Date:      Tue, 19 Aug 2008 23:12:04 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Julian Elischer <julian@elischer.org>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, ipfw@freebsd.org
Subject:   Re: ipfw add skipto tablearg....
Message-ID:  <Pine.BSF.3.96.1080819152451.21367A-100000@gaia.nimnet.asn.au>
In-Reply-To: <48926C02.6030308@elischer.org>

On Thu, 31 Jul 2008, Julian Elischer wrote:
 > looking in the code I noticed that the following command gave
 > no error but didn't work..
 > 
 > 
 > ipfw add 1000 skipto tablearg ip from any to table(31)

Content-addressable branching is an elegant and useful idea, thanks for
making it work.  A simple example in ipfw(8) might promote 'uptake'?

 > and as I have a use for that, I implemented it..

MFC to 6 possible?  likely?  I know there's lots of other stuff that
hasn't / won't / can't be, but this one looked perhaps stand-alone .. 

 > see attached patch... (hopefully not stripped)
 > 
 > Of course it is hoped that the rules you are skipping to are nearby
 > as it iterates through the rules following the skipto to find the
 > target,

Until $someone adds a direct skipto target jump at the virtual machine
code level - big recalc hit when adding/deleting rules/sets I suppose -
it's still the fastest way to get from a to b, where b > a.

Speaking of which, should ipfw whinge when asked to skip backwards,
which it can't?  Confirmed on a recent browse re Mike's ipfw-classifyd
and a local test months ago.

 > but....
 > if you had a thousand table entries and wanted to sort them into
 > 20 buckets, it could save you putting them into 20 different
 > tables and doing 20 table lookups on them.

Or even just for quick basic traffic-splitting, bogon lists, whatever .. 

 > here I sort into two categories.. possibly already a win..
 > 
 > 
 > julian@trafmon2:cat ipfw-test.sh
 > #!/bin/sh
 > ipfw add 100 skipto 10000 ip from any to not 1.1.1.0/24
 > ipfw add 1000 skipto tablearg ip from any to "table(31)"
 > ipfw add 2000 drop ip from any to any
 > ipfw add 2001 drop ip from any to any
 > ipfw add 3000 drop ip from any to any
 > ipfw add 3001 drop ip from any to any
 > ipfw add 10000 count ip from any to any
 > ipfw table 31 add 1.1.1.1 2000
 > ipfw table 31 add 1.1.1.2 3000
 > 
 > julian@trafmon2: ping 1.1.1.1
 > [...] (2 packets bounced)
 > julian@trafmon2: ping 1.1.1.2
 > [...] (12 packets bounced)
 > 
 > julian@trafmon2: ipfw show
 > 00100  220  19633 skipto 10000 ip from any to not 1.1.1.0/24
 > 01000   14   1176 skipto tablearg ip from any to table(31)
 > 02000    2    168 deny ip from any to any
 > 02001    0      0 deny ip from any to any
 > 03000   12   1008 deny ip from any to any
 > 03001    0      0 deny ip from any to any
 > 10000  209  18549 count ip from any to any
 > 65535 1751 153792 allow ip from any to any
 > 
 > 
 > comments?

I like it, FWIW.

 > +		if (tablearg != 0) {
 > +			rulenum = (u_int16_t)tablearg;
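Review bot: the `tablearg != 0` test is done on the 32-bit value but the assignment casts it to u_int16_t, so a table value of 65536 passes the check and yields rulenum 0, and any value above 65535 silently wraps to an unrelated rule number; reject values that do not fit a rule number (for example `if (tablearg == 0 || tablearg > 65535)` falls back to the rule's own arg, or validate the value when the table entry is added) rather than casting unchecked.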

Should we check that tablearg is < 64K before merrily casting?

cheers, Ian
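To make the two points of the thread concrete (skipto tablearg resolving its target by a forward scan, and the u_int16_t cast of a table value that is too large), here is a small self-contained model of ipfw rule traversal. It is an added illustration written for this page, not code from ipfw, from Julian's patch or from this message. It assumes a simplified rule set (only allow/deny/count/skipto, destination-only matching, one table of IPv4 prefixes with a numeric value) that mirrors the test ruleset quoted above, and it chooses a policy of its own for an out-of-range table value (abort the walk, reported as rule 0) instead of truncating it.

```c
/*
 * Toy model of ipfw rule traversal with "skipto tablearg".
 * Added illustration only; NOT ipfw kernel code and NOT the patch from
 * the thread.  Table contents, rules and addresses are constructed here
 * to mirror Julian's test ruleset.
 */
#include <stdint.h>
#include <stdio.h>

#define DEFAULT_RULE 65535u   /* ipfw's always-present final rule */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define NRULES(a) ((int)(sizeof (a) / sizeof (a)[0]))

enum action { ACT_ALLOW, ACT_DENY, ACT_COUNT, ACT_SKIPTO };

struct tentry { uint32_t addr, mask, value; };   /* one table 31 entry */

struct rule {
    uint16_t    num;
    enum action act;
    uint16_t    arg;        /* skipto target; 0 means "use tablearg" */
    uint32_t    net, mask;  /* destination match; mask 0 = "any" */
    int         not_match;  /* models "to not 1.1.1.0/24" */
    int         use_table;  /* match destination against table31 instead */
    uint32_t    pkts;
};

/* Constructed table: the two hosts from the thread plus a /24 whose value
 * (70000) does not fit in a 16-bit rule number. */
static const struct tentry table31[] = {
    { IP4(1, 1, 1, 1), 0xffffffffu, 2000 },
    { IP4(1, 1, 1, 2), 0xffffffffu, 3000 },
    { IP4(1, 1, 1, 0), 0xffffff00u, 70000 },
};

/* Longest-prefix lookup; returns 1 and sets *value on a hit. */
static int table_lookup(uint32_t dst, uint32_t *value)
{
    int best = -1, i;
    for (i = 0; i < NRULES(table31); i++) {
        if ((dst & table31[i].mask) != table31[i].addr)
            continue;
        if (best < 0 || table31[i].mask > table31[best].mask)
            best = i;
    }
    if (best < 0)
        return 0;
    *value = table31[best].value;
    return 1;
}

/* What "(u_int16_t)tablearg" does on its own: silent modulo-65536 wrap. */
uint16_t unchecked_cast(uint32_t tablearg) { return (uint16_t)tablearg; }

/* Checked variant: 0 signals "not a usable rule number" instead of wrapping. */
uint16_t skipto_target(uint16_t arg, uint32_t tablearg)
{
    if (tablearg == 0)
        return arg;
    if (tablearg > 0xffffu)         /* Ian's "< 64K before casting" check */
        return 0;
    return (uint16_t)tablearg;
}

/*
 * Walk the rule list for one packet to destination dst.  Returns the
 * number of the rule that ended the walk (DEFAULT_RULE if it fell off
 * the end, 0 if a skipto target was rejected - a policy chosen for this
 * model).  skipto scans forward for the first rule numbered >= target, so
 * a target behind the current rule simply continues at the next rule.
 */
uint16_t run_packet(struct rule *rules, int n, uint32_t dst)
{
    int i = 0;
    while (i < n) {
        struct rule *r = &rules[i];
        uint32_t tablearg = 0;
        int hit;

        if (r->use_table)
            hit = table_lookup(dst, &tablearg);
        else
            hit = ((dst & r->mask) == (r->net & r->mask)) != r->not_match;
        if (!hit) { i++; continue; }

        r->pkts++;
        if (r->act == ACT_ALLOW || r->act == ACT_DENY)
            return r->num;
        if (r->act == ACT_SKIPTO) {
            uint16_t target = skipto_target(r->arg, tablearg);
            if (target == 0)
                return 0;
            for (i = i + 1; i < n && rules[i].num < target; i++)
                ;
            continue;
        }
        i++;                        /* count: keep walking */
    }
    return (uint16_t)DEFAULT_RULE;
}

/* Julian's test ruleset, reconstructed in this model's terms. */
struct rule testset[] = {
    {   100, ACT_SKIPTO, 10000, IP4(1, 1, 1, 0), 0xffffff00u, 1, 0, 0 },
    {  1000, ACT_SKIPTO,     0, 0, 0, 0, 1, 0 },
    {  2000, ACT_DENY,       0, 0, 0, 0, 0, 0 },
    {  2001, ACT_DENY,       0, 0, 0, 0, 0, 0 },
    {  3000, ACT_DENY,       0, 0, 0, 0, 0, 0 },
    {  3001, ACT_DENY,       0, 0, 0, 0, 0, 0 },
    { 10000, ACT_COUNT,      0, 0, 0, 0, 0, 0 },
};

/* A skipto whose target lies behind it: falls through to rule 600. */
struct rule backset[] = {
    { 500, ACT_SKIPTO, 100, 0, 0, 0, 0, 0 },
    { 600, ACT_DENY,     0, 0, 0, 0, 0, 0 },
};

int main(void)
{
    uint32_t dsts[] = { IP4(1, 1, 1, 1), IP4(1, 1, 1, 2), IP4(1, 1, 1, 3), IP4(9, 9, 9, 9) };
    int i;
    for (i = 0; i < NRULES(dsts); i++)
        printf("dst %u.%u.%u.%u -> rule %u\n",
               (unsigned)(dsts[i] >> 24), (unsigned)((dsts[i] >> 16) & 255),
               (unsigned)((dsts[i] >> 8) & 255), (unsigned)(dsts[i] & 255),
               (unsigned)run_packet(testset, NRULES(testset), dsts[i]));
    printf("(uint16_t)70000 = %u\n", (unsigned)unchecked_cast(70000));
    printf("backward skipto ends at rule %u\n",
           (unsigned)run_packet(backset, NRULES(backset), IP4(9, 9, 9, 9)));
    return 0;
}
```

Packets to 1.1.1.1 and 1.1.1.2 land on rules 2000 and 3000 exactly as in Julian's `ipfw show` output, while 1.1.1.3 hits the /24 entry whose value 70000 would wrap to 4464 under a bare cast; the checked resolver refuses it instead. The backward-skipto case shows why ipfw cannot jump backwards with a forward scan: the very next rule already satisfies `num >= target`.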




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.1080819152451.21367A-100000>