From: "Alexander V. Chernikov"
Date: Sun, 05 Oct 2014 14:14:29 +0400
To: Marcelo Gondim, freebsd-net@freebsd.org
Subject: Re: HEADS UP: Merging projects/ipfw to HEAD
Message-ID: <54311A05.8050200@FreeBSD.org>
In-Reply-To: <542FFD95.5050200@bsdinfo.com.br>

On 04.10.2014 18:00, Marcelo Gondim wrote:
> Excellent work! :)
> I really enjoyed the news. Does this new ipfw come with the FreeBSD 10.1 release?

Unfortunately, no. The plan is to commit it to HEAD and merge to 9/ and 10/ after 1 month.

> Cheers,
> Gondim
>
> On 04/10/2014 09:35, Alexander V. Chernikov wrote:
>> Hi,
>>
>> I'm going to merge projects/ipfw branch to HEAD in the middle of next week.
>>
>> What has changed:
>>
>> Main user-visible changes are related to tables:
>>
>> * Tables are now identified by names, not numbers. There can be up to 65k tables with up to 63-byte long names.
>> * Tables are now set-aware (default off), so you can switch/move them atomically with rules.
>> * More functionality is supported (swap, lock, limits, user-level lookup, batched add/del) by generic table code.
>> * New table types are added (flow) so you can match multiple packet fields at once.
>> * Ability to add different types of lookup algorithms for a particular table type has been added.
>> * New table algorithms are added (cidr:hash, iface:array, number:array and flow:hash) to make certain types of lookup more effective.
>> * Table values are now capable of holding multiple data fields for different tablearg users.
>>
>> Some examples (see ipfw(8) manual page for the description):
>>
>> 0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash valtype skipto,fib
>> 0:02 [2] zfscurr0# ipfw table fl2 info
>> +++ table(fl2), set(0) +++
>>  kindex: 0, type: flow:src-ip,proto,dst-port
>>  valtype: number, references: 0
>>  algorithm: flow:hash
>>  items: 0, size: 280
>> 0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000,12
>> 0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000,13
>> 0:02 [2] zfscurr0# ipfw table fl2 list
>> +++ table(fl2), set(0) +++
>> 2a02:6b8::333,6,443 45000
>> 10.0.0.92,6,80 22000
>> 0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'
>>
>> ipfw table mi_test create type cidr algo "cidr:hash masks=/30,/64"
>> ipfw table mi_test add 10.0.0.8/30
>> ipfw table mi_test add 2a02:6b8:b010::1/64 25
>>
>> # ipfw table si add 1.1.1.1/32 1111 2.2.2.2/32 2222
>> added: 1.1.1.1/32 1111
>> added: 2.2.2.2/32 2222
>> # ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32 4444
>> exists: 2.2.2.2/32 2200
>> added: 4.4.4.4/32 4444
>> ipfw: Adding record failed: record already exists
>> ^^^^^ Returns error but keeps inserted items
>> # ipfw table si list
>> +++ table(si), set(0) +++
>> 1.1.1.1/32 1111
>> 2.2.2.2/32 2222
>> 4.4.4.4/32 4444
>> # ipfw table si atomic add 3.3.3.3/32 3333 4.4.4.4/32 4400 5.5.5.5/32 5555
>> added(reverted): 3.3.3.3/32 3333
>> exists: 4.4.4.4/32 4400
>> ignored: 5.5.5.5/32 5555
>> ipfw: Adding record failed: record already exists
>> ^^^^^ Returns error and reverts added records
>>
>> Performance changes:
>> * Main ipfw lock was converted to rmlock.
>> * Rule counters were separated from the rule itself and made per-CPU.
>> * Radix table entries fit into 128 bytes.
>> * struct ip_fw is now more compact so more rules will fit into 64 bytes.
>> * Interface tables use an array of existing ifindexes for faster match.
>>
>> ABI changes:
>> All functionality supported by old ipfw(8) remains functional. Old & new binaries can work together with the following restrictions:
>> * Tables named other than ^\d+$ are shown as table(65535) in ruleset in old binaries.
>> * I'm a bit unsure about "lookup src-port|dst-port N" case, something may be broken here. Anyway, this can be fixed for MFC.
>>
>> Internal changes:
>> Changing table ids to numbers resulted in format modification for most sockopt codes.
>> Old sopt format was compact, but very hard to extend (no versioning, inability to add more opcodes), so
>> * All relevant opcodes were converted to TLV-based versioned IP_FW3-based codes.
>> * The remaining opcodes were also converted to be able to eliminate all older opcodes at once.
>> * All IP_FW3 handlers use a special API instead of calling sooptcopy* directly to ease adding other communication methods.
>> * struct ip_fw is now different for kernel and userland.
>> * tablearg value has been changed to 0 to ease future extensions.
>> * Table "values" are now indexes in a special value array which holds extended data for the given index.
>> * Batched add/delete has been added to tables code.
>> * Most changes have been done to permit batched rule addition.
>> * Interface tracking API has been added (started on demand) to permit effective interface table operations.
>> * O(1) skipto cache, currently turned off by default at compile-time (eats 512K).
>>
>> * Several steps have been made towards making libipfw:
>>   * Most of the new functions were separated into "parse/prepare/show and actually-do-stuff" pieces (already merged).
>>   * There are separate functions for parsing a text string into "struct ip_fw" and printing "struct ip_fw" to a supplied buffer (already merged).
>> * Probably some more less significant/forgotten features.
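As an added example (not part of the thread or the ipfw project), a shell wrapper that combines two features from the announcement, set-aware tables and the atomic batch add, to cut a blocklist over without a window in which the deny rule exists but its table is still empty. It assumes a FreeBSD host with the merged ipfw, net.inet.ip.fw.tables_sets=1, and the constructed set numbers 0 (live) and 1 (staging) and table name blk; the command syntax for `ipfw set N table ...` and `ipfw set swap` is taken from ipfw(8).

```shell
#!/bin/sh
# Added example, not from the announcement: stage a blocklist table and its
# rule in a spare ipfw set, then "set swap" so rule and table go live together.
# Assumes the merged ipfw, net.inet.ip.fw.tables_sets=1 (set-aware tables are
# off by default) and the "type cidr" spelling used in the announcement.
# With DRY_RUN=1 the ipfw commands are printed instead of executed.
IPFW=${IPFW:-ipfw}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPFW $*"
    else
        "$IPFW" "$@"
    fi
}

# stage_blocklist LIVE_SET STAGE_SET TABLE < entries
# stdin carries one "prefix value" pair per line; blank and '#' lines are skipped.
stage_blocklist() {
    live=$1; stage=$2; table=$3; entries=""
    while read -r prefix value; do
        case "$prefix" in ""|\#*) continue ;; esac
        entries="$entries $prefix $value"
    done
    [ -n "$entries" ] || { echo "no entries" >&2; return 1; }

    # Start from an empty staging set: drop its rules and any leftover table.
    run delete set "$stage" || true
    run set "$stage" table "$table" destroy || true
    # Create the table inside the staging set and load it in one atomic batch,
    # so a duplicate or malformed entry leaves the staging table untouched.
    run set "$stage" table "$table" create type cidr
    run set "$stage" table "$table" atomic add $entries || return 1
    # The rule lives in the same set, so the swap moves rule and table together.
    run add 100 set "$stage" deny ip from "table($table)" to any
    # Atomic cutover: staging becomes live, the old live set becomes staging.
    run set swap "$stage" "$live"
    # The previous rules and table now sit in the staging set; clean them up.
    run delete set "$stage"
    run set "$stage" table "$table" destroy
}

# Constructed sample; the prefixes are the ones from the mi_test example above.
if [ "${1:-}" = demo ]; then
    printf '10.0.0.8/30 1\n2a02:6b8:b010::1/64 2\n' | DRY_RUN=1 stage_blocklist 0 1 blk
fi
```

Run with `DRY_RUN=1 sh script.sh demo` first to review the exact command sequence before pointing it at a live firewall.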