authorluigi <luigi@FreeBSD.org>1999-08-11 15:36:13 +0000
committerluigi <luigi@FreeBSD.org>1999-08-11 15:36:13 +0000
commitfca87bca8c2f235f822b5b8c8e0f64c5a5586744 (patch)
treeac4b50174ebf4db1ad6c460c6ff2db905e73f84f /sbin
parent66c7a5151fe8cf048c59a5a6c6c9a83e6214a92f (diff)
Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way, you don't need to recompile ipfw if you don't want to use the new feature.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipfw/ipfw.823
-rw-r--r--sbin/ipfw/ipfw.c22
2 files changed, 41 insertions, 4 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index e3933d5..94b9f09 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,5 +1,5 @@
.\"
-.\" $Id: ipfw.8,v 1.54 1999/06/19 18:43:18 green Exp $
+.\" $Id: ipfw.8,v 1.55 1999/08/01 16:57:23 green Exp $
.\"
.Dd July 20, 1996
.Dt IPFW 8
@@ -54,6 +54,7 @@ show
.Oc
add
.Op Ar number
+.Op prob match_probability
.Ar action
.Op log Op Ar logamount Ar number
.Ar proto
@@ -209,6 +210,16 @@ All rules have two associated counters, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
+If a rule has the optional
+.Dq prob match_probability
+specifier, where the match_probability is a floating point number
+between 0 and 1, a match is only declared with the specified
+probability. This can be useful for a number of applications
+such as random packet drop or (in conjunction with
+.Xr dummynet 4
+) to simulate the effect of multiple paths leading to out-of-order
+packet delivery.
+.Pp
The rules are ordered by a
.Dq line-number
from 1 to 65534 that is used
@@ -388,6 +399,15 @@ The search terminates if this rule matches. If the port number is not
given then the port number in the packet is used, so that a packet for
an external machine port Y would be forwarded to local port Y. The kernel
must have been compiled with options IPFIREWALL_FORWARD.
+.It Ar pipe pipe_nr
+Pass packet to a
+.Xr dummynet 4
+``pipe'' (for bandwidth limitation, delay etc.). See the
+.Xr dummynet 4
+manpage for further information. The search terminates; however,
+on exit from the pipe and if the sysctl variable
+net.inet.ip.fw.one_pass is not set, the packet is passed again to
+the firewall code starting from the next rule.
.It Ar skipto number
Skip all subsequent rules numbered less than
.Ar number .
@@ -723,6 +743,7 @@ This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
.Xr cpp 1 ,
.Xr m4 1 ,
.Xr divert 4 ,
+.Xr dummynet 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr protocols 5 ,
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index 1ff1ed7..bbeddaf 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -20,7 +20,7 @@
#ifndef lint
static const char rcsid[] =
- "$Id: ipfw.c,v 1.71 1999/06/19 18:43:15 green Exp $";
+ "$Id: ipfw.c,v 1.72 1999/08/01 16:57:24 green Exp $";
#endif /* not lint */
@@ -247,7 +247,12 @@ show_ipfw(struct ip_fw *chain, int pcwidth, int bcwidth)
default:
errx(EX_OSERR, "impossible");
}
-
+
+ if (chain->fw_flg & IP_FW_F_RND_MATCH) {
+ double d = 1.0 * (int)(chain->pipe_ptr) ;
+ d = 1 - (d / 0x7fffffff) ;
+ printf(" prob %f", d);
+ }
if (chain->fw_flg & IP_FW_F_PRN) {
printf(" log");
if (chain->fw_logamount)
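Review bot: The added line `double d = 1.0 * (int)(chain->pipe_ptr) ;` reads the stored value back through an `int` cast, while the matching store in add() (the later hunk of this file) writes it through `long`; the value is bounded by `0x7fffffff` so it fits today, but on a platform where `long` is wider than `int` the two casts are not the same conversion. Using the same width on both sides, `double d = 1.0 * (long)(chain->pipe_ptr) ;`, keeps the read and write symmetric. The constant `0x7fffffff` is now duplicated between this hunk and add(); a single named constant with a comment saying it is the scale of the stored dont-match probability would make the encoding self-describing. show_ipfw begins outside this hunk.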
@@ -605,7 +610,7 @@ show_usage(const char *fmt, ...)
" zero [number ...]\n"
" resetlog [number ...]\n"
" pipe number config [pipeconfig]\n"
-" rule: action proto src dst extras...\n"
+" rule: [prob <match_probability>] action proto src dst extras...\n"
" action:\n"
" {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
" reset|count|skipto num|divert port|tee port|fwd ip|\n"
@@ -1073,6 +1078,17 @@ add(ac,av)
}
/* Action */
+ if (ac > 1 && !strncmp(*av, "prob", strlen(*av) ) ) {
+ double d = strtod(av[1], NULL);
+ if (d <= 0 || d > 1)
+ show_usage("illegal match prob. %s", av[1]);
+ if (d != 1) { /* 1 means always match */
+ rule.fw_flg |= IP_FW_F_RND_MATCH ;
+ /* we really store dont_match probability */
+ (long)rule.pipe_ptr = (long)((1 - d) * 0x7fffffff) ;
+ }
+ }
+
if (ac == 0)
show_usage("missing action");
if (!strncmp(*av,"accept",strlen(*av))
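Review bot: As far as the hunk shows, the new `prob` block consumes two tokens (`*av` and `av[1]`) but never advances `av`/`ac`, so the `if (ac == 0)` and `strncmp(*av,"accept",…)` checks that follow still look at the word `prob`; unless that adjustment happens further down in add(), which continues outside the hunk, the block needs `av += 2; ac -= 2;` before its closing brace. The value is also parsed with `strtod(av[1], NULL)`, so trailing garbage (`0.5x`) is accepted silently, and the range test `d <= 0 || d > 1` is false for a NaN (strtod accepts `nan`), which then flows into `(long)((1 - d) * 0x7fffffff)` where converting NaN to an integer is undefined; writing the check as `!(d > 0 && d <= 1)` together with an end-pointer test rejects both. `(long)rule.pipe_ptr = …` is a cast-as-lvalue, a compiler extension rather than standard C.
```c
	/* Action */
	if (ac > 1 && !strncmp(*av, "prob", strlen(*av) ) ) {
		char *end;
		double d = strtod(av[1], &end);
		/* negated form so that a NaN fails the test as well */
		if (end == av[1] || *end != '\0' || !(d > 0 && d <= 1))
			show_usage("illegal match prob. %s", av[1]);
		if (d != 1) { /* 1 means always match */
			rule.fw_flg |= IP_FW_F_RND_MATCH ;
			/* we really store dont_match probability */
			(long)rule.pipe_ptr = (long)((1 - d) * 0x7fffffff) ;
		}
		av += 2; ac -= 2;	/* consume "prob" and its value */
	}
	/* … unchanged: action parsing … */
```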