[HEADS UP!] IPFW Ideas: possible SoC 2008 candidate

Vadim Goncharov vadim_nuclight at mail.ru
Wed Mar 26 01:50:14 PDT 2008


Hi Marcelo Araujo! 

On Mon, 24 Mar 2008 08:53:26 -0300; Marcelo Araujo wrote about 'Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate':

>> 2.5. Just to mention: modip, counter limits, fragments.
>>
>> These patches are already currently discussed in ipfw@, but included
>> here just to not forget. These are "modip" action, allowing to modify IP
>> header (DSCP, ToS, TTL) and corresponding match rule options, and a rule
>> option to match when rule counters are less than specified number
>> packets or bytes (possibly from dynamic rule's counters), may be
>> a tablearg. This is also related with mentioned in section 1.2 ability
>> to control rule counters.
>>
>> Adding a few keywords for O_FRAG more fragment matching (not only
>> non-first fragment), e.g. for sending to specialized netgraph(4)
>> reassembling module, is also desirable.

> As a reminder to all, I am still working on the modip action; I stopped my
> work during last week, but I am working on it again.
> Work status:

> 1) We have modip action implemented:

> island# ipfw add modip
> ipfw: need modip [DF|TOS|IPPRE|DSCP]:code arg

> 2) Both DF and IPPRE work perfectly:
> island# ipfw show
> 00010    371    36133 modip ippre:immediate ip from any to any
> 00011     52     5035 modip df:0 ip from any to any

> 3) DSCP:
> With DSCP I have some errors, but I believe that I will fix them this week.

> 4) ToS:
> I will start the work next week.


> The patch: http://people.freebsd.org/~araujo/logs/ipfw-modip20080324.diff

Looked at the patch. Some lines are changed e.g. in NAT definitions without any
visible changes, strange.

Also, you're adding 7 opcodes in the kernel, 2 for match and 5 for setting,
while having single "modip" action in userland. In the case of significantly
changing compilation rules, etc., we may need many new opcodes so we should
not waste them. For example, your O_IPTOSPRE is redundant because we already
have O_IPPRECEDENCE which compiler could utilize while retaining more ABI
compatibility.

I can correct and extend your patch for DSCP/TTL/any bytes (not forgetting
credits, of course), if you're too busy...

-- 
WBR, Vadim Goncharov. ICQ#166852181       mailto:vadim_nuclight at mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]


