propose a new generic purpose rule option for ipfw

Andreas Nilsson andrnils at gmail.com
Thu May 29 13:32:41 UTC 2014


On Thu, May 29, 2014 at 3:10 PM, Luigi Rizzo <rizzo at iet.unipi.it> wrote:

> On Thu, May 29, 2014 at 08:45:26PM +0800, bycn82 wrote:
> ...
> >
> > Sure, that is the reason why developers are providing more and more rule
> > options. But my question is do we have enough options to match all the
> > fixed position values?
>
> we do not have an option for fixed position matching.
>
> As I said, feel free to submit one and I will be happy to
> import it if the code is clean (btw I am still waiting
> for fixes to the other 'rate limiting' option you sent),
> but keep in mind that 'fixed position' is mostly useless.
>
> More useful options would be one where you express the position as
>
>         '{MAC|VLAN|IP|UDP|TCP|...|PAYLOAD}+offset'
>
> so at least you can adapt to variant headers, or one where you can look
> for a pattern in the entire packet or in a portion of it.
>
> cheers
> luigi

Wouldn't PAYLOAD possibly require reassembly of a fragmented packet?

It certainly is a good feature, don't get me wrong. But what are the
performance hits?

Best regards
Andreas
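
The header-relative addressing discussed in this thread, together with the fragment case raised in the reply, as an added example that is not part of the thread and not ipfw code. The names `resolve`, `resolve_sample` and `enum base` are hypothetical and the sample frame is constructed; it assumes Ethernet/IPv4 with at most one 802.1Q tag and declines to match non-first fragments instead of reassembling them.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical bases, after the '{MAC|VLAN|IP|UDP|TCP|...|PAYLOAD}+offset' idea. */
enum base { B_MAC, B_IP, B_L4, B_PAYLOAD };

/* Constructed sample: Ethernet, IPv4 with one option word (IHL=6), UDP, "ABCD". */
static const uint8_t sample[50] = {
    2,0,0,0,0,2, 2,0,0,0,0,1, 0x08,0x00,
    0x46,0,0,36, 0,0,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2, 1,1,1,0,
    0x12,0x34,0,53, 0,12,0,0, 'A','B','C','D' };

/* Absolute index of base+off, or -1 if the base is absent or out of bounds. */
long resolve(const uint8_t *p, size_t len, enum base b, size_t off)
{
    size_t ip = 14, ihl, at = 0;
    if (len < 14) return -1;
    if (p[12] == 0x81 && p[13] == 0x00) ip = 18;      /* one 802.1Q tag */
    if (b != B_MAC) {
        if (len < ip + 20 || p[ip - 2] != 0x08 || p[ip - 1] != 0x00) return -1;
        ihl = (size_t)(p[ip] & 0x0f) * 4;             /* variable header length */
        if ((p[ip] >> 4) != 4 || ihl < 20 || len < ip + ihl) return -1;
        at = ip;
        if (b != B_IP) {
            /* Non-first fragment: the transport header is in another packet. */
            if ((((p[ip + 6] & 0x1f) << 8) | p[ip + 7]) != 0) return -1;
            at = ip + ihl;
        }
        if (b == B_PAYLOAD) {
            if (p[ip + 9] == 17) at += 8;             /* UDP header is fixed size */
            else if (p[ip + 9] == 6 && len >= at + 13 && (p[at + 12] >> 4) >= 5)
                at += (size_t)(p[at + 12] >> 4) * 4;  /* TCP data offset */
            else return -1;
        }
    }
    if (at >= len || off >= len - at) return -1;
    return (long)(at + off);
}

/* Resolve on a copy of the sample with the given fragment offset (8-byte units). */
long resolve_sample(enum base b, size_t off, unsigned frag_off)
{
    uint8_t f[sizeof sample];
    memcpy(f, sample, sizeof f);
    f[20] = (uint8_t)((frag_off >> 8) & 0x1f);
    f[21] = (uint8_t)(frag_off & 0xff);
    return resolve(f, sizeof f, b, off);
}
```

With the IP option present, PAYLOAD+0 lands on byte 46, whereas a fixed position computed for a 20-byte IP header (14+20+8 = 42) would land inside the UDP length field.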

