kern/80642: IPFW small patch - new RULE OPTION

Robert Watson rwatson at FreeBSD.org
Sun May 15 05:30:10 GMT 2005


The following reply was made to PR kern/80642; it has been noted by GNATS.

From: Robert Watson <rwatson at FreeBSD.org>
To: FreeBSD-gnats-submit at FreeBSD.org
Cc:  
Subject: Re: kern/80642: IPFW small patch - new RULE OPTION
Date: Sun, 15 May 2005 06:30:20 +0100 (BST)

 This patch breaks the ABI by inserting a new type into an implicitly 
 numbered enumeration, renumbering all entries later in the enum. 
 O_BOUND, if added, should be appended to the end, and/or we should number 
 the operations explicitly.
 
 Robert N M Watson
 
 On Thu, 5 May 2005, Andrey V. Elsukov wrote:
 
 >
 >> Number:         80642
 >> Category:       kern
 >> Synopsis:       IPFW small patch - new RULE OPTION
 >> Confidential:   no
 >> Severity:       non-critical
 >> Priority:       low
 >> Responsible:    freebsd-bugs
 >> State:          open
 >> Quarter:
 >> Keywords:
 >> Date-Required:
 >> Class:          change-request
 >> Submitter-Id:   current-users
 >> Arrival-Date:   Thu May 05 06:10:02 GMT 2005
 >> Closed-Date:
 >> Last-Modified:
 >> Originator:     Andrey V. Elsukov
 >> Release:        FreeBSD 5.4-STABLE i386
 >> Organization:
 >> Environment:
 > 	RELENG_5
 >> Description:
 > This is a small patch for IPFW.
 > The patch adds a new rule option, a bound value. Rules with this option match while the rule's bytes counter is below the specified bound value. Example:
 >
 > ipfw add 100 allow ip from any to A.B.C.D in recv Ext_Interface bound 1000000
 > ipfw add 200 deny ip from any to A.B.C.D
 >
 > While the bytes counter is below 1000000, rule 100 matches.
 >> How-To-Repeat:
 >> Fix:
 >
 >
 > --- ipfw_bound.diff begins here ---
 > --- sys/netinet/ip_fw.h.orig	Tue Feb  1 02:26:35 2005
 > +++ sys/netinet/ip_fw.h	Tue May  3 22:38:07 2005
 > @@ -78,6 +78,7 @@
 > 	O_RECV,			/* none				*/
 > 	O_XMIT,			/* none				*/
 > 	O_VIA,			/* none				*/
 > +	O_BOUND,		/* u64 = bound in bytes */
 >
 > 	O_IPOPT,		/* arg1 = 2*u8 bitmap		*/
 > 	O_IPLEN,		/* arg1 = len			*/
 > @@ -198,6 +199,14 @@
 > 	ipfw_insn o;
 > 	u_int32_t d[1];	/* one or more */
 > } ipfw_insn_u32;
 > +
 > +/*
 > + * This is used to store 64-bit bound value.
 > + */
 > +typedef struct	_ipfw_insn_u64 {
 > +	ipfw_insn o;
 > +	u_int64_t bound;
 > +} ipfw_insn_u64;
 >
 > /*
 >  * This is used to store IP addr-mask pairs.
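Review bot: ipfw_insn_u64 puts a u_int64_t directly behind the ipfw_insn header, so on ABIs that align 64-bit integers to 8 bytes the struct is padded and `bound` can sit on a 4-byte boundary, while the neighbouring ipfw_insn_u32 (`u_int32_t d[1]`) suggests the instruction stream is addressed in 32-bit words. The casted accesses in the ip_fw2.c match hunk, the ipfw2.c print hunk and the ipfw2.c parser hunk would then be unaligned 64-bit loads/stores, which fault on strict-alignment architectures, and sizeof(ipfw_insn_u64) — hence F_INSN_SIZE — would differ between 32-bit and 64-bit ABIs; I would confirm this against the rule buffer's alignment. A layout-neutral form is to store the value as two 32-bit words, `u_int32_t bound[2];	/* 64-bit bound in bytes, split in 32-bit words */`, and assemble it with shifts or memcpy at the access sites.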
 >
 > --- sys/netinet/ip_fw2.c.orig	Sun Feb  6 19:16:20 2005
 > +++ sys/netinet/ip_fw2.c	Tue May  3 22:22:04 2005
 > @@ -2294,6 +2294,9 @@
 > 				/* otherwise no match */
 > 				break;
 >
 > +			case O_BOUND:
 > +				match = (f->bcnt < ((ipfw_insn_u64 *)cmd)->bound);
 > +				break;
 > 			/*
 > 			 * The second set of opcodes represents 'actions',
 > 			 * i.e. the terminal part of a rule once the packet
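Review bot: The comparison `match = (f->bcnt < ((ipfw_insn_u64 *)cmd)->bound);` tests the counter before the current packet is accounted, so the packet that crosses the bound is still matched and the counter can end one packet above it; if a hard limit is intended, the current packet's length has to be added on the left-hand side. Because f->bcnt is the ordinary per-rule statistic, any counter reset (for example `ipfw zero`) re-arms the rule, which makes this a soft quota tied to the stats counter rather than a fixed byte budget; that is worth stating next to the case, e.g. `/* soft quota: compares the rule's byte statistic, so a counter reset re-arms it */`, and in the ipfw.8 entry. The enclosing switch of the match loop starts and ends outside the hunk.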
 > @@ -2939,6 +2942,11 @@
 > 			if (cmdlen != F_INSN_SIZE(ipfw_insn_u32))
 > 				goto bad_size;
 > 			break;
 > +
 > +		case O_BOUND:
 > +			if (cmdlen != F_INSN_SIZE(ipfw_insn_u64))
 > +				goto bad_size;
 > +			break;
 >
 > 		case O_LIMIT:
 > 			if (cmdlen != F_INSN_SIZE(ipfw_insn_limit))
 >
 > --- sbin/ipfw/ipfw2.c.orig	Tue Jan 25 10:23:34 2005
 > +++ sbin/ipfw/ipfw2.c	Tue May  3 22:56:41 2005
 > @@ -236,6 +236,7 @@
 > 	TOK_ANTISPOOF,
 > 	TOK_IPSEC,
 > 	TOK_COMMENT,
 > +	TOK_BOUND,
 >
 > 	TOK_PLR,
 > 	TOK_NOERROR,
 > @@ -351,6 +352,7 @@
 > 	{ "antispoof",		TOK_ANTISPOOF },
 > 	{ "ipsec",		TOK_IPSEC },
 > 	{ "//",			TOK_COMMENT },
 > +	{ "bound",		TOK_BOUND },
 >
 > 	{ "not",		TOK_NOT },		/* pseudo option */
 > 	{ "!", /* escape ? */	TOK_NOT },		/* pseudo option */
 > @@ -1198,6 +1200,9 @@
 >
 > 				break;
 > 			    }
 > +			case O_BOUND:
 > +				printf(" bound %u", ((ipfw_insn_u64 *)cmd)->bound);
 > +				break;
 > 			case O_IPID:
 > 				if (F_LEN(cmd) == 1)
 > 				    printf(" ipid %u", cmd->arg1 );
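Review bot: `printf(" bound %u", ((ipfw_insn_u64 *)cmd)->bound);` passes a u_int64_t for a `%u` conversion, which is undefined behaviour and in practice prints a truncated or garbage value, so `ipfw show` misreports the configured bound. Print it through uintmax_t instead: `printf(" bound %ju", (uintmax_t)((ipfw_insn_u64 *)cmd)->bound);`. Building with -Wformat would have flagged this line.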
 > @@ -1917,7 +1922,7 @@
 > "	ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n"
 > "	mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n"
 > "	setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n"
 > -"	verrevpath | versrcreach | antispoof\n"
 > +"	bound VALUE | verrevpath | versrcreach | antispoof\n"
 > );
 > exit(0);
 > }
 > @@ -3220,6 +3225,14 @@
 > 				cmd->opcode = O_RECV;
 > 			else if (i == TOK_VIA)
 > 				cmd->opcode = O_VIA;
 > +			break;
 > +
 > +		case TOK_BOUND:
 > +			NEED1("bound requires numeric value");
 > +            cmd->opcode = O_BOUND;
 > +			((ipfw_insn_u64 *)cmd)->bound = strtoull(*av, NULL, 0);
 > +            cmd->len |= F_INSN_SIZE(ipfw_insn_u64);
 > +            ac--; av++;
 > 			break;
 >
 > 		case TOK_ICMPTYPES:
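Review bot: `strtoull(*av, NULL, 0)` is called without an end pointer or errno check, so a non-numeric argument such as `bound 1x` silently yields 0 (a rule that never matches) and an out-of-range value silently becomes ULLONG_MAX (a rule that always matches); the parser should reject both with the errx(EX_DATAERR, ...) idiom the rest of ipfw2.c uses for bad arguments. The new lines also mix space and tab indentation, unlike the surrounding tab-indented cases. The enclosing switch continues outside the hunk.
```c
		case TOK_BOUND: {
			char *end;
			unsigned long long bound;

			NEED1("bound requires numeric value");
			errno = 0;
			bound = strtoull(*av, &end, 0);
			/* reject trailing garbage, empty input and overflow */
			if (end == *av || *end != '\0' || errno == ERANGE)
				errx(EX_DATAERR, "invalid bound value: %s", *av);
			cmd->opcode = O_BOUND;
			((ipfw_insn_u64 *)cmd)->bound = bound;
			cmd->len |= F_INSN_SIZE(ipfw_insn_u64);
			ac--; av++;
			break;
		}
```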
 >
 > --- sbin/ipfw/ipfw.8.orig	Wed Mar  2 22:50:11 2005
 > +++ sbin/ipfw/ipfw.8	Wed May  4 19:23:13 2005
 > @@ -920,6 +920,8 @@
 > .It Cm bridged
 > Alias for
 > .Cm layer2 .
 > +.It Cm bound Ar value
 > +Matches while bytes counter below bound value.
 > .It Cm dst-ip Ar ip-address
 > Matches IP packets whose destination IP is one of the address(es)
 > specified as argument.
 > --- ipfw_bound.diff ends here ---
 >
 >
 >> Release-Note:
 >> Audit-Trail:
 >> Unformatted:
