Date:      Thu, 29 May 2014 21:48:58 +0800
From:      "bycn82" <bycn82@gmail.com>
To:        "'Luigi Rizzo'" <rizzo@iet.unipi.it>
Cc:        'FreeBSD Net' <freebsd-net@freebsd.org>
Subject:   RE: propose a new generic purpose rule option for ipfw
Message-ID:  <003201cf7b44$bfd6ed40$3f84c7c0$@gmail.com>
In-Reply-To: <20140529131015.GA72798@onelab2.iet.unipi.it>
References:  <CAC+JH2x08jGWyaRKoE8PwXcwv555EhDP576-WJd5vZDrF+nsbg@mail.gmail.com> <CA+hQ2+gQZQXOj8Ga+r+ORMKX-WVXo=aTND-EA0WPF3Z+R30j-g@mail.gmail.com> <001b01cf7b3b$dfd1cfb0$9f756f10$@gmail.com> <20140529131015.GA72798@onelab2.iet.unipi.it>


-----Original Message-----
From: 'Luigi Rizzo' [mailto:rizzo@iet.unipi.it]
Sent: 29 May, 2014 21:10
To: bycn82
Cc: 'FreeBSD Net'
Subject: Re: propose a new generic purpose rule option for ipfw

On Thu, May 29, 2014 at 08:45:26PM +0800, bycn82 wrote:

...

> Sure, that is the reason why developers are providing more and more rule options. But my question is do we have enough options to match all the fixed position values?

we do not have an option for fixed position matching.

Can I say that “It will be useful when a user comes up with a special requirement which cannot be fulfilled by any existing rule option.” Since there are so many rule options already. So I don’t know when that special requirement will appear. :( that is what you said “useless”, I accept that.

As i said, feel free to submit one and i will be happy to import it if the code is clean (btw i am still waiting for fixes to the other 'rate limiting' option you sent), but keep in mind that 'fixed position' is mostly useless.

Which `rate limiting`, the `Packet per second`?

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/189720

More useful options would be one where you express the position as

                '{MAC|VLAN|IP|UDP|TCP|...|PAYLOAD}+offset'

It is possible,

match <position> <mask> <value>

the <mask> can be a pattern, then that means it can match multiple values at the same time.

so at least you can adapt to variant headers, or one where you can look for a pattern in the entire packet or in a portion of it.

cheers

luigi
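
The difference between a fixed position and the '{MAC|VLAN|IP|...}+offset' form with a `<mask> <value>` compare, as discussed in this message, shown as an added C example that is not part of the thread and is not ipfw code. `layer_base`, `match_at`, the `enum layer` names and both frames are constructed for illustration, and only Ethernet/802.1Q/IPv4 is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum layer { L_MAC, L_IP, L_L4 };   /* hypothetical names, not ipfw's */

/* Offset at which layer `l` starts in an Ethernet/IPv4 frame, or -1. */
static long layer_base(const uint8_t *p, size_t len, enum layer l)
{
    size_t off = 12, ihl;                       /* EtherType follows dst+src MAC */
    if (l == L_MAC) return 0;
    while (off + 4 <= len && p[off] == 0x81 && p[off + 1] == 0x00)
        off += 4;                               /* skip each 802.1Q tag */
    if (off + 2 > len || p[off] != 0x08 || p[off + 1] != 0x00)
        return -1;                              /* this sketch handles IPv4 only */
    off += 2;
    if (off + 20 > len || (p[off] >> 4) != 4) return -1;
    if (l == L_IP) return (long)off;
    ihl = (size_t)(p[off] & 0x0f) * 4;          /* header length, options included */
    if (ihl < 20 || off + ihl > len) return -1;
    if ((p[off + 6] & 0x1f) || p[off + 7]) return -1;  /* later fragment: no L4 header */
    return (long)(off + ihl);
}

/* 1 if the n bytes at <layer>+offset equal value under mask, else 0. */
static int match_at(const uint8_t *p, size_t len, enum layer l, size_t offset,
                    const uint8_t *mask, const uint8_t *value, size_t n)
{
    long base = layer_base(p, len, l);
    size_t start = (size_t)base + offset, i;
    if (base < 0 || start > len || n > len - start) return 0;
    for (i = 0; i < n; i++)
        if ((p[start + i] & mask[i]) != (value[i] & mask[i])) return 0;
    return 1;
}

/* Constructed frames, zero-filled except EtherType/VLAN, IP version+IHL,
 * protocol (17 = UDP) and UDP destination port 53. */
static const uint8_t plain[42]  = { [12] = 0x08, [14] = 0x45, [23] = 17, [37] = 53 };
static const uint8_t tagged[50] = { [12] = 0x81, [15] = 100, [16] = 0x08, /* VLAN 100 */
                                    [18] = 0x46, [27] = 17, [45] = 53 };  /* IHL 6: options */
static const uint8_t FULL[2] = { 0xff, 0xff }, PORT53[2] = { 0, 53 };

int main(void)
{
    printf("MAC+36: plain=%d tagged=%d\n", match_at(plain, 42, L_MAC, 36, FULL, PORT53, 2),
           match_at(tagged, 50, L_MAC, 36, FULL, PORT53, 2));
    printf("L4+2:   plain=%d tagged=%d\n", match_at(plain, 42, L_L4, 2, FULL, PORT53, 2),
           match_at(tagged, 50, L_L4, 2, FULL, PORT53, 2));
    return 0;
}
```

The fixed position (MAC+36) finds the port only in the untagged frame without IP options, while L4+2 finds it in both.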



