Lookup tables with dst-port as argument
Patrick Tracanelli
eksffa at freebsdbrasil.com.br
Mon Jan 25 14:29:52 UTC 2021
Hello again,
Thank you Andrey V. Elsukov,
Actually I could do what I wanted using flow lookup. For the archives, here is how it was done and tested preliminarily:
a) Set up a flow table and a rule to use entries indexed with tablearg 1:
# ipfw table idpsflow create type flow:src-ip,dst-port
# ipfw add 1 count log all from any to any flow 'table(idpsflow,1)' in
b) Add some flows and args
# ipfw table idpsflow add 201.71.251.91,6969 1
# ipfw table idpsflow add 201.71.251.91,22 2
# ipfw table idpsflow add 177.10.156.20,8080 1
c) See what we have
# ipfw table idpsflow list
201.71.251.91,6969 1
177.10.156.20,8080 1
201.71.251.91,22 2
# ipfw table idpsflow detail
--- table(idpsflow), set(0) ---
kindex: 3, type: flow:src-ip,dst-port
references: 1, valtype: legacy
algorithm: flow:hash
items: 3, size: 656
algorithm hash info
size: 512 items: 3 itemsize4: 32 itemsize6: 56
d) Check whether it's matching
# ipfw show 1
00001 1189 69888 count log logamount 100 ip from any to any flow table(idpsflow,1) in
The idea behind the 1 and 2 rationale was to abstract the IDS severity priority of rules, adding entries of severity 1, 2, 3, and so on.
I never needed the new features of ipfw before, and now that I just did, I realized how powerful it has become. Actually I have converted over a couple dozen rules into just 3 rules. This is huge!
I don't know when those lookup table improvements were committed or by whom; whoever did it, please let me know your Ether wallet so I can pay you a beer (for real, distance is no excuse anymore).
I don't know if it's performance costly, but I hope someone could implement table match counters: as we have the bytes and packets counters per rule, having them per table entry would keep visibility of what is matching. The only thing I miss in converting my 38-rule firewall into just 3 rules is that I only have 3 counters, which are almost meaningless now.
Best,
Patrick Tracanelli
> On 20.01.2021 18:26, Patrick Tracanelli wrote:
> > Hello FreeBSD community,
> >
> > I need to dynamically allocate filtering ports on a tuplet, table
> > would do the job, can I lookup the port argument from a table?
> > Something like:
> >
> > ipfw add count all from "table(blist)" to any dst-port tablearg in
> >
> > In the above example table blist was created as "ipfw table blist
> > create type number".
> >
> > It certainly won’t work as above written since tablearg is not
> > supported for dst-port.
> >
> > Is there any other approach possible to reach this desired behavior?
>
> Hi,
>
> it seems you need to take a look at the 'lookup dst-port tablename' opcode.
>
> --
> WBR, Andrey V. Elsukov
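Added example (not from the thread, not ipfw's own code): a small Python model of the flow-table matching used above, plus the per-entry visibility the message asks for, recovered from the rule's log output. It parses the `ipfw table idpsflow list` format shown in the message, emulates how `flow table(name[,value])` decides a match for a `flow:src-ip,dst-port` table (entry present, and value equal when one is given), and replays ipfw log lines against the table to count hits per entry. The log lines are constructed; their layout ("ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <if>") is the assumed syslog format of ipfw(8), and all names here are hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: the `ipfw table idpsflow list` output from the message,
# one "src-ip,dst-port value" entry per line.
TABLE_LISTING = """\
201.71.251.91,6969 1
177.10.156.20,8080 1
201.71.251.91,22 2
"""

# Constructed sample log lines in the assumed ipfw(8) syslog layout:
# "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <ifname>".
SAMPLE_LOG = """\
Jan 25 14:30:01 fw kernel: ipfw: 1 Count TCP 201.71.251.91:40112 10.0.0.5:6969 in via em0
Jan 25 14:30:02 fw kernel: ipfw: 1 Count TCP 177.10.156.20:51000 10.0.0.5:8080 in via em0
Jan 25 14:30:03 fw kernel: ipfw: 1 Count TCP 201.71.251.91:40113 10.0.0.5:6969 in via em0
Jan 25 14:30:04 fw kernel: ipfw: 2 Count TCP 201.71.251.91:40114 10.0.0.5:22 in via em0
Jan 25 14:30:05 fw kernel: ipfw: 65535 Deny UDP 8.8.8.8:53 10.0.0.5:4444 in via em0
"""

# Greedy \S+ followed by ":<digits>" splits address and port at the last colon,
# so the same pattern also copes with IPv6 addresses in the log.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) (?P<dir>in|out)"
)


def parse_flow_table(listing):
    """Parse `ipfw table <name> list` output of a flow:src-ip,dst-port table
    into {(src_ip, dst_port): value}. Addresses are normalised via ipaddress
    so "201.071.251.091"-style spellings cannot create duplicate keys."""
    table = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        key, value = line.split()
        ip, port = key.split(",")
        table[(str(ip_address(ip)), int(port))] = int(value)
    return table


def flow_matches(table, src_ip, dst_port, value=None):
    """Emulate `flow table(name[,value])` for a flow:src-ip,dst-port table:
    the packet matches only if (src-ip, dst-port) is an entry and, when a
    value is given as in table(idpsflow,1), the entry's value equals it."""
    entry = table.get((src_ip, dst_port))
    if entry is None:
        return False
    return value is None or entry == value


def count_hits_per_entry(table, log_text, value=None):
    """Per-entry hit counters, which ipfw only keeps per rule: replay logged
    inbound packets against the table and count which entry each one hit.
    `value` mirrors the value argument of the rule whose log is replayed."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("dir") != "in":
            continue
        key = (str(ip_address(m.group("src"))), int(m.group("dport")))
        if flow_matches(table, key[0], key[1], value):
            hits[key] += 1
    return hits


def hits_by_severity(table, hits):
    """Roll the per-entry counters up by table value (severity 1, 2, ...)."""
    by_value = Counter()
    for key, n in hits.items():
        by_value[table[key]] += n
    return by_value


if __name__ == "__main__":
    flows = parse_flow_table(TABLE_LISTING)
    # Rule 1 in the message is `flow table(idpsflow,1)`: only severity-1 entries.
    for key, n in sorted(count_hits_per_entry(flows, SAMPLE_LOG, 1).items()):
        print("%s,%d value %d hits %d" % (key[0], key[1], flows[key], n))
    # Without a value argument every entry counts, whatever its severity.
    print(dict(hits_by_severity(flows, count_hits_per_entry(flows, SAMPLE_LOG))))
```

Feeding it the real /var/log/security is a matter of replacing SAMPLE_LOG with the file contents; the `log` keyword on the counting rule is what makes this possible, and `logamount` (100 in the `ipfw show` output above) caps how many lines a rule will log, so raise it or reset the counters with `ipfw resetlog` if the replay is meant to be complete.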