[patch] ipfw packet tagging

Vadim Goncharov vadimnuclight at tpu.ru
Fri May 12 15:19:52 UTC 2006


12.05.06 at 20:53 Luigi Rizzo wrote:

>> > I've tried Andrey Elsukov's ipfw "tag/tagged" patches from:
>> > http://butcher.heavennet.ru/patches/kernel/ipfw_tags/
>> >
>> > Tested on 5.5-PRERELEASE production server with moderate
>> > load - rock stable [I've also looked through the code - patch
>> > is small, so there simply can't be any bugs there ;)].
>> >
>> > Personally I very much like the idea from Andrey's original letter
>>
>> I have tested on 6.1 and works fine too.
>>
>> Hope it gets committed. Very useful for altq/dummynet flexibility too.
>
> I would, however, like to have a bit more documentation in the patch,
> in particular:
>
> - a manpage patch describing how to use the thing, and also the
>   behaviour in odd situations (e.g. what happens when we try to tag
>   a packet multiple times? does the tag survive between the 'input'
>   and 'output' path of ipfw for routed packets, etc?).
>   I can look this up in the code, but the average user cannot,

I think it will always survive, but I am not sure; maybe it is better for you
to review the code and correct the description.

>   and the patch does not contain a single line of comment,
>   plus we generally want to have some textual description of the
>   behaviour (so we can RTFM), not just an implementation
>   without comments.

OK, Andrey is currently commenting the code and implementing the untag action,
and here is my patch for the manpage describing all this stuff:

--- ipfw.8.orig Fri May 12 21:09:14 2006
+++ ipfw.8      Fri May 12 22:08:42 2006
@@ -563,6 +563,30 @@
  Note: logging is done after all other packet matching conditions
  have been successfully verified, and before performing the final
  action (accept, deny, etc.) on the packet.
+.It Cm tag Ar number
+When a packet matches a rule with the
+.Cm tag
+keyword, the numeric tag for the given
+.Ar number
+in the range 0..65535 will be attached to the packet.
+The tag acts as an internal marker (it is not sent out over
+the wire) that can be used to identify these packets later on.
+This can be used, for example, to provide trust between interfaces
+and to start doing policy-based filtering.
+A packet can have mutiple tags at the same time.
+Tags are "sticky", meaning once a tag is applied to a packet by a
+matching rule it exists everywhere while packet is still in kernel
+until explicit removal or sending packet out to the network.
+To check for previously applied tags, use the
+.Cm tagged
+rule option.
+.It Cm untag Ar number
+When a packet matches a rule with the
+.Cm untag
+keyword, the tag with the number
+.Ar number
+is searched in the set of tags attached to
+this packet and, if found, removed from this set.
  .It Cm altq Ar queue
  When a packet matches a rule with the
  .Cm altq
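Review bot: the new `tag` text still leaves open the two behaviours Luigi asked about. "Tags are "sticky" ... until explicit removal or sending packet out to the network" asserts that a tag survives from the input to the output pass for routed packets, but the cover note itself says this is not certain; please verify against the code before documenting it as a guarantee, or word it as "until the packet leaves the kernel" only if that is what the implementation does. Likewise, nothing says what happens when a rule applies a tag number the packet already carries (duplicate entry, or no-op), and since "A packet can have mutiple tags at the same time", the `untag` paragraph should state whether it removes one instance or all instances of that number. Two smaller points: "mutiple" should be "multiple", and the stated range "0..65535" should be checked against what the parser actually accepts for both `tag` and `tagged`, in particular whether 0 is a legal tag value or is reserved.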
@@ -1257,6 +1281,15 @@
  .It Cm src-port Ar ports
  Matches IP packets whose source port is one of the port(s)
  specified as argument.
+.It Cm tagged Ar number
+Match if packet has a tag with number
+.Ar number .
+Tags can be applied to the packet using
+.Cm tag
+rule action parameter or set somewhere in another part of the kernel
+network subsytem using
+.Xr mbuf_tags 9
+facility.
  .It Cm tcpack Ar ack
  TCP packets only.
  Match if the TCP header acknowledgment number field is set to
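Review bot: the `tagged` description says a matching tag may be "set somewhere in another part of the kernel network subsytem using .Xr mbuf_tags 9", which a reader will take to mean that any mbuf tag set by any subsystem is matched by number. mbuf_tags(9) tags are identified by a cookie and a type, so the text should say which tags `tagged` actually inspects (only those ipfw itself attaches, or tags from other subsystems as well) and what the number is compared against; otherwise users may build rules that never match. Also "subsytem" should be "subsystem", and "Match if packet has a tag with number" reads better as "Match if the packet has a tag with the number".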


-- 
WBR, Vadim Goncharov
