> On 02.08.2016 at 05:08, Julian Elischer <jul...@freebsd.org> wrote:
> 
> looking for thoughts from people who know the new IPFW features well..
> 
> 
> A recent addition to our armory is the geoip program that, given an address 
> can tell you what country it is in and given a country code, can give an ipfw 
> table that describes all the ip addresses in that country.
> 
> SO I was thinking how to use this, and the obvious way would be to have a set 
> of rules for each country, and use the "skipto tablearg" facility to skip to 
> the right rules for each country. But the trouble is that a tablearg skipto 
> is very inefficient. It's also a hard thing to set up with a set of rules for 
> each country (how many countries are there in the internet allocation 
> system?).

As of today a total of 236 country codes are in use for IPv4 delegations. If 
this helps for anything, a command line switch to the geoip tool could be added 
for letting it output the country code (as the hex encoded CC taken as a plain 
decimal integer) as the value for the given table entry. At the moment you can 
give one value for all entries generated by geoip; with this switch set, the 
output of geoip could look like:

$ geoip -t "DE:BR:US" -x
...
table 0 add 93.157.48.0/21 4445
table 0 add 93.158.236.0/22 4252
table 0 add 93.159.96.0/19 4445
table 0 add 93.159.248.0/21 4445
table 0 add 93.180.72.0/21 4445
table 0 add 93.180.152.0/21 4445
table 0 add 93.181.0.0/18 4445
table 0 add 93.183.0.0/18 5553
...

Given that ...
0x4445 = 'DE'
0x4252 = 'BR'
0x5553 = 'US'

..., for IT people who know by heart the low ASCII table like chemists (are 
supposed to) know the periodic table of the elements, this should not be too 
hard to remember.

> Another way would be to just put 'action numbers' in the tablearg field and 
> have a few actions, shared by countries, but the trouble comes when you want 
> to change the action for a country, you need to rewrite potentially 
> thousands of entries (USA has over 15800 allocations).

Two or more geoip commands can be used for populating ipfw tables for different 
utilization in ipfw directives:

# Europe (ipfw reads the generated table commands from the given file; /dev/stdin feeds it the pipe)
geoip -t "FR:IT:DE:NL:BE:GB:..." -n 1 -x | ipfw -q /dev/stdin

# North America
geoip -t "US:CA" -n 2 -x | ipfw -q /dev/stdin

# South America
geoip -t "AR:BR:UR:CL:PY:BO:PE..." -n 3 -x | ipfw -q /dev/stdin

...

> A second way would be to somehow map the tablearg of the country into a 
> table of actions, effectively doing two levels of lookup.
> 
> The first table converting IP addresses to a country number and a second 
> lookup converting that to an action.
> 
> The only trouble is that I don't know of a way to do that. If the new 
> changes allow that, and anyone knows how, please let me know :-).

Looking up a given IP in the totally balanced binary search tree takes on a 
decent system on average about 10-20 nanoseconds. So in theory 50 to 100 
million packets per second could be filtered by this algorithm. In order to 
come closer to this performance in reality, it might be an option to move 
the search algorithm into ipfw.

Best regards

Rolf
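
The following is an added example, not code from this thread, from the geoip tool or from ipfw. It puts the two ideas of the reply into working form: the proposed table value (the hex encoding of the two ASCII letters read as a decimal integer, so 'DE' becomes 4445) and the two-level lookup Julian asks about (address -> table value -> country). It assumes geoip output in the "table N add CIDR value" form shown in the reply; the first four sample lines are copied from that output and the fifth is a constructed entry nested inside 93.183.0.0/18 to show longest-prefix precedence. The lookup structure is a deliberately simple one hash map per prefix length, not ipfw's own tree, and it handles IPv4 only. It also checks one caveat of the encoding trick: letters J-O and Z hex-encode as 4A-4F and 5A, so codes such as JP do not form a decimal integer and are rejected rather than silently mis-encoded.

```python
"""Added example (not code from the thread, geoip or ipfw): encode a two-letter
country code as hex-of-ASCII read as a decimal integer, parse geoip-style
'table N add CIDR value' lines, and resolve an IPv4 address to its country
by longest-prefix match."""
import ipaddress
import re

# Constructed sample in the output format shown in the thread. The first four
# lines are copied from the page; the last one is made up and deliberately
# nested inside 93.183.0.0/18 so that the most specific prefix must win.
SAMPLE_TABLE = """\
table 0 add 93.157.48.0/21 4445
table 0 add 93.158.236.0/22 4252
table 0 add 93.159.96.0/19 4445
table 0 add 93.183.0.0/18 5553
table 0 add 93.183.32.0/20 4445
"""

LINE_RE = re.compile(r"^table\s+(\d+)\s+add\s+(\S+)\s+(\d+)$")


def cc_to_tablearg(cc):
    """'DE' -> b'DE'.hex() == '4445' -> the decimal integer 4445.

    Only letters whose ASCII code has an all-digit hex form (A-I, P-Y) survive
    this trick; J-O and Z hex-encode as 4A-4F and 5A, so e.g. 'JP' ('4A50')
    cannot be read as a decimal integer and is rejected here.
    """
    if len(cc) != 2 or not cc.isascii() or not cc.isalpha():
        raise ValueError(f"not a two-letter country code: {cc!r}")
    hexform = cc.upper().encode("ascii").hex().upper()
    if not hexform.isdigit():
        raise ValueError(f"{cc!r} hex-encodes as {hexform}, not a decimal integer")
    return int(hexform, 10)


def tablearg_to_cc(value):
    """Inverse of cc_to_tablearg: 4445 -> '4445' -> b'DE' -> 'DE'."""
    if not 0 < value <= 9999:
        raise ValueError(f"table value {value} cannot be a country code")
    cc = bytes.fromhex(f"{value:04d}").decode("ascii")
    if not cc.isalpha():
        raise ValueError(f"table value {value} does not decode to letters")
    return cc


def parse_table(text):
    """Parse 'table N add CIDR value' lines; blank lines and '...' are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised table line: {line!r}")
        net = ipaddress.ip_network(m.group(2), strict=True)
        if net.version != 4:
            raise ValueError("this example handles IPv4 prefixes only")
        entries.append((net, int(m.group(3))))
    return entries


class PrefixTable:
    """Longest-prefix match: one dict per prefix length, probed from the most
    specific length downwards. Simple and correct, but not ipfw's own tree."""

    def __init__(self, entries):
        self._by_len = {}
        for net, value in entries:
            self._by_len.setdefault(net.prefixlen, {})[int(net.network_address)] = value
        self._lengths = sorted(self._by_len, reverse=True)

    def lookup(self, addr):
        a = int(ipaddress.IPv4Address(addr))
        for plen in self._lengths:
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            value = self._by_len[plen].get(a & mask)
            if value is not None:
                return value
        return None  # no prefix covers this address


def country_of(table, addr):
    """Two-level lookup: address -> table value -> country code (None if unmatched)."""
    value = table.lookup(addr)
    return None if value is None else tablearg_to_cc(value)


if __name__ == "__main__":
    table = PrefixTable(parse_table(SAMPLE_TABLE))
    for ip in ("93.157.50.1", "93.158.237.1", "93.183.5.9", "93.183.40.7", "8.8.8.8"):
        print(ip, "->", country_of(table, ip))
```

Running the block resolves 93.157.50.1 and 93.183.40.7 to DE, 93.158.237.1 to BR, 93.183.5.9 to US, and 8.8.8.8 to no country. The rejection in cc_to_tablearg is the check worth keeping if the switch were implemented: a table value that is not a valid decimal would otherwise either fail at ipfw or, worse, be truncated to a wrong country.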

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw