Date: Thu, 3 Jan 2013 09:29:37 +0100
From: Luigi Rizzo
To: Sami Halabi
Cc: freebsd-ipfw
Subject: Re: Limit Session Bandwidth
Message-ID: <20130103082937.GB54360@onelab2.iet.unipi.it>

On Thu, Jan 03, 2013 at 09:19:05AM +0200, Sami Halabi wrote:
> Hi,
> I want to configure bandwidth limits in the following scenario:
> limit a specific IP to, say 10MB, but also limit each Session to, say 1MB.
>
> so max concurrent sessions of that same IP can with full bandwidth would be
> 10, each 1MB, this however doesn't limit the whole number of sessions, so
> there can be 20 sessions of 0.5MB.
>
> I didn't see option like that in the man pages, any ideas?

you can do this with a first per-flow pipe that limits the individual
bandwidth, and then passing the traffic to a scheduler (or another pipe)
with an aggregate limit of 10Mbit/s

Something like this

    # reinject packets into firewall after they come out from a pipe
    sysctl net.inet.ip.fw.one_pass=0

    # configure the pipe that applies the 1 Mbit/s cap to each flow
    ipfw pipe 123 config bw 1Mbit/s mask all

    # configure the second pipe with the global cap
    ipfw pipe 456 config bw 10Mbit/s

    # configure a scheduler that drives the second pipe
    ipfw sched 789 config mask all pipe 123

    # pass outgoing packets to the first pipe
    ipfw add 100 pipe 123 out

    # and then to the scheduler
    ipfw add 110 queue 789 out

    # and then accept
    ipfw add 120 allow ip from any to any

    #
    #       pipe 123               scheduler
    #     +---------+              +-------+
    # --->|         +----------->|       |
    #     +---------+              |       |  pipe 456
    #     one per flow             |       |+---------+
    #        . . .                 |       ||         |+----->
    #                              |       |+---------+
    #     +---------+              |       |
    # --->|         +----------->|       |
    #     +---------+              +-------+

cheers
luigi