kern/189720: pps action for ipfw

bycn82 bycn82 at gmail.com
Tue May 13 03:00:01 UTC 2014


The following reply was made to PR kern/189720; it has been noted by GNATS.

From: bycn82 <bycn82 at gmail.com>
To: bug-followup at FreeBSD.org, bycn82 at gmail.com
Cc:  
Subject: Re: kern/189720: pps action for ipfw
Date: Tue, 13 May 2014 10:54:47 +0800

 This is a multi-part message in MIME format.
 --------------060500040406000407020409
 Content-Type: multipart/alternative;
  boundary="------------070308050506000908020500"
 
 
 --------------070308050506000908020500
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 
 1. Clean up some gratuitous white-space.
 2. Widen `count` and `duration` to uint32.
 
 --------------070308050506000908020500
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 
 <html>
   <head>
 
     <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
   </head>
   <body bgcolor="#FFFFFF" text="#000000">
     <font face="Calibri">1.Clean some gratuitous white-space.<br>
       2.Increase `count` and `duration` to uint32. <br>
     </font>
   </body>
 </html>
 
 --------------070308050506000908020500--
 
 --------------060500040406000407020409
 Content-Type: text/plain;
  name="pps.patch2.txt"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
  filename="pps.patch2.txt"
 
 Index: sbin/ipfw/ipfw.8
 ===================================================================
 --- sbin/ipfw/ipfw.8	(revision 265941)
 +++ sbin/ipfw/ipfw.8	(working copy)
 @@ -603,6 +603,14 @@
  Note: logging is done after all other packet matching conditions
  have been successfully verified, and before performing the final
  action (accept, deny, etc.) on the packet.
 +.It Cm pps Ar limit duration
 +Rule with the 
 +.Cm pps
 +keyword will allow the first
 +.Ar limit
 +packets in recent 
 +.Ar duration 
 +milliseconds
  .It Cm tag Ar number
  When a packet matches a rule with the
  .Cm tag
 Index: sbin/ipfw/ipfw2.c
 ===================================================================
 --- sbin/ipfw/ipfw2.c	(revision 265941)
 +++ sbin/ipfw/ipfw2.c	(working copy)
 @@ -244,6 +244,7 @@
  	{ "allow",		TOK_ACCEPT },
  	{ "permit",		TOK_ACCEPT },
  	{ "count",		TOK_COUNT },
 +	{ "pps",		TOK_PPS },
  	{ "pipe",		TOK_PIPE },
  	{ "queue",		TOK_QUEUE },
  	{ "divert",		TOK_DIVERT },
 @@ -1232,6 +1233,13 @@
  			PRINT_UINT_ARG("skipto ", cmd->arg1);
  			break;
  
 +		case O_PPS:
 +			{
 +			ipfw_insn_pps *pps=(ipfw_insn_pps *)cmd;
 +			printf("pps %d %d",cmd->arg1,pps->duration);
 +			break;			
 +			}
 +
  		case O_PIPE:
  			PRINT_UINT_ARG("pipe ", cmd->arg1);
  			break;
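Review bot: The `printf` in the new `O_PPS` case prints both values with `%d`, but `pps->duration` is declared `uint32_t` in this patch and `cmd->arg1` is printed as unsigned by the neighbouring `PRINT_UINT_ARG` cases. A duration above INT_MAX would be listed as a negative number, and the listed rule could then not be fed back to `ipfw` unchanged. Use unsigned conversions, `printf("pps %u %u", cmd->arg1, pps->duration);`. The `break;` line in this case still carries trailing tabs, which the description says were being cleaned up.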
 @@ -2986,6 +2994,24 @@
  		action->opcode = O_COUNT;
  		break;
  
 +	case TOK_PPS:
 +		action->opcode = O_PPS;
 +		ipfw_insn_pps *p = (ipfw_insn_pps *)action;
 +		action->len = F_INSN_SIZE(ipfw_insn_pps);
 +		if (isdigit(**av)) {
 +			action->arg1 = strtoul(*av, NULL, 10);
 +			av++;
 +		}else{
 +			errx(EX_USAGE, "illegal argument pps `limit` %s", *av);
 +		}
 +		if (isdigit(**av)) {
 +			p->duration = strtoul(*av, NULL, 10);
 +			av++;
 +		}else{
 +			errx(EX_USAGE,"illegal arugment pps `duration` %s", *av);
 +		}
 +		break;	
 +
  	case TOK_NAT:
  		action->opcode = O_NAT;
  		action->len = F_INSN_SIZE(ipfw_insn_nat);
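Review bot: Both `isdigit(**av)` tests in the `TOK_PPS` case dereference `*av` without checking it for NULL, so a rule that ends after `pps` or after the limit reads through a null pointer instead of reaching `errx`. `strtoul(*av, NULL, 10)` also accepts trailing characters, and its result is stored unchecked into `action->arg1`, which as far as I know is a 16-bit field; a limit above 65535 would be silently truncated, so the installed rate limit would differ from what the administrator typed. The description says `count` was widened to uint32, but the limit it is compared against still travels in `arg1`. A sketch for the limit is below, and `duration` needs the same checks; the second message also misspells "argument" as "arugment". The enclosing switch starts and ends outside the hunk.

```c
	case TOK_PPS: {
		ipfw_insn_pps *p = (ipfw_insn_pps *)action;
		char *end;
		unsigned long v;

		action->opcode = O_PPS;
		action->len = F_INSN_SIZE(ipfw_insn_pps);
		if (*av == NULL || !isdigit((unsigned char)**av))
			errx(EX_USAGE, "pps: missing or illegal `limit`");
		v = strtoul(*av, &end, 10);
		if (*end != '\0' || v > UINT16_MAX)
			errx(EX_USAGE, "pps: `limit` out of range: %s", *av);
		action->arg1 = (uint16_t)v;
		av++;
		/* ... same NULL, trailing-character and range checks for `duration`, bounded by UINT32_MAX, stored in p->duration ... */
		break;
	}
```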
 Index: sbin/ipfw/ipfw2.h
 ===================================================================
 --- sbin/ipfw/ipfw2.h	(revision 265941)
 +++ sbin/ipfw/ipfw2.h	(working copy)
 @@ -92,6 +92,7 @@
  	TOK_NGTEE,
  	TOK_FORWARD,
  	TOK_SKIPTO,
 +	TOK_PPS,
  	TOK_DENY,
  	TOK_REJECT,
  	TOK_RESET,
 Index: sys/netinet/ip_fw.h
 ===================================================================
 --- sys/netinet/ip_fw.h	(revision 265941)
 +++ sys/netinet/ip_fw.h	(working copy)
 @@ -165,6 +165,7 @@
  	O_REJECT,		/* arg1=icmp arg (same as deny)	*/
  	O_COUNT,		/* none				*/
  	O_SKIPTO,		/* arg1=next rule number	*/
 +	O_PPS,			/* arg1=limit, pps->duration */
  	O_PIPE,			/* arg1=pipe number		*/
  	O_QUEUE,		/* arg1=queue number		*/
  	O_DIVERT,		/* arg1=port number		*/
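Review bot: Inserting `O_PPS` between `O_SKIPTO` and `O_PIPE` renumbers every opcode that follows it. An `ipfw` binary and a kernel built on different sides of this change would then disagree about `O_PIPE`, `O_QUEUE`, `O_DIVERT` and the rest, and a ruleset could be installed with actions other than the ones written. Appending the new opcode at the end of the enum keeps the existing values stable; the end of the enum is outside this hunk, so the exact position needs checking there. The comment could also name the unit of the window, along the lines of `/* arg1=limit, pps->duration=window length */` with the unit spelled out.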
 @@ -378,6 +379,16 @@
  } ipfw_insn_log;
  
  /*
 + *	This is used for PPS
 + */
 +typedef struct _ipfw_insn_pps{
 +	ipfw_insn o;
 +	uint32_t start_time;
 +	uint32_t count;
 +	uint32_t duration;
 +} ipfw_insn_pps;
 +
 +/*
   * Data structures required by both ipfw(8) and ipfw(4) but not part of the
   * management API are protected by IPFW_INTERNAL.
   */
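Review bot: The comment above `ipfw_insn_pps` ("This is used for PPS") does not say which fields are configuration and which are kernel scratch state. Judging by the ip_fw2.c hunk of this patch, `duration` is set by ipfw(8) while `start_time` and `count` are rewritten on matching packets. I would document that, e.g. `/* pps action: o.arg1 = packet limit, duration = window length (from userland); start_time and count are run-time state owned by the kernel */`, and state the unit of `duration` and `start_time`. Because the mutable state sits inside the instruction itself, it presumably also travels with the rule when rules are listed or re-added, which is worth a sentence so nobody treats those two fields as configuration.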
 Index: sys/netpfil/ipfw/ip_fw2.c
 ===================================================================
 --- sys/netpfil/ipfw/ip_fw2.c	(revision 265941)
 +++ sys/netpfil/ipfw/ip_fw2.c	(working copy)
 @@ -2180,6 +2180,24 @@
  			    continue;
  			    break;	/* not reached */
  
 +			case O_PPS:{
 +				ipfw_insn_pps *pps = (ipfw_insn_pps *)cmd;
 +				if(pps->start_time+pps->duration >= ticks){
 +					if(pps->count < cmd->arg1){
 +						retval = IP_FW_PASS;
 +					}else{
 +						retval = IP_FW_DENY;
 +					}
 +					pps->count++;
 +				}else{
 +					pps->start_time=ticks;
 +					pps->count=1;
 +					retval = IP_FW_PASS;
 +				}
 +				l = 0;		
 +				done = 1;
 +				break;	
 +			}
  			case O_CALLRETURN: {
  				/*
  				 * Implementation of `subroutine' call/return,
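Review bot: The window test `pps->start_time+pps->duration >= ticks` in the `O_PPS` case is not wrap-safe. The 32-bit sum can overflow, in which case the window resets on each packet and everything passes; and `ticks` itself wraps, in which case the window can stay open with `count` above the limit and everything is denied until `ticks` catches up. Comparing elapsed time avoids both: `if ((uint32_t)ticks - pps->start_time <= pps->duration) {`. The value is also compared to `ticks` directly while the ipfw.8 hunk documents `duration` as milliseconds, which only holds when hz is 1000, so either convert when the rule is installed or correct the man page. Finally, `count` and `start_time` are updated with plain loads and stores; if this path can run on several CPUs for the same rule (the locking is outside the hunk), the limiter will admit more than `limit` packets under load, so atomics or per-rule locking deserve a look.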
 Index: sys/netpfil/ipfw/ip_fw_sockopt.c
 ===================================================================
 --- sys/netpfil/ipfw/ip_fw_sockopt.c	(revision 265941)
 +++ sys/netpfil/ipfw/ip_fw_sockopt.c	(working copy)
 @@ -703,6 +703,12 @@
  				goto bad_size;
  			break;
  
 +		case O_PPS:
 +			have_action=1;
 +			if (cmdlen != F_INSN_SIZE(ipfw_insn_pps))
 +				goto bad_size;
 +			break;
 +
  		case O_PIPE:
  		case O_QUEUE:
  			if (cmdlen != F_INSN_SIZE(ipfw_insn))
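Review bot: The new `O_PPS` case validates only the instruction length, so whatever the caller placed in `start_time` and `count` becomes the limiter's initial state, and a `duration` or limit of 0 is accepted. Rule installation is presumably restricted to privileged callers, so the exposure is small, but a restored or hand-built ruleset could start with a stale counter and then deny or pass traffic unexpectedly. Rejecting `duration == 0` here and zeroing the two run-time fields where the rule is installed would make the starting state deterministic. On style, `have_action=1;` should have spaces around `=`. The enclosing switch starts and ends outside the hunk.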
 
 --------------060500040406000407020409--

