Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way, you don't need to recompile ipfw if you don't want to use the new feature.
parent
772759420f
commit
f0706ad422
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=49631
@ -1,5 +1,5 @@
|
|||||||
.\"
|
.\"
|
||||||
.\" $Id: ipfw.8,v 1.54 1999/06/19 18:43:18 green Exp $
|
.\" $Id: ipfw.8,v 1.55 1999/08/01 16:57:23 green Exp $
|
||||||
.\"
|
.\"
|
||||||
.Dd July 20, 1996
|
.Dd July 20, 1996
|
||||||
.Dt IPFW 8
|
.Dt IPFW 8
|
||||||
@ -54,6 +54,7 @@ show
|
|||||||
.Oc
|
.Oc
|
||||||
add
|
add
|
||||||
.Op Ar number
|
.Op Ar number
|
||||||
|
.Op prob match_probability
|
||||||
.Ar action
|
.Ar action
|
||||||
.Op log Op Ar logamount Ar number
|
.Op log Op Ar logamount Ar number
|
||||||
.Ar proto
|
.Ar proto
|
||||||
@ -209,6 +210,16 @@ All rules have two associated counters, a packet count and
|
|||||||
a byte count.
|
a byte count.
|
||||||
These counters are updated when a packet matches the rule.
|
These counters are updated when a packet matches the rule.
|
||||||
.Pp
|
.Pp
|
||||||
|
If a rule has the optional
|
||||||
|
.Dq prob match_probability
|
||||||
|
specifier, where the match_probability is a floating point number
|
||||||
|
between 0 and 1, a match is only declared with the specified
|
||||||
|
probability. This can be useful for a number of applications
|
||||||
|
such as random packet drop or (in conjunction with
|
||||||
|
.Xr dummynet 4
|
||||||
|
) to simulate the effect of multiple paths leading to out-of-order
|
||||||
|
packet delivery.
|
||||||
|
.Pp
|
||||||
The rules are ordered by a
|
The rules are ordered by a
|
||||||
.Dq line-number
|
.Dq line-number
|
||||||
from 1 to 65534 that is used
|
from 1 to 65534 that is used
|
||||||
@ -388,6 +399,15 @@ The search terminates if this rule matches. If the port number is not
|
|||||||
given then the port number in the packet is used, so that a packet for
|
given then the port number in the packet is used, so that a packet for
|
||||||
an external machine port Y would be forwarded to local port Y. The kernel
|
an external machine port Y would be forwarded to local port Y. The kernel
|
||||||
must have been compiled with options IPFIREWALL_FORWARD.
|
must have been compiled with options IPFIREWALL_FORWARD.
|
||||||
|
.It Ar pipe pipe_nr
|
||||||
|
Pass packet to a
|
||||||
|
.Xr dummynet 4
|
||||||
|
``pipe'' (for bandwidth limitation, delay etc.). See the
|
||||||
|
.Xr dummynet 4
|
||||||
|
manpage for further information. The search terminates; however,
|
||||||
|
on exit from the pipe and if the sysctl variable
|
||||||
|
net.inet.ip.fw.one_pass is not set, the packet is passed again to
|
||||||
|
the firewall code starting from the next rule.
|
||||||
.It Ar skipto number
|
.It Ar skipto number
|
||||||
Skip all subsequent rules numbered less than
|
Skip all subsequent rules numbered less than
|
||||||
.Ar number .
|
.Ar number .
|
||||||
@ -723,6 +743,7 @@ This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
|
|||||||
.Xr cpp 1 ,
|
.Xr cpp 1 ,
|
||||||
.Xr m4 1 ,
|
.Xr m4 1 ,
|
||||||
.Xr divert 4 ,
|
.Xr divert 4 ,
|
||||||
|
.Xr dummynet 4 ,
|
||||||
.Xr ip 4 ,
|
.Xr ip 4 ,
|
||||||
.Xr ipfirewall 4 ,
|
.Xr ipfirewall 4 ,
|
||||||
.Xr protocols 5 ,
|
.Xr protocols 5 ,
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
|
|
||||||
#ifndef lint
|
#ifndef lint
|
||||||
static const char rcsid[] =
|
static const char rcsid[] =
|
||||||
"$Id: ipfw.c,v 1.71 1999/06/19 18:43:15 green Exp $";
|
"$Id: ipfw.c,v 1.72 1999/08/01 16:57:24 green Exp $";
|
||||||
#endif /* not lint */
|
#endif /* not lint */
|
||||||
|
|
||||||
|
|
||||||
@ -247,7 +247,12 @@ show_ipfw(struct ip_fw *chain, int pcwidth, int bcwidth)
|
|||||||
default:
|
default:
|
||||||
errx(EX_OSERR, "impossible");
|
errx(EX_OSERR, "impossible");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (chain->fw_flg & IP_FW_F_RND_MATCH) {
|
||||||
|
double d = 1.0 * (int)(chain->pipe_ptr) ;
|
||||||
|
d = 1 - (d / 0x7fffffff) ;
|
||||||
|
printf(" prob %f", d);
|
||||||
|
}
|
||||||
if (chain->fw_flg & IP_FW_F_PRN) {
|
if (chain->fw_flg & IP_FW_F_PRN) {
|
||||||
printf(" log");
|
printf(" log");
|
||||||
if (chain->fw_logamount)
|
if (chain->fw_logamount)
|
||||||
@ -605,7 +610,7 @@ show_usage(const char *fmt, ...)
|
|||||||
" zero [number ...]\n"
|
" zero [number ...]\n"
|
||||||
" resetlog [number ...]\n"
|
" resetlog [number ...]\n"
|
||||||
" pipe number config [pipeconfig]\n"
|
" pipe number config [pipeconfig]\n"
|
||||||
" rule: action proto src dst extras...\n"
|
" rule: [prob <match_probability>] action proto src dst extras...\n"
|
||||||
" action:\n"
|
" action:\n"
|
||||||
" {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
|
" {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
|
||||||
" reset|count|skipto num|divert port|tee port|fwd ip|\n"
|
" reset|count|skipto num|divert port|tee port|fwd ip|\n"
|
||||||
@ -1073,6 +1078,17 @@ add(ac,av)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Action */
|
/* Action */
|
||||||
|
if (ac > 1 && !strncmp(*av, "prob", strlen(*av) ) ) {
|
||||||
|
double d = strtod(av[1], NULL);
|
||||||
|
if (d <= 0 || d > 1)
|
||||||
|
show_usage("illegal match prob. %s", av[1]);
|
||||||
|
if (d != 1) { /* 1 means always match */
|
||||||
|
rule.fw_flg |= IP_FW_F_RND_MATCH ;
|
||||||
|
/* we really store dont_match probability */
|
||||||
|
(long)rule.pipe_ptr = (long)((1 - d) * 0x7fffffff) ;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (ac == 0)
|
if (ac == 0)
|
||||||
show_usage("missing action");
|
show_usage("missing action");
|
||||||
if (!strncmp(*av,"accept",strlen(*av))
|
if (!strncmp(*av,"accept",strlen(*av))
|
||||||
|
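Review bot: The `prob` block added to add() consumes no arguments: once the probability is stored nothing advances `av`/`ac`, so the following `if (!strncmp(*av,"accept",…` still sees "prob" as the action word, and since the hunk header accounts for all eleven added lines this is not handled inside the hunk (add() itself continues outside it). Close the block with `av += 2; ac -= 2;` before the `ac == 0` check. `strtod(av[1], NULL)` also accepts trailing junk such as `0.5x` and yields 0 for non-numeric text, which the range test then rejects only by accident; use `char *end; double d = strtod(av[1], &end);` and reject with `if (end == av[1] || *end != '\0' || d <= 0 || d > 1)`. `(long)rule.pipe_ptr = …` assigns through a cast, a compiler extension rather than C, and the same overloading of `pipe_ptr` is read back in show_ipfw as `(int)(chain->pipe_ptr)`, which truncates the pointer value on LP64 targets; a dedicated integer field, or at least a symmetric `(long)` round-trip on both sides, would be safer.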