From: "Dr. Rolf Jansen"
To: ipfw mailing list
Cc: Julian Elischer
Subject: Re: your thoughts on a particular ipfw action.
Date: Tue, 2 Aug 2016 09:50:53 -0300
In-Reply-To: <7f573fc4-2820-ebd3-7b15-d8a1cd023372@freebsd.org>

> Am 02.08.2016 um 05:08 schrieb Julian Elischer:
>
> looking for thoughts from people who know the new IPFW features well..
>
>
> A recent addition to our armory is the geoip program that, given an address, can tell you what country it is in and, given a country code, can give an ipfw table that describes all the IP addresses in that country.
>
> So I was thinking how to use this, and the obvious way would be to have a set of rules for each country, and use the "skipto tablearg" facility to skip to the right rules for each country. But the trouble is that a tablearg skipto is very inefficient. It's also a hard thing to set up with a set of rules for each country (how many countries are there in the internet allocation system?).

As of today a total of 236 country codes are in use for IPv4 delegations.

If this helps for anything, a command line switch to the geoip tool could be added for letting it output the country code (as the hex encoded CC taken as a plain decimal integer) as the value for the given table entry. At the moment you can give one value for all entries generated by geoip; with this switch set, the output of geoip could look like:

$ geoip -t "DE:BR:US" -x
...
table 0 add 93.157.48.0/21 4445
table 0 add 93.158.236.0/22 4252
table 0 add 93.159.96.0/19 4445
table 0 add 93.159.248.0/21 4445
table 0 add 93.180.72.0/21 4445
table 0 add 93.180.152.0/21 4445
table 0 add 93.181.0.0/18 4445
table 0 add 93.183.0.0/18 5553
...

Given that ...

0x4445 = 'DE'
0x4252 = 'BR'
0x5553 = 'US'

..., IT people who know by heart the low ASCII table like chemists (are supposed to) know the periodic table of the elements, this should not be too hard to remember.

> Another way would be to just put 'action numbers' in the tablearg field and have a few actions, shared by countries, but the trouble comes when you want to change the action for a country: you need to rewrite potentially thousands of entries (USA has over 15800 allocations).

Two or more geoip commands can be used for populating ipfw tables for different utilization in ipfw directives:

# Europe
geoip -t "FR:IT:DE:NL:BE:GB:..." -n 1 -x | ipfw -q /dev/stdin

# North America
geoip -t "US:CA" -n 2 -x | ipfw -q /dev/stdin

# South America
geoip -t "AR:BR:UR:CL:PY:BO:PE..." -n 3 -x | ipfw -q /dev/stdin

...

> A second way would be to somehow map the tablearg of the country into a table of actions, effectively doing two levels of lookup.
>
> The first table converting IP addresses to a country number and a second lookup converting that to an action.
>
> The only trouble is that I don't know of a way to do that. If the new changes allow that, and anyone knows how, please let me know :-).

Looking up a given IP in the totally balanced binary search tree takes on a decent system on average about 10-20 nanoseconds. So in theory 50 to 100 million packets per second could be filtered by this algorithm. In order to come closer to this performance in reality, it might be an option to move the search algorithm into ipfw.

Best regards

Rolf
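Added example, written for this archive page; it is not code from the email, from the geoip tool or from ipfw. It works through the encoding Rolf proposes ('DE' spelled as ASCII hex 44 45 and written out as the integer 4445), emits "table N add prefix value" lines grouped into the region tables the email sketches, and does the IP lookup as a binary search over sorted, non-overlapping prefixes, which has the same O(log n) bound as the balanced search tree he mentions. The delegations list is constructed for the demo (three rows copy the email's sample output, the rest use documentation prefixes); the region-to-table-number mapping and the flag-free function names are assumptions of this example. One caveat the code checks for: the letters J to O and Z have ASCII values 0x4A-0x4F and 0x5A, so codes such as NL, JP or ZA cannot be written as a decimal integer under the literal scheme; the example rejects them and offers the two ASCII bytes as a 16-bit integer (0x4445 = 17477) as an alternative that covers every code.

```python
"""Added example: country-code tablearg encoding, ipfw table generation
and a sorted-prefix lookup.  Not the email's or the geoip tool's code."""
import bisect
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


def cc_to_tablearg(cc: str) -> int:
    """'DE' -> ASCII 0x44 0x45 -> digit string "4445" -> decimal 4445.

    Letters J-O (0x4A-0x4F) and Z (0x5A) spell with hex digits A-F, so a
    code containing them has no decimal reading; reject it instead of
    emitting a bogus value."""
    cc = cc.upper()
    if len(cc) != 2 or not cc.isascii() or not cc.isalpha():
        raise ValueError(f"not a two-letter country code: {cc!r}")
    digits = "".join(f"{ord(c):02X}" for c in cc)
    if not digits.isdigit():
        raise ValueError(f"{cc} (hex {digits}) has no plain-decimal form")
    return int(digits, 10)


def tablearg_to_cc(value: int) -> str:
    """Inverse of cc_to_tablearg: 4445 -> 'DE'."""
    digits = f"{value:04d}"
    return "".join(chr(int(digits[i:i + 2], 16)) for i in (0, 2))


def cc_to_u16(cc: str) -> int:
    """Alternative (my suggestion, not the email's): both ASCII bytes as one
    16-bit integer, 'DE' -> 0x4445 -> 17477.  Works for every code."""
    a, b = cc.upper()
    return (ord(a) << 8) | ord(b)


def u16_to_cc(value: int) -> str:
    return chr(value >> 8) + chr(value & 0xFF)


Delegation = Tuple[str, str]  # (CIDR prefix, ISO country code)

# Constructed sample delegations: the first three rows reproduce the
# email's sample output, the last two use RFC 5737 documentation prefixes.
SAMPLE_DELEGATIONS: List[Delegation] = [
    ("93.157.48.0/21", "DE"),
    ("93.158.236.0/22", "BR"),
    ("93.183.0.0/18", "US"),
    ("192.0.2.0/24", "CA"),
    ("198.51.100.0/24", "AR"),
]

# Assumed region -> table number split, after the email's three examples.
REGION_TABLES: Dict[int, Set[str]] = {
    1: {"FR", "IT", "DE", "NL", "BE", "GB"},
    2: {"US", "CA"},
    3: {"AR", "BR", "CL", "PY", "BO", "PE"},
}


def ipfw_table_lines(delegations: Iterable[Delegation], table_no: int,
                     only: Optional[Set[str]] = None,
                     encode: Callable[[str], int] = cc_to_tablearg) -> List[str]:
    """Emit 'table N add prefix value' lines in the shape of the -x output."""
    return [f"table {table_no} add {prefix} {encode(cc)}"
            for prefix, cc in delegations if only is None or cc in only]


def region_tables(delegations: List[Delegation]) -> Dict[int, List[str]]:
    """One list of table lines per region table, ready to feed to ipfw."""
    return {n: ipfw_table_lines(delegations, n, only=ccs)
            for n, ccs in REGION_TABLES.items()}


class PrefixIndex:
    """Sorted, non-overlapping prefixes searched with bisect: O(log n) per
    lookup, the same bound as a balanced binary search tree."""

    def __init__(self, delegations: Iterable[Delegation]) -> None:
        nets = sorted((ipaddress.ip_network(p), cc) for p, cc in delegations)
        self._starts = [int(n.network_address) for n, _ in nets]
        self._ends = [int(n.broadcast_address) for n, _ in nets]
        self._ccs = [cc for _, cc in nets]

    def lookup(self, ip: str) -> Optional[str]:
        """Country code of the prefix containing ip, or None if unlisted."""
        addr = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(self._starts, addr) - 1
        if i >= 0 and addr <= self._ends[i]:
            return self._ccs[i]
        return None


if __name__ == "__main__":
    for line in ipfw_table_lines(SAMPLE_DELEGATIONS, 0):
        print(line)
    idx = PrefixIndex(SAMPLE_DELEGATIONS)
    print(idx.lookup("93.157.50.1"), idx.lookup("93.183.63.255"), idx.lookup("10.0.0.1"))
    try:
        cc_to_tablearg("NL")
    except ValueError as err:
        print("caveat:", err, "-> use cc_to_u16:", cc_to_u16("NL"))
```

The region_tables output can be piped into ipfw with the file-argument form the email uses (ipfw -q /dev/stdin); the lookup class is only a model of the search step, since the real per-packet lookup would live in the kernel as Rolf suggests.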