propose a new generic purpose rule option for ipfw

bycn82 bycn82 at gmail.com
Thu May 29 13:49:02 UTC 2014



-----Original Message-----
From: 'Luigi Rizzo' [mailto:rizzo at iet.unipi.it] 
Sent: 29 May, 2014 21:10
To: bycn82
Cc: 'FreeBSD Net'
Subject: Re: propose a new generic purpose rule option for ipfw


On Thu, May 29, 2014 at 08:45:26PM +0800, bycn82 wrote:

...

> 

> Sure, that is the reason why developers are providing more and more rule options. But my question is: do we have enough options to match all the fixed position values?


we do not have an option for fixed position matching.


Can I say that “It will be useful when a user comes up with a special requirement which cannot be fulfilled by any existing rule option”? Since there are so many rule options already, I don’t know when that special requirement will appear. :( That is what you said, “useless”; I accept that.


As I said, feel free to submit one and I will be happy to import it if the code is clean (btw I am still waiting for fixes to the other 'rate limiting' option you sent), but keep in mind that 'fixed position' is mostly useless.

Which `rate limiting`, the `Packet per second`? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/189720

More useful options would be one where you express the position as


                '{MAC|VLAN|IP|UDP|TCP|...|PAYLOAD}+offset'


It is possible:

match <position> <mask> <value>

The <mask> can be a pattern, which means it can match multiple values at the same time.


so at least you can adapt to variant headers, or one where you can look for a pattern in the entire packet or in a portion of it.


cheers

luigi
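The exchange above, worked through as an added example in C that is not part of the thread and not ipfw code: a `match <position> <mask> <value>` check where the position is either an absolute byte in the frame or a `header+offset` in the `'{MAC|VLAN|IP|UDP|TCP|...|PAYLOAD}+offset'` style Luigi suggests. The anchor names (`ANCHOR_MAC`, `ANCHOR_IP`, `ANCHOR_L4`), the `struct match_rule` layout and the two sample frames are assumptions constructed for the example. It shows the practical point of the discussion from a filtering perspective: a rule written against a fixed byte offset stops matching as soon as an 802.1Q tag (or IPv4 options) shifts the headers, so the filter silently opens a gap, whereas the same rule anchored at the IP or L4 header keeps matching; the mask makes one rule cover several values (here, "SYN bit set" regardless of the other flag bits).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Header anchors modelled on the '{MAC|VLAN|IP|UDP|TCP|...|PAYLOAD}+offset'
 * idea from the thread. The names are assumptions, not ipfw identifiers. */
enum anchor { ANCHOR_MAC, ANCHOR_IP, ANCHOR_L4 };

/* One rule: match <anchor+offset> <mask> <value>, over 1..4 bytes. */
struct match_rule {
    enum anchor base; size_t offset, len;   /* len = 1..4 bytes */
    uint32_t mask, value;
};

/* Absolute offset of an anchor inside an Ethernet frame, skipping any
 * 802.1Q tags and honouring the IPv4 IHL. Returns -1 when the frame is too
 * short or is not IPv4, so a rule on a missing header can never match. */
static long resolve_anchor(const uint8_t *pkt, size_t len, enum anchor a)
{
    if (a == ANCHOR_MAC) return 0;
    if (len < 14) return -1;
    size_t type_off = 12;
    unsigned type = (pkt[type_off] << 8) | pkt[type_off + 1];
    while (type == 0x8100) {            /* VLAN tag: 4 more bytes */
        type_off += 4;
        if (len < type_off + 2) return -1;
        type = (pkt[type_off] << 8) | pkt[type_off + 1];
    }
    if (type != 0x0800) return -1;      /* only IPv4 handled here */
    size_t ip = type_off + 2;
    if (a == ANCHOR_IP) return (long)ip;
    if (len < ip + 20) return -1;
    size_t ihl = (pkt[ip] & 0x0f) * 4;  /* IP options shift L4 as well */
    if (ihl < 20 || len < ip + ihl) return -1;
    return (long)(ip + ihl);            /* ANCHOR_L4 */
}

/* Evaluate one rule. 1 = match, 0 = no match (including "field absent"). */
int rule_matches(const struct match_rule *r, const uint8_t *pkt, size_t len)
{
    long base = resolve_anchor(pkt, len, r->base);
    if (base < 0 || r->len == 0 || r->len > 4) return 0;
    size_t pos = (size_t)base + r->offset;
    if (pos + r->len > len) return 0;   /* never read past the packet */
    uint32_t v = 0;
    for (size_t i = 0; i < r->len; i++) v = (v << 8) | pkt[pos + i];
    return (v & r->mask) == (r->value & r->mask);
}

/* Constructed sample frames (not captured traffic): the same IPv4/TCP SYN from
 * 192.168.0.1:1234 to 192.168.0.2:80, untagged and with an 802.1Q tag (VLAN 100). */
const uint8_t frame_untagged[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0x04,0xd2,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0,
};
const uint8_t frame_vlan[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00,0x00,0x64, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0x04,0xd2,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0,
};

/* "Is TCP" written as a fixed position: byte 23 of the frame is the IP
 * protocol field only while no VLAN tag precedes the IP header. */
int abs_rule_is_tcp(const uint8_t *pkt, size_t len)
{
    struct match_rule r = { ANCHOR_MAC, 23, 1, 0xff, 6 };
    return rule_matches(&r, pkt, len);
}

/* The same check anchored at the IP header: offset 9 is always protocol. */
int ip_rule_is_tcp(const uint8_t *pkt, size_t len)
{
    struct match_rule r = { ANCHOR_IP, 9, 1, 0xff, 6 };
    return rule_matches(&r, pkt, len);
}

/* SYN bit set in the TCP flags byte (L4+13); the mask ignores the other
 * flag bits, which is the "mask as pattern" use described in the thread. */
int l4_rule_is_syn(const uint8_t *pkt, size_t len)
{
    struct match_rule r = { ANCHOR_L4, 13, 1, 0x02, 0x02 };
    return rule_matches(&r, pkt, len);
}

int main(void)
{
    printf("untagged: abs=%d ip=%d syn=%d\n", abs_rule_is_tcp(frame_untagged, sizeof frame_untagged),
           ip_rule_is_tcp(frame_untagged, sizeof frame_untagged), l4_rule_is_syn(frame_untagged, sizeof frame_untagged));
    printf("vlan:     abs=%d ip=%d syn=%d\n", abs_rule_is_tcp(frame_vlan, sizeof frame_vlan),
           ip_rule_is_tcp(frame_vlan, sizeof frame_vlan), l4_rule_is_syn(frame_vlan, sizeof frame_vlan));
    return 0;
}
```

The fixed-position rule reports `abs=1` for the untagged frame and `abs=0` for the tagged one, while the header-relative rules report 1 for both; a truncated frame never matches because `rule_matches` refuses to read past the buffer rather than treating missing bytes as zero.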
