
> diff -u -d -r1.122 ipfw.8
> --- sbin/ipfw/ipfw.8	15 Mar 2003 01:13:00 -0000	1.122
> +++ sbin/ipfw/ipfw.8	18 Mar 2003 20:54:22 -0000
> @@ -901,6 +901,18 @@
>  Matches IP packets whose total length, including header and data, is
>  .Ar len
>  bytes.
> +.It Cm iplenmin Ar len
> +Matches IP packets whose total length, including header and data, is
> +minimum
> +.Ar len
> +bytes (packet length >=
> +.Ar len ) .
> +.It Cm iplenmax Ar len
> +Matches IP packets whose total length, including header and data, is
> +maximum
> +.Ar len
> +bytes (packet length <=
> +.Ar len ) .
>  .It Cm ipoptions Ar spec
>  Matches packets whose IP header contains the comma separated list of
>  options specified in
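
Review bot: In the two new .It entries, "is minimum len bytes" and "is maximum len bytes" read awkwardly; "is at least len bytes" and "is at most len bytes" say the same thing and agree directly with the parentheticals (packet length >= len) and (packet length <= len). A short sentence noting that the two options can be given together in one rule to bound the length on both sides would also help readers.
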
> Index: sbin/ipfw/ipfw2.c
> ===================================================================
> RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
> retrieving revision 1.23
> diff -u -d -r1.23 ipfw2.c
> --- sbin/ipfw/ipfw2.c	15 Mar 2003 01:12:59 -0000	1.23
> +++ sbin/ipfw/ipfw2.c	18 Mar 2003 20:54:22 -0000
> @@ -209,6 +209,8 @@
>  	TOK_FRAG,
>  	TOK_IPOPTS,
>  	TOK_IPLEN,
> +	TOK_IPLENMIN,
> +	TOK_IPLENMAX,
>  	TOK_IPID,
>  	TOK_IPPRECEDENCE,
>  	TOK_IPTOS,
> @@ -308,6 +310,8 @@
>  	{ "ipoptions",		TOK_IPOPTS },
>  	{ "ipopts",		TOK_IPOPTS },
>  	{ "iplen",		TOK_IPLEN },
> +	{ "iplenmin",		TOK_IPLENMIN },
> +	{ "iplenmax",		TOK_IPLENMAX },
>  	{ "ipid",		TOK_IPID },
>  	{ "ipprecedence",	TOK_IPPRECEDENCE },
>  	{ "iptos",		TOK_IPTOS },
> @@ -1106,6 +1110,14 @@
>  				printf(" iplen %u", cmd->arg1 );
>  				break;
>  
> +			case O_IPLENMIN:
> +				printf(" iplenmin %u", cmd->arg1 );
> +				break;
> +
> +			case O_IPLENMAX:
> +				printf(" iplenmax %u", cmd->arg1 );
> +				break;
> +
>  			case O_IPOPT:
>  				print_flags("ipoptions", cmd, f_ipopts);
>  				break;
> @@ -2962,6 +2974,18 @@
>  		case TOK_IPLEN:
>  			NEED1("iplen requires length");
>  			fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0));
> +			ac--; av++;
> +			break;
> +
> +		case TOK_IPLENMIN:
> +			NEED1("iplenmin requires length");
> +			fill_cmd(cmd, O_IPLENMIN, 0, strtoul(*av, NULL, 0));
> +			ac--; av++;
> +			break;
> +
> +		case TOK_IPLENMAX:
> +			NEED1("iplenmax requires length");
> +			fill_cmd(cmd, O_IPLENMAX, 0, strtoul(*av, NULL, 0));
>  			ac--; av++;
>  			break;
>  
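
Review bot: The TOK_IPLENMIN and TOK_IPLENMAX cases pass strtoul(*av, NULL, 0) straight to fill_cmd with a NULL end pointer, so a non-numeric argument is silently accepted as 0 and a value larger than any IP total length is not rejected. For a filter option that is a quiet way to install a rule that matches something other than what was typed; check the end pointer and the upper bound and fail with an error instead. The existing TOK_IPLEN case has the same pattern, so one small shared helper would cover all three.
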
> Index: sys/netinet/ip_fw.h
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v
> retrieving revision 1.76
> diff -u -d -r1.76 ip_fw.h
> --- sys/netinet/ip_fw.h	15 Mar 2003 01:13:00 -0000	1.76
> +++ sys/netinet/ip_fw.h	18 Mar 2003 21:00:45 -0000
> @@ -72,6 +72,8 @@
>  
>  	O_IPOPT,		/* arg1 = 2*u8 bitmap		*/
>  	O_IPLEN,		/* arg1 = len			*/
> +	O_IPLENMIN,		/* arg1 = len			*/
> +	O_IPLENMAX,		/* arg1 = len			*/
>  	O_IPID,			/* arg1 = id			*/
>  
>  	O_IPTOS,		/* arg1 = id			*/
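
Review bot: O_IPLENMIN and O_IPLENMAX are inserted between O_IPLEN and O_IPID, which renumbers every opcode listed after them; an ipfw binary built against the old header would then hand the kernel opcode numbers that mean something else. Either add the new opcodes at the end of the list or state clearly that userland and kernel must be rebuilt together. The comments could also distinguish the two, e.g. "arg1 = min len" and "arg1 = max len", rather than repeating "arg1 = len".
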
> Index: sys/netinet/ip_fw2.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
> retrieving revision 1.28
> diff -u -d -r1.28 ip_fw2.c
> --- sys/netinet/ip_fw2.c	15 Mar 2003 01:13:00 -0000	1.28
> +++ sys/netinet/ip_fw2.c	18 Mar 2003 21:00:45 -0000
> @@ -1740,6 +1740,14 @@
>  				match = (hlen > 0 && cmd->arg1 == ip_len);
>  				break;
>  
> +			case O_IPLENMIN:
> +				match = (hlen > 0 && cmd->arg1 <= ip_len);
> +				break;
> +
> +			case O_IPLENMAX:
> +				match = (hlen > 0 && cmd->arg1 >= ip_len);
> +				break;
> +
>  			case O_IPPRECEDENCE:
>  				match = (hlen > 0 &&
>  				    (cmd->arg1 == (ip->ip_tos & 0xe0)) );
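
Review bot: In the O_IPLENMIN and O_IPLENMAX cases the comparison is written with the rule argument on the left (cmd->arg1 <= ip_len, cmd->arg1 >= ip_len), the reverse of how the man page states it (packet length >= len, packet length <= len). Writing ip_len >= cmd->arg1 and ip_len <= cmd->arg1 makes the code easy to check against the documentation, and a one-line comment that both bounds are inclusive would remove any doubt.
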
> @@ -2362,6 +2370,8 @@
>  		case O_FRAG:
>  		case O_IPOPT:
>  		case O_IPLEN:
> +		case O_IPLENMIN:
> +		case O_IPLENMAX:
>  		case O_IPID:
>  		case O_IPTOS:
>  		case O_IPPRECEDENCE:
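
The range syntax proposed in the reply above (iplen 0-90, iplen 128-65535), sketched as an added example; this is not code from ipfw or from either poster. The names len_range, parse_u16, parse_len_range and spec_matches are hypothetical, and the 65535 bound is the upper limit mentioned in the reply.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical type, not from ipfw: inclusive range of IP total lengths. */
struct len_range { uint16_t lo, hi; };

/* Parse one decimal field of at most 65535 and advance *s past it. */
static int parse_u16(const char **s, uint16_t *out)
{
	char *end;
	unsigned long v;

	if (**s < '0' || **s > '9')	/* rejects "", "-5", "+5", " 5" */
		return -1;
	errno = 0;
	v = strtoul(*s, &end, 10);
	if (errno != 0 || v > 65535)	/* overflow or beyond max IP length */
		return -1;
	*out = (uint16_t)v;
	*s = end;
	return 0;
}

/* Accept "N" (exact length) or "LO-HI" (inclusive). 0 on success, -1 on bad input. */
int parse_len_range(const char *s, struct len_range *r)
{
	if (parse_u16(&s, &r->lo) != 0)
		return -1;
	if (*s == '\0') {		/* single value: lo == hi */
		r->hi = r->lo;
		return 0;
	}
	if (*s != '-')
		return -1;
	s++;
	if (parse_u16(&s, &r->hi) != 0 || *s != '\0')
		return -1;		/* missing upper bound or trailing junk */
	return (r->lo <= r->hi) ? 0 : -1;	/* reject inverted ranges */
}

/* Per-packet check: 1 = match, 0 = no match, -1 = malformed spec. */
int spec_matches(const char *spec, uint16_t ip_len)
{
	struct len_range r;
	if (parse_len_range(spec, &r) != 0)
		return -1;
	return ip_len >= r.lo && ip_len <= r.hi;
}
```

A single opcode carrying the two bounds covers exact match, minimum and maximum, and the parser refuses input that the patch's strtoul(*av, NULL, 0) calls would accept silently.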