'prevmatch' patch
Luigi Rizzo
rizzo at icir.org
Tue Jan 27 01:02:27 PST 2004
On Mon, Jan 26, 2004 at 06:23:07PM -0800, Bill Fumerola wrote:
> i ran into a situation recently where i could write my ruleset a lot
> simpler (and remove some costly, redundant lookups) by requiring that
> the previous rule evaluated matched.
>
> note: this does NOT mean "the previous rule in order" it means "the
> previous rule traversed". the former isn't all that useful, but the
> latter is nice because it works with both count and skipto rules.
i cannot make much sense of this. Can you make an actual example?
It seems to me that the only thing 'prevmatch' tells you is
whether or not you got to a rule as a result of a 'count' or 'skipto'
action, which is a special case of a more general (and equally
simple to implement) mechanism that i am planning to add (and i
believe i posted this already some time ago):
+ add to all non-terminal actions (count, skipto, tee) two bitmasks
that specify sets of flags to set and clear, respectively;
+ add a new opcode that matches arbitrary bit patterns;
+ flags will be preserved in dummynet so they will be accessible
when the packet comes out of a pipe.
So you will be able to write
100 count set 0x10 src-ip 1.2.3.4,5.6.7.8,9.10.11.12 // good guys
100 count set 0x20 dst-port 80
110 count set 0x40 src-ip 10.0.0.0/8,192.168.0.0/16 // bad guys
...
500 pipe 1 flags & 0x60 == 0x20
500 deny flags & 0x40 != 0
and so on. I am still a bit uncertain on the syntax for the 'flags'
opcode -- this is basically the only thing stopping me from implementing
the thing. If you want to give it a shot...
cheers
luigi
> not, this will live in the archives for people to apply locally.
>
> --
> - bill fumerola / fumerola at yahoo-inc.com / billf at FreeBSD.org
>
>
> ----- Forwarded message from bill fumerola <fumerola at yahoo-inc.com> -----
>
> ==== //depot/yahoo/ybsd_4/src/sbin/ipfw/ipfw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/ipfw/ipfw2.c#3 (text+ko) ==== content
> @@ -225,6 +225,7 @@
> TOK_MACTYPE,
> TOK_VERREVPATH,
> TOK_IPSEC,
> + TOK_PREVMATCH,
> TOK_COMMENT,
>
> TOK_PLR,
> @@ -337,6 +338,7 @@
> { "mac-type", TOK_MACTYPE },
> { "verrevpath", TOK_VERREVPATH },
> { "ipsec", TOK_IPSEC },
> + { "prevmatch", TOK_PREVMATCH },
> { "//", TOK_COMMENT },
>
> { "not", TOK_NOT }, /* pseudo option */
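Review bot: missing documentation: the keyword table gains "prevmatch" but no ipfw.8 hunk accompanies it, and the semantics (the previous rule traversed, not the previous rule in order, as the forwarded note explains) are exactly what readers will get wrong without a manual entry; add an ipfw.8 paragraph with a count/skipto example.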
> @@ -1262,6 +1264,10 @@
> printf(" ipsec");
> break;
>
> + case O_PREVMATCH:
> + printf(" prevmatch");
> + break;
> +
> case O_NOP:
> comment = (char *)(cmd + 1);
> break;
> @@ -3400,6 +3406,10 @@
> fill_cmd(cmd, O_IPSEC, 0, 0);
> break;
>
> + case TOK_PREVMATCH:
> + fill_cmd(cmd, O_PREVMATCH, 0, 0);
> + break;
> +
> case TOK_COMMENT:
> fill_comment(cmd, ac, av);
> av += ac;
> ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.c#4 (text+ko) ==== content
> @@ -1352,6 +1352,7 @@
> int pktlen;
> int dyn_dir = MATCH_UNKNOWN;
> ipfw_dyn_rule *q = NULL;
> + int prevmatch = 0;
>
> if (m->m_flags & M_SKIP_FIREWALL)
> return 0; /* accept */
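Review bot: `int prevmatch = 0;` makes the flag a local of the lookup function, so it cannot survive anything that leaves and re-enters the firewall (the reply above specifically wants such state preserved across a dummynet pipe); if that limitation is intended, state it in the description, otherwise the state has to travel with the packet rather than live on the stack.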
> @@ -1524,6 +1525,10 @@
> match = 1;
> break;
>
> + case O_PREVMATCH:
> + match = prevmatch;
> + break;
> +
> case O_FORWARD_MAC:
> printf("ipfw: opcode %d unimplemented\n",
> cmd->opcode);
> @@ -1948,6 +1953,7 @@
>
> case O_COUNT:
> case O_SKIPTO:
> + prevmatch = 1;
> f->pcnt++; /* update stats */
> f->bcnt += pktlen;
> f->timestamp = time_second;
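Review bot: the reply above counts tee among the non-terminal actions, but this hunk sets `prevmatch = 1;` only under `case O_COUNT:` / `case O_SKIPTO:`; either add `case O_TEE:` here if a matched tee should satisfy a following prevmatch, or say explicitly that tee intentionally does not.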
> @@ -2004,6 +2010,7 @@
> }
>
> } /* end of inner for, scan opcodes */
> + prevmatch = 0;
>
> next_rule:; /* try next rule */
>
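Review bot: the placement of `prevmatch = 0;` carries the whole invariant and deserves a comment: it runs when the inner loop exits because an opcode failed to match, and it is skipped only when a matched count/skipto leaves the loop by jumping straight to `next_rule:`, which is what lets the flag reach the next rule traversed; a one-line comment such as `/* this rule did not match */` would keep a later edit from moving it.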
> @@ -2414,6 +2421,7 @@
> case O_ESTAB:
> case O_VERREVPATH:
> case O_IPSEC:
> + case O_PREVMATCH:
> if (cmdlen != F_INSN_SIZE(ipfw_insn))
> goto bad_size;
> break;
> ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.h#3 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.h#3 (text+ko) ==== content
> @@ -96,6 +96,8 @@
>
> O_VERREVPATH, /* none */
>
> + O_PREVMATCH, /* none (previous rule matched) */
> +
> O_PROBE_STATE, /* none */
> O_KEEP_STATE, /* none */
> O_LIMIT, /* ipfw_insn_limit */
>
>
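Review bot: inserting `O_PREVMATCH` between `O_VERREVPATH` and `O_PROBE_STATE` renumbers every later opcode (`O_PROBE_STATE`, `O_KEEP_STATE`, `O_LIMIT`, ...), so an ipfw binary and a kernel built from different sides of this change will disagree about what an opcode means; appending the new value at the end of the enum keeps the existing numbering stable.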
> ----- End forwarded message -----
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
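The set/clear masks and 'flags' opcode proposed in the reply, walked through on its own example ruleset as an added toy model in C (not ipfw code): address lists and CIDR prefixes are expanded to one rule per entry, the struct layout and function names are this example's own, and the packets are constructed.

```c
#include <stdint.h>
/* Toy model of the set/clear masks and 'flags' opcode proposed above (added
 * example, not ipfw code): a matching non-terminal rule ORs in 'set' and clears
 * 'clr'; a 'flags' opcode compares (flags & fmask) with fval. */
enum action { A_COUNT, A_PIPE, A_DENY, A_ALLOW };
struct pkt { uint32_t src; uint16_t dport; };
struct rule {
    enum action act; int arg;        /* arg = pipe number for A_PIPE */
    uint32_t net, mask;              /* src-ip: (src & mask) == net; mask 0 = any */
    uint16_t dport;                  /* 0 = any destination port */
    uint32_t set, clr, fmask, fval;  /* set/clr on count match; flags test, fmask 0 = none */
    int fneq;                        /* 0: require (flags & fmask) == fval, 1: require != */
};
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
static int rule_matches(const struct rule *r, const struct pkt *p, uint32_t flags)
{
    if (r->mask && (p->src & r->mask) != r->net) return 0;
    if (r->dport && p->dport != r->dport) return 0;
    if (r->fmask && (((flags & r->fmask) == r->fval) == r->fneq)) return 0;
    return 1;
}
/* Walks the rules with a per-packet flag word and returns the terminal action
 * (pipe number via *pipe); falling off the end is A_ALLOW, a constructed default. */
enum action classify(const struct rule *rs, int n, const struct pkt *p, int *pipe)
{
    uint32_t flags = 0;
    for (int i = 0; i < n; i++) {
        if (!rule_matches(&rs[i], p, flags)) continue;
        if (rs[i].act == A_COUNT) {           /* non-terminal: update flags, go on */
            flags = (flags | rs[i].set) & ~rs[i].clr;
            continue;
        }
        if (rs[i].act == A_PIPE && pipe) *pipe = rs[i].arg;
        return rs[i].act;
    }
    return A_ALLOW;
}
/* The ruleset from the reply above; each address-list entry becomes one rule. */
static const struct rule ruleset[] = {
    { A_COUNT, 0, IP(1,2,3,4),     0xffffffffu, 0,  0x10, 0, 0,    0,    0 }, /* 100 good guys */
    { A_COUNT, 0, IP(5,6,7,8),     0xffffffffu, 0,  0x10, 0, 0,    0,    0 },
    { A_COUNT, 0, IP(9,10,11,12),  0xffffffffu, 0,  0x10, 0, 0,    0,    0 },
    { A_COUNT, 0, 0,               0,           80, 0x20, 0, 0,    0,    0 }, /* 100 dst-port 80 */
    { A_COUNT, 0, IP(10,0,0,0),    0xff000000u, 0,  0x40, 0, 0,    0,    0 }, /* 110 bad guys */
    { A_COUNT, 0, IP(192,168,0,0), 0xffff0000u, 0,  0x40, 0, 0,    0,    0 },
    { A_PIPE,  1, 0,               0,           0,  0,    0, 0x60, 0x20, 0 }, /* 500 pipe 1 flags & 0x60 == 0x20 */
    { A_DENY,  0, 0,               0,           0,  0,    0, 0x40, 0,    1 }, /* 500 deny flags & 0x40 != 0 */
};
#define NRULES ((int)(sizeof ruleset / sizeof ruleset[0]))
```

A good guy on port 80 ends in pipe 1, a bad guy on any port is denied, and traffic matching neither count rule falls through with an empty flag word.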