On Thu, 31 Jul 2008, Julian Elischer wrote:

> looking in the code I noticed that the following command gave
> no error but didn't work..
>
> ipfw add 1000 skipto tablearg ip from any to table(31)

Content addressable branching is an elegant and useful idea, thanks for
making it work. A simple example in ipfw(8) might promote 'uptake'?

> and as I have a use for that, I implemented it..

MFC to 6 possible? likely? I know there's lots of other stuff that
hasn't / won't / can't be, but this one looked perhaps stand-alone ..

> see attached patch... (hopefully not stripped)
>
> Of course it is hoped that the rules you are skipping to are nearby
> as it iterates through the rules following the skipto to find the
> target,

Until $someone adds a direct skipto target jump at the virtual machine
code level - big recalc hit when adding/deleting rules/sets I suppose -
it's still the fastest way to get from a to b, where b > a

Speaking of which, should ipfw whinge when asked to skip backwards,
which it can't, confirmed on a recent browse re Mike's ipfw-classifyd
and a local test months ago.

> but....
> if you had a thousand table entries and wanted to sort them into
> 20 buckets, it could save you putting them into 20 different
> tables and doing 20 table lookups on them.

Or even just for quick basic traffic-splitting, bogon lists, whatever ..

> here I sort into two categories.. possibly already a win..
>
> [EMAIL PROTECTED]:cat ipfw-test.sh
> #!/bin/sh
> ipfw add 100 skipto 10000 ip from any to not 1.1.1.0/24
> ipfw add 1000 skipto tablearg ip from any to "table(31)"
> ipfw add 2000 drop ip from any to any
> ipfw add 2001 drop ip from any to any
> ipfw add 3000 drop ip from any to any
> ipfw add 3001 drop ip from any to any
> ipfw add 10000 count ip from any to any
> ipfw table 31 add 1.1.1.1 2000
> ipfw table 31 add 1.1.1.2 3000
>
> [EMAIL PROTECTED]: ping 1.1.1.1
> [...]
> (2 packets bounced)
> [EMAIL PROTECTED]: ping 1.1.1.2
> [...]
> (12 packets bounced)
>
> [EMAIL PROTECTED]: ipfw show
> 00100  220 19633 skipto 10000 ip from any to not 1.1.1.0/24
> 01000   14  1176 skipto tablearg ip from any to table(31)
> 02000    2   168 deny ip from any to any
> 02001    0     0 deny ip from any to any
> 03000   12  1008 deny ip from any to any
> 03001    0     0 deny ip from any to any
> 10000  209 18549 count ip from any to any
> 65535 1751 153792 allow ip from any to any
>
> comments?

I like it, FWIW.

> +     if (tablearg != 0) {
> +             rulenum = (u_int16_t)tablearg;

Should we check that tablearg is < 64K before merrily casting?

cheers, Ian

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
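An added illustration, not code from the thread or from ipfw itself: a small Python model of the forward-only skipto walk over Julian's test ruleset, with the table value used as the jump target, the range check Ian asks about, and what the unchecked u_int16_t cast would do to an oversized table value. The rule tuples, table contents and matcher are constructed for the example and cover only the match forms the script uses.

```python
import ipaddress

# Constructed model of Julian's test ruleset, not the ipfw kernel code:
# (rule number, action, skipto target or None, destination spec)
RULES = [
    (100,   "skipto", 10000,      "not 1.1.1.0/24"),
    (1000,  "skipto", "tablearg", "table(31)"),
    (2000,  "deny",   None,       "any"),
    (3000,  "deny",   None,       "any"),
    (10000, "count",  None,       "any"),
    (65535, "allow",  None,       "any"),
]
TABLES = {31: {"1.1.1.1": 2000, "1.1.1.2": 3000}}  # ipfw table 31 add ...

def dst_matches(dst, spec, tables):
    """Destination matcher for the forms the test script uses."""
    if spec == "any":
        return True
    if spec.startswith("not "):
        return not dst_matches(dst, spec[4:], tables)
    if spec.startswith("table("):
        return dst in tables[int(spec[6:-1])]
    return ipaddress.ip_address(dst) in ipaddress.ip_network(spec)

def truncate_u16(value):
    return value & 0xFFFF  # what an unchecked (u_int16_t) cast silently does

def evaluate(dst, rules=RULES, tables=TABLES):
    """Walk the rules in order; return (action, rule number) that decided."""
    i = 0
    while i < len(rules):
        num, action, target, spec = rules[i]
        if not dst_matches(dst, spec, tables):
            i += 1
            continue
        if action in ("deny", "allow"):
            return action, num
        if action == "skipto":
            if target == "tablearg":            # the table value is the target
                target = tables[int(spec[6:-1])][dst]
                if not 0 < target < 65536:      # the range check Ian asks about
                    raise ValueError(f"table value {target} is not a rule number")
            if target <= num:                   # skipto only goes forward
                raise ValueError("skipto cannot jump backwards")
            while i < len(rules) and rules[i][0] < target:
                i += 1                          # skip rules numbered below target
            continue
        i += 1                                  # count etc. fall through
    return "allow", 65535                       # default rule
```

A table value of 65536 + 2000 would, after the cast, land on rule 2000 rather than being rejected, which is why the range check belongs before the assignment.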