Add ipfw protocol modification module ipfw_pmod
ClosedPublic
Actions

Authored by ae on Mar 27 2017, 1:51 PM.

Details

Reviewers

Group Reviewers

manpages
network

Commits

rS316435: Add ipfw_pmod kernel module.

Summary

This patch add new ipfw_pmod kernel module, that currently implements tcp-setmss rule action.
It sets TCP MSS value and supports both IPv4 and IPv6.

tcp-setmss rule works like setdscp rule. All TCP packets with SYN flag are matched, and if packet contains MSS TCP option, and its value is greater than specified in tcp-setmss VALUE, it modifies this value and updates TCP checksum if needed.

New O_EXTERNAL_DATA opcode added. It used together with O_EXTERNAL_ACTION opcode, but it does not require creating of some named instances, like O_EXTERNAL_INSTANCE opcode requires.

Later we can add some another opcodes with similar functional, but for different protocols to this ipfw_pmod module.

Test Plan

I tested the rule:

tcp-setmss 1300 tcp from any to any

for locally generated TCP traffic and for forwarded traffic, both IPv4 and IPv6. It modifies MSS value correctly.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

ae created this revision.Mar 27 2017, 1:51 PM

Herald added a reviewer: manpages. · View Herald TranscriptMar 27 2017, 1:51 PM

Herald added a subscriber: imp. · View Herald Transcript

Harbormaster completed remote builds in B8309: Diff 26690.Mar 27 2017, 2:29 PM

Modify some comments and error messages. Fix checksum modification
for forwarded traffic.

ae edited the summary of this revision. (Show Details)Mar 27 2017, 6:43 PM

ae edited the test plan for this revision. (Show Details)

ae added reviewers: network, julian.

Harbormaster completed remote builds in B8313: Diff 26699.Mar 27 2017, 7:54 PM

Closed by commit rS316435: Add ipfw_pmod kernel module. (authored by ae). · Explain WhyApr 3 2017, 3:08 AM

This revision was automatically updated to reflect the committed changes.

wblock added a subscriber: wblock.May 19 2017, 4:18 PM

wblock added inline comments.

head/sbin/ipfw/ipfw.8
1126	must be loaded or the kernel must have
1129	s/original/the original/
1130	s/specified/the specified/
1132	The search continues with the next rule regardless of whether a packet is matched by the .Cm tcp-setmss rule.