Packet Mark is an analogue to ipfw tags with O(1) lookup from the mbuf, while regular tags require a singly-linked list traversal.
Mark is a 32-bit number that can be looked up in a table [with the 'number' table type], matched, or compared with a number with an optional mask applied before comparison.
Being generic in nature, Mark can be used for a variety of needs. For example, it could be used as a security group: the mark will hold a security group id and represent a group of packet flows that share the same access control policy.
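As an added illustration of the security-group use described above (example script, not part of this review or of ipfw's own code): group membership lives in a table with valtype mark, one setmark rule stamps the mark on ingress, and the policy rules then match only on the mark. The 16-bit group id / 16-bit flags layout, the table number and rule numbers, the prefixes, and the `mark value/mask` spelling of the masked comparison are assumptions made for the example; check ipfw(8) on the release you run before using the `/mask` form. The script only emits the ruleset and models the masked comparison, so it runs without ipfw present.

```shell
#!/bin/sh
# Added example: encoding security groups in ipfw packet marks.
# Assumed layout (not from the review): high 16 bits = group id, low 16 bits = flags.
SG_FLAG_TRUSTED=1

# sg_mark GROUP_ID FLAGS -> 32-bit mark as 0x-prefixed hex, e.g. sg_mark 1 1 -> 0x00010001
sg_mark() {
    printf '0x%08x\n' $(( (($1 & 0xffff) << 16) | ($2 & 0xffff) ))
}

# mark_matches MARK VALUE MASK -> true when (MARK & MASK) == (VALUE & MASK),
# i.e. the mask is applied to both sides before the comparison, as the summary describes.
mark_matches() {
    [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]
}

# sg_rules prints an ipfw ruleset (assumed syntax for "mark value/mask"):
#   table 10 maps source prefixes to marks (constructed example prefixes),
#   rule 100 stamps the mark on inbound packets,
#   rules 200-300 express the group policy purely in terms of the mark.
sg_rules() {
    web=$(sg_mark 1 $SG_FLAG_TRUSTED)   # group 1, trusted flag set
    db=$(sg_mark 2 0)                   # group 2, no flags
    cat <<EOF
ipfw table 10 create type addr valtype mark
ipfw table 10 add 192.0.2.0/24 $web
ipfw table 10 add 198.51.100.0/24 $db
ipfw add 100 setmark tablearg ip from 'table(10)' to any in
ipfw add 200 allow tcp from any to any 3306 mark $(sg_mark 1 0)/0xffff0000
ipfw add 210 allow ip from any to any mark $(sg_mark 0 $SG_FLAG_TRUSTED)/0x0000ffff
ipfw add 300 deny ip from any to any mark $(sg_mark 2 0)/0xffff0000
EOF
}

# Usage: sg_rules | sh   (on a FreeBSD host with ipfw loaded)
# Sanity check of the policy against the modelled comparison:
#   web group (0x00010001) hits rule 200 and rule 210; db group (0x00020000) hits rule 300.
sg_rules
```

Rule 200 keys on the group id bits only, so adding or clearing flags on a web host never changes its database access; rule 210 keys on the flag bits only, so a trusted flag grants the same blanket allow regardless of group. That separation is the point of applying a mask before comparison rather than matching the full 32-bit value.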
Details
- Reviewers: melifaro, pauamma_gundo.com
- Group Reviewers: manpages, network
- Commits: rGfc727ad63d3f: ipfw: add [fw]mark implementation for ipfw
root@freebsd:~ # ipfw show
00100 123 21435 allow ip from any to any
65535 0 0 deny ip from any to any
root@freebsd:~ # ipfw add 50 setmark 22 icmp from 0.0.0.0 to 0.0.0.0
00050 setmark 0x16 icmp from 0.0.0.0 to 0.0.0.0
root@freebsd:~ # ipfw add 51 setmark 0x22 icmp from 0.0.0.0 to 0.0.0.0
00051 setmark 0x22 icmp from 0.0.0.0 to 0.0.0.0
root@freebsd:~ # ipfw table 10 create type addr valtype mark
root@freebsd:~ # ipfw table 10 info
--- table(10), set(0) ---
kindex: 1, type: addr
references: 0, valtype: mark
algorithm: addr:radix
items: 0, size: 296
root@freebsd:~ # ipfw add 10 setmark tablearg icmp from 'table(10)' to any via lo0
00010 setmark tablearg icmp from table(10) to any via lo0
root@freebsd:~ # ipfw add 20 count log icmp from 'table(10)' to any mark tablearg
00020 count log icmp from table(10) to any mark tablearg
root@freebsd:~ # ipfw show
00010 0 0 setmark tablearg icmp from table(10) to any via lo0
00020 0 0 count log icmp from table(10) to any mark tablearg
00050 0 0 setmark 0x16 icmp from 0.0.0.0 to 0.0.0.0
00051 0 0 setmark 0x22 icmp from 0.0.0.0 to 0.0.0.0
00100 1138 106883 allow ip from any to any
65535 0 0 deny ip from any to any
root@freebsd:~ # ifconfig em1
em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
ether 08:00:27:19:f4:d6
inet6 fe80::a00:27ff:fe19:f4d6%em1 prefixlen 64 scopeid 0x2
inet 192.168.56.101 netmask 0xffffff00 broadcast 192.168.56.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
root@freebsd:~ # ipfw table 10 add 192.168.56.0/24 0x44
added: 192.168.56.0/24 0x44
root@freebsd:~ # ipfw table 10 list
192.168.56.0/24 0x44
root@freebsd:~ # sysctl net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose: 0 -> 1
root@freebsd:~ # ping -c 1 192.168.56.101
PING 192.168.56.101 (192.168.56.101): 56 data bytes
64 bytes from 192.168.56.101: icmp_seq=0 ttl=64 time=0.232 ms
--- 192.168.56.101 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.232/0.232/0.232/0.000 ms
root@freebsd:~ # tail /var/log/security
Apr 14 12:16:14 freebsd syslogd: last message repeated 1 times
Apr 14 12:27:01 freebsd kernel: ipfw: 20 Count ICMP:0.0 192.168.56.101 127.0.0.1 mark:0x44 out via lo0
Apr 14 12:27:01 freebsd kernel: ipfw: 20 Count ICMP:0.0 192.168.56.101 127.0.0.1 mark:0x44 in via lo0
root@freebsd:~ # ipfw show
00010 2 168 setmark tablearg icmp from table(10) to any via lo0
00020 2 168 count log icmp from table(10) to any mark tablearg
00050 0 0 setmark 0x16 icmp from 0.0.0.0 to 0.0.0.0
00051 0 0 setmark 0x22 icmp from 0.0.0.0 to 0.0.0.0
00100 2104 194583 allow ip from any to any
65535 0 0 deny ip from any to any
root@freebsd:~ #
Diff Detail
- Repository: rG FreeBSD src repository
- Lint: Lint Skipped
- Unit: Tests Skipped
Event Timeline
Generally LGTM.
| File | Line | Comment |
|---|---|---|
| sys/netinet/ip_fw.h | 908 | Why underscore? |
| sys/netpfil/ipfw/ip_fw_log.c | 107 | Nit: I'd name it mark_str to avoid confusion with other field names. |
| sys/netpfil/ipfw/ip_fw_pfil.c | 342 | This one is not required, it'll be initialized to 0 by default. |
| sys/netpfil/ipfw/ip_fw_private.h | 331 | I understand the reason, but I'd rather do it in a separate change (especially given it's pretty easy). |
| sys/netpfil/ipfw/ip_fw_private.h | 339 | Why do you need underscore here? |