Attachment #142656 for bug #189720

Lines 603-608 Link Here

(-)sbin/ipfw/ipfw.8 (+8 lines)
603	Note: logging is done after all other packet matching conditions	603	Note: logging is done after all other packet matching conditions
604	have been successfully verified, and before performing the final	604	have been successfully verified, and before performing the final
605	action (accept, deny, etc.) on the packet.	605	action (accept, deny, etc.) on the packet.
		606	.It Cm pps Ar limit duration
		607	Rule with the
		608	.Cm pps
		609	keyword will allow the first
		610	.Ar limit
		611	packets in each
		612	.Ar duration
		613	milliseconds
606	.It Cm tag Ar number	614	.It Cm tag Ar number
607	When a packet matches a rule with the	615	When a packet matches a rule with the
608	.Cm tag	616	.Cm tag

Lines 244-249 Link Here

(-)sbin/ipfw/ipfw2.c (-2 / +24 lines)
244	{ "allow", TOK_ACCEPT },	244	{ "allow", TOK_ACCEPT },
245	{ "permit", TOK_ACCEPT },	245	{ "permit", TOK_ACCEPT },
246	{ "count", TOK_COUNT },	246	{ "count", TOK_COUNT },
		247	{ "pps", TOK_PPS },
247	{ "pipe", TOK_PIPE },	248	{ "pipe", TOK_PIPE },
248	{ "queue", TOK_QUEUE },	249	{ "queue", TOK_QUEUE },
249	{ "divert", TOK_DIVERT },	250	{ "divert", TOK_DIVERT },
Lines 1231-1237 Link Here
1231	case O_SKIPTO:	1232	case O_SKIPTO:
1232	PRINT_UINT_ARG("skipto ", cmd->arg1);	1233	PRINT_UINT_ARG("skipto ", cmd->arg1);
1233	break;	1234	break;
1234		1235	case O_PPS:
		1236	{
		1237	ipfw_insn_pps pps=(ipfw_insn_pps )cmd;
		1238	printf("pps %d %d",cmd->arg1,pps->duration);
		1239	break;
		1240	}
1235	case O_PIPE:	1241	case O_PIPE:
1236	PRINT_UINT_ARG("pipe ", cmd->arg1);	1242	PRINT_UINT_ARG("pipe ", cmd->arg1);
1237	break;	1243	break;
Lines 2985-2991 Link Here
2985	case TOK_COUNT:	2991	case TOK_COUNT:
2986	action->opcode = O_COUNT;	2992	action->opcode = O_COUNT;
2987	break;	2993	break;
2988		2994
		2995	case TOK_PPS:
		2996	action->opcode = O_PPS;
		2997	ipfw_insn_pps p = (ipfw_insn_pps )action;
		2998	action->len = F_INSN_SIZE(ipfw_insn_pps);
		2999	if (isdigit(**av)) {
		3000	action->arg1 = strtoul(*av, NULL, 10);
		3001	av++;
		3002	}else
		3003	errx(EX_USAGE, "illegal argument pps `limit` %s", *av);
		3004	if (isdigit(**av)) {
		3005	p->duration = strtoul(*av, NULL, 10);
		3006	av++;
		3007	}else
		3008	errx(EX_USAGE,"illegal arugment pps `duration` %s", *av);
		3009	break;
		3010
2989	case TOK_NAT:	3011	case TOK_NAT:
2990	action->opcode = O_NAT;	3012	action->opcode = O_NAT;
2991	action->len = F_INSN_SIZE(ipfw_insn_nat);	3013	action->len = F_INSN_SIZE(ipfw_insn_nat);

Lines 92-97 Link Here

(-)sbin/ipfw/ipfw2.h (+1 lines)
92	TOK_NGTEE,	92	TOK_NGTEE,
93	TOK_FORWARD,	93	TOK_FORWARD,
94	TOK_SKIPTO,	94	TOK_SKIPTO,
		95	TOK_PPS,
95	TOK_DENY,	96	TOK_DENY,
96	TOK_REJECT,	97	TOK_REJECT,
97	TOK_RESET,	98	TOK_RESET,




	O_REJECT,		/* arg1=icmp arg (same as deny)	*/
	O_COUNT,		/* none				*/
	O_SKIPTO,		/* arg1=next rule number	*/
	O_PPS,			/* arg1=limit, pps->duration */
	O_PIPE,			/* arg1=pipe number		*/
	O_QUEUE,		/* arg1=queue number		*/
	O_DIVERT,		/* arg1=port number		*/

} ipfw_insn_log;

/*
 * This is used for PPS
 */
typedef struct _ipfw_insn_pps{
	ipfw_insn o;
	uint32_t start_time;
	uint16_t count;
	uint16_t duration;
} ipfw_insn_pps;
/*
 * Data structures required by both ipfw(8) and ipfw(4) but not part of the
 * management API are protected by IPFW_INTERNAL.
 */




			    skip_or = 0;
			    continue;
			    break;	/* not reached */
			case O_PPS:{
				ipfw_insn_pps *pps = (ipfw_insn_pps *)cmd;
				if(pps->start_time+pps->duration >= ticks){
					if(pps->count < cmd->arg1){
						retval = IP_FW_PASS;
					}else{
						retval = IP_FW_DENY;
					}
					pps->count++;
				}else{
					pps->start_time=ticks;
					pps->count=1;
					retval = IP_FW_PASS;
				}
				l = 0;		
				done = 1;
				break;	
				}
			case O_CALLRETURN: {
				/*
				 * Implementation of `subroutine' call/return,

Lines 702-707 Link Here

(-)sys/netpfil/ipfw/ip_fw_sockopt.c (-1 / +7 lines)
702	if (cmdlen != F_INSN_SIZE(ipfw_insn_altq))	702	if (cmdlen != F_INSN_SIZE(ipfw_insn_altq))
703	goto bad_size;	703	goto bad_size;
704	break;	704	break;
		705
		706	case O_PPS:
		707	have_action=1;
		708	if (cmdlen != F_INSN_SIZE(ipfw_insn_pps))
		709	goto bad_size;
		710	break;
705		711
706	case O_PIPE:	712	case O_PIPE:
707	case O_QUEUE:	713	case O_QUEUE:
Lines 769-774 Link Here
769	return EINVAL;	775	return EINVAL;
770	}	776	}
771	break;	777	break;
		778
772	#ifdef INET6	779	#ifdef INET6
773	case O_IP6_SRC:	780	case O_IP6_SRC:
774	case O_IP6_DST:	781	case O_IP6_DST:
Lines 776-782 Link Here
776	F_INSN_SIZE(ipfw_insn))	783	F_INSN_SIZE(ipfw_insn))
777	goto bad_size;	784	goto bad_size;
778	break;	785	break;
779
780	case O_FLOW6ID:	786	case O_FLOW6ID:
781	if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) +	787	if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) +
782	((ipfw_insn_u32 *)cmd)->o.arg1)	788	((ipfw_insn_u32 *)cmd)->o.arg1)

Return to bug 189720

Lines 165-170 Link Here

(-)sys/netinet/ip_fw.h (+10 lines)
165	O_REJECT, /* arg1=icmp arg (same as deny) */	165	O_REJECT, /* arg1=icmp arg (same as deny) */
166	O_COUNT, /* none */	166	O_COUNT, /* none */
167	O_SKIPTO, /* arg1=next rule number */	167	O_SKIPTO, /* arg1=next rule number */
		168	O_PPS, /* arg1=limit, pps->duration */
168	O_PIPE, /* arg1=pipe number */	169	O_PIPE, /* arg1=pipe number */
169	O_QUEUE, /* arg1=queue number */	170	O_QUEUE, /* arg1=queue number */
170	O_DIVERT, /* arg1=port number */	171	O_DIVERT, /* arg1=port number */
Lines 378-383 Link Here
378	} ipfw_insn_log;	379	} ipfw_insn_log;
379		380
380	/*	381	/*
		382	* This is used for PPS
		383	*/
		384	typedef struct _ipfw_insn_pps{
		385	ipfw_insn o;
		386	uint32_t start_time;
		387	uint16_t count;
		388	uint16_t duration;
		389	} ipfw_insn_pps;
		390	/*
381	* Data structures required by both ipfw(8) and ipfw(4) but not part of the	391	* Data structures required by both ipfw(8) and ipfw(4) but not part of the
382	* management API are protected by IPFW_INTERNAL.	392	* management API are protected by IPFW_INTERNAL.
383	*/	393	*/

Lines 2179-2185 Link Here

(-)sys/netpfil/ipfw/ip_fw2.c (-1 / +18 lines)
2179	skip_or = 0;	2179	skip_or = 0;
2180	continue;	2180	continue;
2181	break; /* not reached */	2181	break; /* not reached */
2182		2182	case O_PPS:{
		2183	ipfw_insn_pps pps = (ipfw_insn_pps )cmd;
		2184	if(pps->start_time+pps->duration >= ticks){
		2185	if(pps->count < cmd->arg1){
		2186	retval = IP_FW_PASS;
		2187	}else{
		2188	retval = IP_FW_DENY;
		2189	}
		2190	pps->count++;
		2191	}else{
		2192	pps->start_time=ticks;
		2193	pps->count=1;
		2194	retval = IP_FW_PASS;
		2195	}
		2196	l = 0;
		2197	done = 1;
		2198	break;
		2199	}
2183	case O_CALLRETURN: {	2200	case O_CALLRETURN: {
2184	/*	2201	/*
2185	* Implementation of `subroutine' call/return,	2202	* Implementation of `subroutine' call/return,