The following reply was made to PR kern/189720; it has been noted by GNATS.

From: bycn82 <[email protected]>
To: [email protected], [email protected]
Cc:  
Subject: Re: kern/189720: pps action for ipfw
Date: Tue, 13 May 2014 10:54:47 +0800

 This is a multi-part message in MIME format.
 --------------060500040406000407020409
 Content-Type: multipart/alternative;
  boundary="------------070308050506000908020500"
 
 
 --------------070308050506000908020500
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 
 1.Clean some gratuitous white-space.
 2.Increase `count` and `duration` to uint32.
 
 --------------070308050506000908020500
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 
 <html>
   <head>
 
     <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
   </head>
   <body bgcolor="#FFFFFF" text="#000000">
     <font face="Calibri">1.Clean some gratuitous white-space.<br>
       2.Increase `count` and `duration` to uint32. <br>
     </font>
   </body>
 </html>
 
 --------------070308050506000908020500--
 
 --------------060500040406000407020409
 Content-Type: text/plain;
  name="pps.patch2.txt"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
  filename="pps.patch2.txt"
 
 Index: sbin/ipfw/ipfw.8
 ===================================================================
 --- sbin/ipfw/ipfw.8   (revision 265941)
 +++ sbin/ipfw/ipfw.8   (working copy)
 @@ -603,6 +603,14 @@
  Note: logging is done after all other packet matching conditions
  have been successfully verified, and before performing the final
  action (accept, deny, etc.) on the packet.
 +.It Cm pps Ar limit duration
 +Rule with the 
 +.Cm pps
 +keyword will allow the first
 +.Ar limit
 +packets in recent 
 +.Ar duration 
 +milliseconds
  .It Cm tag Ar number
  When a packet matches a rule with the
  .Cm tag
 Index: sbin/ipfw/ipfw2.c
 ===================================================================
 --- sbin/ipfw/ipfw2.c  (revision 265941)
 +++ sbin/ipfw/ipfw2.c  (working copy)
 @@ -244,6 +244,7 @@
        { "allow",              TOK_ACCEPT },
        { "permit",             TOK_ACCEPT },
        { "count",              TOK_COUNT },
 +      { "pps",                TOK_PPS },
        { "pipe",               TOK_PIPE },
        { "queue",              TOK_QUEUE },
        { "divert",             TOK_DIVERT },
 @@ -1232,6 +1233,13 @@
                        PRINT_UINT_ARG("skipto ", cmd->arg1);
                        break;
  
 +              case O_PPS:
 +                      {
 +                      ipfw_insn_pps *pps=(ipfw_insn_pps *)cmd;
 +                      printf("pps %d %d",cmd->arg1,pps->duration);
 +                      break;                  
 +                      }
 +
                case O_PIPE:
                        PRINT_UINT_ARG("pipe ", cmd->arg1);
                        break;
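Review bot: The `%d` conversions in the new `O_PPS` print case do not match the unsigned operands; `pps->duration` is declared `uint32_t` in this patch, and the neighbouring cases print `cmd->arg1` through `PRINT_UINT_ARG`. A duration above `INT_MAX` would be listed as a negative number, and the rule text shown by `ipfw show` would then not parse back into the same rule. Suggested line: `printf("pps %u %u", cmd->arg1, pps->duration);`.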
 @@ -2986,6 +2994,24 @@
                action->opcode = O_COUNT;
                break;
  
 +      case TOK_PPS:
 +              action->opcode = O_PPS;
 +              ipfw_insn_pps *p = (ipfw_insn_pps *)action;
 +              action->len = F_INSN_SIZE(ipfw_insn_pps);
 +              if (isdigit(**av)) {
 +                      action->arg1 = strtoul(*av, NULL, 10);
 +                      av++;
 +              }else{
 +                      errx(EX_USAGE, "illegal argument pps `limit` %s", *av);
 +              }
 +              if (isdigit(**av)) {
 +                      p->duration = strtoul(*av, NULL, 10);
 +                      av++;
 +              }else{
 +                      errx(EX_USAGE,"illegal arugment pps `duration` %s", 
*av);
 +              }
 +              break;  
 +
        case TOK_NAT:
                action->opcode = O_NAT;
                action->len = F_INSN_SIZE(ipfw_insn_nat);
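Review bot: `isdigit(**av)` in the `TOK_PPS` case dereferences `*av` before anything checks that an operand is present, so a rule that ends right after `pps` or after the limit would read through a NULL pointer, assuming `av` is NULL-terminated here (the enclosing function starts outside the hunk). `strtoul(*av, NULL, 10)` also accepts trailing garbage such as `10abc`, and its result is truncated without a diagnostic when stored. `action->arg1` looks like the usual 16-bit instruction argument, so a limit above 65535 would wrap to a much smaller value even though the description says the counters were widened. The second error string misspells "argument" as `arugment`. A stricter parse is sketched below.

```c
	case TOK_PPS: {
		/* … unchanged: opcode, p and action->len setup … */
		char *end;
		unsigned long v;

		if (*av == NULL || !isdigit((unsigned char)**av))
			errx(EX_USAGE, "pps: missing or illegal `limit`");
		v = strtoul(*av, &end, 10);
		if (*end != '\0' || v > UINT16_MAX)	/* arg1 width: confirm */
			errx(EX_USAGE, "illegal argument pps `limit` %s", *av);
		action->arg1 = v;
		av++;

		if (*av == NULL || !isdigit((unsigned char)**av))
			errx(EX_USAGE, "pps: missing or illegal `duration`");
		v = strtoul(*av, &end, 10);
		if (*end != '\0' || v > UINT32_MAX)
			errx(EX_USAGE, "illegal argument pps `duration` %s", *av);
		p->duration = v;
		av++;
		break;
```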
 Index: sbin/ipfw/ipfw2.h
 ===================================================================
 --- sbin/ipfw/ipfw2.h  (revision 265941)
 +++ sbin/ipfw/ipfw2.h  (working copy)
 @@ -92,6 +92,7 @@
        TOK_NGTEE,
        TOK_FORWARD,
        TOK_SKIPTO,
 +      TOK_PPS,
        TOK_DENY,
        TOK_REJECT,
        TOK_RESET,
 Index: sys/netinet/ip_fw.h
 ===================================================================
 --- sys/netinet/ip_fw.h        (revision 265941)
 +++ sys/netinet/ip_fw.h        (working copy)
 @@ -165,6 +165,7 @@
        O_REJECT,               /* arg1=icmp arg (same as deny) */
        O_COUNT,                /* none                         */
        O_SKIPTO,               /* arg1=next rule number        */
 +      O_PPS,                  /* arg1=limit, pps->duration */
        O_PIPE,                 /* arg1=pipe number             */
        O_QUEUE,                /* arg1=queue number            */
        O_DIVERT,               /* arg1=port number             */
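Review bot: Placing `O_PPS` between `O_SKIPTO` and `O_PIPE` shifts the numeric value of every opcode after it. An ipfw(8) binary and a kernel built from different sides of this change would then disagree on what `O_PIPE`, `O_QUEUE`, `O_DIVERT` and the later opcodes mean, and an existing ruleset could be loaded with different actions than intended. If this enum is part of the userland/kernel rule format, as a shared header suggests, the new value is safer appended after the last real opcode (the end of the enum is outside this hunk).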
 @@ -378,6 +379,16 @@
  } ipfw_insn_log;
  
  /*
 + *    This is used for PPS
 + */
 +typedef struct _ipfw_insn_pps{
 +      ipfw_insn o;
 +      uint32_t start_time;
 +      uint32_t count;
 +      uint32_t duration;
 +} ipfw_insn_pps;
 +
 +/*
   * Data structures required by both ipfw(8) and ipfw(4) but not part of the
   * management API are protected by IPFW_INTERNAL.
   */
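Review bot: The comment `This is used for PPS` above `ipfw_insn_pps` does not say which fields are configuration and which are kernel run-time state, nor what unit `duration` is in. From the other hunks, `duration` is set by ipfw(8) while `start_time` and `count` are written by the packet path, and the man page says milliseconds while the kernel compares against `ticks`. I would document each field, e.g. `uint32_t start_time; /* kernel only: start of the current window, in ticks */`, `uint32_t count; /* kernel only: packets seen in the current window */` and `uint32_t duration; /* window length; unit must match what ip_fw2.c compares against */`.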
 Index: sys/netpfil/ipfw/ip_fw2.c
 ===================================================================
 --- sys/netpfil/ipfw/ip_fw2.c  (revision 265941)
 +++ sys/netpfil/ipfw/ip_fw2.c  (working copy)
 @@ -2180,6 +2180,24 @@
                            continue;
                            break;      /* not reached */
  
 +                      case O_PPS:{
 +                              ipfw_insn_pps *pps = (ipfw_insn_pps *)cmd;
 +                              if(pps->start_time+pps->duration >= ticks){
 +                                      if(pps->count < cmd->arg1){
 +                                              retval = IP_FW_PASS;
 +                                      }else{
 +                                              retval = IP_FW_DENY;
 +                                      }
 +                                      pps->count++;
 +                              }else{
 +                                      pps->start_time=ticks;
 +                                      pps->count=1;
 +                                      retval = IP_FW_PASS;
 +                              }
 +                              l = 0;          
 +                              done = 1;
 +                              break;  
 +                      }
                        case O_CALLRETURN: {
                                /*
                                 * Implementation of `subroutine' call/return,
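Review bot: The window test `pps->start_time+pps->duration >= ticks` in the new `O_PPS` case mixes a `uint32_t` sum that can overflow with `ticks`, which I believe is a signed, wrapping counter. Around a wrap the window can appear to never expire or to expire at once. `duration` is also compared in ticks although ipfw.8 documents milliseconds, so the limit is only as documented when hz is 1000. `count` keeps incrementing for denied packets and would eventually wrap back under the limit during a sustained flood. `start_time` and `count` are updated with no visible synchronisation, so if this path runs concurrently on several CPUs the limit can be exceeded. The sketch below addresses the arithmetic only, not the locking, and it denies when the limit is 0 where the original passes the first packet of a window.

```c
			case O_PPS: {
				ipfw_insn_pps *pps = (ipfw_insn_pps *)cmd;
				uint32_t now = (uint32_t)ticks;

				/* unsigned difference stays correct across a ticks wrap */
				if (now - pps->start_time > pps->duration) {
					pps->start_time = now;
					pps->count = 0;
				}
				if (pps->count < cmd->arg1) {
					pps->count++;	/* stops at the limit, cannot wrap */
					retval = IP_FW_PASS;
				} else {
					retval = IP_FW_DENY;
				}
				/* … unchanged: l = 0; done = 1; break; … */
```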
 Index: sys/netpfil/ipfw/ip_fw_sockopt.c
 ===================================================================
 --- sys/netpfil/ipfw/ip_fw_sockopt.c   (revision 265941)
 +++ sys/netpfil/ipfw/ip_fw_sockopt.c   (working copy)
 @@ -703,6 +703,12 @@
                                goto bad_size;
                        break;
  
 +              case O_PPS:
 +                      have_action=1;
 +                      if (cmdlen != F_INSN_SIZE(ipfw_insn_pps))
 +                              goto bad_size;
 +                      break;
 +
                case O_PIPE:
                case O_QUEUE:
                        if (cmdlen != F_INSN_SIZE(ipfw_insn))
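Review bot: The new `O_PPS` case validates only `cmdlen`, so whatever userland placed in `start_time` and `count` is accepted as the initial kernel state of the limiter, and a `duration` or limit of 0 is not rejected. ipfw2.c in this patch never sets those two fields, so their starting values depend on how the caller's buffer was initialised. I would zero both fields when the rule is installed, either here if this validator is allowed to modify the instruction or at the point the rule is copied in, and reject a zero `duration` with `EINVAL`. The enclosing function starts outside the hunk, so the exact place for the reset needs checking against the full file.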
 
 --------------060500040406000407020409--