kern/103454: [ipfw] [patch] add a facility to modify DF bit of
the IP packet
Roman Bogorodskiy
novel at FreeBSD.org
Thu Sep 21 07:00:57 PDT 2006
The following reply was made to PR kern/103454; it has been noted by GNATS.
From: Roman Bogorodskiy <novel at FreeBSD.org>
To: bug-followup at FreeBSD.org
Cc: novel at FreeBSD.org
Subject: Re: kern/103454: [ipfw] [patch] add a facility to modify DF bit of the IP packet
Date: Thu, 21 Sep 2006 17:56:15 +0400
--5G06lTa6Jq83wMTw
Content-Type: multipart/mixed; boundary="Bn2rw/3z4jIqBvZU"
Content-Disposition: inline
--Bn2rw/3z4jIqBvZU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Hi,
Attaching a slightly updated patch. Changes:
- If cmd->arg1 is neither 0 nor 1, just jump to the next rule
without updating stats. Actually, ipfw(8) checks that the argument
for 'setdf' is only 0 or 1, so it should never happen.
- s/setdf DF/setdf N/ in `ipfw -h' output
http://novel.fannet.ru/~novel/ipfw_setdf_20060921_3_CURRENT.diff
--Bn2rw/3z4jIqBvZU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ipfw_setdf_20060921_3_CURRENT.diff"
Content-Transfer-Encoding: quoted-printable
? sbin/ipfw/ipfw
Index: sbin/ipfw/ipfw.8
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.195
diff -u -r1.195 ipfw.8
--- sbin/ipfw/ipfw.8 18 Sep 2006 11:55:10 -0000 1.195
+++ sbin/ipfw/ipfw.8 21 Sep 2006 13:41:49 -0000
@@ -822,6 +822,11 @@
and
.Cm ngtee
actions.
+.It Cm setdf Ar value
+Changes
+.Cm DF
+bit of the IP packet.
+Value may be 0 (May Fragment) or 1 (Don't Fragment).
.El
.Ss RULE BODY
The body of a rule contains zero or more patterns (such as
Index: sbin/ipfw/ipfw2.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.98
diff -u -r1.98 ipfw2.c
--- sbin/ipfw/ipfw2.c 16 Sep 2006 19:27:40 -0000 1.98
+++ sbin/ipfw/ipfw2.c 21 Sep 2006 13:41:50 -0000
@@ -247,7 +247,8 @@
TOK_RESET,
TOK_UNREACH,
TOK_CHECKSTATE,
-
+ TOK_SETDF,
+=09
TOK_ALTQ,
TOK_LOG,
TOK_TAG,
@@ -374,6 +375,7 @@
{ "unreach6", TOK_UNREACH6 },
{ "unreach", TOK_UNREACH },
{ "check-state", TOK_CHECKSTATE },
+ { "setdf", TOK_SETDF },
{ "//", TOK_COMMENT },
{ NULL, 0 } /* terminator */
};
@@ -1555,6 +1557,10 @@
}
break;
=20
+ case O_SET_IPDF:
+ PRINT_UINT_ARG("setdf ", cmd->arg1);
+ break;
+
case O_LOG: /* O_LOG is printed last */
logptr =3D (ipfw_insn_log *)cmd;
break;
@@ -2635,7 +2641,7 @@
"RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n"
"ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n"
" skipto N | {divert|tee} PORT | forward ADDR |\n"
-" pipe N | queue N\n"
+" pipe N | queue N | setdf N\n"
"PARAMS: [log [logamount LOGLIMIT]] [altq QUEUE_NAME]\n"
"ADDR: [ MAC dst src ether_type ] \n"
" [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n"
@@ -3970,6 +3976,20 @@
action->opcode =3D O_COUNT;
break;
=20
+ case TOK_SETDF:
+ {
+ int df;
+ =20
+ NEED1("need setdf arg\n");
+ df =3D strtoul(*av, NULL, 0);
+ if (df < 0 || df > 1)
+ errx(EX_DATAERR, "illegal argument for %s",
+ *(av - 1));
+ fill_cmd(action, O_SET_IPDF, 0, df);
+ ac--; av++;
+ }
+ break;
+ =09
case TOK_QUEUE:
action->opcode =3D O_QUEUE;
goto chkarg;
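Review bot: The TOK_SETDF parser accepts non-numeric input silently: `strtoul(*av, NULL, 0)` returns 0 for "setdf foo" (and 1 for "setdf 1x"), so a mistyped rule is installed as `setdf 0` rather than rejected, and the `unsigned long` result is squeezed into `int df` before the `df < 0` test, which is what that comparison is really testing. Parse with an end pointer and keep the unsigned type: `unsigned long df; char *end;` / `df = strtoul(*av, &end, 0);` / `if (end == *av || *end != '\0' || df > 1)` followed by the existing errx. The added `+ =09` line after `break;` is a whitespace-only line and can be dropped. The enclosing function continues outside this hunk.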
Index: sys/netinet/ip_fw.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.108
diff -u -r1.108 ip_fw.h
--- sys/netinet/ip_fw.h 18 Aug 2006 22:36:04 -0000 1.108
+++ sys/netinet/ip_fw.h 21 Sep 2006 13:42:11 -0000
@@ -160,6 +160,8 @@
O_TAG, /* arg1=3Dtag number */
O_TAGGED, /* arg1=3Dtag number */
=20
+ O_SET_IPDF, /* arg1=3D[0|1] */
+=09
O_LAST_OPCODE /* not an opcode! */
};
=20
Index: sys/netinet/ip_fw2.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.147
diff -u -r1.147 ip_fw2.c
--- sys/netinet/ip_fw2.c 16 Sep 2006 10:27:05 -0000 1.147
+++ sys/netinet/ip_fw2.c 21 Sep 2006 13:42:11 -0000
@@ -3127,6 +3127,23 @@
goto done;
}
=20
+ case O_SET_IPDF:
+ switch (cmd->arg1) {
+ case 0:
+ ip->ip_off &=3D ~IP_DF;
+ break;
+ case 1:
+ ip->ip_off |=3D IP_DF;
+ break;
+ default:
+ goto next_rule;
+ /* NOTREACHED */
+ }
+ f->pcnt++;
+ f->bcnt +=3D pktlen;
+ f->timestamp =3D time_second;
+ goto next_rule;
+
case O_COUNT:
case O_SKIPTO:
f->pcnt++; /* update stats */
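Review bot: The O_SET_IPDF action rewrites `ip->ip_off` without checking that the packet is IPv4 and was handed in at layer 3; for an IPv6 packet the same offset falls inside the IPv6 header, and on the layer-2 path (`args->eh != NULL`) this revision of ipfw_chk, as far as I recall, still has ip_off in network byte order, so `|= IP_DF` would set the wrong bit. Guarding the case with `if (is_ipv6 || args->eh != NULL) goto next_rule;` before the switch limits the rewrite to the path where the header is in host order, assuming those names are in scope here. Changing the bit also leaves the header checksum stale; that is only harmless where the outbound path recomputes ip_sum, which deserves an explicit comment such as `/* ip_sum is recomputed by ip_output(); layer-2 packets are skipped above */` or an explicit recompute. ipfw_chk starts and ends outside this hunk.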
@@ -3654,6 +3671,10 @@
goto bad_size;
break;
=20
+ case O_SET_IPDF:
+ have_action =3D 1;
+ break;
+
case O_UID:
case O_GID:
case O_JAIL:
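Review bot: The new O_SET_IPDF case sets `have_action` without validating the instruction length, while the case ending just above it does `goto bad_size` on a mismatch, so a malformed rule handed in from userland passes the kernel's structural check for this opcode. Add `if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size;` before `have_action = 1;` to match the other single-word actions. Because the packet-path code silently skips the rule when arg1 is anything but 0 or 1, rejecting other values here with `if (cmd->arg1 > 1) return EINVAL;` makes the rule fail at load time instead of being accepted and then ignored per packet. check_ipfw_struct's body continues outside the hunk.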
--Bn2rw/3z4jIqBvZU--
--5G06lTa6Jq83wMTw
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)
iQCVAwUBRRKZ/4B0WzgdqspGAQK5wgP/ZiaI62k5RvNb6G71CH114zGX5SH6EYFa
WDJ7T8Q/0By/KH0aHXlcBO5R3b1bEOoppaAYGOx4DXjFA75vqF17lPh9vi2Cs5R+
RKOY84KANWLvATgVe48iaUIVQvvLUXaY6E7NFgyekhEywcqRpCId1WcSElCwi4jB
uy2l78sTklU=
=VnhE
-----END PGP SIGNATURE-----
--5G06lTa6Jq83wMTw--