Packet Mark is an analogue of ipfw tags with O(1) lookup from the mbuf, while regular tags require a singly-linked list traversal.
Mark is a 32-bit number that can be looked up in a table [with the 'number' table type], matched, or compared with a number with an optional mask applied before comparison.
Being generic in nature, Mark can be used for a variety of needs. For example, it could be used as a security group: the mark will hold a security group id and represent a group of packet flows that share the same access control policy.
Details
- Reviewers: melifaro, pauamma_gundo.com
- Group Reviewers: manpages, network
- Commits: rGfc727ad63d3f: ipfw: add [fw]mark implementation for ipfw
```
root@freebsd:~ # ipfw show
00100 123 21435 allow ip from any to any
65535 0 0 deny ip from any to any
root@freebsd:~ # ipfw add 50 setmark 22 icmp from 0.0.0.0 to 0.0.0.0
00050 setmark 0x16 icmp from 0.0.0.0 to 0.0.0.0
root@freebsd:~ # ipfw add 51 setmark 0x22 icmp from 0.0.0.0 to 0.0.0.0
00051 setmark 0x22 icmp from 0.0.0.0 to 0.0.0.0
root@freebsd:~ # ipfw table 10 create type addr valtype mark
root@freebsd:~ # ipfw table 10 info
--- table(10), set(0) ---
 kindex: 1, type: addr
 references: 0, valtype: mark
 algorithm: addr:radix
 items: 0, size: 296
root@freebsd:~ # ipfw add 10 setmark tablearg icmp from 'table(10)' to any via lo0
00010 setmark tablearg icmp from table(10) to any via lo0
root@freebsd:~ # ipfw add 20 count log icmp from 'table(10)' to any mark tablearg
00020 count log icmp from table(10) to any mark tablearg
root@freebsd:~ # ipfw show
00010 0 0 setmark tablearg icmp from table(10) to any via lo0
00020 0 0 count log icmp from table(10) to any mark tablearg
00050 0 0 setmark 0x16 icmp from 0.0.0.0 to 0.0.0.0
00051 0 0 setmark 0x22 icmp from 0.0.0.0 to 0.0.0.0
00100 1138 106883 allow ip from any to any
65535 0 0 deny ip from any to any
root@freebsd:~ # ifconfig em1
em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
	ether 08:00:27:19:f4:d6
	inet6 fe80::a00:27ff:fe19:f4d6%em1 prefixlen 64 scopeid 0x2
	inet 192.168.56.101 netmask 0xffffff00 broadcast 192.168.56.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
root@freebsd:~ # ipfw table 10 add 192.168.56.0/24 0x44
added: 192.168.56.0/24 0x44
root@freebsd:~ # ipfw table 10 list
192.168.56.0/24 0x44
root@freebsd:~ # sysctl net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose: 0 -> 1
root@freebsd:~ # ping -c 1 192.168.56.101
PING 192.168.56.101 (192.168.56.101): 56 data bytes
64 bytes from 192.168.56.101: icmp_seq=0 ttl=64 time=0.232 ms

--- 192.168.56.101 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.232/0.232/0.232/0.000 ms
root@freebsd:~ # tail /var/log/security
Apr 14 12:16:14 freebsd syslogd: last message repeated 1 times
Apr 14 12:27:01 freebsd kernel: ipfw: 20 Count ICMP:0.0 192.168.56.101 127.0.0.1 mark:0x44 out via lo0
Apr 14 12:27:01 freebsd kernel: ipfw: 20 Count ICMP:0.0 192.168.56.101 127.0.0.1 mark:0x44 in via lo0
root@freebsd:~ # ipfw show
00010 2 168 setmark tablearg icmp from table(10) to any via lo0
00020 2 168 count log icmp from table(10) to any mark tablearg
00050 0 0 setmark 0x16 icmp from 0.0.0.0 to 0.0.0.0
00051 0 0 setmark 0x22 icmp from 0.0.0.0 to 0.0.0.0
00100 2104 194583 allow ip from any to any
65535 0 0 deny ip from any to any
root@freebsd:~ #
```
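The security-group use the summary describes, written out as an added example; this is not code from the review or from FreeBSD. It builds on the commands exercised in the test plan above (a table with `valtype mark`, `setmark tablearg`, matching on `mark`). The `mark value/mask` match form is taken from ipfw(8) and, together with the table number, rule numbers, group ids, prefixes and interface name, is an assumption of this example rather than something the page shows.

```shell
#!/bin/sh
# Added example, not code from the review or from FreeBSD: a security-group
# style ruleset built on ipfw marks. A table with valtype mark maps source
# prefixes to a group id, "setmark tablearg" stamps that id on the packet, and
# later rules match on the mark instead of repeating address lists.
#
# Assumptions not shown on the review page: the "mark value/mask" match form
# documented in ipfw(8), and all table numbers, rule numbers, group ids,
# prefixes and the interface name, which are constructed for illustration.
# Running with IPFW=echo prints the rules instead of loading them.
IPFW=${IPFW:-ipfw}

# Constructed group ids: the low byte identifies the group, bit 8 flags the
# group as trusted so a single masked match can cover every trusted group.
GRP_WEB=0x0001
GRP_DB=0x0002
GRP_ADMIN=0x0103
TRUSTED_BIT=0x0100

fw() { "$IPFW" "$@"; }

load_security_groups() {
    # Source address -> group id. Unknown sources get no mark (mark stays 0).
    fw table 10 create type addr valtype mark
    fw table 10 add 192.0.2.0/24 "$GRP_WEB"
    fw table 10 add 198.51.100.0/24 "$GRP_DB"
    fw table 10 add 203.0.113.7 "$GRP_ADMIN"

    # Stamp the group id on every inbound packet from a known source.
    # setmark does not terminate rule processing (in the test plan rules 10
    # and 20 count the same packets), so the policy rules below still run.
    fw add 100 setmark tablearg ip from 'table(10)' to any in via em1

    # Trusted groups: only bit 8 is compared, so any id with that bit set
    # (GRP_ADMIN here) matches regardless of the low byte.
    fw add 200 allow ip from any to any mark "$TRUSTED_BIT/$TRUSTED_BIT"

    # Web group may open PostgreSQL connections to the database group only.
    fw add 300 allow tcp from any to 198.51.100.0/24 5432 mark "$GRP_WEB"

    # Database group may answer those connections and nothing else.
    fw add 310 allow tcp from 198.51.100.0/24 5432 to 192.0.2.0/24 established mark "$GRP_DB"

    # Unmarked (unknown source) or unpermitted traffic is dropped and logged.
    fw add 900 deny log ip from any to any
}

# Print the ruleset for review, or load it for real.
case "${1:-}" in
    dry-run) (IPFW=echo; load_security_groups) ;;
    load)    load_security_groups ;;
esac
```

`sh groups.sh dry-run` prints the rules; `sh groups.sh load` installs them. Because the only thing that assigns a non-zero mark is rule 100, a packet from an address outside the table carries mark 0, matches none of the allow rules and falls through to rule 900, so adding a host to a group is a single `ipfw table 10 add` rather than a change to the policy rules.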
Diff Detail
- Repository: rG FreeBSD src repository
- Lint: Lint Skipped
- Unit: Tests Skipped
Event Timeline
Generally LGTM.
| File | Line | Comment |
|---|---|---|
| sys/netinet/ip_fw.h | 908 | Why underscore? |
| sys/netpfil/ipfw/ip_fw_log.c | 107 | Nit: I'd name it mark_str to avoid confusion with other field names. |
| sys/netpfil/ipfw/ip_fw_pfil.c | 342 | This one is not required, it'll be initialized to 0 by default. |
| sys/netpfil/ipfw/ip_fw_private.h | 331 | I understand the reason, but I'd rather do it in a separate change (especially given it's pretty easy). |
| sys/netpfil/ipfw/ip_fw_private.h | 339 | Why do you need underscore here? |