svn commit: r269348 - in projects/ipfw: sbin/ipfw sys/netinet sys/netpfil/ipfw
Bjoern A. Zeeb
bz at FreeBSD.org
Fri Aug 1 00:34:53 UTC 2014
On 31 Jul 2014, at 20:08, Alexander V. Chernikov <melifaro at FreeBSD.org> wrote:
> Author: melifaro
> Date: Thu Jul 31 20:08:19 2014
> New Revision: 269348
> URL: http://svnweb.freebsd.org/changeset/base/269348
>
> Log:
> * Add new "flow" table type to support N=1..5-tuple lookups
> * Add "flow:hash" algorithm
>
> Kernel changes:
> * Add O_IP_FLOW_LOOKUP opcode to support "flow" lookups
> * Add IPFW_TABLE_FLOW table type
> * Add "struct tflow_entry" as storage for 6-tuple flows
> * Add "flow:hash" algorithm. Basically it is an auto-growing chained hash table.
> Additionally, we store a mask of the fields we need to compare in each instance.
>
> * Increase ipfw_obj_tentry size by adding struct tflow_entry
> * Add per-algorithm stat (ifpw_ta_tinfo) to ipfw_xtable_info
> * Increase algoname length: 32 -> 64 (algo options passed there as string)
> * Assume every table type can be customized by flags, use u8 to store "tflags" field.
> * Simplify ipfw_find_table_entry() by providing @tentry directly to algo callback.
> * Fix bug in cidr:chash resize procedure.
>
> Userland changes:
> * add "flow table(NAME)" syntax to support n-tuple checking tables.
> * make fill_flags() separate function to ease working with _s_x arrays
> * change "table info" output to reflect longer "type" fields
>
> Syntax:
> ipfw table fl2 create type flow:[src-ip][,proto][,src-port][,dst-ip][dst-port] [algo flow:hash]
>
> Examples:
>
> 0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash
> 0:02 [2] zfscurr0# ipfw table fl2 info
> +++ table(fl2), set(0) +++
> kindex: 0, type: flow:src-ip,proto,dst-port
> valtype: number, references: 0
> algorithm: flow:hash
> items: 0, size: 280
> 0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000
> 0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000
> 0:02 [2] zfscurr0# ipfw table fl2 list
> +++ table(fl2), set(0) +++
> 2a02:6b8::333,6,443 45000
> 10.0.0.92,6,80 22000
> 0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'
> 00200 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
> 0:03 [2] zfscurr0# ipfw show
> 00200 0 0 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
> 65535 617 59416 allow ip from any to any
> 0:03 [2] zfscurr0# telnet -s 10.0.0.92 78.46.89.105 80
> Trying 78.46.89.105...
> ..
> 0:04 [2] zfscurr0# ipfw show
> 00200 5 272 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
> 65535 682 66733 allow ip from any to any
>
> Modified:
> projects/ipfw/sbin/ipfw/ipfw2.c
> projects/ipfw/sbin/ipfw/ipfw2.h
> projects/ipfw/sbin/ipfw/tables.c
> projects/ipfw/sys/netinet/ip_fw.h
> projects/ipfw/sys/netpfil/ipfw/ip_fw2.c
> projects/ipfw/sys/netpfil/ipfw/ip_fw_sockopt.c
> projects/ipfw/sys/netpfil/ipfw/ip_fw_table.c
> projects/ipfw/sys/netpfil/ipfw/ip_fw_table.h
> projects/ipfw/sys/netpfil/ipfw/ip_fw_table_algo.c
Only in case you plan on merging this to head (but even if not, it might be a good idea ;-)
I see no changes to the man page. Please update the documentation; this is where syntax and examples belong, not the commit message. Feel free to grab someone from docs@ in case you don't want to do it all yourself; they are always more than willing to assist.
—
Bjoern A. Zeeb "Come on. Learn, goddamn it.", WarGames, 1983
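The lookup the quoted commit message describes (a "flow" table that compares only the fields named in its type, backed by a growing chained hash) modelled in Python as an added example. This is not FreeBSD's ip_fw_table_algo.c code: the five field names and the `flow:` type syntax come from the commit message, while the protocol-name subset, the initial bucket count, the grow threshold and the choice to let a repeated add replace the stored value are assumptions of this model.

```python
import ipaddress

# Field order of the flow n-tuple, taken from the "type flow:..." syntax.
FIELDS = ("src-ip", "proto", "src-port", "dst-ip", "dst-port")

# Constructed subset of /etc/protocols; ipfw accepts "tcp" and lists it as 6.
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}


def parse_type(spec):
    """Turn "flow:src-ip,proto,dst-port" into a bitmask over FIELDS."""
    if not spec.startswith("flow:"):
        raise ValueError("not a flow table type: %r" % spec)
    mask = 0
    for name in spec[len("flow:"):].split(","):
        if name not in FIELDS:
            raise ValueError("unknown flow field: %r" % name)
        mask |= 1 << FIELDS.index(name)
    if mask == 0:
        raise ValueError("flow type needs at least one field")
    return mask


def normalize(field, value):
    """Canonicalize one field so "tcp"/"6", "443"/443 and v4/v6 text compare equal."""
    if field in ("src-ip", "dst-ip"):
        return ipaddress.ip_address(value)
    if field == "proto":
        if isinstance(value, int):
            return value
        return int(value) if value.isdigit() else PROTO_NAMES[value.lower()]
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError("bad port %r" % value)
    return port


class FlowTable:
    """Chained hash table keyed on the masked subset of the flow tuple (model)."""

    def __init__(self, spec, nbuckets=4):  # nbuckets is an assumption of the model
        self.mask = parse_type(spec)
        self.fields = [f for i, f in enumerate(FIELDS) if self.mask & (1 << i)]
        self.buckets = [[] for _ in range(nbuckets)]
        self.items = 0

    def _key(self, values):
        # Only the fields selected at create time take part in the comparison.
        return tuple(normalize(f, values[f]) for f in self.fields)

    def _bucket(self, key):
        return self.buckets[hash(key) % len(self.buckets)]

    def _grow(self):
        # Double the bucket array and re-chain every entry ("auto-growing").
        old = self.buckets
        self.buckets = [[] for _ in range(len(old) * 2)]
        for chain in old:
            for key, value in chain:
                self._bucket(key).append((key, value))

    def add(self, entry, value):
        """Add "2a02:6b8::333,tcp,443" style entry given in the table's field order."""
        parts = entry.split(",")
        if len(parts) != len(self.fields):
            raise ValueError("expected %d fields, got %d" % (len(self.fields), len(parts)))
        key = self._key(dict(zip(self.fields, parts)))
        chain = self._bucket(key)
        for i, (k, _) in enumerate(chain):
            if k == key:
                chain[i] = (key, value)  # assumption: re-add replaces the value
                return
        chain.append((key, value))
        self.items += 1
        if self.items > 2 * len(self.buckets):  # load factor 2 is an assumption
            self._grow()

    def lookup(self, packet):
        """packet: dict with all five fields; returns the stored value or None."""
        key = self._key(packet)
        for k, v in self._bucket(key):
            if k == key:
                return v
        return None

    def list_entries(self):
        """Render like "ipfw table NAME list": proto shown numeric, value after a space."""
        out = []
        for chain in self.buckets:
            for key, value in chain:
                out.append(",".join(str(x) for x in key) + " " + str(value))
        return sorted(out)


def rule_matches(table, packet):
    """What an O_IP_FLOW_LOOKUP opcode decides: the rule matches on any hit."""
    return table.lookup(packet) is not None
```

A packet with src-ip 10.0.0.92, proto 6 and dst-port 80 hits the second entry from the commit message regardless of its src-port and dst-ip, because those two fields are not in the table's mask; the same packet to dst-port 443 misses. Growing the bucket array must re-chain every entry, which is the step a resize bug in a chained hash would break, so the test below checks lookups across a resize.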