Date:      Tue, 8 Feb 2005 15:01:50 -0800
From:      Luigi Rizzo <rizzo@icir.org>
To:        Chris Dionissopoulos <dionch@freemail.gr>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Sticky pf(4)-like feature in ipfw?
Message-ID:  <20050208150150.C28282@xorpc.icir.org>
In-Reply-To: <000a01c50df5$4a4435e0$3c00000a@R3B>; from dionch@freemail.gr on Tue, Feb 08, 2005 at 05:45:59PM +0200
References:  <000a01c50df5$4a4435e0$3c00000a@R3B>

The 'state only based on the 3-tuple' as you describe it
is certainly an interesting feature. It is slightly more expensive
to implement than what I thought at first, because you should
do two hash computations and lookups (one on the 5-tuple, one
on the 3-tuple) on each packet trying to match a dynamic rule.

I just wonder why it is named 'sticky' in pf,
which is not really very indicative of what the function does.

	cheers
	luigi

On Tue, Feb 08, 2005 at 05:45:59PM +0200, Chris Dionissopoulos wrote:
> Hi,
> I am thinking of adding a new feature to (my local copy of) ipfw (releng5) so that it
> also does a sticky match when forwarding broken protocols like ftp, h.323,
> sip, etc.
> It is inspired by the pf(4) sticky feature as is. The general usage will be for
> "skipto" forwarding rules as shown in the example below:
> 
> Network ASCII-ART:
> 
> Gateway1         Gateway2
>    |                |
> ---------------- 192.168.1.0/24
>         |
> [Freebsd-ipfw]
>         |
> ---------------- 192.168.3.0/24
> 
> ipfw.sh:
> ~~~~~~~~~~~~~~~~~~~~~~
> #!/bin/sh
> fwcmd="/sbin/ipfw"
> pass="skipto 65535"
>
> # Upstream gateways on rl0 (192.168.1.0/24). "mac any <addr>" matches the source MAC.
> gateway_mac1="00:0e:2e:03:36:23"
> gateway_mac2="00:0e:2e:03:37:23"
> gateway1="192.168.1.2"
> gateway2="192.168.1.1"
>
> # LAN on rl1
> lan_network="192.168.3.0/24"
> # Ports of protocols that open extra connections (ftp, h.323, irc, ...)
> broken="20,21,1720,6667,4600-4700"
>
> #CHECK STATES.
> ${fwcmd} add 100 check-state
>
> # INCOMING TRAFFIC: remember which gateway a flow arrived from
> ${fwcmd} add 1100 skipto 10100 ip from any to any mac any ${gateway_mac1} in recv rl0 keep-state
> ${fwcmd} add 1200 skipto 10200 ip from any to any mac any ${gateway_mac2} in recv rl0 keep-state
>
> #OUTGOING + NOT-YET-STATED PACKETS BROKEN PROTOCOLS [LB 50%-50%]
> # (keep-sticky is the proposed keyword: 3-tuple state, so related connections
> #  of the same host pair follow the same gateway; skipto must target the fwd rule itself)
> ${fwcmd} add 2000 prob 0.5 skipto 10100 tcp from ${lan_network} to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
> ${fwcmd} add 2001 skipto 10200 tcp from ${lan_network} to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
>
> #OUTGOING  + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%]
> ${fwcmd} add 2100 prob 0.5 skipto 10100 ip from ${lan_network} to not ${lan_network} in recv rl1 keep-state
> ${fwcmd} add 2101 skipto 10200 ip from ${lan_network} to not ${lan_network} in recv rl1 keep-state
>
> #DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER
> ${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not ${lan_network} in recv rl1
> ${fwcmd} add 10110 ${pass} ip from any to any
>
> #DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER
> ${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not ${lan_network} in recv rl1
> ${fwcmd} add 10210 ${pass} ip from any to any
> 
> ~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> The main difference between "keep-sticky" and "keep-state" is just relaxed state
> matching, using only proto+(src_ip+dst_ip) and proto+reversed(src_ip+dst_ip), and not
> (src_ip:src_port + dst_ip:dst_port) straight and reversed
> (=keep-state/limit).
> 
> My question:
> Has anyone already worked on such a feature?
> Since it is pretty easy to implement(*) "keep-sticky", are any of the
> ipfw developers planning to add such a feature in the near future?
> 
> 
> Thanks,
> Chris.
> 
> 
> (*)
> 1.  TOK_KEEPSTICKY in  /usr/src/sbin/ipfw/ipfw2.c
>     O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h
>     and copy TOK_KEEPSTATE+O_KEEPSTATE code
>     as a new case of cmd+rule argument.
> 2. Some changes in "lookup_dyn_rule_locked" function of
> /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state
> when "keep-sticky" is enabled.
> 

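Luigi's reply says the cost of the proposal is a second hash computation and lookup per packet, and Chris's footnote points at lookup_dyn_rule_locked(). The following is an added example, not ipfw code and not written by either poster: a toy model of the dynamic-rule lookup that keeps ordinary 5-tuple keep-state entries and the proposed 3-tuple keep-sticky entries in two separate hash tables, does both lookups on every packet (exact 5-tuple first, relaxed 3-tuple second, each in the forward and reversed direction), and shows an active-mode FTP data connection being matched only by the sticky entry that the control connection installed. The table layout, the XOR hashes and all function names are assumptions, and the addresses and ports are constructed.

```c
/*
 * Toy model of ipfw dynamic-rule lookup with a hypothetical "keep-sticky"
 * state that matches on proto+src_ip+dst_ip only.  Added example, not ipfw code.
 */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define N_BUCKETS 64u

struct flow {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;  /* TCP/UDP ports */
    uint8_t  proto;
};

struct dyn_rule {
    struct flow id;         /* flow that created the entry (forward direction) */
    int sticky;             /* 1 = 3-tuple (keep-sticky), 0 = 5-tuple (keep-state) */
    int skipto;             /* action argument of the parent rule */
    struct dyn_rule *next;  /* bucket chain */
};

/* Two tables, because every packet is looked up twice: exact 5-tuple, then 3-tuple. */
static struct dyn_rule *table5[N_BUCKETS];
static struct dyn_rule *table3[N_BUCKETS];

/* Symmetric (XOR) hashes, so a flow and its reverse land in the same bucket. */
static unsigned hash5(const struct flow *f)
{
    return (f->src ^ f->dst ^ f->sport ^ f->dport ^ f->proto) & (N_BUCKETS - 1);
}
static unsigned hash3(const struct flow *f)
{
    return (f->src ^ f->dst ^ f->proto) & (N_BUCKETS - 1);
}

/* +1 = forward match, -1 = reverse match, 0 = no match.
 * With sticky set, ports are ignored and only proto + the address pair count. */
static int match(const struct flow *id, const struct flow *p, int sticky)
{
    if (id->proto != p->proto)
        return 0;
    if (id->src == p->src && id->dst == p->dst &&
        (sticky || (id->sport == p->sport && id->dport == p->dport)))
        return 1;
    if (id->src == p->dst && id->dst == p->src &&
        (sticky || (id->sport == p->dport && id->dport == p->sport)))
        return -1;
    return 0;
}

/* keep-state / keep-sticky: install an entry for the packet that hit the rule. */
struct dyn_rule *install_state(const struct flow *f, int sticky, int skipto)
{
    struct dyn_rule *r = calloc(1, sizeof *r);
    if (r == NULL)
        return NULL;
    r->id = *f;
    r->sticky = sticky;
    r->skipto = skipto;
    struct dyn_rule **head = sticky ? &table3[hash3(f)] : &table5[hash5(f)];
    r->next = *head;
    *head = r;
    return r;
}

/* check-state: two hashes, two walks.  Sets *dir on a hit, returns the entry or NULL. */
struct dyn_rule *lookup_state(const struct flow *p, int *dir)
{
    struct dyn_rule *r;
    for (r = table5[hash5(p)]; r != NULL; r = r->next)
        if ((*dir = match(&r->id, p, 0)) != 0)
            return r;
    for (r = table3[hash3(p)]; r != NULL; r = r->next)
        if ((*dir = match(&r->id, p, 1)) != 0)
            return r;
    *dir = 0;
    return NULL;
}

/* skipto target a packet would take through check-state, 0 on a miss. */
int state_action(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport, uint8_t proto)
{
    struct flow p = { src, dst, sport, dport, proto };
    int dir;
    struct dyn_rule *r = lookup_state(&p, &dir);
    return r ? r->skipto : 0;
}

/* Constructed scenario: a LAN host opens FTP control through a keep-sticky rule
 * (skipto 10100 = gateway1) and HTTP through a plain keep-state rule (10200). */
#define IP(a,b,c,d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
#define LAN_HOST IP(192,168,3,10)
#define FTP_SRV  IP(203,0,113,5)
#define WEB_SRV  IP(198,51,100,7)

int demo(void)
{
    struct flow ctl  = { LAN_HOST, FTP_SRV, 34567, 21, 6 };
    struct flow http = { LAN_HOST, WEB_SRV, 40000, 80, 6 };
    install_state(&ctl, 1, 10100);   /* keep-sticky */
    install_state(&http, 0, 10200);  /* keep-state  */
    int hits = 0;
    hits += state_action(FTP_SRV, 21, LAN_HOST, 34567, 6) == 10100; /* control reply: reverse */
    hits += state_action(FTP_SRV, 20, LAN_HOST, 50001, 6) == 10100; /* active-mode data: 3-tuple only */
    hits += state_action(WEB_SRV, 80, LAN_HOST, 40000, 6) == 10200; /* exact 5-tuple reverse */
    hits += state_action(WEB_SRV, 80, LAN_HOST, 40001, 6) == 0;     /* no sticky entry: miss */
    return hits;  /* 4 when every lookup behaves as described */
}

int main(void)
{
    printf("%d of 4 lookups behaved as expected\n", demo());
    return 0;
}
```

The second walk is exactly the extra cost Luigi mentions: a packet that misses the 5-tuple table still pays for hash3() and a bucket scan before the firewall falls through to the static rules, so in a real implementation the 3-tuple pass would only be worth skipping when no keep-sticky entry exists at all.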