ipfw add skipto tablearg....
Ian Smith
smithi at nimnet.asn.au
Tue Aug 19 13:12:16 UTC 2008
On Thu, 31 Jul 2008, Julian Elischer wrote:
> looking in the code I noticed that the following command gave
> no error but didn't work..
>
>
> ipfw add 1000 skipto tablearg ip from any to table(31)
Content addressable branching is an elegant and useful idea, thanks for
making it work. A simple example in ipfw(8) might promote 'uptake'?
> and as I have a use for that, I implemented it..
MFC to 6 possible? likely? I know there's lots of other stuff that
hasn't / won't / can't be, but this one looked perhaps stand-alone ..
> see attached patch... (hopefully not stripped)
>
> Of course it is hoped that the rules you are skipping to are nearby
> as it iterates through the rules following the skipto to find the
> target,
Until $someone adds a direct skipto target jump at the virtual machine
code level - big recalc hit when adding/deleting rules/sets I suppose -
it's still the fastest way to get from a to b, where b > a
Speaking of which, should ipfw whinge when asked to skip backwards,
which it can't, confirmed on a recent browse re Mike's ipfw-classifyd
and a local test months ago.
> but....
> if you had a thousand table entries and wanted to sort them into
> 20 buckets, it could save you putting them into 20 different
> tables and doing 20 table lookups on them.
Or even just for quick basic traffic-splitting, bogon lists, whatever ..
> here I sort into two categories.. possibly already a win..
>
>
> julian at trafmon2:cat ipfw-test.sh
> #!/bin/sh
> ipfw add 100 skipto 10000 ip from any to not 1.1.1.0/24
> ipfw add 1000 skipto tablearg ip from any to "table(31)"
> ipfw add 2000 drop ip from any to any
> ipfw add 2001 drop ip from any to any
> ipfw add 3000 drop ip from any to any
> ipfw add 3001 drop ip from any to any
> ipfw add 10000 count ip from any to any
> ipfw table 31 add 1.1.1.1 2000
> ipfw table 31 add 1.1.1.2 3000
>
> julian at trafmon2: ping 1.1.1.1
> [...] (2 packets bounced)
> julian at trafmon2: ping 1.1.1.2
> [...] (12 packets bounced)
>
> julian at trafmon2: ipfw show
> 00100 220 19633 skipto 10000 ip from any to not 1.1.1.0/24
> 01000 14 1176 skipto tablearg ip from any to table(31)
> 02000 2 168 deny ip from any to any
> 02001 0 0 deny ip from any to any
> 03000 12 1008 deny ip from any to any
> 03001 0 0 deny ip from any to any
> 10000 209 18549 count ip from any to any
> 65535 1751 153792 allow ip from any to any
>
>
> comments?
I like it, FWIW.
> + if (tablearg != 0) {
> + rulenum = (u_int16_t)tablearg;
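Review bot: the `(u_int16_t)tablearg` cast on the second line truncates silently, so a table value above 65535 would not be rejected but would wrap modulo 65536 and become a different, valid-looking rule number to skip to; the `tablearg != 0` test on the first line only guards the zero case. Suggest a range check (reject or log when `tablearg > 65535`) before the assignment, or enforcing the bound where the table entry is added, so that a bad value can never turn into an unintended skipto target.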
Should we check that tablearg is < 64K before merrily casting?
cheers, Ian
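To make the semantics discussed in this thread concrete, here is a small model of the ipfw rule walk written for this archive page; it is not code from the thread or from FreeBSD. It reproduces Julian's test ruleset and table 31 as constructed data, implements skipto as "scan forward for the first rule numbered >= target" (which is why a backward target simply lands on the next rule), and contrasts Ian's requested bounds check with the bare 16-bit cast, which silently wraps a table value above 65535. The rule and table representation, and the handling of an empty rule tail, are assumptions of this model.

```python
import ipaddress

MAX_RULENUM = 65535  # ipfw rule numbers fit in 16 bits (u_int16_t in the patch)

# Constructed ruleset mirroring the test script in the thread.
# Each rule: (number, action, argument, destination matcher).
# Matcher forms: ("any",), ("not_net", network), ("table", table_number)
RULES = [
    (100,   "skipto", 10000,      ("not_net", ipaddress.ip_network("1.1.1.0/24"))),
    (1000,  "skipto", "tablearg", ("table", 31)),
    (2000,  "deny",   None,       ("any",)),
    (2001,  "deny",   None,       ("any",)),
    (3000,  "deny",   None,       ("any",)),
    (3001,  "deny",   None,       ("any",)),
    (10000, "count",  None,       ("any",)),
    (65535, "allow",  None,       ("any",)),
]

# Constructed table 31: address/prefix -> tablearg value (the skipto target)
TABLES = {31: [(ipaddress.ip_network("1.1.1.1/32"), 2000),
               (ipaddress.ip_network("1.1.1.2/32"), 3000)]}

def table_lookup(table, dst):
    """Longest-prefix match; returns the entry value or None on a miss."""
    best = None
    for net, value in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]

def tablearg_to_rulenum(tablearg, check=True):
    """Turn a table value into a skipto target.
    check=True is the bounds check Ian asks for; check=False reproduces
    the bare (u_int16_t) cast, which wraps values above 65535 silently."""
    if check:
        if not 1 <= tablearg <= MAX_RULENUM:
            raise ValueError("tablearg %d is not a valid rule number" % tablearg)
        return tablearg
    return tablearg & 0xFFFF

def next_index(rules, idx, target):
    """skipto as the thread describes it: scan forward from the rule after
    idx for the first rule numbered >= target. A target below the current
    rule therefore lands on the very next rule; ipfw cannot skip backwards."""
    for j in range(idx + 1, len(rules)):
        if rules[j][0] >= target:
            return j
    return len(rules)

def matches(matcher, dst, tables):
    """Return (hit, tablearg); tablearg is only set for table matches."""
    kind = matcher[0]
    if kind == "any":
        return True, None
    if kind == "not_net":
        return dst not in matcher[1], None
    if kind == "table":
        value = table_lookup(tables[matcher[1]], dst)
        return value is not None, value
    raise ValueError("unknown matcher %r" % (kind,))

def evaluate(rules, tables, dst_str, check=True):
    """Walk the ruleset for one packet to dst_str.
    Returns (final_action, rule_number, counters); counters maps rule
    number -> packets matched, like the first column of 'ipfw show'."""
    dst = ipaddress.ip_address(dst_str)
    counters = {num: 0 for num, _, _, _ in rules}
    i = 0
    while i < len(rules):
        num, action, arg, matcher = rules[i]
        hit, tablearg = matches(matcher, dst, tables)
        if not hit:
            i += 1
            continue
        counters[num] += 1
        if action in ("deny", "allow"):
            return action, num, counters
        if action == "count":
            i += 1
            continue
        if action == "skipto":
            target = tablearg_to_rulenum(tablearg, check) if arg == "tablearg" else arg
            i = next_index(rules, i, target)
            continue
        raise ValueError("unknown action %r" % (action,))
    return "allow", None, counters  # assumption: an empty tail behaves like the default rule

if __name__ == "__main__":
    for dst in ("1.1.1.1", "1.1.1.2", "8.8.8.8"):
        action, num, _ = evaluate(RULES, TABLES, dst)
        print("%-8s -> %s at rule %s" % (dst, action, num))
    print("70000 cast to 16 bits ->", tablearg_to_rulenum(70000, check=False))
```

Running the model against the three destinations reproduces the thread's `ipfw show` pattern: 1.1.1.1 is dropped at 2000, 1.1.1.2 at 3000, and everything else skips to the count rule and reaches the default allow. The last line shows why the bounds check matters: a table value of 70000 cast to 16 bits becomes 4464, a plausible rule number that nobody configured.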