looking int he code I noticed that the following command gave
no error but didn't work..
ipfw add 1000 skipto tablearg ip from any to table(31)
and as I have a use for that, I implemented it..
see attached patch... (hopefully not stripped)
Of course it is hoped that the rules you are skipping to are nearby
as it iterates through the rules following the skipto to find the
target,
but....
if you had a thousand table entries and wanted to sort them into
20 buckets, it could save you puting them into 20 different
tables and doing 20 table lookups on them.
here I sort into two categories.. possibly already a win..
[EMAIL PROTECTED]:cat ipfw-test.sh
#!/bin/sh
ipfw add 100 skipto 10000 ip from any to not 1.1.1.0/24
ipfw add 1000 skipto tablearg ip from any to "table(31)"
ipfw add 2000 drop ip from any to any
ipfw add 2001 drop ip from any to any
ipfw add 3000 drop ip from any to any
ipfw add 3001 drop ip from any to any
ipfw add 10000 count ip from any to any
ipfw table 31 add 1.1.1.1 2000
ipfw table 31 add 1.1.1.2 3000
[EMAIL PROTECTED]: ping 1.1.1.1
[...] (2 packets bounced)
[EMAIL PROTECTED]: ping 1.1.1.2
[...] (12 packets bounced)
[EMAIL PROTECTED]: ipfw show
00100 220 19633 skipto 10000 ip from any to not 1.1.1.0/24
01000 14 1176 skipto tablearg ip from any to table(31)
02000 2 168 deny ip from any to any
02001 0 0 deny ip from any to any
03000 12 1008 deny ip from any to any
03001 0 0 deny ip from any to any
10000 209 18549 count ip from any to any
65535 1751 153792 allow ip from any to any
comments?
Index: ip_fw2.c
===================================================================
RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.186
diff -u -r1.186 ip_fw2.c
--- ip_fw2.c 9 May 2008 23:02:57 -0000 1.186
+++ ip_fw2.c 1 Aug 2008 01:15:06 -0000
@@ -1738,10 +1738,11 @@
*/
static struct ip_fw *
-lookup_next_rule(struct ip_fw *me)
+lookup_next_rule(struct ip_fw *me, u_int32_t tablearg)
{
struct ip_fw *rule = NULL;
ipfw_insn *cmd;
+ u_int16_t rulenum;
/* look for action, in case it is a skipto */
cmd = ACTION_PTR(me);
@@ -1751,10 +1752,18 @@
cmd += F_LEN(cmd);
if (cmd->opcode == O_TAG)
cmd += F_LEN(cmd);
- if ( cmd->opcode == O_SKIPTO )
- for (rule = me->next; rule ; rule = rule->next)
- if (rule->rulenum >= cmd->arg1)
+ if (cmd->opcode == O_SKIPTO ) {
+ if (tablearg != 0) {
+ rulenum = (u_int16_t)tablearg;
+ } else {
+ rulenum = cmd->arg1;
+ }
+ for (rule = me->next; rule ; rule = rule->next) {
+ if (rule->rulenum >= rulenum) {
break;
+ }
+ }
+ }
if (rule == NULL) /* failure or not a skipto */
rule = me->next;
me->next_rule = rule;
@@ -2475,7 +2484,7 @@
f = args->rule->next_rule;
if (f == NULL)
- f = lookup_next_rule(args->rule);
+ f = lookup_next_rule(args->rule, 0);
} else {
/*
* Find the starting rule. It can be either the first
@@ -3226,9 +3235,13 @@
if (cmd->opcode == O_COUNT)
goto next_rule;
/* handle skipto */
- if (f->next_rule == NULL)
- lookup_next_rule(f);
- f = f->next_rule;
+ if (cmd->arg1 == IP_FW_TABLEARG) {
+ f = lookup_next_rule(f, tablearg);
+ } else {
+ if (f->next_rule == NULL)
+ lookup_next_rule(f, 0);
+ f = f->next_rule;
+ }
goto again;
case O_REJECT:
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
