Bug 215875

Summary: [ipfw] ipfw lookup tables do not support mbuf_tags(9) ipfw cookies lookups
Product: Base System
Reporter: Eugene Grosbein <ports>
Component: kern
Assignee: freebsd-ipfw (Nobody) <ipfw>
Status: Closed Overcome By Events
Severity: Affects Some People
CC: ae, eugen, melifaro
Priority: ---
Flags: ports: mfc-stable11?
Version: 11.0-STABLE
Hardware: Any
OS: Any

Description Eugene Grosbein 2017-01-08 17:15:08 UTC
Please make it possible to perform table lookups using ipfw mbuf_tags(9) cookies as lookup keys. For example:

# this currently works:
ipfw table ngtags create type number valtype netgraph algo number:array
ipfw table ngtags add 1 1000
ipfw table ngtags add 2 2000
ipfw table ngtags add 3 3000

# but this is not supported yet:
ipfw add netgraph tablearg ip from any to any lookup tag ngtags

That is, packets tagged with cookie 1 would be directed to ng_ipfw netgraph node hook 1000; packets tagged with 2 go to hook 2000 etc.
Comment 1 Andrey V. Elsukov freebsd_committer freebsd_triage 2017-05-02 17:28:55 UTC
Such opcode handling should be a bit more complicated than for other lookup keys, because a packet can have many tags and you need to make a lookup in a table for each tag in the loop.

If you want to try, you can look at the O_IP_DST_LOOKUP opcode handling in ip_fw2.c and add new key support here.
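
A userland C model of the per-tag loop described in Comment 1, added here as an illustration; it is not FreeBSD code and does not come from the participants in this bug. The struct and function names are hypothetical, the table contents mirror the `ngtags` example in the description, and stopping at the first matching tag is an assumed policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Userland model, not FreeBSD kernel code; all names are hypothetical. */
struct tbl_entry { uint32_t key; uint32_t value; };  /* tag -> tablearg */

/* Constructed sample mirroring "ngtags"; sorted by key for bsearch(). */
static const struct tbl_entry ngtags[] = { {1, 1000}, {2, 2000}, {3, 3000} };
#define NGTAGS_LEN (sizeof(ngtags) / sizeof(ngtags[0]))

static int cmp_key(const void *k, const void *e)
{
    uint32_t key = *(const uint32_t *)k;
    uint32_t ek = ((const struct tbl_entry *)e)->key;
    return (key > ek) - (key < ek);
}

/* Single-key lookup: returns 1 and sets *val on a hit, 0 on a miss. */
static int table_lookup(const struct tbl_entry *t, size_t n,
                        uint32_t key, uint32_t *val)
{
    const struct tbl_entry *e = bsearch(&key, t, n, sizeof(*t), cmp_key);
    if (e == NULL)
        return 0;
    *val = e->value;
    return 1;
}

/* Per-packet lookup: one table lookup per tag, in chain order.
 * Assumed policy: the first tag found in the table wins. */
static int lookup_by_tags(const uint32_t *tags, size_t ntags, uint32_t *val)
{
    for (size_t i = 0; i < ntags; i++)
        if (table_lookup(ngtags, NGTAGS_LEN, tags[i], val))
            return 1;
    return 0;   /* no tag is in the table: the rule does not match */
}

/* Convenience wrapper: matched hook number, or 0 when nothing matches. */
static uint32_t hook_for(const uint32_t *tags, size_t ntags)
{
    uint32_t v = 0;
    return lookup_by_tags(tags, ntags, &v) ? v : 0;
}

int main(void)
{
    const uint32_t tags[] = { 7, 2, 3 };   /* constructed packet tag chain */
    return hook_for(tags, 3) == 2000 ? 0 : 1;
}
```

With several tags on one packet the result depends on tag order, so an implementation has to pick and document a tie-break rule such as the first-match rule assumed here.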
Comment 2 Andrey V. Elsukov freebsd_committer freebsd_triage 2023-05-03 12:41:25 UTC
Hi,

Recently ipfw mark was introduced in CURRENT; it can probably help with your task.

https://reviews.freebsd.org/D39555
Comment 3 Eugene Grosbein freebsd_committer freebsd_triage 2023-05-03 13:15:22 UTC
I almost forgot about this PR. The problem I wanted to solve is also gone after 6 years. It's no use keeping the PR open.