From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 8 23:01:51 2005
Date: Tue, 8 Feb 2005 15:01:50 -0800
From: Luigi Rizzo
To: Chris Dionissopoulos
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: Sticky pf(4)-like feature in ipfw?
Message-ID: <20050208150150.C28282@xorpc.icir.org>
References: <000a01c50df5$4a4435e0$3c00000a@R3B>
In-Reply-To: <000a01c50df5$4a4435e0$3c00000a@R3B>; from dionch@freemail.gr on Tue, Feb 08, 2005 at 05:45:59PM +0200
User-Agent: Mutt/1.2.5.1i
List-Id: IPFW Technical Discussions

The 'state only based on the 3-tuple' as you describe it is certainly an
interesting feature. It is slightly more expensive to implement than what I
thought at first, because you should do two hash computations and lookups
(one on the 5-tuple, one on the 3-tuple) on each packet trying to match a
dynamic rule.

I just wonder why it is named 'sticky' in pf, which is not really very
indicative of what the function does.
cheers
luigi

On Tue, Feb 08, 2005 at 05:45:59PM +0200, Chris Dionissopoulos wrote:
> Hi,
> I think of adding a new feature in (my local copy of) ipfw (releng5) so that it
> also makes a sticky match when forwarding broken protocols like ftp, h.323,
> sip, etc.
> It's inspired by the pf(4) sticky feature as is. The general usage will be for
> "skipto" forwarding rules as shown in the example below:
>
> Network ASCII-ART:
>
>   Gateway1        Gateway2
>      |               |
>   ------------------------ 192.168.1.0/24
>               |
>        [Freebsd-ipfw]
>               |
>   ------------------------ 192.168.3.0/24
>
> ipfw.sh:
> ~~~~~~~~~~~~~~~~~~~~~~
> #!/bin/sh
> fwcmd="/sbin/ipfw"
> pass="skipto 65535"
>
> gateway_mac1="00:0e:2e:03:36:23"
> gateway_mac2="00:0e:2e:03:37:23"
> gateway1="192.168.1.2"
> gateway2="192.168.1.1"
>
> lan_network="192.168.3.0/24"
> broken="20,21,1720,6667,4600-4700"
>
> #CHECK STATES.
> ${fwcmd} add 100 check-state
>
> # INCOMING TRAFFIC (replies arriving from each gateway, told apart by source MAC)
> ${fwcmd} add 1100 skipto 10100 ip from any to any mac any ${gateway_mac1} \
>     in recv rl0 keep-state
> ${fwcmd} add 1200 skipto 10200 ip from any to any mac any ${gateway_mac2} \
>     in recv rl0 keep-state
>
> #OUTGOING + NOT-YET-STATED PACKETS BROKEN PROTOCOLS [LB 50%-50%]
> # skipto must land on the fwd rule itself (10100/10200), since skipto
> # continues at the first rule numbered >= the target
> ${fwcmd} add 2000 prob 0.5 skipto 10100 tcp from ${lan_network} to not ${lan_network} \
>     dst-port ${broken} in recv rl1 keep-sticky
> ${fwcmd} add 2001 skipto 10200 tcp from ${lan_network} to not ${lan_network} \
>     dst-port ${broken} in recv rl1 keep-sticky
>
> #OUTGOING + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%]
> ${fwcmd} add 2100 prob 0.5 skipto 10100 ip from ${lan_network} to not ${lan_network} \
>     in recv rl1 keep-state
> ${fwcmd} add 2101 skipto 10200 ip from ${lan_network} to not ${lan_network} \
>     in recv rl1 keep-state
>
> #DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER
> ${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not ${lan_network} \
>     in recv rl1
> ${fwcmd} add 10110 ${pass} ip from any to any
>
> #DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER
> ${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not ${lan_network} \
>     in recv rl1
> ${fwcmd} add 10210 ${pass} ip from any to any
>
> ~~~~~~~~~~~~~~~~~~~~~~
>
>
> The main difference between "keep-sticky" and "keep-state" is just relaxed
> state matching, using only proto+(src_ip+dst_ip) and
> proto+reversed(src_ip+dst_ip), and not (src_ip:src_port + dst_ip:dst_port)
> straight and reversed (=keep-state/limit).
>
> My question:
> Has anyone already been working on such a feature?
> Because it's pretty easy to implement(*) "keep-sticky", are any of the
> ipfw developers planning to add such a feature in the near future?
>
>
> Thanks,
> Chris.
>
>
> (*)
> 1. TOK_KEEPSTICKY in /usr/src/sbin/ipfw/ipfw2.c
>    O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h
>    and copy TOK_KEEPSTATE+O_KEEPSTATE code
>    as a new case of cmd+rule argument.
> 2. Some changes in the "lookup_dyn_rule_locked" function of
>    /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state
>    when "keep-sticky" is enabled.
>
>
> ____________________________________________________________________
> http://www.freemail.gr - free e-mail service.
> http://www.freemail.gr - free email service for the Greek-speaking.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
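To make the cost Luigi describes concrete, here is an added example (not ipfw code, and not from either poster) of a dynamic-rule table that keeps exact 5-tuple states next to relaxed 3-tuple "sticky" states and, as in his description, does two hash computations and two bucket walks per packet. The names (struct dyn_table, hash3, hash5, lookup_dyn, install_dyn, KEEP_STICKY), the hash functions and the sample flows are all constructed for this illustration; only the matching semantics (proto + src/dst IP in either direction for sticky, full 5-tuple in either direction for keep-state) follow what the thread describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 64
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical flow key, host byte order for readability. */
struct flow {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t  proto;
};

enum { KEEP_STATE, KEEP_STICKY };

struct dyn_rule {
    struct flow id;          /* flow that created the state */
    int kind;                /* KEEP_STATE: 5-tuple, KEEP_STICKY: 3-tuple */
    int rulenum;             /* parent rule whose action is replayed */
    struct dyn_rule *next;
};

struct dyn_table {
    struct dyn_rule *b5[NBUCKETS];   /* bucketed by 5-tuple hash */
    struct dyn_rule *b3[NBUCKETS];   /* bucketed by 3-tuple hash */
    struct dyn_rule pool[32];
    int used;
    int lookups;                     /* bucket walks done, to show the cost */
};

/* Direction-insensitive hashes: forward and reverse packets of one flow
 * land in the same bucket, so a single bucket walk covers both directions. */
static uint32_t hash3(const struct flow *f) {
    return ((f->src ^ f->dst) + f->proto) % NBUCKETS;
}
static uint32_t hash5(const struct flow *f) {
    return ((f->src ^ f->dst) + f->proto +
            31u * ((uint32_t)f->sport ^ f->dport)) % NBUCKETS;
}

/* keep-sticky matching: proto + (src,dst) straight or reversed, ports ignored */
static int match3(const struct flow *a, const struct flow *b) {
    if (a->proto != b->proto) return 0;
    return (a->src == b->src && a->dst == b->dst) ||
           (a->src == b->dst && a->dst == b->src);
}
/* keep-state matching: the full 5-tuple, straight or reversed */
static int match5(const struct flow *a, const struct flow *b) {
    if (a->proto != b->proto) return 0;
    return (a->src == b->src && a->dst == b->dst &&
            a->sport == b->sport && a->dport == b->dport) ||
           (a->src == b->dst && a->dst == b->src &&
            a->sport == b->dport && a->dport == b->sport);
}

static int install_dyn(struct dyn_table *t, const struct flow *f, int kind, int rulenum) {
    if (t->used >= 32) return -1;
    struct dyn_rule *r = &t->pool[t->used++];
    r->id = *f; r->kind = kind; r->rulenum = rulenum;
    struct dyn_rule **head = (kind == KEEP_STATE) ? &t->b5[hash5(f)] : &t->b3[hash3(f)];
    r->next = *head; *head = r;
    return 0;
}

/* Returns the parent rule number or -1. Exact states are tried first, then
 * the relaxed ones: two hash computations and two bucket walks per packet. */
static int lookup_dyn(struct dyn_table *t, const struct flow *pkt) {
    struct dyn_rule *r;
    t->lookups++;
    for (r = t->b5[hash5(pkt)]; r; r = r->next)
        if (match5(&r->id, pkt)) return r->rulenum;
    t->lookups++;
    for (r = t->b3[hash3(pkt)]; r; r = r->next)
        if (match3(&r->id, pkt)) return r->rulenum;
    return -1;
}

/* Worked scenario with constructed flows; returns one bit per check (31 = all pass):
 *  bit0 new port pair between the same hosts hits the sticky state
 *  bit1 reverse-direction connection (active-mode data) hits it too
 *  bit2 another protocol between the same hosts does not
 *  bit3 a plain keep-state entry still needs the exact 5-tuple
 *  bit4 a miss on an empty table cost exactly two bucket walks */
static int run_scenario(void) {
    struct dyn_table t;
    int bits = 0;
    memset(&t, 0, sizeof t);

    struct flow probe = { IP(10,0,0,1), IP(10,0,0,2), 1, 2, 6 };
    lookup_dyn(&t, &probe);
    if (t.lookups == 2) bits |= 16;

    struct flow ctl  = { IP(192,168,3,10), IP(1,2,3,4), 40001, 21, 6 };   /* FTP control via rule 2000 */
    install_dyn(&t, &ctl, KEEP_STICKY, 2000);
    struct flow pasv = { IP(192,168,3,10), IP(1,2,3,4), 40002, 30123, 6 }; /* passive data */
    if (lookup_dyn(&t, &pasv) == 2000) bits |= 1;
    struct flow port = { IP(1,2,3,4), IP(192,168,3,10), 20, 40003, 6 };    /* active data, server-initiated */
    if (lookup_dyn(&t, &port) == 2000) bits |= 2;
    struct flow udp  = { IP(192,168,3,10), IP(1,2,3,4), 40004, 53, 17 };
    if (lookup_dyn(&t, &udp) == -1) bits |= 4;

    struct flow http  = { IP(192,168,3,11), IP(1,2,3,4), 50000, 80, 6 };   /* HTTP via rule 2100 */
    install_dyn(&t, &http, KEEP_STATE, 2100);
    struct flow http2 = { IP(192,168,3,11), IP(1,2,3,4), 50001, 80, 6 };
    if (lookup_dyn(&t, &http) == 2100 && lookup_dyn(&t, &http2) == -1) bits |= 8;
    return bits;
}

int main(void) {
    printf("scenario bits: %d (31 = all checks passed)\n", run_scenario());
    return 0;
}
```

The point the scenario makes is the security trade-off behind the relaxed key: once a sticky state exists for a host pair, any further TCP connection between those two addresses, on any port and in either direction, inherits the parent rule's action, so a keep-sticky rule should be scoped as tightly as the ipfw.sh above does (specific interfaces and dst-port lists) rather than applied to "ip from any to any".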