'prevmatch' patch

Luigi Rizzo rizzo at icir.org
Tue Jan 27 01:02:27 PST 2004


On Mon, Jan 26, 2004 at 06:23:07PM -0800, Bill Fumerola wrote:
> I ran into a situation recently where i could write my ruleset a lot
> simpler (and remove some costly, redundant lookups) by requiring that
> the previous rule evaluated matched.
> 
> note: this does NOT mean "the previous rule in order" it means "the
> previous rule traversed". the former isn't all that useful, but the
> latter is nice because it works with both count and skipto rules.

I cannot make much sense of this. Can you give an actual example?
It seems to me that the only thing 'prevmatch' tells you is
whether or not you got to a rule as a result of a 'count' or 'skipto'
action, which is a special case of a more general (and equally
simple to implement) mechanism that I am planning to add (and I
believe I posted this already some time ago):

 + add to all non-terminal actions (count, skipto, tee) two bitmasks
   that specify sets of flags to set and clear, respectively;
 + add a new opcode that matches arbitrary bit patterns;
 + flags will be preserved in dummynet so they will be accessible
   when the packet comes out of a pipe.

So you will be able to write

	100 count set 0x10 src-ip 1.2.3.4,5.6.7.8,9.10.11.12 // good guys
	100 count set 0x20 dst-port 80
	110 count set 0x40 src-ip 10.0.0.0/8,192.168.0.0/16 // bad guys
	...
	500 pipe 1 flags & 0x60 == 0x20
	500 deny flags & 0x40 != 0

and so on. I am still a bit uncertain on the syntax for the 'flags'
opcode -- this is basically the only thing stopping me from implementing
the thing. If you want to give it a shot...

	cheers
	luigi
> not, this will live in the archives for people to apply locally.
> 
> -- 
> - bill fumerola / fumerola at yahoo-inc.com / billf at FreeBSD.org
> 
> 
> ----- Forwarded message from bill fumerola <fumerola at yahoo-inc.com> -----
> 
> ==== //depot/yahoo/ybsd_4/src/sbin/ipfw/ipfw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/ipfw/ipfw2.c#3 (text+ko) ==== content
> @@ -225,6 +225,7 @@
>  	TOK_MACTYPE,
>  	TOK_VERREVPATH,
>  	TOK_IPSEC,
> +	TOK_PREVMATCH,
>  	TOK_COMMENT,
>  
>  	TOK_PLR,
> @@ -337,6 +338,7 @@
>  	{ "mac-type",		TOK_MACTYPE },
>  	{ "verrevpath",		TOK_VERREVPATH },
>  	{ "ipsec",		TOK_IPSEC },
> +	{ "prevmatch",		TOK_PREVMATCH },
>  	{ "//",			TOK_COMMENT },
>  
>  	{ "not",		TOK_NOT },		/* pseudo option */
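Review bot: the new keyword `{ "prevmatch", TOK_PREVMATCH }` is user-visible but the patch carries no ipfw(8) manual page change; the option's meaning (the previous rule *traversed* matched, as the covering mail explains, not the previous rule in numeric order) and the fact that it is only ever raised by count/skipto will otherwise live only in the list archives. Add an entry under the rule options next to `verrevpath` and `ipsec` in ipfw.8 in the same commit.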
> @@ -1262,6 +1264,10 @@
>  				printf(" ipsec");
>  				break;
>  
> +			case O_PREVMATCH:
> +				printf(" prevmatch");
> +				break;
> +
>  			case O_NOP:
>  				comment = (char *)(cmd + 1);
>  				break;
> @@ -3400,6 +3406,10 @@
>  			fill_cmd(cmd, O_IPSEC, 0, 0);
>  			break;
>  
> +		case TOK_PREVMATCH:
> +			fill_cmd(cmd, O_PREVMATCH, 0, 0);
> +			break;
> +
>  		case TOK_COMMENT:
>  			fill_comment(cmd, ac, av);
>  			av += ac;
> ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.c#4 (text+ko) ==== content
> @@ -1352,6 +1352,7 @@
>  	int pktlen;
>  	int dyn_dir = MATCH_UNKNOWN;
>  	ipfw_dyn_rule *q = NULL;
> +	int prevmatch = 0;
>  
>  	if (m->m_flags & M_SKIP_FIREWALL)
>  		return 0;	/* accept */
> @@ -1524,6 +1525,10 @@
>  				match = 1;
>  				break;
>  
> +			case O_PREVMATCH:
> +				match = prevmatch;
> +				break;
> +
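Review bot: `match = prevmatch;` reads a per-packet local that starts at 0 and is raised only by count/skipto, so `prevmatch` on the first rule of a pass can never be true, and the opcode's value depends on two other places in the same function that are not visible from this case. A one-line comment here naming where the flag is set and where it is cleared would save the next reader a search, and it should be confirmed (and stated in the commit message) that `not prevmatch` works through the generic `not` pseudo option, since that negated form is the one the stated use case actually needs.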
>  			case O_FORWARD_MAC:
>  				printf("ipfw: opcode %d unimplemented\n",
>  				    cmd->opcode);
> @@ -1948,6 +1953,7 @@
>  
>  			case O_COUNT:
>  			case O_SKIPTO:
> +				prevmatch = 1;
>  				f->pcnt++;	/* update stats */
>  				f->bcnt += pktlen;
>  				f->timestamp = time_second;
> @@ -2004,6 +2010,7 @@
>  			}
>  
>  		}	/* end of inner for, scan opcodes */
> +		prevmatch = 0;
>  
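Review bot: the placement of `prevmatch = 0;` between the end of the opcode loop and the `next_rule:` label is load-bearing and undocumented. It is reached only when control falls out of the opcode loop (a rule whose body did not match); the count path that just set `prevmatch = 1` must reach `next_rule:` by a jump that bypasses this line, or every count would immediately clear the flag it set. Add a comment such as `/* body did not match; only reached by falling out of the loop */` so that a later reordering of the label or the reset does not silently break prevmatch.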
>  next_rule:;		/* try next rule		*/
>  
> @@ -2414,6 +2421,7 @@
>  		case O_ESTAB:
>  		case O_VERREVPATH:
>  		case O_IPSEC:
> +		case O_PREVMATCH:
>  			if (cmdlen != F_INSN_SIZE(ipfw_insn))
>  				goto bad_size;
>  			break;
> ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.h#3 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.h#3 (text+ko) ==== content
> @@ -96,6 +96,8 @@
>  
>  	O_VERREVPATH,		/* none				*/
>  
> +	O_PREVMATCH,		/* none (previous rule matched) */
> +
>  	O_PROBE_STATE,		/* none				*/
>  	O_KEEP_STATE,		/* none				*/
>  	O_LIMIT,		/* ipfw_insn_limit		*/
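Review bot: inserting `O_PREVMATCH` between `O_VERREVPATH` and `O_PROBE_STATE` renumbers every opcode after it (`O_PROBE_STATE`, `O_KEEP_STATE`, `O_LIMIT`, and the rest). Opcode numbers are carried inside the rule blobs that /sbin/ipfw hands to the kernel, and both halves of this patch use this same header, so a userland ipfw and a kernel built on different sides of this change will interpret each other's opcodes differently. Append the new opcode at the end of the enum instead, and keep the size-check entry added in the ip_fw2.c hunk above in step with wherever it lands.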
> 
> 
> ----- End forwarded message -----
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
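As an added illustration, not code from this thread, from ipfw, or from the implementation Luigi says he is planning: the C model below runs Luigi's example ruleset through a toy rule chain in which count/skipto carry set/clear bitmasks and a `flags` opcode matches `flags & mask == value` / `!= value`. Bill's prevmatch is emulated as one reserved bit (`F_PREVMATCH`, our name) that every count/skipto sets and every non-matching rule clears, which is the "special case" relationship the reply claims. The three-network limit per rule, the verdict encoding (-1 deny, 0 accept, n for pipe n), the skipto rule 120, the accept rule 200 and the accept default rule are all assumptions made for the example.

```c
/*
 * Added example, not FreeBSD ipfw code: a toy model of the flag mechanism
 * described in the mail, with Bill's "prevmatch" emulated as one reserved bit
 * that count/skipto set and a non-matching rule clears.
 */
#include <stdint.h>
#include <stdio.h>

#define F_PREVMATCH 0x01u          /* hypothetical reserved bit playing "prevmatch" */

struct pkt { uint32_t src_ip; uint16_t dst_port; uint32_t flags; };

enum action { A_COUNT, A_SKIPTO, A_PIPE, A_DENY, A_ALLOW };
enum mtype  { M_ANY, M_SRC_NET, M_DST_PORT, M_FLAGS_EQ, M_FLAGS_NE };

struct net { uint32_t addr, mask; };

struct rule {
    int num;                   /* rule number; skipto N goes to the first rule numbered >= N */
    enum action act;
    int arg;                   /* pipe number or skipto target */
    uint32_t set, clear;       /* masks applied by the non-terminal actions (the proposal) */
    enum mtype mt;
    uint32_t a, b;             /* M_DST_PORT: a = port; M_FLAGS_*: a = mask, b = value */
    struct net nets[3];        /* M_SRC_NET: address list (limit of three is ours) */
    int nnets;
};

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    int i;
    switch (r->mt) {
    case M_ANY:      return 1;
    case M_DST_PORT: return p->dst_port == r->a;
    case M_FLAGS_EQ: return (p->flags & r->a) == r->b;   /* "flags & mask == value" */
    case M_FLAGS_NE: return (p->flags & r->a) != r->b;   /* "flags & mask != value" */
    case M_SRC_NET:
        for (i = 0; i < r->nnets; i++)
            if ((p->src_ip & r->nets[i].mask) == r->nets[i].addr)
                return 1;
        return 0;
    }
    return 0;
}

/* Verdict: -1 deny, 0 accept, n > 0 means "pipe n". Running off the end denies. */
static int run_chain(const struct rule *rules, int n, struct pkt *p)
{
    int i = 0;
    while (i < n) {
        const struct rule *r = &rules[i];
        if (!rule_matches(r, p)) {
            p->flags &= ~F_PREVMATCH;  /* non-match: same effect as the patch's prevmatch = 0 */
            i++;
            continue;
        }
        switch (r->act) {
        case A_COUNT:
        case A_SKIPTO:
            /* apply the action's set/clear masks; prevmatch is just one more bit */
            p->flags = (p->flags | r->set | F_PREVMATCH) & ~r->clear;
            if (r->act == A_COUNT) { i++; break; }
            for (i = 0; i < n && rules[i].num < r->arg; i++)
                ;
            break;
        case A_PIPE:  return r->arg;
        case A_DENY:  return -1;
        case A_ALLOW: return 0;
        }
    }
    return -1;
}

/* Luigi's ruleset from the mail, plus a skipto that tests the prevmatch bit,
 * an accept for ssh, and an accept default rule (those three are ours). */
static const struct rule example[] = {
    { .num = 100, .act = A_COUNT, .set = 0x10, .mt = M_SRC_NET, .nnets = 3,   /* good guys */
      .nets = { { IP(1,2,3,4), 0xffffffffu }, { IP(5,6,7,8), 0xffffffffu },
                { IP(9,10,11,12), 0xffffffffu } } },
    { .num = 100, .act = A_COUNT, .set = 0x20, .mt = M_DST_PORT, .a = 80 },
    { .num = 110, .act = A_COUNT, .set = 0x40, .mt = M_SRC_NET, .nnets = 2,   /* bad guys */
      .nets = { { IP(10,0,0,0), 0xff000000u }, { IP(192,168,0,0), 0xffff0000u } } },
    { .num = 120, .act = A_SKIPTO, .arg = 500, .mt = M_FLAGS_NE, .a = F_PREVMATCH, .b = 0 },
    { .num = 200, .act = A_ALLOW, .mt = M_DST_PORT, .a = 22 },
    { .num = 500, .act = A_PIPE, .arg = 1, .mt = M_FLAGS_EQ, .a = 0x60, .b = 0x20 },
    { .num = 500, .act = A_DENY, .mt = M_FLAGS_NE, .a = 0x40, .b = 0 },
    { .num = 65535, .act = A_ALLOW, .mt = M_ANY },
};

/* Run one constructed packet through the chain; final flag word via *flags_out. */
int eval_example(uint32_t src_ip, uint16_t dst_port, uint32_t *flags_out)
{
    struct pkt p = { src_ip, dst_port, 0 };
    int v = run_chain(example, (int)(sizeof example / sizeof example[0]), &p);
    if (flags_out)
        *flags_out = p.flags;
    return v;
}

int main(void)
{
    uint32_t fl;
    int v = eval_example(IP(1,2,3,4), 80, &fl);
    printf("good guy -> :80   verdict %d, flags 0x%02x\n", v, (unsigned)fl);
    v = eval_example(IP(10,1,2,3), 80, &fl);
    printf("bad guy  -> :80   verdict %d, flags 0x%02x\n", v, (unsigned)fl);
    v = eval_example(IP(192,168,1,1), 22, &fl);
    printf("bad guy  -> :22   verdict %d, flags 0x%02x\n", v, (unsigned)fl);
    return 0;
}
```

The point the model makes is the one in the reply: the bad-guy ssh packet is denied because rule 120 can see that the *previous traversed* rule (110) matched and skips straight to 500, while a good-guy HTTP packet reaches the pipe with 0x30 in its flag word and is never touched by the deny rule. Everything prevmatch does here is done by one bit that the general set/clear masks can carry, and the flag word survives the skipto, which is what a single `prevmatch` local cannot express once a packet has passed several counts.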


More information about the freebsd-ipfw mailing list