HEADS UP: Merging projects/ipfw to HEAD

From: Alexander V. Chernikov <melifaro_at_FreeBSD.org>
Date: Sat, 04 Oct 2014 16:35:51 +0400
Hi,

I'm going to merge projects/ipfw branch to HEAD in the middle of next week.

What has changed:

Main user-visible changes are related to tables:

* Tables are now identified by names, not numbers. There can be up to 
65k tables with up to 63-byte long names.
* Tables are now set-aware (default off), so you can switch/move them 
atomically with rules.
* More functionality is supported (swap, lock, limits, user-level 
lookup, batched add/del) by generic table code.
* New table types are added (flow) so you can match multiple packet 
fields at once.
* Ability to add different types of lookup algorithms for a particular 
table type has been added.
* New table algorithms are added (cidr:hash, iface:array, number:array 
and flow:hash) to make certain types of lookup more effective.
* Table values are now capable of holding multiple data fields for 
different tablearg users.

Some examples (see ipfw(8) manual page for the description):

    0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash valtype skipto,fib
    0:02 [2] zfscurr0# ipfw table fl2 info
    +++ table(fl2), set(0) +++
     kindex: 0, type: flow:src-ip,proto,dst-port
     valtype: number, references: 0
     algorithm: flow:hash
     items: 0, size: 280
    0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000,12
    0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000,13
    0:02 [2] zfscurr0# ipfw table fl2 list
    +++ table(fl2), set(0) +++
    2a02:6b8::333,6,443 45000
    10.0.0.92,6,80 22000
    0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'

    ipfw table mi_test create type cidr algo "cidr:hash masks=/30,/64"
    ipfw table mi_test add 10.0.0.8/30
    ipfw table mi_test add 2a02:6b8:b010::1/64 25

    # ipfw table si add 1.1.1.1/32 1111 2.2.2.2/32 2222
    added: 1.1.1.1/32 1111
    added: 2.2.2.2/32 2222
    # ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32 4444
    exists: 2.2.2.2/32 2200
    added: 4.4.4.4/32 4444
    ipfw: Adding record failed: record already exists
    ^^^^^ Returns error but keeps inserted items
    # ipfw table si list
    +++ table(si), set(0) +++
    1.1.1.1/32 1111
    2.2.2.2/32 2222
    4.4.4.4/32 4444
    # ipfw table si atomic add 3.3.3.3/32 3333 4.4.4.4/32 4400 5.5.5.5/32 5555
    added(reverted): 3.3.3.3/32 3333
    exists: 4.4.4.4/32 4400
    ignored: 5.5.5.5/32 5555
    ipfw: Adding record failed: record already exists
    ^^^^^ Returns error and reverts added records
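The batched add semantics shown in the sessions above (a plain add keeps the records it managed to insert and still returns an error; an atomic add reverts them and ignores the rest), together with flow keys and multi-field values, modelled in Python as an added illustration. This is constructed code written for this page, not ipfw's implementation: it assumes a small hard-coded protocol-name map (real ipfw resolves names via /etc/protocols) and does a linear longest-prefix scan instead of a radix or hash algorithm.

```python
"""Constructed model of the ipfw table semantics described in the announcement:
named tables of type cidr or flow, multi-field values (valtype), and batched
add in non-atomic and atomic (revert-on-failure) modes.  Illustrative only."""
import ipaddress

# Constructed subset of protocol names; real ipfw consults /etc/protocols.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


class Table:
    def __init__(self, name, ttype="cidr", valtype=("number",)):
        self.name = name
        self.ttype = ttype        # "cidr" or "flow" (flow key is src-ip,proto,dst-port)
        self.valtype = valtype    # names of the value fields, e.g. ("skipto", "fib")
        self.entries = {}         # parsed key -> dict of value fields

    def parse_key(self, text):
        if self.ttype == "cidr":
            return ipaddress.ip_network(text, strict=False)
        src, proto, dport = text.split(",")
        proto_num = int(proto) if proto.isdigit() else PROTO_NUMBERS[proto.lower()]
        return (ipaddress.ip_address(src), proto_num, int(dport))

    def format_key(self, key):
        # Flow keys are listed with the numeric protocol, as ipfw does (tcp -> 6).
        return str(key) if self.ttype == "cidr" else "{},{},{}".format(*key)

    def parse_value(self, text):
        fields = text.split(",")
        if len(fields) != len(self.valtype):
            raise ValueError("expected %d value fields" % len(self.valtype))
        return dict(zip(self.valtype, (int(f) for f in fields)))

    def format_value(self, value):
        return ",".join(str(value[f]) for f in self.valtype)

    def add_batch(self, records, atomic=False):
        """records: list of (key_text, value_text).
        Returns (per-record status list, error message or None)."""
        results, inserted, error = [], [], None
        for key_text, val_text in records:
            if atomic and error:
                # Atomic mode stops at the first failure.
                results.append(("ignored", key_text, val_text))
                continue
            key = self.parse_key(key_text)
            if key in self.entries:
                results.append(("exists", key_text, val_text))
                error = "record already exists"
                continue
            self.entries[key] = self.parse_value(val_text)
            inserted.append(key)
            results.append(("added", key_text, val_text))
        if atomic and error:
            # Roll back everything this batch inserted.
            for key in inserted:
                del self.entries[key]
            results = [("added(reverted)" if s == "added" else s, k, v)
                       for s, k, v in results]
        return results, error

    def list_entries(self):
        return ["%s %s" % (self.format_key(k), self.format_value(v))
                for k, v in self.entries.items()]

    def lookup(self, text):
        """Exact match for flow tables; longest-prefix match for cidr tables."""
        if self.ttype == "flow":
            return self.entries.get(self.parse_key(text))
        addr = ipaddress.ip_address(text)
        best = None
        for net, value in self.entries.items():
            if addr.version == net.version and addr in net and \
                    (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, value)
        return None if best is None else best[1]


if __name__ == "__main__":
    si = Table("si")
    for batch, atomic in (
        ([("1.1.1.1/32", "1111"), ("2.2.2.2/32", "2222")], False),
        ([("2.2.2.2/32", "2200"), ("4.4.4.4/32", "4444")], False),
        ([("3.3.3.3/32", "3333"), ("4.4.4.4/32", "4400"), ("5.5.5.5/32", "5555")], True),
    ):
        results, err = si.add_batch(batch, atomic=atomic)
        for status, k, v in results:
            print("%s: %s %s" % (status, k, v))
        if err:
            print("ipfw: Adding record failed: %s" % err)
    print("\n".join(si.list_entries()))
```

The model keeps ipfw's status vocabulary (added, exists, ignored, added(reverted)) so the output can be compared line by line with the session above; the point to take away is that only the atomic form leaves the table unchanged on a partial failure.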

Performance changes:
* Main ipfw lock was converted to rmlock.
* Rule counters were separated from the rule itself and made per-CPU.
* Radix table entries fit into 128 bytes.
* struct ip_fw is now more compact so more rules will fit into 64 bytes.
* Interface tables use an array of existing ifindexes for faster match.

ABI changes:
All functionality supported by old ipfw(8) remains functional. Old & new 
binaries can work together with the following restrictions:
* Tables named other than ^\d+$ are shown as table(65535) in ruleset in 
old binaries
* I'm a bit unsure about "lookup src-port|dst-port N" case, something 
may be broken here. Anyway, this can be fixed for MFC

Internal changes:
Changing table ids to numbers resulted in format modification for most 
sockopt codes.
Old sopt format was compact, but very hard to extend (no versioning, 
inability to add more opcodes), so
* All relevant opcodes were converted to TLV-based versioned 
IP_FW3-based codes.
* The remaining opcodes were also converted to be able to eliminate all 
older opcodes at once
* All IP_FW3 handlers use a special API instead of calling sooptcopy* 
directly to ease adding other communication methods
* struct ip_fw is now different for kernel and userland
* tablearg value has been changed to 0 to ease future extensions
* table "values" are now indexes in special value array which holds 
extended data for given index
* Batched add/delete has been added to tables code
* Most changes have been done to permit batched rule addition.
* Interface tracking API has been added (started on demand) to permit 
effective interface table operations
* O(1) skipto cache, currently turned off by default at compile-time 
(eats 512K).

* Several steps have been made towards making libipfw:
   * most of the new functions were separated into "parse/prepare/show" and 
"actually-do-stuff" pieces (already merged).
   * there are separate functions for parsing text string into "struct 
ip_fw" and printing "struct ip_fw" to supplied buffer (already merged).
* Probably some more less significant/forgotten features
Received on Sat Oct 04 2014 - 10:37:04 UTC
