From f0706ad422926e3598b2ca76b0864213015a6a29 Mon Sep 17 00:00:00 2001
From: Luigi Rizzo
Date: Wed, 11 Aug 1999 15:36:13 +0000
Subject: [PATCH] Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way, you don't need to recompile ipfw if you don't want to use the new feature.
---
 sbin/ipfw/ipfw.8 | 23 ++++++++++++++++++++++-
 sbin/ipfw/ipfw.c | 22 +++++++++++++++++++---
 2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index e3933d5dd119..94b9f09599ea 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,5 +1,5 @@
 .\"
-.\" $Id: ipfw.8,v 1.54 1999/06/19 18:43:18 green Exp $
+.\" $Id: ipfw.8,v 1.55 1999/08/01 16:57:23 green Exp $
 .\"
 .Dd July 20, 1996
 .Dt IPFW 8
@@ -54,6 +54,7 @@ show
 .Oc
 add
 .Op Ar number
+.Op prob match_probability
 .Ar action
 .Op log Op Ar logamount Ar number
 .Ar proto
@@ -209,6 +210,16 @@
 All rules have two associated counters, a packet count and a byte count.
 These counters are updated when a packet matches the rule.
 .Pp
+If a rule has the optional
+.Dq prob match_probability
+specifier, where the match_probability is a floating point number
+between 0 and 1, a match is only declared with the specified
+probability. This can be useful for a number of applications
+such as random packet drop or (in conjunction with
+.Xr dummynet 4
+) to simulate the effect of multiple paths leading to out-of-order
+packet delivery.
+.Pp
 The rules are ordered by a
 .Dq line-number
 from 1 to 65534 that is used
@@ -388,6 +399,15 @@ The search terminates if this rule matches.
 If the port number is not given then the port number in the packet is used,
 so that a packet for an external machine port Y would be forwarded to
 local port Y. The kernel must have been compiled with options IPFIREWALL_FORWARD.
+.It Ar pipe pipe_nr
+Pass packet to a
+.Xr dummynet 4
+``pipe'' (for bandwidth limitation, delay etc.). See the
+.Xr dummynet 4
+manpage for further information. The search terminates; however,
+on exit from the pipe and if the sysctl variable
+net.inet.ip.fw.one_pass is not set, the packet is passed again to
+the firewall code starting from the next rule.
 .It Ar skipto number
 Skip all subsequent rules numbered less than
 .Ar number .
@@ -723,6 +743,7 @@ This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
 .Xr cpp 1 ,
 .Xr m4 1 ,
 .Xr divert 4 ,
+.Xr dummynet 4 ,
 .Xr ip 4 ,
 .Xr ipfirewall 4 ,
 .Xr protocols 5 ,
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index 1ff1ed7b4a37..bbeddaff1024 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -20,7 +20,7 @@
 #ifndef lint
 static const char rcsid[] =
- "$Id: ipfw.c,v 1.71 1999/06/19 18:43:15 green Exp $";
+ "$Id: ipfw.c,v 1.72 1999/08/01 16:57:24 green Exp $";
 #endif /* not lint */
@@ -247,7 +247,12 @@ show_ipfw(struct ip_fw *chain, int pcwidth, int bcwidth)
 default:
 errx(EX_OSERR, "impossible");
 }
-
+
+ if (chain->fw_flg & IP_FW_F_RND_MATCH) {
+ double d = 1.0 * (int)(chain->pipe_ptr) ;
+ d = 1 - (d / 0x7fffffff) ;
+ printf(" prob %f", d);
+ }
 if (chain->fw_flg & IP_FW_F_PRN) {
 printf(" log");
 if (chain->fw_logamount)
@@ -605,7 +610,7 @@ show_usage(const char *fmt, ...)
 " zero [number ...]\n"
 " resetlog [number ...]\n"
 " pipe number config [pipeconfig]\n"
-" rule: action proto src dst extras...\n"
+" rule: [prob ] action proto src dst extras...\n"
 " action:\n"
 " {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
 " reset|count|skipto num|divert port|tee port|fwd ip|\n"
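Review bot: The decode in show_ipfw reads the stored threshold back through `(int)(chain->pipe_ptr)` while the add() hunk of this same patch stores it through `(long)`; on an LP64 target the int cast truncates a pointer-sized value, harmless only because the threshold never exceeds 0x7fffffff, so the two sides should agree on one width: `double d = (double)(long)chain->pipe_ptr;`. The value is squeezed into `pipe_ptr`, which the `pipe` action documented in this patch presumably needs for its dummynet pipe, so a rule written as `prob 0.5 pipe 1` looks unable to carry both — worth confirming against the kernel side and, if so, rejecting in add(). From userland `pipe_ptr` is otherwise opaque, so a comment such as `/* IP_FW_F_RND_MATCH: pipe_ptr holds (1 - prob) * 0x7fffffff, the don't-match threshold */` would save the next reader a trip to add(). show_ipfw's body starts and ends outside the hunk.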
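Review bot: The new usage line reads `rule: [prob ] action proto src dst extras...` with nothing between `prob` and `]`, so as shown it does not tell the user that a value follows the keyword. If that is the file's actual text rather than a placeholder such as `<match_probability>` lost in rendering, it should read `" rule: [prob match_probability] action proto src dst extras...\n"`, matching the `.Op prob match_probability` wording added to the manual page. The usage text is one string literal that starts and ends outside the hunk.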
@@ -1073,6 +1078,17 @@ add(ac,av)
 }
 /* Action */
+ if (ac > 1 && !strncmp(*av, "prob", strlen(*av) ) ) {
+ double d = strtod(av[1], NULL);
+ if (d <= 0 || d > 1)
+ show_usage("illegal match prob. %s", av[1]);
+ if (d != 1) { /* 1 means always match */
+ rule.fw_flg |= IP_FW_F_RND_MATCH ;
+ /* we really store dont_match probability */
+ (long)rule.pipe_ptr = (long)((1 - d) * 0x7fffffff) ;
+ }
+ }
+
 if (ac == 0)
 show_usage("missing action");
 if (!strncmp(*av,"accept",strlen(*av))
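Review bot: The `prob` branch never consumes the keyword and its value: none of the eleven added lines advance `av` or decrement `ac`, so when the action tests beginning with `if (!strncmp(*av,"accept",strlen(*av))` run, `*av` still points at "prob" and the rule is parsed as having the action "prob" (the `ac == 0` check cannot fire either, since `ac > 1` was required); unless something after the hunk consumes it, the block needs `av += 2; ac -= 2;` before it closes. Two smaller points in the same block: `strtod(av[1], NULL)` discards the end pointer, so `prob 0.5xyz` is accepted, and because every comparison with NaN is false, `prob nan` passes `d <= 0 || d > 1`, reaches `(1 - d) * 0x7fffffff` and converts NaN to long, which is undefined behaviour — writing the check as `!(d > 0 && d <= 1)` rejects NaN, and an end-pointer check rejects trailing junk. `(long)rule.pipe_ptr = ...` assigns through a cast, a GCC extension rather than C; `rule.pipe_ptr = (void *)(long)(...)` is the portable form. add() starts and ends outside the hunk.
```c
	/* Action */
	if (ac > 1 && !strncmp(*av, "prob", strlen(*av))) {
		char *end;
		double d = strtod(av[1], &end);

		/* NaN compares false to everything, so test the accepted range positively */
		if (end == av[1] || *end != '\0' || !(d > 0 && d <= 1))
			show_usage("illegal match prob. %s", av[1]);
		if (d != 1) {	/* 1 means always match */
			rule.fw_flg |= IP_FW_F_RND_MATCH;
			/* we really store dont_match probability */
			rule.pipe_ptr = (void *)(long)((1 - d) * 0x7fffffff);
		}
		av += 2;	/* consume "prob" and its value */
		ac -= 2;
	}
	/* … unchanged: action parsing … */
```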