From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 26 18:24:46 2004
From: Bill Fumerola
To: freebsd-ipfw@freebsd.org
Date: Mon, 26 Jan 2004 18:23:07 -0800
Subject: 'prevmatch' patch
Message-ID: <20040127022307.GP40147@elvis.mu.org>
Reply-To: billf@FreeBSD.org
List-Id: IPFW Technical Discussions
X-Operating-System: FreeBSD 4.9-MUORG-20031210 i386

I ran into a situation recently where I could write my ruleset a lot simpler (and remove some costly, redundant lookups) by requiring that the previous rule evaluated matched.

Note: this does NOT mean "the previous rule in order"; it means "the previous rule traversed". The former isn't all that useful, but the latter is nice because it works with both count and skipto rules.

I'm also working on a more complex tagging language, but in the meantime someone may find this useful. If there is interest, I'll clean it up, write up some appropriate mdoc patches as well, and commit this. If not, this will live in the archives for people to apply locally.

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org

----- Forwarded message from bill fumerola -----

==== //depot/yahoo/ybsd_4/src/sbin/ipfw/ipfw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/ipfw/ipfw2.c#3 (text+ko) ==== content @@ -225,6 +225,7 @@ TOK_MACTYPE, TOK_VERREVPATH, TOK_IPSEC, + TOK_PREVMATCH, TOK_COMMENT, TOK_PLR, @@ -337,6 +338,7 @@ { "mac-type", TOK_MACTYPE }, { "verrevpath", TOK_VERREVPATH }, { "ipsec", TOK_IPSEC }, + { "prevmatch", TOK_PREVMATCH }, { "//", TOK_COMMENT }, { "not", TOK_NOT }, /* pseudo option */ @@ -1262,6 +1264,10 @@ printf(" ipsec"); break; + case O_PREVMATCH: + printf(" prevmatch"); + break; + case O_NOP: comment = (char *)(cmd + 1); break; 
@@ -3400,6 +3406,10 @@ fill_cmd(cmd, O_IPSEC, 0, 0); break; + case TOK_PREVMATCH: + fill_cmd(cmd, O_PREVMATCH, 0, 0); + break; + case TOK_COMMENT: fill_comment(cmd, ac, av); av += ac; ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.c#4 (text+ko) ==== content @@ -1352,6 +1352,7 @@ int pktlen; int dyn_dir = MATCH_UNKNOWN; ipfw_dyn_rule *q = NULL; + int prevmatch = 0; if (m->m_flags & M_SKIP_FIREWALL) return 0; /* accept */ @@ -1524,6 +1525,10 @@ match = 1; break; + case O_PREVMATCH: + match = prevmatch; + break; + case O_FORWARD_MAC: printf("ipfw: opcode %d unimplemented\n", cmd->opcode); @@ -1948,6 +1953,7 @@ case O_COUNT: case O_SKIPTO: + prevmatch = 1; f->pcnt++; /* update stats */ f->bcnt += pktlen; f->timestamp = time_second; @@ -2004,6 +2010,7 @@ } } /* end of inner for, scan opcodes */ + prevmatch = 0; next_rule:; /* try next rule */ @@ -2414,6 +2421,7 @@ case O_ESTAB: case O_VERREVPATH: case O_IPSEC: + case O_PREVMATCH: if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size; break; ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.h#3 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.h#3 (text+ko) ==== content @@ -96,6 +96,8 @@ O_VERREVPATH, /* none */ + O_PREVMATCH, /* none (previous rule matched) */ + O_PROBE_STATE, /* none */ O_KEEP_STATE, /* none */ O_LIMIT, /* ipfw_insn_limit */ ----- End forwarded message -----
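Review bot: the `prevmatch = 0;` reset in the `@@ -2004,6 +2010,7 @@` hunk of ip_fw2.c sits after the opcode loop but before the `next_rule:` label, so it only runs when a rule fails to match by falling out of the loop; every `goto next_rule` bypasses it. That is what lets a `count` rule leave prevmatch set, but the `check-state` miss path in the same function also leaves via `goto next_rule` without having matched, so `count ...` followed by `check-state` followed by a `prevmatch` rule sees prevmatch == 1 even though the rule traversed immediately before it did not match. Either clear prevmatch on that path too, or state in the option's documentation that check-state is transparent to prevmatch.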
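Review bot: `prevmatch = 1;` in the `@@ -1948,6 +1953,7 @@` hunk is set only under `case O_COUNT: case O_SKIPTO:`, which is correct because those are the only actions that let traversal continue, but that reasoning is not obvious at the `case O_PREVMATCH: match = prevmatch;` site and deserves a one-line comment next to the assignment (something like "only count and skipto continue traversal, so they are the only actions that can leave a matched rule behind"). It would also help to have the O_PREVMATCH case comment say that `not prevmatch` works through the generic F_NOT handling, since that is the form most rulesets will use.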
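Review bot: inserting `O_PREVMATCH` between `O_VERREVPATH` and `O_PROBE_STATE` in the `@@ -96,6 +96,8 @@` hunk of ip_fw2.h renumbers every opcode that follows it (`O_PROBE_STATE`, `O_KEEP_STATE`, `O_LIMIT` and the rest), so an ipfw(8) binary and a kernel built from different copies of the header will disagree about what those opcodes mean, and the size check in `check_ipfw_struct` will either reject or silently misinterpret otherwise valid rules. Append the new opcode at the end of the enum instead so existing numbering is preserved, and say in the commit message that kernel and ipfw(8) must be rebuilt together if the numbering does change.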
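Review bot: the three ipfw2.c hunks (the `TOK_PREVMATCH` token, the `printf(" prevmatch")` printer and the `fill_cmd(cmd, O_PREVMATCH, 0, 0)` parser) are complete as far as the userland side goes, but nothing in the patch touches ipfw.8, and the semantics ("the previous rule traversed", not "the previous rule in order") are exactly what users will get wrong without it. The mdoc text the cover note promises should land with this change rather than later, and should state explicitly that `prevmatch` can only be true directly after a matching `count` or `skipto`, and that it is cleared by any rule that fails to match.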
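To make the "previous rule traversed" semantics concrete, here is a small user-space model of the traversal the ip_fw2.c hunks implement. It is an added example, not code from the patch or from FreeBSD: the `rule`/`pkt` structures, the `chk_model` walker and the four-rule demo ruleset are assumptions constructed for illustration, and the ipfw syntax shown in the comment is standard ipfw syntax with the patch's `prevmatch` option appended. What it follows from the posted hunks is the state machine: a matching `count` or `skipto` sets prevmatch, a rule that fails to match clears it, and any other action ends traversal.

```c
/*
 * Model of ipfw_chk rule traversal with the proposed "prevmatch" option.
 * Added example (assumed structures, not the patch's or FreeBSD's code).
 */
#include <stdio.h>

enum action { ALLOW, DENY, COUNT, SKIPTO };

struct pkt {
    int proto;          /* 6 = tcp, 17 = udp */
    int dport;
};

struct rule {
    int num;            /* rule number, ascending */
    enum action act;
    int target;         /* skipto target, must be > num */
    int proto;          /* 0 = any */
    int dport;          /* 0 = any */
    int prevmatch;      /* 1 = rule carries the prevmatch option */
};

/* Rule body: every option must hold, prevmatch included. */
static int rule_matches(const struct rule *r, const struct pkt *p, int prevmatch)
{
    if (r->proto && r->proto != p->proto)
        return 0;
    if (r->dport && r->dport != p->dport)
        return 0;
    if (r->prevmatch && !prevmatch)
        return 0;
    return 1;
}

/*
 * Walk the ruleset for one packet.  Returns the number of the rule whose
 * allow/deny decided it (65535 for the implicit default deny), stores the
 * verdict in *verdict and the number of count rules hit in *counted.
 */
int chk_model(const struct rule *rs, int n, const struct pkt *p,
              enum action *verdict, int *counted)
{
    int prevmatch = 0;      /* same role as the new local in ipfw_chk */
    int i = 0;

    *counted = 0;
    while (i < n) {
        const struct rule *f = &rs[i];

        if (!rule_matches(f, p, prevmatch)) {
            prevmatch = 0;  /* the "prevmatch = 0" after the opcode loop */
            i++;
            continue;
        }
        switch (f->act) {
        case COUNT:
            prevmatch = 1;  /* count continues with the next rule */
            (*counted)++;
            i++;
            break;
        case SKIPTO:
            prevmatch = 1;  /* skipto continues at the first rule >= target */
            i++;
            while (i < n && rs[i].num < f->target)
                i++;
            break;
        case ALLOW:
        case DENY:
            *verdict = f->act;
            return f->num;
        }
    }
    *verdict = DENY;
    return 65535;
}

/*
 * Constructed ruleset, in ipfw syntax with the patch's option name:
 *   00100 skipto 300 tcp from any to any 80
 *   00200 count udp from any to any
 *   00300 allow ip from any to any prevmatch
 *   00400 deny ip from any to any
 */
static const struct rule demo_rules[] = {
    { 100, SKIPTO, 300,  6, 80, 0 },
    { 200, COUNT,    0, 17,  0, 0 },
    { 300, ALLOW,    0,  0,  0, 1 },
    { 400, DENY,     0,  0,  0, 0 },
};
#define DEMO_NRULES (int)(sizeof demo_rules / sizeof demo_rules[0])

/* Number of the rule that decided a packet run through demo_rules. */
int demo_rule(int proto, int dport)
{
    struct pkt p = { proto, dport };
    enum action v;
    int c;
    return chk_model(demo_rules, DEMO_NRULES, &p, &v, &c);
}

/* How many count rules that packet actually traversed. */
int demo_counted(int proto, int dport)
{
    struct pkt p = { proto, dport };
    enum action v;
    int c;
    chk_model(demo_rules, DEMO_NRULES, &p, &v, &c);
    return c;
}

int main(void)
{
    static const struct { const char *name; int proto, dport; } pkts[] = {
        { "tcp/80", 6, 80 }, { "udp/53", 17, 53 }, { "tcp/22", 6, 22 },
    };
    for (size_t k = 0; k < sizeof pkts / sizeof pkts[0]; k++)
        printf("%-7s decided by rule %d, count rules hit: %d\n",
               pkts[k].name, demo_rule(pkts[k].proto, pkts[k].dport),
               demo_counted(pkts[k].proto, pkts[k].dport));
    return 0;
}
```

The tcp/80 packet is the case the cover note is about: rule 100's skipto jumps straight to 300, so the rule "previous in order" (200) is never traversed, the count stays at 0, and `prevmatch` at rule 300 refers to the skipto that matched. The udp/53 packet reaches 300 through a matching count rule instead, while tcp/22 fails both 100 and 200, so prevmatch is clear, rule 300 does not match, and 400 denies it.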