kern/80642: IPFW small patch - new RULE OPTION

Andrey V. Elsukov bu7cher at yandex.ru
Wed May 4 23:10:03 PDT 2005


>Number:         80642
>Category:       kern
>Synopsis:       IPFW small patch - new RULE OPTION
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 05 06:10:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Andrey V. Elsukov
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
	RELENG_5
>Description:
This is small patch for IPFW.
The patch adds a new rule option, bound, which takes a value. Rules with this option match while the rule's byte counter is below the specified bound value. Example:

ipfw add 100 allow ip from any to A.B.C.D in recv Ext_Interface bound 1000000
ipfw add 200 deny ip from any to A.B.C.D

While the byte counter is below 1000000, rule 100 matches.
>How-To-Repeat:
>Fix:


--- ipfw_bound.diff begins here ---
--- sys/netinet/ip_fw.h.orig	Tue Feb  1 02:26:35 2005
+++ sys/netinet/ip_fw.h	Tue May  3 22:38:07 2005
@@ -78,6 +78,7 @@
 	O_RECV,			/* none				*/
 	O_XMIT,			/* none				*/
 	O_VIA,			/* none				*/
+	O_BOUND,		/* u64 = bound in bytes */
 
 	O_IPOPT,		/* arg1 = 2*u8 bitmap		*/
 	O_IPLEN,		/* arg1 = len			*/
@@ -198,6 +199,14 @@
 	ipfw_insn o;
 	u_int32_t d[1];	/* one or more */
 } ipfw_insn_u32;
+
+/*
+ * This is used to store 64-bit bound value.
+ */
+typedef struct	_ipfw_insn_u64 {
+	ipfw_insn o;
+	u_int64_t bound;
+} ipfw_insn_u64;
 
 /*
  * This is used to store IP addr-mask pairs.
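Review bot: Placing a `u_int64_t bound` directly after the 4-byte `ipfw_insn` header gives `ipfw_insn_u64` an ABI-dependent layout: where u_int64_t is 8-byte aligned (amd64) the compiler inserts 4 bytes of padding and the struct is 16 bytes, on i386 it is 12, so F_INSN_SIZE differs per ABI. If the instruction stream is laid out in 32-bit words, as F_INSN_SIZE's use with ipfw_insn_u32 suggests, a `cmd` pointer is only guaranteed 4-byte alignment and reading `->bound` through the cast in ip_fw2.c is a potentially misaligned 64-bit access on strict targets. The existing formats avoid this by using u_int32_t members; `u_int32_t bound[2]; /* low word, high word */` assembled with shifts at the two use sites keeps the layout and size identical everywhere.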

--- sys/netinet/ip_fw2.c.orig	Sun Feb  6 19:16:20 2005
+++ sys/netinet/ip_fw2.c	Tue May  3 22:22:04 2005
@@ -2294,6 +2294,9 @@
 				/* otherwise no match */
 				break;
 
+			case O_BOUND:
+				match = (f->bcnt < ((ipfw_insn_u64 *)cmd)->bound);
+				break;
 			/*
 			 * The second set of opcodes represents 'actions',
 			 * i.e. the terminal part of a rule once the packet
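Review bot: The comparison on the new `O_BOUND` line reads `f->bcnt` before the current packet is accounted, so if the counter is bumped where the rule's action is applied (outside this hunk) the packet that carries the counter past the bound still matches, and the bound applies to the rule as a whole rather than per flow. That is defensible but should be written down, e.g. `/* match while this rule's byte counter is below the bound; the crossing packet still matches */`. Anything that clears the rule's counters (`ipfw zero`) also re-enables the rule, which the manual page entry should state. The enclosing function continues on both sides of the hunk.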
@@ -2939,6 +2942,11 @@
 			if (cmdlen != F_INSN_SIZE(ipfw_insn_u32))
 				goto bad_size;
 			break;
+
+		case O_BOUND:
+			if (cmdlen != F_INSN_SIZE(ipfw_insn_u64))
+				goto bad_size;
+			break;	
 
 		case O_LIMIT:
 			if (cmdlen != F_INSN_SIZE(ipfw_insn_limit))
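Review bot: The new `break;` in the O_BOUND case carries a trailing tab that the neighbouring cases do not have; strip it. Checking only the instruction length accepts `bound 0`, which installs a rule that can never match because `bcnt < 0` is never true; if that is not intended as a way to disable a rule, this validation function is the place to reject a zero bound with the same error the function returns for other invalid operands. The enclosing function starts and ends outside the hunk.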

--- sbin/ipfw/ipfw2.c.orig	Tue Jan 25 10:23:34 2005
+++ sbin/ipfw/ipfw2.c	Tue May  3 22:56:41 2005
@@ -236,6 +236,7 @@
 	TOK_ANTISPOOF,
 	TOK_IPSEC,
 	TOK_COMMENT,
+	TOK_BOUND,
 
 	TOK_PLR,
 	TOK_NOERROR,
@@ -351,6 +352,7 @@
 	{ "antispoof",		TOK_ANTISPOOF },
 	{ "ipsec",		TOK_IPSEC },
 	{ "//",			TOK_COMMENT },
+	{ "bound",		TOK_BOUND },
 
 	{ "not",		TOK_NOT },		/* pseudo option */
 	{ "!", /* escape ? */	TOK_NOT },		/* pseudo option */
@@ -1198,6 +1200,9 @@
 
 				break;
 			    }
+			case O_BOUND:
+				printf(" bound %u", ((ipfw_insn_u64 *)cmd)->bound);
+				break;
 			case O_IPID:
 				if (F_LEN(cmd) == 1)
 				    printf(" ipid %u", cmd->arg1 );
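Review bot: `%u` with a `u_int64_t` argument in the new O_BOUND printf is undefined behaviour and on i386 consumes only one 32-bit half of the value, so `ipfw show` misreports the bound; use a matching conversion, `printf(" bound %llu", (unsigned long long)((ipfw_insn_u64 *)cmd)->bound);`. The cast also keeps the format correct on ABIs where u_int64_t is `unsigned long`.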
@@ -1917,7 +1922,7 @@
 "	ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n"
 "	mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n"
 "	setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n"
-"	verrevpath | versrcreach | antispoof\n"
+"	bound VALUE | verrevpath | versrcreach | antispoof\n"
 );
 exit(0);
 }
@@ -3220,6 +3225,14 @@
 				cmd->opcode = O_RECV;
 			else if (i == TOK_VIA)
 				cmd->opcode = O_VIA;
+			break;
+
+		case TOK_BOUND:
+			NEED1("bound requires numeric value");
+            cmd->opcode = O_BOUND;
+			((ipfw_insn_u64 *)cmd)->bound = strtoull(*av, NULL, 0);
+            cmd->len |= F_INSN_SIZE(ipfw_insn_u64);
+            ac--; av++;
 			break;
 
 		case TOK_ICMPTYPES:
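Review bot: `strtoull(*av, NULL, 0)` accepts any string, so `bound abc` or `bound 10x` silently installs a bound of 0 (a rule that never matches) or a truncated value instead of reporting an error; validate with an end pointer and errno as below, reporting through the file's usual `errx(EX_DATAERR, ...)` (add `<errno.h>` if it is not already included). The three lines setting `opcode` and `len` and advancing `av` are indented with spaces while the rest of the switch uses tabs. The enclosing switch and function continue outside the hunk.
```c
		case TOK_BOUND: {
			char *end;

			NEED1("bound requires numeric value");
			cmd->opcode = O_BOUND;
			errno = 0;
			((ipfw_insn_u64 *)cmd)->bound = strtoull(*av, &end, 0);
			if (end == *av || *end != '\0' || errno == ERANGE)
				errx(EX_DATAERR, "bound: invalid value \"%s\"", *av);
			cmd->len |= F_INSN_SIZE(ipfw_insn_u64);
			ac--; av++;
			break;
		}
```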

--- sbin/ipfw/ipfw.8.orig	Wed Mar  2 22:50:11 2005
+++ sbin/ipfw/ipfw.8	Wed May  4 19:23:13 2005
@@ -920,6 +920,8 @@
 .It Cm bridged
 Alias for
 .Cm layer2 .
+.It Cm bound Ar value
+Matches while bytes counter below bound value.
 .It Cm dst-ip Ar ip-address
 Matches IP packets whose destination IP is one of the address(es)
 specified as argument.
--- ipfw_bound.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

