Why not exist a TCP/UDP port_table for IPFW? It can solve 30 itens limit in ipfw rule. It is good to use in QoS. Example ipfw add allow { tcp or udp } from any port_table(10) to any ipfw port_table 10 add 20,21,25,110,443,993,995,1025-65535 # Deny bad ports ipfw add deny { tcp or udp } from any to any port_table(11) ipfw port_table 11 add 135,137-139,445 ipfw add queue 100 udp from any port_table(20) to any ipfw port_table(20) add 123,53
State Changed From-To: open->suspended Mark suspended awaiting patches.
Responsible Changed From-To: freebsd-bugs->freebsd-ipfw
Hi Joao Rocha Braga Filho! On Mon, 17 Mar 2008 20:15:12 GMT; Joao Rocha Braga Filho <goffredo@gmail.com> wrote: > Why not exist a TCP/UDP port_table for IPFW? It can solve 30 itens limit in ipfw rule. It is good to use in QoS. > Example > ipfw add allow { tcp or udp } from any port_table(10) to any > ipfw port_table 10 add 20,21,25,110,443,993,995,1025-65535 > # Deny bad ports > ipfw add deny { tcp or udp } from any to any port_table(11) > ipfw port_table 11 add 135,137-139,445 > ipfw add queue 100 udp from any port_table(20) to any > ipfw port_table(20) add 123,53 For what puprose should it _really_ serve? Limit-upping? Per-packet speed optimisation? More handy config preapring? Should that tables serve as a collection-only, or do have tableargs, and for what practical purpose that tableargs would be useful? If it is simply annoying to put long list in config several times, then it is correctly solved by shell vars: good_ports="20,21,25,110,443,993,995,1025-65535" ipfw add allow { tcp or udp } from any $good_ports to any ipfw add allow { tcp or udp } from ant to $my_server $good_ports If you care about both value-repeating, limit of 30 items and slightly about speed of packet processing, then you'd better classify your traffic with or-blocks on start of ruleset with tags: ipfw add 1 count tag 1 { src-port 20,21,25,110,443,993,995,1025-65535 \ or src-port 1,2,3,4,5,6,7,8,9,10,11,12,13,...long-list2...,29,30 \ or src-port ...list3... } // can have up to 8 full 30-port blocks per rule ipfw add 2 count tag 2 dst-port 135,137-139,445 // and so on Packet can have more than one tag at a time, so then you can write like: ipfw add queue 100 udp from any to any tagged 3 ipfw add allow { tcp or udp } from any to any tagged 1,2 And if your suggested port table is concerned on a per-packet performance, like our IP tables do, then how do you suggest it to be implemented in-kernel? Current tables for IP are radix trees, they consume a lot of kernel memory (which is a scarce resource) and process in term of mask - but it is not handy to specify ports in form like "128/8". And any form of tree will consume to a lot of memory per entry. It can be thought as a bit set, one bit for every port, very fast, but will consume 8K per one table - 1 meg for 128 such tables, unacceptable, again. So, I think it is best to use tags for your purposes. -- WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru [Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
Hi, Vadim Goncharov wrote: > > > Why not exist a TCP/UDP port_table for IPFW? It can solve 30 itens limit in ipfw rule. It is good to use in QoS. > > Example > > ipfw add allow { tcp or udp } from any port_table(10) to any > > ipfw port_table 10 add 20,21,25,110,443,993,995,1025-65535 > > # Deny bad ports > > ipfw add deny { tcp or udp } from any to any port_table(11) > > ipfw port_table 11 add 135,137-139,445 > > ipfw add queue 100 udp from any port_table(20) to any > > ipfw port_table(20) add 123,53 > > For what puprose should it _really_ serve? Limit-upping? Per-packet speed > optimisation? More handy config preapring? Should that tables serve as > a collection-only, or do have tableargs, and for what practical purpose that > tableargs would be useful? > > If it is simply annoying to put long list in config several times, then it is > correctly solved by shell vars: > good_ports="20,21,25,110,443,993,995,1025-65535" > > ipfw add allow { tcp or udp } from any $good_ports to any > ipfw add allow { tcp or udp } from ant to $my_server $good_ports > > If you care about both value-repeating, limit of 30 items and slightly about > speed of packet processing, then you'd better classify your traffic with > or-blocks on start of ruleset with tags: > > ipfw add 1 count tag 1 { src-port 20,21,25,110,443,993,995,1025-65535 \ > or src-port 1,2,3,4,5,6,7,8,9,10,11,12,13,...long-list2...,29,30 \ > or src-port ...list3... } // can have up to 8 full 30-port blocks per rule > ipfw add 2 count tag 2 dst-port 135,137-139,445 // and so on > > Packet can have more than one tag at a time, so then you can write like: > > ipfw add queue 100 udp from any to any tagged 3 > ipfw add allow { tcp or udp } from any to any tagged 1,2 > > > And if your suggested port table is concerned on a per-packet performance, like > our IP tables do, then how do you suggest it to be implemented in-kernel? > Current tables for IP are radix trees, they consume a lot of kernel memory > (which is a scarce resource) and process in term of mask - but it is not > handy to specify ports in form like "128/8". And any form of tree will consume > to a lot of memory per entry. > > It can be thought as a bit set, one bit for every port, very fast, but will > consume 8K per one table - 1 meg for 128 such tables, unacceptable, again. > > So, I think it is best to use tags for your purposes. For small number of port entries I thought port lookup table functionality is quite useful. It gives benefit like no need to modify existing rule, adding/deleting port entries is easy. I did some small tests and it seems like working. Patches are at: http://people.freebsd.org/~ganbold/ipfw_port_table/ The output of some usage samples is at: http://people.freebsd.org/~ganbold/ipfw_port_table/ipfw_port_table_usage_sample.txt Patches can be successfully applied to CURRENT. Didn't test RELENG_7 due to no RELENG_7 PC :) Please let me know your thoughts. I'm happy to discuss to improve the patch. Correct me if I'm doing something wrong here. thanks, Ganbold
batch change: For bugs that match the following - Status Is In progress AND - Untouched since 2018-01-01. AND - Affects Base System OR Documentation DO: Reset to open status. Note: I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
This feature is already implemented. You can create table with type "number" and use it with "lookup src-port|dst-port" opcode. # ipfw table PORTS create type number algo number:array # ipfw table PORTS add 80 # ipfw table PORTS add 443 # ipfw add count tcp from any to any lookup dst-port PORTS