Date:      Mon, 25 Jan 2021 11:29:46 -0300
From:      Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Lookup tables with dst-port as argument
Message-ID:  <C0C69B45-3C23-43A3-8FF5-72A8DB556C04@freebsdbrasil.com.br>
In-Reply-To: <2BBD30C7-044F-4846-9845-C7605306CB5B@freebsdbrasil.com.br>
References:  <2BBD30C7-044F-4846-9845-C7605306CB5B@freebsdbrasil.com.br>

Hello again,

Thank you Andrey V. Elsukov,

Actually I could do what I wanted using flow lookup. For the archives, here is how it was done and tested preliminarily:

a) Set up a flow table and a rule to use entries indexed with tablearg 1:
# ipfw table idpsflow create type flow:src-ip,dst-port
# ipfw add 1 count log all from any to any flow 'table(idpsflow,1)' in

b) Add some flows and args
# ipfw table idpsflow add 201.71.251.91,6969 1
# ipfw table idpsflow add 201.71.251.91,22 2
# ipfw table idpsflow add 177.10.156.20,8080 1

c) See what we have
# ipfw table idpsflow list
201.71.251.91,6969 1
177.10.156.20,8080 1
201.71.251.91,22 2

# ipfw table idpsflow detail
--- table(idpsflow), set(0) ---
 kindex: 3, type: flow:src-ip,dst-port
 references: 1, valtype: legacy
 algorithm: flow:hash
 items: 3, size: 656
 algorithm hash info
  size: 512 items: 3 itemsize4: 32 itemsize6: 56

d) Check whether it's matching

# ipfw show 1
00001     1189      69888 count log logamount 100 ip from any to any flow table(idpsflow,1) in

The rationale behind the 1 and 2 was to abstract the IDS severity priority of rules, adding entries of severity 1, 2, 3, and so on.

I never needed the new features of ipfw before, and now that I just did, I realized how powerful it became. Actually I have converted over a couple dozen rules into just 3 rules. This is huge!

I don't know when those lookup table improvements were committed and by whom; whoever did it, please let me know your ether wallet so I can pay you a beer (for real, distance is no excuse anymore).

I don't know if it's performance costly, but I hope someone could implement table match counters: as we have the bytes and packets counters per rule, having them per table entry would keep visibility of what is matching. The only thing I miss after converting my 38-rule firewall into just 3 is that I only have 3 counters, which are almost meaningless now.

Best,
Patrick Tracanelli

> On 20.01.2021 18:26, Patrick Tracanelli wrote:
> > Hello FreeBSD community,
> >
> > I need to dynamically allocate filtering ports on a tuplet, table
> > would do the job, can I lookup the port argument from a table?
> > Something like:
> >
> > ipfw add count all from "table(blist)" to any dst-port tablearg in
> >
> > In the above example table blist was created as "ipfw table blist
> > create type number".
> >
> > It certainly won't work as above written since tablearg is not
> > supported for dst-port.
> >
> > Is there any other approach possible to reach this desired behavior?
>
> Hi,
>
> it seems you need to take a look at the 'lookup dst-port tablename' opcode.
>
> -- 
> WBR, Andrey V. Elsukov
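The steps a) through d) in the message above, wrapped into a script, as an added example that is not part of the original mail or of ipfw itself. It keeps the table name idpsflow and the flow:src-ip,dst-port type from the message; the feed of (src-ip, dst-port, severity) entries is constructed sample data, and mapping severity N to ipfw rule number N is an assumption of this script. Inputs are validated before a command is emitted, so a malformed feed line cannot silently create a wrong table entry. Commands are only printed (dry run) unless APPLY=1 is set and ipfw is present.

```shell
#!/bin/sh
# Added example, not code from the original message or from ipfw.
# Builds the flow-table setup described in the thread from a severity feed.

TABLE=idpsflow   # table name taken from the message

# Constructed sample feed: "src-ip dst-port severity" (1 = most severe).
FEED='201.71.251.91 6969 1
201.71.251.91 22 2
177.10.156.20 8080 1
10.0.0.5 443 3'

# valid_ipv4 A.B.C.D -> status 0 if a well-formed dotted quad
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_port N -> status 0 if N is in 1..65535
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# entry_cmd IP PORT SEV -> the "ipfw table ... add" line for one flow,
# or a non-zero status (and a message on stderr) on invalid input
entry_cmd() {
    valid_ipv4 "$1" || { echo "bad ip: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    echo "$3" | grep -Eq '^[1-9][0-9]*$' || { echo "bad severity: $3" >&2; return 1; }
    printf 'ipfw table %s add %s,%s %s\n' "$TABLE" "$1" "$2" "$3"
}

# rule_cmd SEV -> one count+log rule matching flows whose table value is SEV.
# Assumption: rule number equals the severity (rule 1 for value 1, and so on).
rule_cmd() {
    printf "ipfw add %s count log all from any to any flow 'table(%s,%s)' in\n" "$1" "$TABLE" "$1"
}

# plan -> the complete command list: create the table, add every feed
# entry, then one rule per distinct severity present in the feed
plan() {
    printf 'ipfw table %s create type flow:src-ip,dst-port\n' "$TABLE"
    echo "$FEED" | while read -r ip port sev; do
        [ -n "$ip" ] || continue
        entry_cmd "$ip" "$port" "$sev" || exit 1
    done || return 1
    for sev in $(echo "$FEED" | awk 'NF==3 {print $3}' | sort -nu); do
        rule_cmd "$sev"
    done
}

# run -> apply the plan with ipfw when APPLY=1 and ipfw exists, else print it
run() {
    if [ "${APPLY:-0}" = 1 ] && command -v ipfw >/dev/null 2>&1; then
        plan | sh -e
    else
        plan
    fi
}

run
```

After applying, `ipfw table idpsflow list` and `ipfw show` give the same view as steps c) and d) in the message; because the per-rule counters are the only counters available, keeping one rule per severity (rather than one rule total) preserves at least per-severity visibility.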