Re: Efficient use of Dummynet pipes in IPFW

• Previous message: Brett Glass: "Re: Efficient use of Dummynet pipes in IPFW"
• In reply to: Luigi Rizzo: "Re: Efficient use of Dummynet pipes in IPFW"
• Next in thread: Ian Smith: "Re: Efficient use of Dummynet pipes in IPFW"
• Reply: Ian Smith: "Re: Efficient use of Dummynet pipes in IPFW"
• Reply: Jeremie Le Hen: "Re: Efficient use of Dummynet pipes in IPFW"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Mon, 19 Sep 2005 11:20:46 -0600
To: Luigi Rizzo <rizzo@icir.org>, Jeremie Le Hen <jeremie@le-hen.org>

At 10:20 AM 9/19/2005, Luigi Rizzo wrote:

>original
>
> ipfw add 1000 dosomething cond1 cond2 cond3 cond4 cond5 ... condN
>
>negated:
>
> ipfw add 1000 skipto 1001 cond1 cond2 cond3 cond4 cond5 ... condN
> ipfw add 1000 dosomething

This doesn't work, because you must transform cond1 && cond2 && cond3...
into multiple rules that implement ~(cond1 || cond2 || cond3...). So,
you'd need do do the following:

ipfw add 1000 skipto 1001 not cond1
ipfw add 1000 skipto 1001 not cond2
... (N rules total)
ipfw add 1000 skipto 1001 not condN
ipfw add 1000 dosomething
ipfw add 1000 skipto 5000 // Where to resume on success
ipfw add 1001 // Jump target; implemented in IPFW as "count ip from any to any"

The other way to do it is via "spaghetti rules:"

ipfw add 1000 skipto 1002 cond1 cond2 cond3 cond4 cond5 ... condN
ipfw add 1001 skipto 1003
ipfw add 1002 dosomething
ipfw add 1002 skipto 5000 // Where to resume on success
ipfw add 1003 // Jump target; implemented inside IPFW as "count ip from any to any"

Or you can do the entire pattern match twice:

ipfw add 1000 dosomething cond1 cond2 cond3 cond4 cond5 ... condN
ipfw add 1000 skipto 5000 cond1 cond2 cond3 cond4 cond5 ... condN

--Brett

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

• Previous message: Brett Glass: "Re: Efficient use of Dummynet pipes in IPFW"
• In reply to: Luigi Rizzo: "Re: Efficient use of Dummynet pipes in IPFW"
• Next in thread: Ian Smith: "Re: Efficient use of Dummynet pipes in IPFW"
• Reply: Ian Smith: "Re: Efficient use of Dummynet pipes in IPFW"
• Reply: Jeremie Le Hen: "Re: Efficient use of Dummynet pipes in IPFW"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: How to block 200K ip addresses? ... man ipfw, search for "lookup tables". ... add 2300 skipto 2301 ip from 0.0.0.0/6 to any ... add 2302 deny ip from 4.0.25.146/31 to any ... Will it be faster to load using the table? ... (freebsd-questions) Re: Efficient use of Dummynet pipes in IPFW ... because IPFW doesn't have a "not" that can cover the ... So what Luigi says is absolutely correct for that desired negation. ... you can't do it with a SINGLE rule; it is low level, ... skipto is fast. ... (freebsd-net) Re: Multiple NAT router ... The FreeBSD box would do NAT for all of them, and of course they could not "see" one another. ... I'm not sure that FreeBSD's natd is equipped to sort incoming packets for multiple, identically numbered LANs properly, because it would have to remember interface names as well as addresses. ... run a separate natd ON DIFFERENT PORTS for each inteface and use ipfw to forward packets only to the ... ipfw add 51 skipto 150 ip from any to any out ... (freebsd-net) Re: How to block 200K ip addresses? ... man ipfw, search for "lookup tables". ... add 2300 skipto 2301 ip from 0.0.0.0/6 to any ... add 2302 deny ip from 4.0.25.146/31 to any ... incoming packets from the listed IP ranges, ... (freebsd-questions) RE: How to block 200K ip addresses? ... Since my server is a remote server that I can accessed ... man ipfw, search for "lookup tables". ... add 2300 skipto 2301 ip from 0.0.0.0/6 to any ... add 2302 deny ip from 4.0.25.146/31 to any ... (freebsd-questions)