Page MenuHomeFreeBSD
Differential D6674

Add named dynamic states support.
ClosedPublic
Actions

Authored by ae on Jun 1 2016, 12:30 PM.
Tags
None
Referenced Files
Unknown Object (File)
Feb 1 2024, 6:26 PM
Unknown Object (File)
Jan 7 2024, 5:57 PM
Unknown Object (File)
Dec 23 2023, 9:47 AM
Unknown Object (File)
Dec 1 2023, 3:16 PM
Unknown Object (File)
Nov 29 2023, 11:27 PM
Unknown Object (File)
Nov 29 2023, 11:27 PM
Unknown Object (File)
Nov 29 2023, 11:27 PM
Unknown Object (File)
Nov 29 2023, 11:27 PM
View All 51 Files
Subscribers
imp

Details

Reviewers
melifaro
julian
Group Reviewers
network
manpages
Commits
rS303018: Add named dynamic states support to ipfw(4).
Summary

This patch adds support of named dynamic states to ipfw(4).
The keep-state and check-state now will have additional argument - name.
This name will be assigned to dynamic rule by keep-state opcode.
And then can be matched by check-state opcode or O_PROBE_STATE internal opcode.

This implementation based on the opcode rewriting framework and uses named_objects
for fast lookups. The kernel replaces symbolic names with uint16 indexes and uses
them for matching.

For now to reduce possible breakage and to maximize compatibility introduced default name.
It will be assigned to the rules when user has omitted state name in keep-state and check-state
opcodes. Also if name is ambiguous (can be evaluated as rule opcode) it will be replaced to default.
So, if you load old ruleset, all check-state/keep-state opcodes will have default name.

Note that named states only supported by keep-state rules, limit rules doesn't have this support.

Test Plan

We did basic tests, but didn't used them in production yet.
Also limit rules not tested.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ae updated this revision to Diff 17180.Jun 1 2016, 12:30 PM
ae retitled this revision from to Add named dynamic states support..
ae updated this object.
ae edited the test plan for this revision. (Show Details)
ae added reviewers: network, julian, melifaro.
Herald added a reviewer: manpages. · View Herald TranscriptJun 1 2016, 12:30 PM
Herald added a subscriber: imp. · View Herald Transcript
ae updated this object.Jun 3 2016, 9:35 AM
ae edited edge metadata.
ae updated this revision to Diff 17537.Jun 12 2016, 1:41 PM

Add named states support to limit rules.

o Modify syntax to show that flowname is optional parameter.
o Remove sentence about unsupported IPv6 flows in limit rules. They should be supported.
o Add named states support to limit rules.
o Fix lookup for existing names in dyn_create - always use zero set.
o Remove strange redundant check from lookup_dyn_rule_locked(). We don't

need O_LIMIT_PARENT states here.
Herald edited edge metadata. · View Herald TranscriptJun 12 2016, 1:41 PM
julian accepted this revision.Jun 13 2016, 2:48 PM
julian edited edge metadata.

seems ok from the quick look I gave it
We've needed this feature for a long time.

sbin/ipfw/ipfw.8
756 ↗(On Diff #17537)

flowname seems to be not quit the right name for this. statetable maybe

This revision is now accepted and ready to land.Jun 13 2016, 2:48 PM
ae mentioned this in D1776: New options for ipfw - record-state, set-limit and skip-immediate-action - for simpler rulesets.Jun 14 2016, 11:32 AM
Closed by commit rS303018: Add named dynamic states support to ipfw(4). (authored by ae). · Explain WhyJul 19 2016, 4:57 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
sbin/
ipfw/
46 lines
96 lines
sys/
netinet/
4 lines
netpfil/
ipfw/
27 lines
237 lines
2 lines
9 lines

Diff 18532

View Options

head/sbin/ipfw/ipfw.8

Loading...
View Options

head/sbin/ipfw/ipfw2.c

Loading...
View Options

head/sys/netinet/ip_fw.h

Loading...
View Options

head/sys/netpfil/ipfw/ip_fw2.c

Loading...
View Options

head/sys/netpfil/ipfw/ip_fw_dynamic.c

Loading...
View Options

head/sys/netpfil/ipfw/ip_fw_private.h

Loading...
View Options

head/sys/netpfil/ipfw/ip_fw_sockopt.c

Loading...