Sticky pf(4)-like feature in ipfw?

Chris Dionissopoulos dionch at freemail.gr
Tue Feb 8 07:46:12 PST 2005


Hi,
I am thinking of adding a new feature to (my local copy of) ipfw (releng5) so that it
also makes a sticky match when forwarding broken protocols like ftp, h.323,
sip, etc.
It is inspired by the pf(4) sticky feature as is. The general usage will be for
"skipto" forwarding rules as shown in the example below:

Network ASCII-ART:

Gateway1   Gateway2
   |                |
---------------- 192.168.1.0/24
        |
[Freebsd-ipfw]
        |
---------------- 192.168.3.0/24

ipfw.sh:
~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh
fwcmd="/sbin/ipfw"
pass="skipto 65535"

# sh assignments take no whitespace around "="
gateway_mac1="00:0e:2e:03:36:23"
gateway_mac2="00:0e:2e:03:37:23"
gateway1="192.168.1.2"
gateway2="192.168.1.1"

lan_network="192.168.3.0/24"
broken="20,21,1720,6667,4600-4700"

# CHECK STATES.
${fwcmd} add 100 check-state

# INCOMING TRAFFIC (keyed on the source MAC of the gateway it arrived from,
# so replies go back out through the same gateway)
${fwcmd} add 1100 skipto 10100 ip from any to any mac any ${gateway_mac1} \
    in recv rl0 keep-state
${fwcmd} add 1200 skipto 10200 ip from any to any mac any ${gateway_mac2} \
    in recv rl0 keep-state

# OUTGOING + NOT-YET-STATED PACKETS, BROKEN PROTOCOLS [LB 50%-50%]
# skipto targets are the fwd rules themselves: a target of 10101 would land
# on rule 10110 (plain pass) and the packet would never be forwarded
${fwcmd} add 2000 prob 0.5 skipto 10100 tcp from ${lan_network} to not ${lan_network} \
    dst-port ${broken} in recv rl1 keep-sticky
${fwcmd} add 2001 skipto 10200 tcp from ${lan_network} to not ${lan_network} \
    dst-port ${broken} in recv rl1 keep-sticky

# OUTGOING + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%]
${fwcmd} add 2100 prob 0.5 skipto 10100 ip from ${lan_network} to not ${lan_network} \
    in recv rl1 keep-state
${fwcmd} add 2101 skipto 10200 ip from ${lan_network} to not ${lan_network} \
    in recv rl1 keep-state

# DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER
${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not ${lan_network} \
    in recv rl1
${fwcmd} add 10110 ${pass} ip from any to any

# DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER
${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not ${lan_network} \
    in recv rl1
${fwcmd} add 10210 ${pass} ip from any to any

~~~~~~~~~~~~~~~~~~~~~~


The main difference between "keep-sticky" and "keep-state" is just relaxed state
matching, using only proto+(src_ip+dst_ip) and proto+reversed(src_ip+dst_ip), and not
(src_ip:src_port + dst_ip:dst_port) straight and reversed
(=keep-state/limit).

My question:
Has anyone already been working on such a feature?
Since "keep-sticky" is pretty easy to implement(*), are any of the
ipfw developers planning to add such a feature in the near future?


Thanks,
Chris.


(*)
1. TOK_KEEPSTICKY in /usr/src/sbin/ipfw/ipfw2.c,
   O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h,
   and copy the TOK_KEEPSTATE+O_KEEPSTATE code
   as a new case of cmd+rule argument.
2. Some changes in the "lookup_dyn_rule_locked" function of
   /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state
   match when "keep-sticky" is enabled.
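To make the difference between the two state keys concrete, here is an added example (not part of the original post or of ipfw) that models the dynamic-rule lookup in Python: the same FTP session is installed once with the exact keep-state key and once with the proposed relaxed keep-sticky key, and the follow-up packets (control reply, active- and passive-mode data connections, an unrelated host) are checked against each. All addresses, ports and the "via gateway1" action label are constructed.

```python
# Added example, not part of the original post or of ipfw: a toy model of the
# dynamic-rule lookup with the keep-state key beside the proposed keep-sticky key.
from typing import Dict, Optional, Tuple

Pkt = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)

def state_key(pkt: Pkt) -> tuple:
    """keep-state/limit key: proto + src_ip:src_port + dst_ip:dst_port."""
    return ("state",) + pkt

def sticky_key(pkt: Pkt) -> tuple:
    """keep-sticky key: proto + src_ip + dst_ip only, ports ignored."""
    return ("sticky", pkt[0], pkt[1], pkt[3])

def reverse(pkt: Pkt) -> Pkt:
    return (pkt[0], pkt[3], pkt[4], pkt[1], pkt[2])

class DynTable:
    """Dynamic rules: key -> action of the rule that installed the entry."""
    def __init__(self) -> None:
        self.entries: Dict[tuple, str] = {}

    def install(self, pkt: Pkt, action: str, sticky: bool) -> None:
        self.entries[(sticky_key if sticky else state_key)(pkt)] = action

    def check_state(self, pkt: Pkt) -> Optional[str]:
        # Like lookup_dyn_rule: try straight and reversed direction, consulting
        # exact 5-tuple entries before the relaxed 3-tuple ones.
        for key_fn in (state_key, sticky_key):
            for p in (pkt, reverse(pkt)):
                action = self.entries.get(key_fn(p))
                if action is not None:
                    return action
        return None

# Constructed FTP session: LAN client 192.168.3.10, server 203.0.113.5.
CTRL: Pkt = ("tcp", "192.168.3.10", 40000, "203.0.113.5", 21)
FOLLOWUPS: Dict[str, Pkt] = {
    "ctrl_reply":   ("tcp", "203.0.113.5", 21, "192.168.3.10", 40000),
    "active_data":  ("tcp", "203.0.113.5", 20, "192.168.3.10", 40001),  # server-opened
    "passive_data": ("tcp", "192.168.3.10", 40002, "203.0.113.5", 50000),
    "other_host":   ("tcp", "192.168.3.11", 40000, "203.0.113.5", 21),
}

def ftp_lookups(sticky: bool) -> Dict[str, Optional[str]]:
    """The balancing rule sent CTRL via gateway1; which follow-ups inherit that?"""
    t = DynTable()
    t.install(CTRL, "via gateway1", sticky)
    return {name: t.check_state(p) for name, p in FOLLOWUPS.items()}
```

With keep-state only the control reply finds the entry, so the data connections fall through to the probabilistic rule and may be sent out the other gateway; with keep-sticky every packet between the same host pair follows the control connection's choice, while another LAN host is still balanced independently.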