The following reply was made to PR kern/103454; it has been noted by GNATS.

From: Roman Bogorodskiy <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: kern/103454: [ipfw] [patch] add a facility to modify DF bit of the 
IP packet
Date: Thu, 21 Sep 2006 17:56:15 +0400

 --5G06lTa6Jq83wMTw
 Content-Type: multipart/mixed; boundary="Bn2rw/3z4jIqBvZU"
 Content-Disposition: inline
 
 
 --Bn2rw/3z4jIqBvZU
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 Hi,
 
 Attaching a slightly updated patch. Changes:
 
 - If cmd->arg1 is neither 0 nor 1, just jump to the next rule
   without updating stats. In practice ipfw(8) only accepts 0 or 1
   as the argument for 'setdf', so this should never happen.
 - s/setdf DF/setdf N/ in `ipfw -h' output
 
 http://novel.fannet.ru/~novel/ipfw_setdf_20060921_3_CURRENT.diff
 
 --Bn2rw/3z4jIqBvZU
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="ipfw_setdf_20060921_3_CURRENT.diff"
 Content-Transfer-Encoding: quoted-printable
 
 ? sbin/ipfw/ipfw
 Index: sbin/ipfw/ipfw.8
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v
 retrieving revision 1.195
 diff -u -r1.195 ipfw.8
 --- sbin/ipfw/ipfw.8   18 Sep 2006 11:55:10 -0000      1.195
 +++ sbin/ipfw/ipfw.8   21 Sep 2006 13:41:49 -0000
 @@ -822,6 +822,11 @@
  and
  .Cm ngtee
  actions.
 +.It Cm setdf Ar value
 +Changes
 +.Cm DF
 +bit of the IP packet.
 +Value may be 0 (May Fragment) or 1 (Don't Fragment).
  .El
  .Ss RULE BODY
  The body of a rule contains zero or more patterns (such as
 Index: sbin/ipfw/ipfw2.c
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
 retrieving revision 1.98
 diff -u -r1.98 ipfw2.c
 --- sbin/ipfw/ipfw2.c  16 Sep 2006 19:27:40 -0000      1.98
 +++ sbin/ipfw/ipfw2.c  21 Sep 2006 13:41:50 -0000
 @@ -247,7 +247,8 @@
        TOK_RESET,
        TOK_UNREACH,
        TOK_CHECKSTATE,
 -
 +      TOK_SETDF,
 +=09
        TOK_ALTQ,
        TOK_LOG,
        TOK_TAG,
 @@ -374,6 +375,7 @@
        { "unreach6",           TOK_UNREACH6 },
        { "unreach",            TOK_UNREACH },
        { "check-state",        TOK_CHECKSTATE },
 +      { "setdf",              TOK_SETDF },
        { "//",                 TOK_COMMENT },
        { NULL, 0 }     /* terminator */
  };
 @@ -1555,6 +1557,10 @@
                    }
                        break;
 =20
 +              case O_SET_IPDF:
 +                      PRINT_UINT_ARG("setdf ", cmd->arg1);
 +                      break;
 +
                case O_LOG: /* O_LOG is printed last */
                        logptr =3D (ipfw_insn_log *)cmd;
                        break;
 @@ -2635,7 +2641,7 @@
  "RULE-BODY:   check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n"
  "ACTION:      check-state | allow | count | deny | unreach{,6} CODE |\n"
  "               skipto N | {divert|tee} PORT | forward ADDR |\n"
 -"               pipe N | queue N\n"
 +"               pipe N | queue N | setdf N\n"
  "PARAMS:      [log [logamount LOGLIMIT]] [altq QUEUE_NAME]\n"
  "ADDR:                [ MAC dst src ether_type ] \n"
  "             [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n"
 @@ -3970,6 +3976,20 @@
                action->opcode =3D O_COUNT;
                break;
 =20
 +      case TOK_SETDF:
 +         {
 +              int df;
 +                =20
 +              NEED1("need setdf arg\n");
 +              df =3D strtoul(*av, NULL, 0);
 +              if (df < 0 || df > 1)
 +                      errx(EX_DATAERR, "illegal argument for %s",
 +                              *(av - 1));
 +              fill_cmd(action, O_SET_IPDF, 0, df);
 +              ac--; av++;
 +         }
 +              break;
 +      =09
        case TOK_QUEUE:
                action->opcode =3D O_QUEUE;
                goto chkarg;
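Review bot: In the `TOK_SETDF` case the argument is parsed with `strtoul(*av, NULL, 0)` into an `int`, so a non-numeric argument converts to 0 and is accepted as a valid "clear DF" rule, and trailing garbage or a large value that truncates to 0 or 1 also passes the `df < 0 || df > 1` test. Because this silently changes what an installed firewall rule does, the parse should reject anything that is not exactly 0 or 1: `char *end; unsigned long df = strtoul(*av, &end, 0);` followed by `if (end == *av || *end != '\0' || df > 1)`. The enclosing switch starts and ends outside this hunk.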
 Index: sys/netinet/ip_fw.h
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v
 retrieving revision 1.108
 diff -u -r1.108 ip_fw.h
 --- sys/netinet/ip_fw.h        18 Aug 2006 22:36:04 -0000      1.108
 +++ sys/netinet/ip_fw.h        21 Sep 2006 13:42:11 -0000
 @@ -160,6 +160,8 @@
        O_TAG,                  /* arg1=3Dtag number */
        O_TAGGED,               /* arg1=3Dtag number */
 =20
 +      O_SET_IPDF,             /* arg1=3D[0|1] */
 +=09
        O_LAST_OPCODE           /* not an opcode!               */
  };
 =20
 Index: sys/netinet/ip_fw2.c
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
 retrieving revision 1.147
 diff -u -r1.147 ip_fw2.c
 --- sys/netinet/ip_fw2.c       16 Sep 2006 10:27:05 -0000      1.147
 +++ sys/netinet/ip_fw2.c       21 Sep 2006 13:42:11 -0000
 @@ -3127,6 +3127,23 @@
                                goto done;
                        }
 =20
 +                      case O_SET_IPDF:
 +                              switch (cmd->arg1) {
 +                                      case 0:
 +                                              ip->ip_off &=3D ~IP_DF;
 +                                              break;
 +                                      case 1:
 +                                              ip->ip_off |=3D IP_DF;
 +                                              break;
 +                                      default:
 +                                              goto next_rule;
 +                                              /* NOTREACHED */
 +                              }
 +                              f->pcnt++;
 +                              f->bcnt +=3D pktlen;
 +                              f->timestamp =3D time_second;
 +                              goto next_rule;
 +
                        case O_COUNT:
                        case O_SKIPTO:
                                f->pcnt++;      /* update stats */
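Review bot: The new `O_SET_IPDF` case writes `ip->ip_off` with no visible check that the packet is IPv4, that the field is in the byte order `IP_DF` is defined for, or that the header checksum is refreshed afterwards. The enclosing function starts and ends outside this hunk, so these may be guaranteed elsewhere, but if this switch can also be reached for IPv6 or layer-2 packets the write would change an unrelated bit of the header. I would skip non-IPv4 packets with `goto next_rule` before the inner switch and record the assumptions in a comment such as `/* ip_off is in host order here; ip_sum is recomputed before transmit */` once they are confirmed. Clearing DF also interferes with path-MTU discovery for the affected flow, which deserves a sentence in the ipfw.8 entry.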
 @@ -3654,6 +3671,10 @@
                                goto bad_size;
                        break;
 =20
 +              case O_SET_IPDF:
 +                      have_action =3D 1;
 +                      break;
 +
                case O_UID:
                case O_GID:
                case O_JAIL:
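Review bot: The `O_SET_IPDF` case in the rule validator only sets `have_action = 1`; unlike the preceding case that ends in `goto bad_size`, it checks neither the instruction length nor that `cmd->arg1` is 0 or 1. ipfw(8) is not the only possible source of rules, so the kernel should not rely on its argument check; as written an out-of-range value is installed and then silently skipped by the `default:` branch of the runtime switch. I would reject it at load time, e.g. `if (cmd->arg1 > 1) return (EINVAL);` before setting `have_action`, together with the same size check the other single-word actions use. The surrounding function is outside this hunk, so it is also worth confirming that this case does not bypass whatever checks the other actions share for duplicate actions or for an action that is not last in the rule.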
 
 --Bn2rw/3z4jIqBvZU--
 
 --5G06lTa6Jq83wMTw
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.5 (FreeBSD)
 
 iQCVAwUBRRKZ/4B0WzgdqspGAQK5wgP/ZiaI62k5RvNb6G71CH114zGX5SH6EYFa
 WDJ7T8Q/0By/KH0aHXlcBO5R3b1bEOoppaAYGOx4DXjFA75vqF17lPh9vi2Cs5R+
 RKOY84KANWLvATgVe48iaUIVQvvLUXaY6E7NFgyekhEywcqRpCId1WcSElCwi4jB
 uy2l78sTklU=
 =VnhE
 -----END PGP SIGNATURE-----
 
 --5G06lTa6Jq83wMTw--