From: alan yang
To: araujo@freebsd.org
Cc: freebsd-ipfw@freebsd.org, Ian Smith, Sergey Matveychuk
Date: Mon, 19 Dec 2011 17:19:46 -0800
Subject: Re: ipfw dscp support

Hi Marcelo,

Thanks for the modip work!

I am trying to see:

- ipfw rule to divert traffic for ipfw-classifyd
- ipfw-classifyd to classify specific traffic: ftp, sip, ...etc.
- ipfw-classifyd to reinject traffic with sin-port set according to application flow (ftp == 1000, sip == 1001, ... )
- ipfw rule modip module to set DSCP
- ipfw rule to send traffic to appropriate ALTQ queue

with the following ipfw config:

1) pfctl to create ALTQ queue:

pf.conf:

    altq on em0 cbq bandwidth 5Mb queue { ftp }
    queue ftp bandwidth 10% cbq(default)

reload pf.conf:

    pfctl -f /etc/pf.conf

2) ipfw-classifyd

    /usr/local/sbin/ipfw-classifyd p 7777

3) add ipfw rule

    /* enable ALTQ */
    ipfw enable ALTQ
    ipfw add 100 divert 7777 tcp from any to any via em0
    ipfw add 101 divert 7777 udp from any to any via em0
    ipfw add 1010 modip dscp:AF11 ip from any to any out diverted
    ipfw add 1020 allow altq ftp ip from any to any out diverted
    ipfw add 64000 allow altq root_em0 ip from any to any via em0
    (one_pass was enabled in above testing case.)
    65535 deny ip from any to any

4) observe packet flow through ALTQ ftp queue

    ipfw show         - list the packets matched the firewall rule
    pfctl -s queue -v - view the packet captured by ALTQ queue

With ICMP and FTP traffic:

1) icmp traffic matches rule 64000, traffic directed to root_em0 queue
2) ftp traffic matches rules 100, 1010, 1020, 64000 (all match)

Not sure how to configure ipfw rules so that ftp traffic would match rules 100, 1010, 1020, but not 64000?

Thanks in advance!

alan