Date:      Tue, 2 Aug 2016 09:50:53 -0300
From:      "Dr. Rolf Jansen" <rj@obsigna.com>
To:        ipfw mailing list <ipfw@freebsd.org>
Cc:        Julian Elischer <julian@freebsd.org>
Subject:   Re: your thoughts on a particular ipfw action.
Message-ID:  <AE91DE1F-82B5-413C-826C-085231906C5F@obsigna.com>
In-Reply-To: <7f573fc4-2820-ebd3-7b15-d8a1cd023372@freebsd.org>
References:  <7f573fc4-2820-ebd3-7b15-d8a1cd023372@freebsd.org>


> On 02.08.2016 at 05:08, Julian Elischer <julian@freebsd.org> wrote:
>
> looking for thoughts from people who know the new IPFW features well...
>
>
> A recent addition to our armory is the geoip program that, given an address, can tell you what country it is in and, given a country code, can give an ipfw table that describes all the IP addresses in that country.
>
> So I was thinking how to use this, and the obvious way would be to have a set of rules for each country, and use the "skipto tablearg" facility to skip to the right rules for each country. But the trouble is that a tablearg skipto is very inefficient. It's also a hard thing to set up with a set of rules for each country (how many countries are there in the internet allocation system?).

As of today a total of 236 country codes are in use for IPv4 delegations. If this helps for anything, a command line switch could be added to the geoip tool to let it output the country code (the hex encoded CC taken as a plain decimal integer) as the value for each table entry. At the moment you can give one value for all entries generated by geoip; with this switch set, the output of geoip could look like:

$ geoip -t "DE:BR:US" -x
...
table 0 add 93.157.48.0/21 4445
table 0 add 93.158.236.0/22 4252
table 0 add 93.159.96.0/19 4445
table 0 add 93.159.248.0/21 4445
table 0 add 93.180.72.0/21 4445
table 0 add 93.180.152.0/21 4445
table 0 add 93.181.0.0/18 4445
table 0 add 93.183.0.0/18 5553
...

Given that ...
0x4445 = 'DE'
0x4252 = 'BR'
0x5553 = 'US'

..., for IT people who know the low ASCII table by heart, like chemists (are supposed to) know the periodic table of the elements, this should not be too hard to remember.

> Another way would be to just put 'action numbers' in the tablearg field and have a few actions, shared by countries, but the trouble comes when you want to change the action for a country: you need to rewrite potentially thousands of entries (USA has over 15800 allocations).

Two or more geoip commands can be used to populate ipfw tables for different uses in ipfw directives (ipfw reads the generated commands from the file given as its argument, here /dev/stdin):

# Europe
geoip -t "FR:IT:DE:NL:BE:GB:..." -n 1 -x | ipfw -q /dev/stdin

# North America
geoip -t "US:CA" -n 2 -x | ipfw -q /dev/stdin

# South America
geoip -t "AR:BR:UY:CL:PY:BO:PE..." -n 3 -x | ipfw -q /dev/stdin

...

> A second way would be to somehow map the tablearg of the country into a table of actions, effectively doing two levels of lookup.
>
> The first table converting IP addresses to a country number and a second lookup converting that to an action.
>
> the only trouble is that I don't know of a way to do that. If the new changes allow that, and anyone knows how, please let me know :-).

Looking up a given IP in the totally balanced binary search tree takes on a decent system on average about 10-20 nanoseconds. So in theory 50 to 100 million packets per second could be filtered by this algorithm. In order to come closer to this performance in reality, it might be an option to move the search algorithm into ipfw.

Best regards

Rolf
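A worked illustration of the country-code encoding proposed above and of the two-level lookup Julian asked about, added here as an example; it is not part of the original messages, of ipfw, or of the geoip tool. It assumes nothing about geoip beyond the "table N add prefix value" output format shown in the thread: the sample lines are copied from that excerpt (not produced by running geoip), the POLICY mapping and every function name are hypothetical, and the first-level lookup is a plain Python model of what an ipfw address table does (longest-prefix match), not ipfw itself. It also handles a case the proposed scheme does not mention: codes whose ASCII hex digits are not all decimal digits.

```python
import ipaddress

# Constructed sample in the "table N add prefix value" format shown in the
# message above; prefixes and values are copied from that excerpt, not
# produced by running geoip.
SAMPLE_TABLE = """\
table 0 add 93.157.48.0/21 4445
table 0 add 93.158.236.0/22 4252
table 0 add 93.159.96.0/19 4445
table 0 add 93.183.0.0/18 5553
"""

# Hypothetical second-level mapping: country code -> ipfw action. Changing a
# country's treatment means editing one entry here, not thousands of table rows.
POLICY = {"DE": "allow", "BR": "deny", "US": "allow"}


def cc_to_value(cc, decimal_reading=True):
    """Encode a two-letter country code as an ipfw table value.

    decimal_reading=True reproduces the scheme from the message: the hex dump
    of the two ASCII bytes is read as a decimal integer ('DE' -> "4445" -> 4445).
    That reading only exists when every hex digit is 0-9, i.e. for the letters
    A-I (0x41-0x49) and P-Y (0x50-0x59); codes containing J-O or Z ('NL' is
    0x4E4C) have no decimal form and raise ValueError.
    decimal_reading=False returns the plain big-endian 16-bit value, which is
    defined for every code and still fits a 32-bit ipfw table value.
    """
    cc = cc.upper()
    if len(cc) != 2 or not cc.isascii() or not cc.isalpha():
        raise ValueError(f"not a two-letter country code: {cc!r}")
    hexdigits = cc.encode("ascii").hex()
    if decimal_reading:
        if not hexdigits.isdigit():
            raise ValueError(f"{cc}: hex {hexdigits} is not a decimal number")
        return int(hexdigits, 10)
    return int(hexdigits, 16)


def value_to_cc(value, decimal_reading=True):
    """Inverse of cc_to_value: table value -> two-letter country code."""
    text = f"{value:04d}" if decimal_reading else f"{value:04x}"
    return bytes.fromhex(text).decode("ascii")


def parse_table(text):
    """Parse 'table N add prefix value' lines into (network, value) entries."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "table" or parts[2] != "add":
            raise ValueError(f"unexpected line: {line!r}")
        entries.append((ipaddress.ip_network(parts[3], strict=True), int(parts[4])))
    return entries


def lookup_value(entries, addr):
    """First level: longest-prefix match, the semantics of an ipfw address table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, value in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


def decide(entries, policy, addr, default="allow"):
    """Second level: table value -> country code -> action from the policy map."""
    value = lookup_value(entries, addr)
    if value is None:
        return default
    return policy.get(value_to_cc(value), default)


if __name__ == "__main__":
    entries = parse_table(SAMPLE_TABLE)
    for addr in ("93.157.50.1", "93.158.237.9", "93.183.63.255", "10.0.0.1"):
        print(addr, lookup_value(entries, addr), decide(entries, POLICY, addr))
```

The point of the second level is the one Julian raised: flipping Brazil from deny to allow changes a single POLICY entry while the prefix table stays untouched. The caveat on the encoding is worth checking before adopting it in a real table: the "hex read as decimal" trick works for DE, BR and US, but roughly a third of the alphabet (J to O and Z) has hex digits a-f, so codes such as NL, JP, MX or NZ cannot be written that way; storing the raw 16-bit value instead costs nothing and covers every code.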

Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?AE91DE1F-82B5-413C-826C-085231906C5F>