kern/189720: [ipfw] [patch] pps action for ipfw
bycn82
bycn82 at gmail.com
Fri May 30 17:00:01 UTC 2014
The following reply was made to PR kern/189720; it has been noted by GNATS.
From: "bycn82" <bycn82 at gmail.com>
To: <bug-followup at FreeBSD.org>,
<bycn82 at gmail.com>
Cc: "Luigi Rizzo" <rizzo at iet.unipi.it>
Subject: Re: kern/189720: [ipfw] [patch] pps action for ipfw
Date: Sat, 31 May 2014 00:53:56 +0800
This is a multipart message in MIME format.
------=_NextPart_000_0002_01CF7C6A.CF4B9B50
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0003_01CF7C6A.CF4B9B50"
------=_NextPart_001_0003_01CF7C6A.CF4B9B50
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: 7bit
1. Add static int to store the value of kern.hz
2. Convert the duration into number of ticks based on kern.hz
regards,
bycn82
------=_NextPart_001_0003_01CF7C6A.CF4B9B50--
------=_NextPart_000_0002_01CF7C6A.CF4B9B50
Content-Type: application/octet-stream;
name="pps.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="pps.patch"
Index: sbin/ipfw/ipfw.8=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- sbin/ipfw/ipfw.8 (revision 266886)=0A=
+++ sbin/ipfw/ipfw.8 (working copy)=0A=
@@ -602,6 +602,14 @@=0A=
Note: logging is done after all other packet matching conditions=0A=
have been successfully verified, and before performing the final=0A=
action (accept, deny, etc.) on the packet.=0A=
+.It Cm pps Ar limit duration=0A=
+Rule with the =0A=
+.Cm pps=0A=
+keyword will allow the first=0A=
+.Ar limit=0A=
+packets in recent =0A=
+.Ar duration =0A=
+milliseconds=0A=
.It Cm tag Ar number=0A=
When a packet matches a rule with the=0A=
.Cm tag=0A=
Index: sbin/ipfw/ipfw2.c=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- sbin/ipfw/ipfw2.c (revision 266886)=0A=
+++ sbin/ipfw/ipfw2.c (working copy)=0A=
@@ -244,6 +244,7 @@=0A=
{ "allow", TOK_ACCEPT },=0A=
{ "permit", TOK_ACCEPT },=0A=
{ "count", TOK_COUNT },=0A=
+ { "pps", TOK_PPS },=0A=
{ "pipe", TOK_PIPE },=0A=
{ "queue", TOK_QUEUE },=0A=
{ "divert", TOK_DIVERT },=0A=
@@ -1232,6 +1233,13 @@=0A=
PRINT_UINT_ARG("skipto ", cmd->arg1);=0A=
break;=0A=
=0A=
+ case O_PPS:=0A=
+ {=0A=
+ ipfw_insn_pps *pps=3D(ipfw_insn_pps *)cmd;=0A=
+ printf("pps %d %d",cmd->arg1,pps->duration);=0A=
+ break; =0A=
+ }=0A=
+=0A=
case O_PIPE:=0A=
PRINT_UINT_ARG("pipe ", cmd->arg1);=0A=
break;=0A=
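Review bot: `printf("pps %d %d",cmd->arg1,pps->duration)` prints `duration` with `%d`, although the ip_fw.h part of this patch declares it `uint32_t`, so a large window shows up as a negative number in rule listings. I would use `printf("pps %d %u", cmd->arg1, pps->duration);` so that what is listed is what was configured. The enclosing switch starts and ends outside the hunk.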
@@ -2985,6 +2993,24 @@=0A=
case TOK_COUNT:=0A=
action->opcode =3D O_COUNT;=0A=
break;=0A=
+ =0A=
+ case TOK_PPS:=0A=
+ action->opcode =3D O_PPS;=0A=
+ ipfw_insn_pps *p =3D (ipfw_insn_pps *)action;=0A=
+ action->len =3D F_INSN_SIZE(ipfw_insn_pps);=0A=
+ if (isdigit(**av)) {=0A=
+ action->arg1 =3D strtoul(*av, NULL, 10);=0A=
+ av++;=0A=
+ }else{=0A=
+ errx(EX_USAGE, "illegal argument pps `limit` %s", *av);=0A=
+ }=0A=
+ if (isdigit(**av)) {=0A=
+ p->duration =3D strtoul(*av, NULL, 10);=0A=
+ av++;=0A=
+ }else{=0A=
+ errx(EX_USAGE,"illegal arugment pps `duration` %s", *av);=0A=
+ }=0A=
+ break; =0A=
=0A=
case TOK_NAT:=0A=
action->opcode =3D O_NAT;=0A=
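Review bot: The `TOK_PPS` case dereferences `**av` without checking that an argument is present, and it stores the `strtoul()` results with no end-pointer or range check. As a result `pps` with a missing argument reads through a null `*av` (assuming `av` is NULL-terminated, which this hunk does not show), `10abc` is accepted as 10, and a limit too large for `arg1` is silently truncated, so the installed rate limit can differ from the one the administrator typed. The `isdigit()` argument should be cast to `unsigned char`, and the second message misspells "argument" as `arugment`. A stricter parse is sketched below; it assumes `arg1` is 16 bits wide, which should be confirmed against `ipfw_insn`.

```c
	case TOK_PPS: {
		ipfw_insn_pps *p = (ipfw_insn_pps *)action;
		unsigned long v;
		char *end;

		action->opcode = O_PPS;
		action->len = F_INSN_SIZE(ipfw_insn_pps);

		if (*av == NULL || !isdigit((unsigned char)**av))
			errx(EX_USAGE, "pps: missing or illegal limit");
		errno = 0;
		v = strtoul(*av, &end, 10);
		/* assumes arg1 is 16 bits wide; confirm against ipfw_insn */
		if (*end != '\0' || errno == ERANGE || v > UINT16_MAX)
			errx(EX_DATAERR, "pps: limit out of range: %s", *av);
		action->arg1 = (uint16_t)v;
		av++;

		if (*av == NULL || !isdigit((unsigned char)**av))
			errx(EX_USAGE, "pps: missing or illegal duration");
		errno = 0;
		v = strtoul(*av, &end, 10);
		if (*end != '\0' || errno == ERANGE || v > UINT32_MAX)
			errx(EX_DATAERR, "pps: duration out of range: %s", *av);
		p->duration = (uint32_t)v;
		av++;
		break;
	}
```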
Index: sbin/ipfw/ipfw2.h=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- sbin/ipfw/ipfw2.h (revision 266886)=0A=
+++ sbin/ipfw/ipfw2.h (working copy)=0A=
@@ -92,6 +92,7 @@=0A=
TOK_NGTEE,=0A=
TOK_FORWARD,=0A=
TOK_SKIPTO,=0A=
+ TOK_PPS,=0A=
TOK_DENY,=0A=
TOK_REJECT,=0A=
TOK_RESET,=0A=
Index: sys/netinet/ip_fw.h=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- sys/netinet/ip_fw.h (revision 266886)=0A=
+++ sys/netinet/ip_fw.h (working copy)=0A=
@@ -165,6 +165,7 @@=0A=
O_REJECT, /* arg1=3Dicmp arg (same as deny) */=0A=
O_COUNT, /* none */=0A=
O_SKIPTO, /* arg1=3Dnext rule number */=0A=
+ O_PPS, /* arg1=3Dlimit, pps->duration */=0A=
O_PIPE, /* arg1=3Dpipe number */=0A=
O_QUEUE, /* arg1=3Dqueue number */=0A=
O_DIVERT, /* arg1=3Dport number */=0A=
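Review bot: Adding `O_PPS` in the middle of the opcode enum changes the numeric value of `O_PIPE` and of every opcode after it, so an ipfw(8) binary and a kernel built from different sides of this change would disagree on what each rule action means. For a packet filter that is a silent policy change rather than a visible error. Appending the new opcode at the end of the enum keeps the existing values stable; the end of the enum is outside this hunk.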
@@ -378,6 +379,16 @@=0A=
} ipfw_insn_log;=0A=
=0A=
/*=0A=
+ * This is used for PPS=0A=
+ */=0A=
+typedef struct _ipfw_insn_pps{=0A=
+ ipfw_insn o;=0A=
+ uint32_t start_time;=0A=
+ uint32_t count;=0A=
+ uint32_t duration;=0A=
+} ipfw_insn_pps;=0A=
+=0A=
+/*=0A=
* Data structures required by both ipfw(8) and ipfw(4) but not part of =
the=0A=
* management API are protected by IPFW_INTERNAL.=0A=
*/=0A=
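Review bot: The comment `This is used for PPS` does not say which fields of `ipfw_insn_pps` are configuration, which are runtime state, or what units they use. Judging by the other hunks, `duration` is set by ipfw(8) in milliseconds, while `start_time` (in ticks) and `count` are written by the kernel on matching packets. I would document it as `/* O_PPS: arg1 = packet limit, duration = window in ms (from userland); start_time (ticks) and count are kernel-maintained state */`. It is also worth stating in that comment that mutable per-packet state lives inside the rule instruction itself, since that affects both locking and what userland sees when it reads the rule back.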
Index: sys/netpfil/ipfw/ip_fw2.c=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- sys/netpfil/ipfw/ip_fw2.c (revision 266886)=0A=
+++ sys/netpfil/ipfw/ip_fw2.c (working copy)=0A=
@@ -124,6 +124,7 @@=0A=
/* Use 128 tables by default */=0A=
static unsigned int default_fw_tables =3D IPFW_TABLES_DEFAULT;=0A=
=0A=
+static unsigned int kern_hz=3D1000;=0A=
/*=0A=
* Each rule belongs to one of 32 different sets (0..31).=0A=
* The variable set_disable contains one bit per set.=0A=
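Review bot: `kern_hz` is a private copy of the `kern.hz` loader tunable with a hard-coded default of 1000, so it matches the running clock only when the tunable is set explicitly. If the kernel selects a different rate, the millisecond-to-tick conversion in the `O_PPS` case is off by that ratio and the limit is enforced over the wrong window. A tunable value of 0 would also make `1000/kern_hz` in that case divide by zero. The kernel's global `hz` already holds the effective rate, so I would drop this variable and the `TUNABLE_INT("kern.hz", (int *)&kern_hz);` line in the next hunk and use `hz` directly.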
@@ -186,6 +187,7 @@=0A=
SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, static_count,=0A=
CTLFLAG_RD, &VNET_NAME(layer3_chain.n_rules), 0,=0A=
"Number of static rules");=0A=
+TUNABLE_INT("kern.hz", (int *)&kern_hz);=0A=
=0A=
#ifdef INET6=0A=
SYSCTL_DECL(_net_inet6_ip6);=0A=
@@ -2189,6 +2191,31 @@=0A=
continue;=0A=
break; /* not reached */=0A=
=0A=
+ case O_PPS:{=0A=
+ int duration_in_ticks;=0A=
+ ipfw_insn_pps *pps =3D (ipfw_insn_pps *)cmd;=0A=
+ if(1000/kern_hz >=3D pps->duration){=0A=
+ duration_in_ticks=3D1;=0A=
+ }else{=0A=
+ duration_in_ticks=3Dpps->duration*kern_hz/1000+1;=0A=
+ }=0A=
+ if(pps->start_time+duration_in_ticks>=3D ticks){=0A=
+ if(pps->count < cmd->arg1){=0A=
+ retval =3D IP_FW_PASS;=0A=
+ }else{=0A=
+ retval =3D IP_FW_DENY;=0A=
+ }=0A=
+ pps->count++;=0A=
+ }else{=0A=
+ pps->start_time=3Dticks;=0A=
+ pps->count=3D1;=0A=
+ retval =3D IP_FW_PASS;=0A=
+ }=0A=
+ l =3D 0; =0A=
+ done =3D 1;=0A=
+ break; =0A=
+ }=0A=
+=0A=
case O_CALLRETURN: {=0A=
/*=0A=
* Implementation of `subroutine' call/return,=0A=
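Review bot: The window test `pps->start_time+duration_in_ticks >= ticks` adds before comparing, so when the `uint32_t` sum wraps the test fails, the window restarts and the packet passes, which means the limit is not enforced around a wrap. Comparing elapsed time avoids this: `if ((uint32_t)ticks - pps->start_time <= (uint32_t)duration_in_ticks)`. The conversion should be widened to `(uint64_t)pps->duration * hz / 1000 + 1`, because the 32-bit product overflows for long durations. `pps->count++` and the `start_time` reset also have no visible synchronisation; the locking is outside this hunk, but if this path can run on several CPUs at once, more than `limit` packets can pass per window.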
Index: sys/netpfil/ipfw/ip_fw_sockopt.c=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A=
--- sys/netpfil/ipfw/ip_fw_sockopt.c (revision 266886)=0A=
+++ sys/netpfil/ipfw/ip_fw_sockopt.c (working copy)=0A=
@@ -703,6 +703,12 @@=0A=
goto bad_size;=0A=
break;=0A=
=0A=
+ case O_PPS:=0A=
+ have_action=3D1;=0A=
+ if (cmdlen !=3D F_INSN_SIZE(ipfw_insn_pps))=0A=
+ goto bad_size;=0A=
+ break;=0A=
+=0A=
case O_PIPE:=0A=
case O_QUEUE:=0A=
if (cmdlen !=3D F_INSN_SIZE(ipfw_insn))=0A=
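Review bot: The new `O_PPS` case validates only the instruction length, so `duration` is accepted with any value, and `start_time` and `count`, which the packet path treats as its own state, are taken as supplied by the caller. Since this check appears to be the kernel's gate for rules arriving from userland, I would bound `duration` here to a range the tick conversion in ip_fw2.c can represent and reset the two state fields when the rule is installed. The enclosing function starts and ends outside the hunk, so whether the reset belongs here or at rule insertion needs checking against the full file.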
------=_NextPart_000_0002_01CF7C6A.CF4B9B50--