From owner-freebsd-bugs@FreeBSD.ORG Thu May 5 06:10:02 2005
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Thu, 5 May 2005 06:10:02 GMT
Resent-Message-Id: <200505050610.j456A2WS057273@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Andrey V. Elsukov"
Message-Id: <200505050602.j4562qgC052950@rdu.kirov.ru>
Date: Thu, 5 May 2005 10:02:52 +0400 (MSD)
From: "Andrey V. Elsukov"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/80642: IPFW small patch - new RULE OPTION
Reply-To: "Andrey V. Elsukov"
List-Id: Bug reports

>Number: 80642
>Category: kern
>Synopsis: IPFW small patch - new RULE OPTION
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu May 05 06:10:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Andrey V. Elsukov
>Release: FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
RELENG_5
>Description:
This is a small patch for IPFW. It adds a new rule option, "bound VALUE". A rule with this option matches while the rule's byte counter is below the specified bound value. Example:

ipfw add 100 allow ip from any to A.B.C.D in recv Ext_Interface bound 1000000
ipfw add 200 deny ip from any to A.B.C.D

While the byte counter is below 1000000, rule 100 matches.
>How-To-Repeat:
>Fix:
--- ipfw_bound.diff begins here --- --- sys/netinet/ip_fw.h.orig Tue Feb 1 02:26:35 2005 +++ sys/netinet/ip_fw.h Tue May 3 22:38:07 2005 @@ -78,6 +78,7 @@ O_RECV, /* none */ O_XMIT, /* none */ O_VIA, /* none */ + O_BOUND, /* u64 = bound in bytes */ O_IPOPT, /* arg1 = 2*u8 bitmap */ O_IPLEN, /* arg1 = len */ @@ -198,6 +199,14 @@ ipfw_insn o; u_int32_t d[1]; /* one or more */ } ipfw_insn_u32; + +/* + * This is used to store 64-bit bound value. + */ +typedef struct _ipfw_insn_u64 { + ipfw_insn o; + u_int64_t bound; +} ipfw_insn_u64; /* * This is used to store IP addr-mask pairs. --- sys/netinet/ip_fw2.c.orig Sun Feb 6 19:16:20 2005 +++ sys/netinet/ip_fw2.c Tue May 3 22:22:04 2005 
@@ -2294,6 +2294,9 @@ /* otherwise no match */ break; + case O_BOUND: + match = (f->bcnt < ((ipfw_insn_u64 *)cmd)->bound); + break; /* * The second set of opcodes represents 'actions', * i.e. the terminal part of a rule once the packet @@ -2939,6 +2942,11 @@ if (cmdlen != F_INSN_SIZE(ipfw_insn_u32)) goto bad_size; break; + + case O_BOUND: + if (cmdlen != F_INSN_SIZE(ipfw_insn_u64)) + goto bad_size; + break; case O_LIMIT: if (cmdlen != F_INSN_SIZE(ipfw_insn_limit)) --- sbin/ipfw/ipfw2.c.orig Tue Jan 25 10:23:34 2005 +++ sbin/ipfw/ipfw2.c Tue May 3 22:56:41 2005 @@ -236,6 +236,7 @@ TOK_ANTISPOOF, TOK_IPSEC, TOK_COMMENT, + TOK_BOUND, TOK_PLR, TOK_NOERROR, @@ -351,6 +352,7 @@ { "antispoof", TOK_ANTISPOOF }, { "ipsec", TOK_IPSEC }, { "//", TOK_COMMENT }, + { "bound", TOK_BOUND }, { "not", TOK_NOT }, /* pseudo option */ { "!", /* escape ? */ TOK_NOT }, /* pseudo option */ @@ -1198,6 +1200,9 @@ break; } + case O_BOUND: + printf(" bound %u", ((ipfw_insn_u64 *)cmd)->bound); + break; case O_IPID: if (F_LEN(cmd) == 1) printf(" ipid %u", cmd->arg1 ); @@ -1917,7 +1922,7 @@ " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n" " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n" " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" -" verrevpath | versrcreach | antispoof\n" +" bound VALUE | verrevpath | versrcreach | antispoof\n" ); exit(0); } @@ -3220,6 +3225,14 @@ cmd->opcode = O_RECV; else if (i == TOK_VIA) cmd->opcode = O_VIA; + break; + + case TOK_BOUND: + NEED1("bound requires numeric value"); + cmd->opcode = O_BOUND; + ((ipfw_insn_u64 *)cmd)->bound = strtoull(*av, NULL, 0); + cmd->len |= F_INSN_SIZE(ipfw_insn_u64); + ac--; av++; break; case TOK_ICMPTYPES: --- sbin/ipfw/ipfw.8.orig Wed Mar 2 22:50:11 2005 +++ sbin/ipfw/ipfw.8 Wed May 4 19:23:13 2005 
@@ -920,6 +920,8 @@ .It Cm bridged Alias for .Cm layer2 . +.It Cm bound Ar value +Matches while bytes counter below bound value. .It Cm dst-ip Ar ip-address Matches IP packets whose destination IP is one of the address(es) specified as argument. --- ipfw_bound.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
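Review bot: in the first sys/netinet/ip_fw.h hunk, `O_BOUND` is inserted between `O_VIA` and `O_IPOPT`, which renumbers every opcode that follows it in the enum. The opcode numbers travel between ipfw(8) and the kernel inside the rule image, so an ipfw binary built against the old header will hand the patched kernel rules whose later opcodes are decoded as the wrong ones (and vice versa). Append the new opcode at the end of the enum instead, so the existing numbers are unchanged.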
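Review bot: in the second sys/netinet/ip_fw.h hunk, placing a `u_int64_t` directly after the 4-byte `ipfw_insn` header gives `ipfw_insn_u64` an architecture-dependent layout: on i386 it is 12 bytes (3 instruction words), while on LP64 targets the compiler adds 4 bytes of padding and the struct becomes 16 bytes with 8-byte alignment, even though instructions inside a rule are only guaranteed to be 4-byte aligned, so reading `->bound` through this type can trap on strict-alignment machines. Storing the bound as two `u_int32_t` halves (for example an `ipfw_insn_u32` with `d[2]`) and assembling the 64-bit value in the match code keeps the instruction at 3 words everywhere and avoids the alignment hazard; the `bad_size` check added in ip_fw2.c would then be adjusted to that size.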
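Review bot: in the first sys/netinet/ip_fw2.c hunk, `match = (f->bcnt < ((ipfw_insn_u64 *)cmd)->bound)` compares the counter as it stands before the current packet is accounted, so the packet that crosses the bound still matches and the rule can overshoot the bound by up to one packet; the manual page should say so. The comparison also ties the option to the rule's own byte counter, which `ipfw zero` resets, so zeroing counters re-arms the rule; that is probably the intended quota behaviour, but it should be documented, and a one-line comment in this case stating that `f->bcnt` is the matching rule's byte counter would help the next reader.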
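Review bot: in the rule-printing hunk of sbin/ipfw/ipfw2.c, `printf(" bound %u", ((ipfw_insn_u64 *)cmd)->bound)` passes a `u_int64_t` to a `%u` conversion, which is undefined behaviour and on i386 prints only the low 32 bits, so `ipfw list` misreports any bound of 4 GiB or more and a large bound can look like a small one. Cast to `uintmax_t` and use `%ju`: `printf(" bound %ju", (uintmax_t)((ipfw_insn_u64 *)cmd)->bound);`.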
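Review bot: in the `TOK_BOUND` parsing hunk of sbin/ipfw/ipfw2.c, `strtoull(*av, NULL, 0)` accepts any string: `bound abc` silently becomes 0 and `bound 10x` becomes 10, and a bound of 0 yields a rule that never matches with no diagnostic. Parse with an end pointer and reject trailing garbage and overflow, e.g. `bound = strtoull(*av, &end, 0); if (end == *av || *end != '\0' || errno == ERANGE) errx(EX_DATAERR, "bound: invalid value %s", *av);`, and consider rejecting 0 explicitly.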
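Review bot: in the sbin/ipfw/ipfw.8 hunk, the new entry is placed after `.It Cm bridged`, although the surrounding option list reads alphabetically (bridged, dst-ip, ...), so `bound` belongs before `bridged`. The description "Matches while bytes counter below bound value." is also missing a verb and does not say which counter is meant; something like "Matches while the rule's byte counter, as displayed by ipfw show and reset by ipfw zero, is below value." tells the reader both what is counted and how the rule is re-armed.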