Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate
Hi Marcelo Araujo!

On Mon, 24 Mar 2008 08:53:26 -0300; Marcelo Araujo wrote about 'Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate':

>> 2.5. Just to mention: modip, counter limits, fragments.
>>
>> These patches are already being discussed in ipfw@, but are included here just so they are not forgotten. These are the modip action, allowing modification of the IP header (DSCP, ToS, TTL) and corresponding match rule options, and a rule option to match when rule counters are less than a specified number of packets or bytes (possibly from a dynamic rule's counters), which may be a tablearg. This is also related to the ability to control rule counters mentioned in section 1.2. Adding a few keywords for O_FRAG for more fragment matching (not only non-first fragments), e.g. for sending to a specialized netgraph(4) reassembling module, is also desirable.
>
> To remind everyone, I am still working on the modip action; I stopped my work last week, but I am working on it again.
>
> Work status:
>
> 1) We have the modip action implemented:
>
> island# ipfw add modip
> ipfw: need modip [DF|TOS|IPPRE|DSCP]:code arg
>
> 2) Both DF and IPPRE work perfectly:
>
> island# ipfw show
> 0001037136133 modip ippre:immediate ip from any to any
> 00011 52 5035 modip df:0 ip from any to any
>
> 3) DSCP: With DSCP I have some errors, but I believe that I will fix them this week.
>
> 4) ToS: I will start the work next week.
>
> The patch: http://people.freebsd.org/~araujo/logs/ipfw-modip20080324.diff

Looked at the patch. Some lines are changed, e.g. in NAT definitions, without any visible changes, strange. Also, you're adding 7 opcodes in the kernel, 2 for match and 5 for setting, while having a single modip action in userland. In the case of significantly changing compilation rules, etc., we may need many new opcodes, so we should not waste them. For example, your O_IPTOSPRE is redundant because we already have O_IPPRECEDENCE, which the compiler could utilize while retaining more ABI compatibility.

I can correct and extend your patch for DSCP/TTL/any bytes (not forgetting credits, of course), if you're too busy...

-- 
WBR, Vadim Goncharov. ICQ#166852181 mailto:[EMAIL PROTECTED]
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]

___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]
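An added illustration of what a modip-style action has to do to a packet (example code written for this archive; it is not taken from the posted patch or from ipfw itself): rewriting DSCP, IP precedence, DF or TTL changes header bytes that the IPv4 header checksum covers, so the action must also fix the checksum or the next hop will drop the packet. The block works on a constructed 20-byte header in network byte order, patches one field at a time with the RFC 1624 incremental update, and keeps a full recompute (`ipv4_checksum_ok`) so every rewrite can be verified. All function names, byte offsets and the 10.0.0.1 / 10.0.0.2 sample addresses are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example: a minimal IPv4 header (20 bytes, no options) kept as
 * raw network-order bytes, plus modip-style field rewrites that keep the
 * header checksum valid. Byte offsets follow RFC 791.
 */
#define IPV4_HLEN  20
#define OFF_TOS     1   /* DSCP (6 bits) | ECN (2 bits); precedence = top 3 bits */
#define OFF_FLAGS   6   /* high byte of flags/fragment-offset word; DF is bit 0x40 */
#define OFF_TTL     8
#define OFF_CSUM   10

static uint16_t rd16(const uint8_t *h, size_t off) {
    return (uint16_t)(((uint16_t)h[off] << 8) | h[off + 1]);
}

static void wr16(uint8_t *h, size_t off, uint16_t v) {
    h[off] = (uint8_t)(v >> 8);
    h[off + 1] = (uint8_t)(v & 0xff);
}

/* Full one's-complement checksum over the header (RFC 1071). */
static uint16_t ip_checksum(const uint8_t *h, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += rd16(h, i);
    if (len & 1)
        sum += (uint32_t)h[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* A header is intact when the checksum over all 20 bytes folds to zero. */
int ipv4_checksum_ok(const uint8_t *h) {
    return ip_checksum(h, IPV4_HLEN) == 0;
}

/* Incremental update, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'). */
static uint16_t csum_replace16(uint16_t csum, uint16_t oldw, uint16_t neww) {
    uint32_t sum = (uint16_t)~csum;
    sum += (uint16_t)~oldw;
    sum += neww;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite one header byte and patch the checksum for the 16-bit word it sits in. */
static void ipv4_patch_byte(uint8_t *h, size_t off, uint8_t val) {
    size_t w = off & ~(size_t)1;
    uint16_t oldw = rd16(h, w);
    h[off] = val;
    wr16(h, OFF_CSUM, csum_replace16(rd16(h, OFF_CSUM), oldw, rd16(h, w)));
}

uint8_t ipv4_get_dscp(const uint8_t *h)       { return h[OFF_TOS] >> 2; }
uint8_t ipv4_get_precedence(const uint8_t *h) { return h[OFF_TOS] >> 5; }
int     ipv4_get_df(const uint8_t *h)         { return (h[OFF_FLAGS] & 0x40) != 0; }

void ipv4_set_dscp(uint8_t *h, uint8_t dscp) {        /* keeps the ECN bits */
    ipv4_patch_byte(h, OFF_TOS, (uint8_t)((h[OFF_TOS] & 0x03) | ((dscp & 0x3f) << 2)));
}
void ipv4_set_precedence(uint8_t *h, uint8_t prec) {  /* keeps the low 5 bits */
    ipv4_patch_byte(h, OFF_TOS, (uint8_t)((h[OFF_TOS] & 0x1f) | ((prec & 0x07) << 5)));
}
void ipv4_set_df(uint8_t *h, int on) {
    ipv4_patch_byte(h, OFF_FLAGS, (uint8_t)(on ? (h[OFF_FLAGS] | 0x40) : (h[OFF_FLAGS] & ~0x40)));
}
void ipv4_set_ttl(uint8_t *h, uint8_t ttl) {
    ipv4_patch_byte(h, OFF_TTL, ttl);
}

/* Constructed sample header: 10.0.0.1 -> 10.0.0.2, ICMP, TTL 64, ToS 0. */
void ipv4_build_sample(uint8_t *h) {
    static const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {10, 0, 0, 2};
    memset(h, 0, IPV4_HLEN);
    h[0] = 0x45;                 /* version 4, IHL 5 words */
    wr16(h, 2, 84);              /* total length */
    wr16(h, 4, 0x1234);          /* identification */
    h[OFF_TTL] = 64;
    h[9] = 1;                    /* protocol: ICMP */
    memcpy(h + 12, src, 4);
    memcpy(h + 16, dst, 4);
    wr16(h, OFF_CSUM, ip_checksum(h, IPV4_HLEN));   /* checksum field is still 0 here */
}

int main(void) {
    uint8_t h[IPV4_HLEN];
    ipv4_build_sample(h);
    printf("initial: csum=0x%04x ok=%d\n", rd16(h, OFF_CSUM), ipv4_checksum_ok(h));
    ipv4_set_dscp(h, 46);        /* EF */
    ipv4_set_df(h, 1);
    ipv4_set_ttl(h, 63);
    printf("after modip: dscp=%d prec=%d df=%d ttl=%d csum=0x%04x ok=%d\n",
           ipv4_get_dscp(h), ipv4_get_precedence(h), ipv4_get_df(h), h[OFF_TTL],
           rd16(h, OFF_CSUM), ipv4_checksum_ok(h));
    return 0;
}
```

The precedence setter only touches the top three bits of the ToS byte, so it is the same bit field the DSCP setter already covers; that is the overlap behind the remark above that a separate O_IPTOSPRE opcode duplicates what O_IPPRECEDENCE already matches. The incremental form is what a per-packet path wants, since it touches two header words instead of ten.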
Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate
Vadim Goncharov wrote:
> Looked at the patch. Some lines are changed, e.g. in NAT definitions, without any visible changes, strange. Also, you're adding 7 opcodes in the kernel, 2 for match and 5 for setting, while having a single modip action in userland. In the case of significantly changing compilation rules, etc., we may need many new opcodes, so we should not waste them. For example, your O_IPTOSPRE is redundant because we already have O_IPPRECEDENCE, which the compiler could utilize while retaining more ABI compatibility.
>
> I can correct and extend your patch for DSCP/TTL/any bytes (not forgetting credits, of course), if you're too busy...

Of course, I'm interested in any external support, because I need to finish my degree project and I'm a bit busy. Any help is welcome, and please feel free to re-work the patch. Since the most important thing really is *modip*, I'm happy that you are working on this idea. I'd like to see *modip* committed.

I will continue my research, and if I have some time to work with ipfw or another mechanism that has some relation to my degree project, I'll do it.

Best Regards,
-- 
Marcelo Araujo            (__)
[EMAIL PROTECTED]        \\\'',)
http://www.FreeBSD.org      \/  \ ^
Power To Server.             .\. /_)

signature.asc (Description: OpenPGP digital signature)
Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate
Vadim Goncharov wrote:
> Hi Julian Elischer!
>
> On Mon, 24 Mar 2008 10:53:44 -0700; Julian Elischer wrote about 'Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate':
>
>> here are some of my ideas for ipfw changes:
>>
>> 1/ redo locking so that packets do not have to get locks on the structure... I have several ideas on this
>
> Currently the main need for locking arises for rule byte/packet counters. The easiest short-term solution

The main need for locking is that the rules can be changed while a processor is traversing the rule set.

>> 2/ allow separate firewalls to be used at different parts of the network stack (i.e. allow multiple tables to co-exist). There are many places that ipfw is currently callable from: ip_input(), ip_output(), ether_demux(), if_bridge, ether_output(). It would be interesting to be able to have different firewalls in these places (possibly per interface) so that state (e.g. keep_state) can be kept separately for one place than for another. For example, you may not want the result of 'keep state' on an external interface to necessarily affect what happens to packets from the same session when viewed traversing an internal interface. Currently on my more complex ipfw rule sets I break the rule sets out so that packets in different places traverse different rules, but it would be nice to have it explicitly supported.
>
> Umm, could you explain it a little?..

>> 3/ possibly keeping per CPU stats..
>
> How would that be represented to the user?

It wouldn't.. you'd add them together before presenting them. But every time a packet changes a counter that is shared, there is a chance that it is being altered by another processor, so if you have fine grained locking in ipfw, you really should use atomic adds, which are slow, or accept possible collisions (which might be ok) but still cause a lot of cross cpu TLB flushing.
Re: kern/122109: ipfw nat traceroute problem
Synopsis: ipfw nat traceroute problem

Responsible-Changed-From-To: freebsd-ipfw->piso
Responsible-Changed-By: piso
Responsible-Changed-When: Wed Mar 26 20:32:04 UTC 2008
Responsible-Changed-Why:
Mine.

http://www.freebsd.org/cgi/query-pr.cgi?pr=122109
Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate
Hi Marcelo Araujo!

On Wed, 26 Mar 2008 09:17:48 -0300; Marcelo Araujo wrote about 'Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate':

> Of course, I'm interested in any external support, because I need to finish my degree project and I'm a bit busy. Any help is welcome, and please feel free to re-work the patch. Since the most important thing really is *modip*, I'm happy that you are working on this idea. I'd like to see *modip* committed.
>
> I will continue my research, and if I have some time to work with ipfw or another mechanism that has some relation to my degree project, I'll do it.

OK, I'll take it.

-- 
WBR, Vadim Goncharov. ICQ#166852181 mailto:[EMAIL PROTECTED]
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]