From owner-freebsd-ipfw Sun Jun 9 3:19:24 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from ady.warpnet.ro (ady.warpnet.ro [217.156.25.2]) by hub.freebsd.org (Postfix) with ESMTP id 66DEA37B436; Sun, 9 Jun 2002 03:19:00 -0700 (PDT)
Received: from localhost (ady@localhost) by ady.warpnet.ro (8.9.3/8.9.3) with ESMTP id NAA45940; Sun, 9 Jun 2002 13:18:17 +0300 (EEST) (envelope-from ady@freebsd.ady.ro)
X-RAV-AntiVirus: This e-mail has been scanned for viruses on host: ady.warpnet.ro
Date: Sun, 9 Jun 2002 13:18:17 +0300 (EEST)
From: Adrian Penisoara
X-Sender: ady@ady.warpnet.ro
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG, freebsd-altq list
Subject: Re: New ipfw code available
In-Reply-To: <20020608201909.A41807@iguana.icir.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

On Sat, 8 Jun 2002, Luigi Rizzo wrote:

> [Bcc to -current because it is relevant there as well -- sorry for the
> crosspost]
>
> Hi,
> over the past 2-3 weeks I have done an extensive rewrite of the
> ipfw code (userland + kernel) in an attempt to make it faster and
> more flexible.
>
> The idea (which I discussed a few times on the mailing lists) was
> to replace the current ipfw rules (macroinstructions) with a set
> of microinstructions, each of them performing a single operation
> such as matching an address, or a port range, or a protocol flag,
> etc. -- much in the spirit of BPF and derivatives -- and to let
> the userland front-end compile ipfw(8) commands into an appropriate
> set of microinstructions.

This is very good news! I hope you will integrate the MAC address filtering feature too; it will be pretty important for our cable clients, who will be able to control the ARP table.

From another point of view (more specifically, the integration of the ALTQ QoS framework into FreeBSD -current), could you please think about the possibility of integrating into ipfw a classifier mechanism which will be able to "tag" the packets into specific classes, information which will then be used by the ALTQ queueing disciplines to perform their QoS packet scheduling. This will probably imply the addition of a class attribute field to the struct mbuf structure -- so this will probably be a future development direction for -current. However, "there is more than one way to do it" (as Perl taught us), so there might be other solutions.

References:

[1] ALTQ webpage
    http://www.csl.sony.co.jp/person/kjc/kjc/software.html#ALTQ
[2] ALTQ integration in FreeBSD project
    http://www.rofug.ro/projects/freebsd-altq/
[3] FreeBSD-ALTQ mailing list -- to subscribe send a "subscribe freebsd-altq" command to listar@rofug.ro
    http://www.rofug.ro/mailarchive/

Adrian Penisoara
Ady (@freebsd.ady.ro)
FreeBSD-ALTQ project
____________________________________________________________________
| An age is called Dark not because the light fails to shine, but |
| because people refuse to see it.                                |
|                                 -- James Michener, "Space"      |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Jun 9 3:33:17 2002
Received: from ady.warpnet.ro (ady.warpnet.ro [217.156.25.2]) by hub.freebsd.org (Postfix) with ESMTP id 79DBE37B40A; Sun, 9 Jun 2002 03:33:12 -0700 (PDT)
Received: from localhost (ady@localhost) by ady.warpnet.ro (8.9.3/8.9.3) with ESMTP id NAA46544; Sun, 9 Jun 2002 13:29:11 +0300 (EEST) (envelope-from ady@freebsd.ady.ro)
X-RAV-AntiVirus: This e-mail has been scanned for viruses on host: ady.warpnet.ro
Date: Sun, 9 Jun 2002 13:29:11 +0300 (EEST)
From: Adrian Penisoara
X-Sender: ady@ady.warpnet.ro
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: New ipfw code available
In-Reply-To: <20020608201909.A41807@iguana.icir.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi,

On Sat, 8 Jun 2002, Luigi Rizzo wrote:

> NOTE: if people wonder why I did not use BPF and reinvented the wheel:
> the keyword is "backward compatibility" -- i thought it was a bit too
> complex to compile the existent ipfw syntax into BPF, especially because
> BPF at least as far as i know does not handle UIDs, and GIDs and
> interface matches and different "actions" than match or not match,
> so i would have had to extend the code anyways, at which point i
> thought I could as well write my own microinstruction set...

What about unifying BPF and IPFW packet matching microcode, would that be feasible? That would even benefit BPF/libpcap -- we will then be able to make tcpdumps (or other libpcap-related stuff) on, say, traffic coming from one user ID or a group ID.

Also, ipfw might be able to do some very detailed packet matching, like 'tcp[13] & 3 = 2', as libpcap can.

What do you think?

My $0.05

Ady (@freebsd.ady.ro)
____________________________________________________________________
| An age is called Dark not because the light fails to shine, but |
| because people refuse to see it.                                |
|                                 -- James Michener, "Space"      |

From owner-freebsd-ipfw Sun Jun 9 3:34:54 2002
Received: from mail.alexdupre.com (212-41-211-209.adsl.galactica.it [212.41.211.209]) by hub.freebsd.org (Postfix) with ESMTP id E890137B404; Sun, 9 Jun 2002 03:34:39 -0700 (PDT)
Received: from thunder ([192.168.0.101]) by mail.alexdupre.com (MERAK 3.10.011) with ESMTP id F05B6CDE; Sun, 09 Jun 2002 12:41:11 +0200
Date: Sun, 9 Jun 2002 12:34:22 +0200
From: Alex Dupre
X-Mailer: The Bat! (v1.60m) Personal
Reply-To: Alex Dupre
X-Priority: 3 (Normal)
Message-ID: <952461239.20020609123422@alexdupre.com>
To: Adrian Penisoara
Cc: ipfw@FreeBSD.ORG
Subject: Re[2]: New ipfw code available
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello Adrian,

Sunday, June 9, 2002, 12:18:17 PM, you wrote:

AP> This is very good news! I hope you will integrate the MAC address
AP> filtering feature too, it will be pretty important for our cable clients
AP> who will be able to control the ARP table.

You may give a look to ethfw (ethernet firewall):
http://www.bsdshell.net/hut_ethfw.html

--
Alex Dupre
sysadmin@alexdupre.com
http://www.alexdupre.com/
alex@sm.FreeBSD.org

From owner-freebsd-ipfw Sun Jun 9 4:21:11 2002
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id CFF0937B409; Sun, 9 Jun 2002 04:21:05 -0700 (PDT)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g59BKoo45071; Sun, 9 Jun 2002 04:20:50 -0700 (PDT) (envelope-from rizzo)
Date: Sun, 9 Jun 2002 04:20:50 -0700
From: Luigi Rizzo
To: Alex Dupre
Cc: Adrian Penisoara, ipfw@FreeBSD.ORG
Subject: Re: New ipfw code available
Message-ID: <20020609042049.A44655@iguana.icir.org>
References: <952461239.20020609123422@alexdupre.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <952461239.20020609123422@alexdupre.com>; from sysadmin@alexdupre.com on Sun, Jun 09, 2002 at 12:34:22PM +0200

On Sun, Jun 09, 2002 at 12:34:22PM +0200, Alex Dupre wrote:
> Hello Adrian,
>
> Sunday, June 9, 2002, 12:18:17 PM, you wrote:
>
> AP> This is very good news! I hope you will integrate the MAC address
> AP> filtering feature too, it will be pretty important for our cable clients

it is already in -- i committed that into -current a few weeks ago, and actually it was the difficulty in extending the old ipfw which prompted me into doing this rewrite.

cheers
luigi

From owner-freebsd-ipfw Sun Jun 9 4:33:03 2002
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id C93F137B405; Sun, 9 Jun 2002 04:32:58 -0700 (PDT)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g59BWtB45194; Sun, 9 Jun 2002 04:32:55 -0700 (PDT) (envelope-from rizzo)
Date: Sun, 9 Jun 2002 04:32:55 -0700
From: Luigi Rizzo
To: Adrian Penisoara
Cc: ipfw@FreeBSD.ORG
Subject: Re: New ipfw code available
Message-ID: <20020609043255.C44655@iguana.icir.org>
References: <20020608201909.A41807@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: from ady@freebsd.ady.ro on Sun, Jun 09, 2002 at 01:29:11PM +0300

On Sun, Jun 09, 2002 at 01:29:11PM +0300, Adrian Penisoara wrote:
...
> What about unifying BPF and IPFW packet matching microcode, would that
> be feasible ? That would even benefit for BPF/libpcap -- we will then be

I am actually looking into adding a (maybe simplified) version of the "expr relop expr" feature of BPF into ipfw microinstructions. This would be useful to replace some of the dedicated microinstructions we have now (to match tcpseq, tcpack, tcpwin, ip_id, fragments), moving the burden into the "compiler" rather than the kernel.

Other than that, though, some of the ipfw microinstructions are more powerful than BPF ones, e.g. those to match IP and TCP options, which are scattered across the header and are not easy to catch with BPF rules.

And no, I am not going to touch BPF.

cheers
luigi

From owner-freebsd-ipfw Sun Jun 9 13:39:07 2002
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 5744B37B403; Sun, 9 Jun 2002 13:39:04 -0700 (PDT)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g59Kcx050144; Sun, 9 Jun 2002 13:38:59 -0700 (PDT) (envelope-from rizzo)
Date: Sun, 9 Jun 2002 13:38:59 -0700
From: Luigi Rizzo
To: Adrian Penisoara
Cc: ipfw@FreeBSD.ORG, freebsd-altq list
Subject: Re: New ipfw code available
Message-ID: <20020609133859.A49793@iguana.icir.org>
References: <20020608201909.A41807@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: from ady@freebsd.ady.ro on Sun, Jun 09, 2002 at 01:18:17PM +0300

On Sun, Jun 09, 2002 at 01:18:17PM +0300, Adrian Penisoara wrote:
...
> From another point of view (more specifically, the integration of
> ALTQ QoS framework into FreeBSD -current), could you please think about
> the possibility of integrating into ipfw a classifier mechanism which
> will be able to "tag" the packets into specific classes, information
> which will be used by the ALTQ queueing disciplines to perform their QoS
> packet scheduling. This will probably imply the addition of a class

this is what ipfw already does. The "pipe" and "queue" actions, among others, just tag a packet with an integer, which is then used by a separate mechanism (dummynet in this case) to perform the scheduling as appropriate. Have a look at ip_input.c and ip_output.c on how these attributes are handled. It would be trivial to add additional actions, e.g. to pass classified packets to ALTQ, assuming they are necessary at all.

cheers
luigi

From owner-freebsd-ipfw Sun Jun 9 20:24:42 2002
Received: from mail.nsu.ru (mx.nsu.ru [193.124.215.71]) by hub.freebsd.org (Postfix) with ESMTP id 2845337B400; Sun, 9 Jun 2002 20:24:25 -0700 (PDT)
Received: from drweb by mail.nsu.ru with drweb-scanned (Exim 3.20 #1) id 17HFn3-0003Au-00; Mon, 10 Jun 2002 10:24:21 +0700
Received: from uni.land3.nsu.ru ([193.124.213.230] helo=land3.nsu.ru) by mail.nsu.ru with esmtp (Exim 3.20 #1) id 17HFn2-0003AR-00; Mon, 10 Jun 2002 10:24:20 +0700
Received: from localhost (lucky@localhost) by land3.nsu.ru (8.11.6/8.11.6) with ESMTP id g5A3OKI17998; Mon, 10 Jun 2002 10:24:20 +0700 (NOVST) (envelope-from lucky@land3.nsu.ru)
Date: Mon, 10 Jun 2002 10:24:20 +0700 (NOVST)
From: Alexey Privalov
To: freebsd-hackers@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: natd & trans proxy
Message-ID: <20020610101352.Y47747-100000@land3.nsu.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Envelope-To: freebsd-ipfw@freebsd.org, freebsd-hackers@freebsd.org

hi all.

I'm running two natds on rl3 (external) and rl0 (internal).

The first natd is running on the 8668 (standard) port, is diverting private IPs to the IP on the interface, and has the following configuration:

    interface rl3
    unregistered_only yes
    use_sockets yes
    same_ports yes

The second natd has the following configuration:

    port 8669
    proxy_only
    proxy_rule port 80 server proxy_addr:8888
    interface rl0

and is forwarding to squid.

Why, when interface rl0 receives an http packet, does it divert the ip to external?
best regards,
Alexey

PS: ipfw rule:

    40 divert 8669 tcp from to any 80 via rl0
    50 divert 8668 ip from any to any via rl3

From owner-freebsd-ipfw Sun Jun 9 21:58:19 2002
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id D807437B401; Sun, 9 Jun 2002 21:58:11 -0700 (PDT)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5A4vjb5089891; Mon, 10 Jun 2002 00:57:45 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Mon, 10 Jun 2002 00:57:44 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: New ipfw code available
In-Reply-To: <20020608201909.A41807@iguana.icir.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Sounds very cool indeed. However, the usual question when hard-coded-ness is traded for flexibility is: what's the performance like? Do you have any performance measurements you could tell us about in the before/after scenarios? You mention 'faster' as well as 'flexible', which bodes well :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

On Sat, 8 Jun 2002, Luigi Rizzo wrote:

> [Bcc to -current because it is relevant there as well -- sorry for the
> crosspost]
>
> Hi,
> over the past 2-3 weeks I have done an extensive rewrite of the
> ipfw code (userland + kernel) in an attempt to make it faster and
> more flexible.
>
> The idea (which I discussed a few times on the mailing lists) was
> to replace the current ipfw rules (macroinstructions) with a set
> of microinstructions, each of them performing a single operation
> such as matching an address, or a port range, or a protocol flag,
> etc. -- much in the spirit of BPF and derivatives -- and to let
> the userland front-end compile ipfw(8) commands into an appropriate
> set of microinstructions.
>
> There are several advantages in using this technique: first of all,
> instructions are typically shorter and faster, because the former
> code had to check for the presence of all the possible options in
> a rule, whereas the new one can simply do just the things that are
> required -- e.g. an instruction like
>
>     allow ip from 1.2.3.0/24 to any
>
> translates to a couple of microinstructions (whose complete
> implementation is below the instructions themselves):
>
>     O_IP_DST
>         if (((ipfw_insn_ip *)cmd)->addr.s_addr ==
>             (dst_ip.s_addr & ((ipfw_insn_ip *)cmd)->mask.s_addr))
>                 goto cmd_match;
>         goto cmd_fail;
>
>     O_ACCEPT:
>         retval = 0;     /* accept */
>         goto accept;
>
> But there is a lot more -- the instruction set is easily extensible,
> and without backward compatibility problems. Furthermore, you can
> build (and I have already implemented them) more complex rules by
> assembling microinstructions with OR and NOT operands. I.e. you can write
> something like:
>
>     pipe 10 tcp from 1.2.3.4 or 1.2.3.7 or not 1.2.3.0/28 21-25,1024-4095 \
>         to any in recv ed0 or recv fxp1 or recv dc0 uid 35 or uid 50
>
> You get the idea...
>
> I have a fairly complete version of the above code at the moment,
> which is only missing a small set of functionalities
> (ip/tcp flags matching, "log" and fixing hooks to the stateful
> code). However the glue to implement all the missing pieces is
> already there, it is just a matter of adding a few lines of code
> and testing things.
> Other than that, the code is meant to be fully compatible with the
> old syntax so you will not have to rewrite your existing rulesets.
>
> I have put a preliminary snapshot of this code (for CURRENT) at
>
>     http://info.iet.unipi.it/~luigi/ipfw5.20020609.tgz
>
> It replaces the following files from a recent (2002/05/14) version of -current.
>
>     sys/netinet/ip_dummynet.c
>     sys/netinet/ip_fw.c
>     sys/netinet/ip_fw.h
>     sbin/ipfw/ipfw.c
>
> I would be very grateful if someone could have a look at the
> code, maybe give it a try, and see e.g. how it compiles your
> typical ruleset and whether the new extensions can make your
> ipfw rulesets simpler.
>
> Feedback welcome, both on the architecture and on the implementation.
>
> NOTE: if people wonder why I did not use BPF and reinvented the wheel:
> the keyword is "backward compatibility" -- i thought it was a bit too
> complex to compile the existent ipfw syntax into BPF, especially because
> BPF at least as far as i know does not handle UIDs, and GIDs and
> interface matches and different "actions" than match or not match,
> so i would have had to extend the code anyways, at which point i
> thought I could as well write my own microinstruction set...
>
> cheers
> luigi
> -----------------------------------+-------------------------------------
> Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
> http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
> TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
> Mobile   +39-347-0373137
> -----------------------------------+-------------------------------------
> to
>
> thanks
> luigi

From owner-freebsd-ipfw Sun Jun 9 23:11:47 2002
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id C5CE937B445; Sun, 9 Jun 2002 23:09:37 -0700 (PDT)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g5A69b153509; Sun, 9 Jun 2002 23:09:37 -0700 (PDT) (envelope-from rizzo)
Date: Sun, 9 Jun 2002 23:09:37 -0700
From: Luigi Rizzo
To: Robert Watson
Cc: ipfw@freebsd.org
Subject: Re: New ipfw code available
Message-ID: <20020609230937.A53454@iguana.icir.org>
References: <20020608201909.A41807@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: from rwatson@freebsd.org on Mon, Jun 10, 2002 at 12:57:44AM -0400

On Mon, Jun 10, 2002 at 12:57:44AM -0400, Robert Watson wrote:
> Sounds very cool indeed. However, the usual question when hard-coded-ness
> is traded for flexibility is: what's the performance like? Do you have
> any performance measurements you could tell us about in the before/after
> scenarios? You mention 'faster' as well as 'flexible', which bodes well
> :-).

i have not run any comparative test yet; that was the point of the posting: find some good soul who was willing to run the new and old code and compare performance :)

Anyways, in this case (barring stupid bugs in the implementation of course) it is rather obvious that the new architecture must be substantially faster -- the fact is, the old ipfw macroinstruction has to test some 20-25 distinct flags even when there is nothing to be done, all of which is filtered out by the compiler with the new approach. Things would be different if the macroinstructions were executed in hardware, but they were not...

cheers
luigi

From owner-freebsd-ipfw Mon Jun 10 1:47:56 2002
Received: from vbook.express.ru (asplinux.ru [195.133.213.194]) by hub.freebsd.org (Postfix) with ESMTP id 15DCF37B407; Mon, 10 Jun 2002 01:47:47 -0700 (PDT)
Received: from vova by vbook.express.ru with local (Exim 3.36 #1) id 17HKpx-0000ql-00; Mon, 10 Jun 2002 12:47:41 +0400
Subject: Re: New ipfw code available
From: "Vladimir B. Grebenschikov"
To: Luigi Rizzo
Cc: ipfw@freebsd.org, "current@freebsd.org"
In-Reply-To: <20020608201909.A41807@iguana.icir.org>
References: <20020608201909.A41807@iguana.icir.org>
Content-Type: text/plain; charset=KOI8-R
X-Mailer: Ximian Evolution 1.0.5
Date: 10 Jun 2002 12:47:40 +0400
Message-Id: <1023698860.576.29.camel@vbook.express.ru>
Mime-Version: 1.0

On Sun, 09.06.2002, at 07:19, Luigi Rizzo wrote:

Hi

> over the past 2-3 weeks I have done an extensive rewrite of the
> ipfw code (userland + kernel) in an attempt to make it faster and
> more flexible.
>
> The idea (which I discussed a few times on the mailing lists) was
> to replace the current ipfw rules (macroinstructions) with a set
> of microinstructions, each of them performing a single operation
> such as matching an address, or a port range, or a protocol flag,
> etc. -- much in the spirit of BPF and derivatives -- and to let
> the userland front-end compile ipfw(8) commands into an appropriate
> set of microinstructions.

Really COOL!

And what about radix-tree-based ip-list matching? Like this:

    ipfw add 1 allow ip from {1.2.3.0/24,1.3.5.0/24,17.2.3.4/45,11.2.3.4/30}

or

    cat mylist | ipfw list add mylist -
    ipfw add 1 allow ip from @mylist

or something like that.

If you deal with large access-lists ipfw is not the best tool, due to linear comparison.

--
Vladimir B. Grebenschikov
vova@sw.ru, SWsoft, Inc.
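The microinstruction scheme quoted in this thread (one test per instruction, an or-block assembled from adjacent instructions, the action as the terminal instruction) and the prefix-list lookup Vladimir asks for can both be sketched in a short C program. The block below is an added illustration written for this page; it is not code from Luigi's ipfw snapshot or from FreeBSD. The names pkt_t, insn_t, trie_t, O_IP_SRC_SET, F_OR, F_NOT and the demo_* functions are invented here, and the three-prefix list in demo_table is constructed sample input. The first demo compiles "allow ip from 1.2.3.0/24 to any" into a source-prefix test followed by O_ACCEPT; the second shows an or-block with a negated member; the third backs a "from @mylist" style rule with a binary trie, so membership in a large list costs at most 32 node visits instead of one instruction per prefix.

```c
/*
 * Added illustration for this thread, not code from the ipfw snapshot:
 * a toy microinstruction matcher. A rule is an array of insn_t; each
 * tests one thing, adjacent insns flagged F_OR form an or-block that
 * matches if any member does, F_NOT inverts one test, and the terminal
 * insn is the action. O_IP_SRC_SET (invented name) looks the source
 * address up in a binary trie of prefixes.
 */
#include <stdint.h>
#include <stdlib.h>

enum { O_IP_SRC, O_IP_DST, O_PROTO, O_IP_SRC_SET, O_ACCEPT, O_DENY };
enum { F_NOT = 1, F_OR = 2 };
enum { MATCH_ACCEPT = 0, MATCH_DENY = 1, MATCH_NONE = 2 };

typedef struct { uint32_t src, dst; uint8_t proto; } pkt_t;   /* host byte order */
typedef struct trie { struct trie *child[2]; int is_prefix; } trie_t;
typedef struct {
    uint8_t  op, flags;
    uint32_t addr, mask;   /* O_IP_SRC / O_IP_DST */
    uint8_t  proto;        /* O_PROTO */
    trie_t  *set;          /* O_IP_SRC_SET */
} insn_t;

#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (c) << 8 | (d))
#define PFX(bits) ((bits) == 0 ? 0u : 0xffffffffu << (32 - (bits)))

trie_t *trie_new(void) { return calloc(1, sizeof(trie_t)); }

void trie_free(trie_t *t) {
    if (t) { trie_free(t->child[0]); trie_free(t->child[1]); free(t); }
}

/* store addr/bits; every address inside that prefix is then a member */
void trie_add(trie_t *t, uint32_t addr, int bits) {
    for (int i = 0; i < bits; i++) {
        int b = (addr >> (31 - i)) & 1;
        if (!t->child[b]) t->child[b] = trie_new();
        t = t->child[b];
    }
    t->is_prefix = 1;
}

/* walk from the top bit; the first stored prefix on the path covers addr */
int trie_contains(const trie_t *t, uint32_t addr) {
    for (int i = 0; t; i++) {
        if (t->is_prefix) return 1;
        if (i == 32) break;
        t = t->child[(addr >> (31 - i)) & 1];
    }
    return 0;
}

static int insn_test(const insn_t *c, const pkt_t *p) {
    int m = 0;
    switch (c->op) {
    case O_IP_SRC:     m = (p->src & c->mask) == c->addr; break;
    case O_IP_DST:     m = (p->dst & c->mask) == c->addr; break;
    case O_PROTO:      m = p->proto == c->proto; break;
    case O_IP_SRC_SET: m = trie_contains(c->set, p->src); break;
    }
    return (c->flags & F_NOT) ? !m : m;
}

/* evaluate one rule: MATCH_ACCEPT, MATCH_DENY, or MATCH_NONE (fall through) */
int rule_eval(const insn_t *rule, int n, const pkt_t *p) {
    int or_hit = 0;                 /* an earlier member of the open or-block matched */
    for (int i = 0; i < n; i++) {
        const insn_t *c = &rule[i];
        if (c->op == O_ACCEPT) return MATCH_ACCEPT;
        if (c->op == O_DENY)   return MATCH_DENY;
        int m = or_hit || insn_test(c, p);
        if (c->flags & F_OR) { or_hit = m; continue; }   /* block still open */
        if (!m) return MATCH_NONE;                       /* test or whole block failed */
        or_hit = 0;                                      /* block closed */
    }
    return MATCH_NONE;
}

/* "allow ip from 1.2.3.0/24 to any": one source-prefix test, then O_ACCEPT */
int demo_allow_prefix(uint32_t src) {
    insn_t rule[] = { { O_IP_SRC, 0, IP4(1,2,3,0), PFX(24), 0, NULL }, { O_ACCEPT } };
    pkt_t p = { src, IP4(10,0,0,1), 6 };
    return rule_eval(rule, 2, &p);
}

/* "deny tcp from 1.2.3.4 or not 1.2.3.0/28 to any": or-block with a negated member */
int demo_or_not(uint32_t src) {
    insn_t rule[] = {
        { O_PROTO,  0,     0, 0, 6, NULL },
        { O_IP_SRC, F_OR,  IP4(1,2,3,4), PFX(32), 0, NULL },
        { O_IP_SRC, F_NOT, IP4(1,2,3,0), PFX(28), 0, NULL },
        { O_DENY } };
    pkt_t p = { src, IP4(10,0,0,1), 6 };
    return rule_eval(rule, 4, &p);
}

/* "deny ip from @mylist to any", with a constructed three-prefix list in the trie */
int demo_table(uint32_t src) {
    trie_t *mylist = trie_new();
    trie_add(mylist, IP4(1,2,3,0), 24);
    trie_add(mylist, IP4(1,3,5,0), 24);
    trie_add(mylist, IP4(11,2,3,4), 30);
    insn_t rule[] = { { O_IP_SRC_SET, 0, 0, 0, 0, mylist }, { O_DENY } };
    pkt_t p = { src, IP4(10,0,0,1), 17 };
    int r = rule_eval(rule, 2, &p);
    trie_free(mylist);
    return r;
}
```

The or-block handling is the part worth studying: a member flagged F_OR never fails the rule on its own, it only records whether the block has matched so far, and the last member (without F_OR) is where the block is decided. That is what lets the front-end emit "1.2.3.4 or not 1.2.3.0/28" as plain consecutive instructions with no jump targets.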
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Mon Jun 10 2:47:36 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id C65CC37B408; Mon, 10 Jun 2002 02:47:30 -0700 (PDT) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g5A9lQ455217; Mon, 10 Jun 2002 02:47:26 -0700 (PDT) (envelope-from rizzo) Date: Mon, 10 Jun 2002 02:47:26 -0700 From: Luigi Rizzo To: "Vladimir B. Grebenschikov" Cc: ipfw@freebsd.org, "current@freebsd.org" Subject: Re: New ipfw code available Message-ID: <20020610024726.A54631@iguana.icir.org> References: <20020608201909.A41807@iguana.icir.org> <1023698860.576.29.camel@vbook.express.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <1023698860.576.29.camel@vbook.express.ru>; from vova@sw.ru on Mon, Jun 10, 2002 at 12:47:40PM +0400 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, Jun 10, 2002 at 12:47:40PM +0400, Vladimir B. Grebenschikov wrote: ... > And what about radix-tree-based ip-list matching ? yes, it is planned. cheers luigi > > ipfw add 1 allow ip from {1.2.3.0/24,1.3.5.0/24,17.2.3.4/45,11.2.3.4/30} > or > cat mylist | ipfw list add mylist - > ipfw add 1 allow ip from @mylist > > or something like > > If you deal with large access-lists ipfw becomes not best tool due to > linear comparison. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Mon Jun 10 3:28:17 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from hotmail.com (f168.sea1.hotmail.com [207.68.163.168]) by hub.freebsd.org (Postfix) with ESMTP id 377BA37B40A for ; Mon, 10 Jun 2002 03:28:15 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 10 Jun 2002 03:28:14 -0700 Received: from 213.123.123.2 by sea1fd.sea1.hotmail.msn.com with HTTP; Mon, 10 Jun 2002 10:28:14 GMT X-Originating-IP: [213.123.123.2] From: "James O'Rourke" To: freebsd-ipfw@FreeBSD.ORG Date: Mon, 10 Jun 2002 20:28:14 +1000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 10 Jun 2002 10:28:14.0925 (UTC) FILETIME=[876997D0:01C21069] Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG auth fb7d6377 unsubscribe freebsd-ipfw jamesworourke@hotmail.com _________________________________________________________________ Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Mon Jun 10 13: 7:17 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from femme.listmistress.org (bgp01560565bgs.gambrl01.md.comcast.net [68.50.32.109]) by hub.freebsd.org (Postfix) with ESMTP id D821437B401; Mon, 10 Jun 2002 13:07:08 -0700 (PDT) Received: from femme.listmistress.org (trish@localhost [127.0.0.1]) by femme.listmistress.org (8.12.3/8.12.1) with ESMTP id g5AK71cC000620; Mon, 10 Jun 2002 16:07:07 -0400 (EDT) Received: from localhost (trish@localhost) by femme.listmistress.org (8.12.3/8.12.3/Submit) with ESMTP id g5AK6wmw000617; Mon, 10 Jun 2002 16:07:00 -0400 (EDT) X-Authentication-Warning: femme.listmistress.org: trish owned process doing -bs Date: Mon, 10 Jun 2002 16:06:53 -0400 (EDT) From: Trish Lynch X-X-Sender: To: Luigi Rizzo Cc: "Vladimir B. Grebenschikov" , , "current@freebsd.org" Subject: Re: New ipfw code available In-Reply-To: <20020610024726.A54631@iguana.icir.org> Message-ID: <20020610160123.B450-100000@femme.listmistress.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, 10 Jun 2002, Luigi Rizzo wrote: > On Mon, Jun 10, 2002 at 12:47:40PM +0400, Vladimir B. Grebenschikov wrote: > ... > > And what about radix-tree-based ip-list matching ? > > yes, it is planned. > > cheers > luigi > > > > ipfw add 1 allow ip from {1.2.3.0/24,1.3.5.0/24,17.2.3.4/45,11.2.3.4/30} > > or > > cat mylist | ipfw list add mylist - > > ipfw add 1 allow ip from @mylist > > > > or something like > > > > If you deal with large access-lists ipfw becomes not best tool due to > > linear comparison. Luigi, gave this a try, and dummynet and my current rulesets except for one worked fine... 
I tried to add a divert rule, and it kept telling me it was an invalid port for divert/tee. I went back to the original code... just because I happen to be using natd :) After this is fixed, I'll install again and play with the new features :) -Trish -- Trish Lynch trish@bsdunix.net FreeBSD The Power to Serve Ecartis Core Team trish@listmistress.org http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Mon Jun 10 20:19:23 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 6AAA337B40D for ; Mon, 10 Jun 2002 20:19:19 -0700 (PDT) Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id g5B3dPf38331; Mon, 10 Jun 2002 22:39:25 -0500 (CDT) (envelope-from nick@rogness.net) Date: Mon, 10 Jun 2002 22:39:24 -0500 (CDT) From: Nick Rogness X-Sender: nick@cody.jharris.com To: Alexey Privalov Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: natd & trans proxy In-Reply-To: <20020610101352.Y47747-100000@land3.nsu.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, 10 Jun 2002, Alexey Privalov wrote: > hi all. > > i`m running two natd`s on rl3 (external) and rl0 (internal). > > the first natd is running on 8668 (standart) port and is diverting > private ip to ip on interface and have following configuration: > interface rl3 > unregistered_only yes > use_sockets yes > same_ports yes > OK. > > > the second natd have a following configuration: > port 8669 > proxy_only > proxy_rule port 80 server proxy_addr:8888 > interface rl0 > > and is forwarding to squid. > > why when interface rl0 receive http packet then it divert ip to external. 
You should not be using natd to do the forwarding to your proxy server, since you don't want to change header info in the packet. You only want to forward it to your proxy server, so use ipfw fwd instead... that will resolve all of your issues. There are several examples online and within the mailing list archives that describe how to do this properly.

PS. Please don't cross-post to multiple lists. Besides, this question belongs on freebsd-questions anyway.

Nick Rogness - Don't mind me... I'm just sniffing your packets

From owner-freebsd-ipfw Thu Jun 13 1:23:58 2002
Date: Thu, 13 Jun 2002 10:31:34 +0300
From: "Ivailo Tanusheff"
Subject: IPFW and SQUID
Dear Sirs,

I have the following configuration:

    {Internet} <-> {SQUID1 + Net1} <-64K line-> [SQUID2] <-> {Net2}

I have the following problem: in Net1 I have an important server to which some clients from Net2 are connecting through http and the squid server. These clients have to be able to use most of the 64K line between the two networks. In Net2 there are many clients using the squid server as a proxy and making "bad" traffic.

My question is: how may I configure ipfw to shape the traffic for the other users? I'd tried some ways of accomplishing that task, but it seems to me that when using a proxy server, the destination IP address is not in the IP header, or I'm wrong. Can you help me?

I'd tried:

    su-2.05a# ipfw -a show
    00500      0        0 pipe 1 ip from any to not out
    00600      0        0 pipe 2 ip from any to not in
    65535 397320 84804286 allow ip from any to any

As you see, there is no hit for traffic going out of net1.
Thank you in advance,

Ivailo Tanusheff
System Administrator and Security Advisor
ProCredit Bank

From owner-freebsd-ipfw Sat Jun 15 2:51:15 2002
Date: Sat, 15 Jun 2002 12:48:30 +0300
From: "Mihail Balikov"
To: "Luigi Rizzo"
Subject: Re: New ipfw code available

how about adding a simple checksum of rules, something like incrementing a counter on every IP_FW_FLUSH, IP_FW_ADD, IP_FW_DEL

regards,
misho

----- Original Message -----
From: "Luigi Rizzo"
Sent: Sunday, June 09, 2002 6:19 AM
Subject: New ipfw code available

> [Bcc to -current because it is relevant there as well -- sorry for the
> crosspost]
>
> Hi,
> over the past 2-3 weeks I have done an extensive rewrite of the
> ipfw code (userland + kernel) in an attempt to make it faster and
> more flexible.
>
> The idea (which I discussed a few times on the mailing lists) was
> to replace the current ipfw rules (macroinstructions) with a set
> of microinstructions, each of them performing a single operation
> such as matching an address, or a port range, or a protocol flag,
> etc. -- much in the spirit of BPF and derivatives -- and to let
> the userland front-end compile ipfw(8) commands into an appropriate
> set of microinstructions.
>
> There are several advantages in using this technique: first of all,
> instructions are typically shorter and faster, because the former
> code had to check for the presence of all the possible options in
> a rule, whereas the new one can simply do just the things that are
> required -- e.g. an instruction like
>
>     allow ip from 1.2.3.0/24 to any
>
> translates to a couple of microinstructions (whose complete
> implementation is below the instructions themselves):
>
>     O_IP_DST
>         if (((ipfw_insn_ip *)cmd)->addr.s_addr ==
>             (dst_ip.s_addr & ((ipfw_insn_ip *)cmd)->mask.s_addr))
>                 goto cmd_match;
>         goto cmd_fail;
>
>     O_ACCEPT:
>         retval = 0;     /* accept */
>         goto accept;
>
> But there is a lot more -- the instruction set is easily extensible,
> and without backward compatibility problems. Furthermore, you can
> build (and I have already implemented them) more complex rules by
> assembling microinstructions with OR and NOT operands. I.e. you can write
> something like:
>
>     pipe 10 tcp from 1.2.3.4 or 1.2.3.7 or not 1.2.3.0/28 21-25,1024-4095 \
>         to any in recv ed0 or recv fxp1 or recv dc0 uid 35 or uid 50
>
> You get the idea...
>
> I have a fairly complete version of the above code at the moment,
> which is only missing a small set of functionalities
> (ip/tcp flags matching, "log" and fixing hooks to the stateful
> code). However the glue to implement all the missing pieces is
> already there, it is just a matter of adding a few lines of code
> and testing things.
> Other than that, the code is meant to be fully compatible with the
> old syntax so you will not have to rewrite your existing rulesets.
>
> I have put a preliminary snapshot of this code (for CURRENT) at
>
>     http://info.iet.unipi.it/~luigi/ipfw5.20020609.tgz
>
> It replaces the following files from a recent (2002/05/14) version of -current.
>
>     sys/netinet/ip_dummynet.c
>     sys/netinet/ip_fw.c
>     sys/netinet/ip_fw.h
>     sbin/ipfw/ipfw.c
>
> I would be very grateful if someone could have a look at the
> code, maybe give it a try, and see e.g. how it compiles your
> typical ruleset and whether the new extensions can make your
> ipfw rulesets simpler.
>
> Feedback welcome, both on the architecture and on the implementation.
>
> NOTE: if people wonder why I did not use BPF and reinvented the wheel:
> the keyword is "backward compatibility" -- i thought it was a bit too
> complex to compile the existent ipfw syntax into BPF, especially because
> BPF at least as far as i know does not handle UIDs, and GIDs and
> interface matches and different "actions" than match or not match,
> so i would have had to extend the code anyways, at which point i
> thought I could as well write my own microinstruction set...
>
> cheers
> luigi
> -----------------------------------+-------------------------------------
>  Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
>  http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
>  TEL/FAX: +39-050-568.533/522     .
>                                     via Diotisalvi 2, 56126 PISA (Italy)
>  Mobile   +39-347-0373137
> -----------------------------------+-------------------------------------
> to
>
> thanks
> luigi

From owner-freebsd-ipfw Sat Jun 15 11:20:45 2002
Date: Sat, 15 Jun 2002 11:20:18 -0700
From: Luigi Rizzo
To: Mihail Balikov
Cc: ipfw@freebsd.org
Subject: Re: New ipfw code available

On Sat, Jun 15, 2002 at 12:48:30PM +0300, Mihail Balikov wrote:
> how about adding simple checksum of rules , something like incrementing
> counter on every
> IP_FW_FLUSH, IP_FW_ADD, IP_FW_DEL

what do you mean ?
luigi

From owner-freebsd-ipfw Sat Jun 15 14:45:39 2002
Date: Sun, 16 Jun 2002 00:40:55 +0300
From: "Mihail Balikov"
To: "Luigi Rizzo"
Subject: Re: New ipfw code available

something like this:

sys/netinet/ip_fw.c:

    static u_int64_t seq_num = 0;
    SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, seq_num, CTLFLAG_RW,
        &seq_num, 0, "Sequence number of changes");

    static int
    ip_fw_ctl(struct sockopt *sopt)
    {
        [...]
        case IP_FW_FLUSH:
            seq_num++;
        [...]
        case IP_FW_ADD:
            seq_num++;
        [...]
        case IP_FW_DEL:
            seq_num++;
        ....
    }

It should be useful to have a similar counter for dummynet.

regards,
m.
----- Original Message -----
From: "Luigi Rizzo"
To: "Mihail Balikov"
Sent: Saturday, June 15, 2002 9:20 PM
Subject: Re: New ipfw code available

> On Sat, Jun 15, 2002 at 12:48:30PM +0300, Mihail Balikov wrote:
> > how about adding simple checksum of rules , something like incrementing
> > counter on every
> > IP_FW_FLUSH, IP_FW_ADD, IP_FW_DEL
>
> what do you mean ?
>
> luigi
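The two ideas in this thread, Luigi's microinstruction matcher (a masked O_IP_DST compare, an O_ACCEPT action, and alternatives joined with "or" / "not") and Mihail's change counter that is bumped on every add/delete/flush, as an added stand-alone C example that is not code from the thread or from ipfw itself: the opcode names, the insn layout, run_rule() and ruleset_seq()/ruleset_changed() are constructed for this example, and addresses are plain host-order uint32 values rather than struct in_addr.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical opcodes in the spirit of the O_IP_DST / O_ACCEPT
 * microinstructions quoted in the thread (constructed, not ipfw's own). */
enum { O_IP_SRC, O_IP_DST, O_ACCEPT, O_DENY };

struct insn {
    uint8_t  opcode;
    uint8_t  invert;   /* "not": negate this instruction's result       */
    uint8_t  or_next;  /* "or": this and the next insn are alternatives  */
    uint32_t addr;     /* O_IP_SRC/O_IP_DST operand, host order, masked  */
    uint32_t mask;
};

/* Ruleset generation counter as proposed at the end of the thread: bumped
 * on every add/delete/flush so a reader can detect a change between reads. */
static uint64_t seq_num;
uint64_t ruleset_seq(void)     { return seq_num; }
void     ruleset_changed(void) { seq_num++; }

/* Interpret one rule's program: 1 = accept, 0 = deny, -1 = rule does not
 * match (the caller moves on to the next rule). An OR block is a run of
 * instructions with or_next set, closed by one without it. */
int run_rule(const struct insn *prog, size_t n, uint32_t src, uint32_t dst)
{
    int block_done = 0;   /* an alternative in the current OR block matched */
    for (size_t i = 0; i < n; i++) {
        const struct insn *c = &prog[i];
        int m;
        switch (c->opcode) {
        case O_ACCEPT: return 1;
        case O_DENY:   return 0;
        case O_IP_SRC: m = (src & c->mask) == c->addr; break;
        case O_IP_DST: m = (dst & c->mask) == c->addr; break;
        default:       return -1;   /* unknown opcode: no match */
        }
        if (c->invert) m = !m;
        if (block_done) {           /* skip the remaining alternatives */
            if (!c->or_next) block_done = 0;
            continue;
        }
        if (m) { block_done = c->or_next; continue; }
        if (!c->or_next) return -1; /* last alternative failed */
    }
    return -1;                      /* program ended without an action */
}
```

A rule such as "allow ip from 1.2.3.0/24 to any" compiles to one O_IP_SRC instruction followed by O_ACCEPT; "from 1.2.3.4 or 1.2.3.7 or not 1.2.3.0/28" becomes three OR-linked O_IP_SRC instructions, the last with invert set.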