[CFT]: ipfw named tables / different tabletypes
Alexander V. Chernikov
melifaro at FreeBSD.org
Mon May 19 12:52:45 UTC 2014
Hello list!
This patch adds ability to name tables / reference them by name.
Additionally, it simplifies adding new table types.
Change list:
Kernel:
1) Add new IP_FW_TABLE_XGETCFG / IP_FW_TABLE_XSETCFG opcodes to permit
table reconfiguration
2) Table data is now opaque to the main ipfw code: use 1 pointer in the first
ip_fw_chain cache line for lookups and another one for config state.
3) Do not assume radix is the one and only lookup mechanism for doing
lookups (more changes following)
4) Table data layout is changed to the following:
+struct table_info {
+ void *state; /* IPv4 tables */
+ void *xstate;/* extended tables */
+ table_lookup_t *lookup;/* lookup function */
+ struct table_config *cfg; /* Additional data, can be NULL */
+};
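Review bot: the comment on `state` (`/* IPv4 tables */`) does not match item 6 above, which says every table is CIDR (IPv4+IPv6) by default; if `state` is the IPv4 radix head and `xstate` the IPv6/extended one, say so in the comment, otherwise the two pointers look like a v4/v6 split that the text says no longer exists. Also worth documenting on `cfg` is who owns it and when it may be NULL (item 7 lists the three allocation triggers), since every lookup path has to handle that case.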
An array of size "table_max * sizeof(struct table_info)" is allocated on
startup (very much like in the current code in terms of memory).
5) State holds any additional info table may need for configuration
purposes and is allocated on demand.
6) By default, all tables are CIDR (IPv4+IPv6) and do not hold *cfg state.
7) State is allocated when:
* table is referenced in some rules
* type is non-default
* table is named
8) Tables can be named and referenced by their names, but a table number
still has to be selected explicitly.
9) Table references are now explicitly tracked by the kernel, checking that
the opcode lookup type and the table type are the same
10) Do not assume tbl is uint16_t
11) Change locking model: use both IPFW and IPFW_UH locks, as the main ipfw
code does
12) While here, fix a possible panic in case of adding a new table entry
while reallocating tables_max
Some more on table types:
+struct table_config {
+ uint8_t tabletype; /* lookup table types */
+ uint8_t ftype; /* format table type */
+ uint8_t atype; /* algorithm type */
+ uint8_t spare0;
+ uint32_t refcnt; /* Number of references */
+ uint32_t count; /* Number of records */
+ struct table_info *ti;
+ TAILQ_ENTRY(table_config) next; /* namehash */
+ char tablename[64]; /* table name */
+};
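Review bot: `tablename[64]` is a fixed buffer filled from userland via IP_FW_TABLE_XSETCFG, so the handler must bound the copy and force NUL termination before the name goes into the namehash; the text also says names must be unique, which means the XSETCFG path has to look the name up under IPFW_UH_WLOCK and fail the rename on a hit, and a "rename to the same name" case should be a no-op rather than an error. A comment on `refcnt` stating which lock protects it (IPFW_UH per item 11) would also help, since the type-change rule below depends on reading it consistently.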
"tabletype" is basically the type of the key we're looking for (e.g.
IPv4/IPv6 address, interface name, port/uid, etc.).
"ftype" is a pure userland field helping to format keys in an appropriate way
(like showing DSCP values in hex or binary).
"atype" permits using a different algorithm for the same lookup key
(currently not implemented, but planned).
A good example is a CIDR table consisting only of host routes.
User:
Nothing changes for people using tables for IPv4/IPv6 address matching.
New cmds:
ipfw table <num|name> type <cidr|iface>
Changes the table type to a different one. Permitted iff:
* table is not referenced in the ruleset
* table is empty
ipfw table <num> name XXX
Names (or renames) the table. Note the name has to be unique.
ipfw table <num|name> flush
(Not a new command, actually).
Flushes all table records leaving configuration intact.
ipfw table <num|name> destroy
Flushes table state AND configuration.
The table becomes an unnamed IPFW_TABLE_CIDR one.
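The rules above (a rule may only reference a table whose type matches the opcode, and a type change is refused while the table is referenced or non-empty) boil down to a few checks on refcnt/count. The following is an added illustration of that bookkeeping in user-space C, not code from the patch; the TABLE_CIDR/TABLE_IFACE values and function names are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the patch's per-table config (assumed values). */
enum { TABLE_CIDR = 1, TABLE_IFACE = 2 };

struct table_config {
    uint8_t  tabletype;      /* lookup key type */
    uint32_t refcnt;         /* rules referencing this table */
    uint32_t count;          /* records stored */
    char     tablename[64];  /* table name, NUL-terminated */
};

/* A rule opcode wants @tc as key type @optype: refuse a type mismatch,
 * otherwise take a reference so the type can no longer be changed. */
int table_ref(struct table_config *tc, uint8_t optype)
{
    if (tc->tabletype != optype)
        return EINVAL;       /* e.g. interface lookup against a CIDR table */
    tc->refcnt++;
    return 0;
}

void table_unref(struct table_config *tc)
{
    if (tc->refcnt > 0)
        tc->refcnt--;
}

/* "ipfw table N type T": only for unreferenced, empty tables. */
int table_set_type(struct table_config *tc, uint8_t newtype)
{
    if (tc->refcnt != 0)
        return EBUSY;
    if (tc->count != 0)
        return ENOTEMPTY;
    tc->tabletype = newtype;
    return 0;
}

/* "ipfw table N name X": bounded copy, reject names that do not fit.
 * Uniqueness across the namehash is not modelled here. */
int table_set_name(struct table_config *tc, const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= sizeof(tc->tablename))
        return EINVAL;
    memcpy(tc->tablename, name, len + 1);
    return 0;
}
```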
Next changes:
* Further rework add/del table entry to permit adding non-radix tables
more easily
* Change "iface" table type implementation to uint32_t iflist[65536] to
permit O(1) interface matching
* Add general u32 lookup method for dealing with ports/uids/jails/dscp
and other such consumers
I'm planning to commit this one (actually, a bit improved version) in
the beginning of next week if no objections are received.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipfw_tables3.diff
Type: text/x-patch
Size: 49177 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20140519/0721cb9d/attachment.bin>