Luigi Rizzo (*nix forums addict)
Joined: 07 Apr 2002
Posts: 72
Posted: Thu Jun 13, 2002 10:13 pm
Post subject: ipfw rewrite - new snapshot available
[Bcc to -net]
Hi,
as I mentioned in a posting to -net a few days ago, over the past
weeks I have done an extensive rewrite of the ipfw code (both userland
and kernel) in an attempt to make it faster, more flexible and more
manageable.
The code is now almost ready for commit, so I would appreciate
some feedback if any of you feel like trying it and, even
better, running some performance tests. You can fetch the code from
http://info.iet.unipi.it/~luigi/ipfw5.20020613.tgz
This is for a -current after May 15th, and replaces
sys/netinet/ip_fw.c
sys/netinet/ip_fw.h
sys/netinet/ip_dummynet.c
sbin/ipfw/ipfw.c
The idea behind this work was to replace the old ipfw rules
(macroinstructions) with a set of microinstructions, each of them
performing a single operation such as matching an address, or a
port range, or a protocol flag, etc. -- much in the spirit of BPF
and derivatives -- and to let the userland front-end compile ipfw
commands into an appropriate set of microinstructions.
There are several advantages in using this technique: first of all,
instructions are typically shorter and faster, because the old
code had to check for the presence of all the possible options
(there are over 25 of them!) in a rule, whereas the new one can
simply do just the things that are required.
I have implemented all the actions (accept/deny/pipe/divert/forward
....) and almost all the 25+ (ouch!) different options that can be
specified in a rule. The syntax for the userland program is 100%
backward compatible.
I have also implemented a few extensions to demonstrate the flexibility
of the new approach: you can put "or" connectives between fields,
so you can write things like
ipfw add allow ip from host1 or host2 or host3 or not net1/24 to any
and the like, and this greatly simplifies writing rulesets, as
you can imagine.
Other extensions (in the form of address sets, multiple rule
chains to be used on layer-2 and layer-3 firewalls, etc.) will
be trivial to implement.
cheers
luigi
-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/ . Universita` di Pisa
TEL/FAX: +39-050-568.533/522 . via Diotisalvi 2, 56126 PISA (Italy)
Mobile +39-347-0373137
-----------------------------------+-------------------------------------
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
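As an added illustration of the compile-to-microinstructions idea described above (example code written for this page, not the ipfw2 sources), the block below compiles a rule body such as "allow ip from host1 or host2 or not net1/24 to any" into a list of single-purpose match instructions and runs them against a packet, BPF-style. The function names, the packet dict layout and the IP addresses are constructed for the example.

```python
import ipaddress

# Constructed example: each microinstruction is a tuple
# (opcode, field, negate[, operand]) and does exactly one check.
# Consecutive "or" terms form one OR-block; a rule matches when
# every OR-block has at least one hit (AND of ORs).

def compile_addr_clause(field, text):
    """Turn 'a or b or not c/24' into one OR-block of microinstructions."""
    block = []
    for term in text.split(" or "):
        neg = term.startswith("not ")
        term = term[4:] if neg else term
        if term == "any":
            block.append(("match_any", field, neg))
        else:
            # a bare host compiles to a /32 network, a prefix to its network
            net = ipaddress.ip_network(term, strict=False)
            block.append(("match_net", field, neg, net))
    return block

def compile_rule(rule):
    """'<action> <proto> from <src> to <dst>' -> (action, list of OR-blocks).

    Only the checks the rule actually needs are emitted: a rule on 'ip'
    gets no protocol instruction at all."""
    action, proto, _from, rest = rule.split(" ", 3)
    src, dst = rest.split(" to ")
    prog = []
    if proto != "ip":
        prog.append([("match_proto", "proto", False, proto)])
    prog.append(compile_addr_clause("src", src))
    prog.append(compile_addr_clause("dst", dst))
    return action, prog

def run_insn(insn, pkt):
    """Evaluate one microinstruction against a packet, honouring 'not'."""
    op, field, neg = insn[0], insn[1], insn[2]
    if op == "match_any":
        hit = True
    elif op == "match_proto":
        hit = pkt["proto"] == insn[3]
    else:
        hit = ipaddress.ip_address(pkt[field]) in insn[3]
    return hit != neg

def match(prog, pkt):
    """A packet matches when every OR-block has at least one hit."""
    return all(any(run_insn(i, pkt) for i in block) for block in prog)
```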
Andre Oppermann (*nix forums addict)
Joined: 21 Mar 2002
Posts: 55
Posted: Thu Jun 13, 2002 10:29 pm
Post subject: Re: ipfw rewrite - new snapshot available
'Luigi Rizzo' wrote:
> [Bcc to -net]
> Hi,
> as I mentioned in a posting to -net a few days ago, over the past
> weeks I have done an extensive rewrite of the ipfw code (both userland
> and kernel) in an attempt to make it faster, more flexible and more
Cool stuff! I'm impressed!
--
Andre
Poul-Henning Kamp (*nix forums Guru)
Joined: 21 Mar 2002
Posts: 436
Posted: Fri Jun 14, 2002 4:45 am
Post subject: Re: ipfw rewrite - new snapshot available
In message <20020613171319.D93980@iguana.icir.org>, "'Luigi Rizzo'" writes:
> as I mentioned in a posting to -net a few days ago, over the past
> weeks I have done an extensive rewrite of the ipfw code (both userland
> and kernel) in an attempt to make it faster, more flexible and more
> manageable.
Does your testing reveal if it is faster?
Poul-Henning
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Luigi Rizzo (*nix forums addict)
Joined: 07 Apr 2002
Posts: 72
Posted: Fri Jun 14, 2002 5:01 am
Post subject: Re: ipfw rewrite - new snapshot available
On Fri, Jun 14, 2002 at 08:45:34AM +0200, Poul-Henning Kamp wrote:
> In message <20020613171319.D93980@iguana.icir.org>, "'Luigi Rizzo'" writes:
> > as I mentioned in a posting to -net a few days ago, over the past
> > weeks I have done an extensive rewrite of the ipfw code (both userland
> > and kernel) in an attempt to make it faster, more flexible and more
> > manageable.
> Does your testing reveal if it is faster?
Not tried yet; my day is only 24 hours and I am using a lot
of it already :(
It does reveal that the new code is orders of magnitude easier to extend,
debug and audit, which seems to me an equally important result.
cheers
luigi
Julian Elischer (*nix forums Guru Wannabe)
Joined: 20 Mar 2002
Posts: 279
Posted: Fri Jun 14, 2002 5:41 am
Post subject: Re: ipfw rewrite - new snapshot available
Hi Luigi.
I haven't had a chance to look at it yet..
Too busy at USENIX..
I'll try to look at it after I get back, after I do KSE-MIII after..... :-)
Dag-Erling Smorgrav (*nix forums Guru Wannabe)
Joined: 23 Mar 2002
Posts: 110
Posted: Fri Jun 14, 2002 9:29 am
Post subject: Re: ipfw rewrite - new snapshot available
"'Luigi Rizzo'" <rizzo@icir.org> writes:
> It does reveal that the new code is orders of magnitude easier to extend,
> debug and audit, which seems to me an equally important result.
Absolutely. Excellent work, Luigi!
DES
--
Dag-Erling Smorgrav - des@ofug.org
Andrew V. Jemerya (*nix forums beginner)
Joined: 14 Jun 2002
Posts: 1
Posted: Fri Jun 14, 2002 9:38 am
Post subject: Re: ipfw rewrite - new snapshot available
Hi!
Can I use this new ipfw snapshot for 4.x?
With best regards
Andrew V. Jemerya
Trish Lynch (*nix forums beginner)
Joined: 14 Jun 2002
Posts: 3
Posted: Fri Jun 14, 2002 3:58 pm
Post subject: Re: ipfw rewrite - new snapshot available
On Thu, 13 Jun 2002, 'Luigi Rizzo' wrote:
> I have implemented all the actions (accept/deny/pipe/divert/forward
> ...) and almost all the 25+ (ouch!) different options that can be
> specified in a rule. The syntax for the userland program is 100%
> backward compatible.
Did something change with the syntax of divert rules?
ipfw add divert 8668 from any to any via fxp1
returns an error, "Illegal divert/tee port"
of course this makes it difficult to use natd with it :)
(how I built: I built world and a kernel with old ipfw, then rebooted,
backed up /sbin/ipfw and the /boot/kernel directories, then backed up
/include/netinet/ip_fw.h and /include/netinet/ip_dummynet.h and replaced
them with your versions, and rebuilt ipfw and the kernel with the new
code, did I miss something?)
-Trish
--
Trish Lynch trish@bsdunix.net
FreeBSD The Power to Serve
Ecartis Core Team trish@listmistress.org
http://www.freebsd.org
Luigi Rizzo (*nix forums addict)
Joined: 07 Apr 2002
Posts: 72
Posted: Fri Jun 14, 2002 6:24 pm
Post subject: Re: ipfw rewrite - new snapshot available
On Fri, Jun 14, 2002 at 11:58:23AM -0400, Trish Lynch wrote:
....
> Did something change with the syntax of divert rules?
yeah, I misused a variable in ipfw.c ... have fixed it, thanks.
In the meantime you can use
ipfw add divert natd ip from any to any via fxp1
(i just tested it, it works)
cheers
luigi
Trish Lynch (*nix forums beginner)
Joined: 14 Jun 2002
Posts: 3
Posted: Fri Jun 14, 2002 10:09 pm
Post subject: Re: ipfw rewrite - new snapshot available
On Fri, 14 Jun 2002, 'Luigi Rizzo' wrote:
> On Fri, Jun 14, 2002 at 11:58:23AM -0400, Trish Lynch wrote:
> ...
> > Did something change with the syntax of divert rules?
> yeah, I misused a variable in ipfw.c ... have fixed it, thanks.
> In the meantime you can use
> ipfw add divert natd ip from any to any via fxp1
> (i just tested it, it works)
> cheers
> luigi
So far so good, I'm going to work on testing this this week.
dummynet works, divert works :)
-Trish
--
Trish Lynch trish@bsdunix.net
FreeBSD The Power to Serve
Ecartis Core Team trish@listmistress.org
http://www.freebsd.org