Date: Mon, 19 Sep 2005 00:59:32 -0700
From: Luigi Rizzo
To: Brett Glass
Cc: net@freebsd.org
Subject: Re: Efficient use of Dummynet pipes in IPFW

On Mon, Sep 19, 2005 at 01:32:33AM -0600, Brett Glass wrote:
...
> Unfortunately, this requires inverting the sense of rules. And in IPFW's
> very simplistic language, you can't invert a single rule with more
> than one condition into another single rule because you can only

yes i know.
you need to make it into two rules. you have to live with what is there.

Same for the 'resume' option. It might be nice to have, however
but there is already a two-rule version (the one i suggested,
follow the non-terminating action with a skipto rule) so its
absence is not blocking you from doing what you want.

in terms of implementation, if you want to add it, the best place
would be to add the 'skipto' fields to each 'action' opcode.
I am not very interested in implementing it, though, because
i still see ipfw as a low-level language.

> I've looked at the source and it's fragmented and virtually undocumented,

are you talking about the userland part or the kernel code ?
i agree the userland part is a mess. But the kernel code i believe
is reasonably documented (of course it could be documented better -
patches welcome). the first 250 or so lines in ip_fw2.h
are almost all comments describing the opcode formats.
ip_fw2.c tries to describe rule parsing in the body of ipfw_chk()

cheers
luigi