From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 11 11:02:11 2005
Date: Mon, 11 Jul 2005 11:02:08 GMT
Message-Id: <200507111102.j6BB2896011453@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/11] bin/80913   ipfw   /sbin/ipfw2 silently discards MAC addr ar

1 problem total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw   ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw   ipfw antispoof incorrectly blocks broadca
o [2005/05/05] kern/80642  ipfw   [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28] kern/82724  ipfw   Add setnexthop and defaultroute features

4 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 11 11:02:51 2005
Date: Mon, 11 Jul 2005 11:02:42 GMT
Message-Id: <200507111102.j6BB2gBu011955@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
f [2004/12/25] i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 13 15:57:57 2005
Date: Wed, 13 Jul 2005 17:57:53 +0200 (CEST)
Message-Id: <200507131557.j6DFvrSY024295@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Subject: "or" blocks in IPFW2

Hi,

I'm using IPFW2 on FreeBSD 4-stable (only a few days old). This is a small router with multiple interfaces. I would like to write a rule that matches packets that enter the router on fxp0 _or_ leave it on fxp0.

My first idea was to simply use "via fxp0", but that would also match routed packets that leave the system on some other interface (and have entered the system on fxp0 previously). This is not what I want.

My next idea was to use "or" blocks, according to the ipfw manpage, to combine "in recv fxp0" with "out xmit fxp0". However, when I enter the command, the parser of ipfw(8) seems to move the braces to different locations:

    # ipfw add allow tcp from any to any \{ in recv fxp0 or out xmit fxp0 \}
    04400 allow tcp from any to any in { recv fxp0 or out } xmit fxp0

Of course, now the rule does something completely different which doesn't even make any sense. Most confusingly, I don't get an error message or even a warning from the parser.

Is this a bug in ipfw, or a bug in the manpage, or do I just misunderstand things? Do I have to write two separate rules?

Thanks in advance!

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.
"Unix gives you just enough rope to hang yourself -- and then a couple of more feet, just to be sure." -- Eric Allman From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 16 15:02:43 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F0CF16A41C; Sat, 16 Jul 2005 15:02:43 +0000 (GMT) (envelope-from dionch@freemail.gr) Received: from smtp.freemail.gr (smtp.freemail.gr [213.239.180.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9819443D46; Sat, 16 Jul 2005 15:02:42 +0000 (GMT) (envelope-from dionch@freemail.gr) Received: by smtp.freemail.gr (Postfix, from userid 101) id AAABABC0AF; Sat, 16 Jul 2005 18:02:38 +0300 (EEST) Received: from R3B (unknown [62.38.168.175])by smtp.freemail.gr (Postfix) with ESMTP id 91248BC0A6; Sat, 16 Jul 2005 18:02:35 +0300 (EEST) Message-ID: <001c01c58a17$5dbe4a40$0100000a@R3B> 
From: "Chris Dionissopoulos" To: , Date: Sat, 16 Jul 2005 18:02:19 +0300 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0019_01C58A30.81E63C20" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Cc: Subject: Traffic quota features in IPFW X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Chris Dionissopoulos List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Jul 2005 15:02:43 -0000 This is a multi-part message in MIME format. ------=_NextPart_000_0019_01C58A30.81E63C20 Content-Type: text/plain; format=flowed; charset="windows-1253"; reply-type=original Content-Transfer-Encoding: 7bit Hi ppl, ( and sorry for cross posting) I review Andrey's Elsukov patch for adding "bound" support in ipfw, and i decide to push a little forward this feature. You can see the whole picture in there: http://www.freebsd.org/cgi/query-pr.cgi?pr=80642 and there: http://butcher.heavennet.ru/ In my patch, 3 new options are added: 1. "below " (which is the same option as Andrey's "bound" option, I just rename it) 2. "above " which is the oposite option of "below". Match rules when the counter is above 3. "check-quota" (which is the same option as Andrey's "check-bound" , but now applies to both "above" and "below" options). Notes: 1. Patch is against releng_6. 2. I also include a more compicated example which is (IMHO) a complete traffic quota+shaping solution for a small (or not so small) ISP. 3. For installation, follow the instructions Adrey publish in his webspace: http://butcher.heavennet.ru/ 4. Patch doesn't breaks ipfw ABI (today) , because adds new options at the end of list. If you apply this patch in a month or so, I cannot guarantee success. 5. Please test, and send me your feedbacks. 
I'll be happy if you find these features useful and if any developer commits this patch to the current or releng_6 branch.

Chris.

____________________________________________________________________
http://www.freemail.gr - free email service.
http://www.freemail.gr - free email service for the Greek-speaking.

Content-Disposition: attachment; filename="releng6_ipfw_quota.patch"

--- sys/netinet/ip_fw.h.orig Sat Jul 16 14:55:58 2005=0A= +++ sys/netinet/ip_fw.h Sat Jul 16 15:08:37 2005=0A= @@ -154,6 +154,13 @@=0A= O_NGTEE, /* copy to ng_ipfw */=0A= =0A= O_IP4,=0A= + =0A= + /*=0A= + * Traffic quota options=0A= + */=0A= + O_QBELOW, /* u64 =3D uplimit in bytes */=0A= + O_QABOVE, /* u64 =3D downlimit in bytes */=0A= + O_CHECK_QUOTA, /* u16 =3D rule number */=0A= =0A= O_LAST_OPCODE /* not an opcode! */=0A= };=0A= @@ -230,6 +237,14 @@=0A= } ipfw_insn_u32;=0A= =0A= /*=0A= + * This is used to store 64-bit quota value.=0A= + */=0A= +typedef struct _ipfw_insn_u64 {=0A= + ipfw_insn o;=0A= + u_int64_t quota;=0A= +} ipfw_insn_u64;=0A= +=0A= +/*=0A= * This is used to store IP addr-mask pairs.=0A= */=0A= typedef struct _ipfw_insn_ip {=0A=
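Review bot: the `@@ -154,6 +154,13 @@` hunk documents O_QBELOW as `u64 = uplimit in bytes` and O_QABOVE as `u64 = downlimit in bytes`, but both opcodes carry the same thing, a byte threshold that the matcher compares against a rule's byte counter (`<` for O_QBELOW, `>` for O_QABOVE); say that in the comment so readers of ip_fw.h don't go looking for a separate up/down notion, and drop the whitespace-only `+ ` line above the comment block.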
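Review bot: `ipfw_insn_u64` in the `@@ -230,6 +237,14 @@` hunk puts a `u_int64_t` right after the 4-byte `ipfw_insn` header, so on LP64 platforms the struct is padded to 16 bytes (F_INSN_SIZE reports 4 words instead of 3) and `quota` lands at offset 8, while the instruction stream is only guaranteed 32-bit alignment; `((ipfw_insn_u64 *)cmd)->quota` is then a 64-bit load that may be misaligned on strict-alignment architectures. Storing the value as two `uint32_t` halves, in the spirit of the existing `ipfw_insn_u32`, or marking the struct `__packed` and copying the field out with `bcopy`, avoids both the padding and the alignment dependency. Prefer `uint64_t` over the BSD-style `u_int64_t` for consistency with the userland side of the patch.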
@@ -351,12 +366,17 @@=0A= *=0A= * When assembling instruction, remember the following:=0A= *=0A= + * + if a rule has a "quota" option, then the first instruction=0A= + * (at r->cmd) MUST BE an O_QBELOW|O_QABOVE=0A= * + if a rule has a "keep-state" (or "limit") option, then the=0A= * first instruction (at r->cmd) MUST BE an O_PROBE_STATE=0A= * + if a rule has a "log" option, then the first action=0A= * (at ACTION_PTR(r)) MUST be O_LOG=0A= * + if a rule has an "altq" option, it comes after "log"=0A= *=0A= + *=0A= + * NOTE: actually, O_PROB instruction may be first too. But = O_QBELOW|O_QABOVE=0A= + * MUST BE always first (at r->cmd).=0A= * NOTE: we use a simple linked list of rules because we never need=0A= * to delete a rule without scanning the list. We do not use=0A= * queue(3) macros for portability and readability.=0A= --- sys/netinet/ip_fw2.c.orig Sat Jul 16 14:55:58 2005=0A= +++ sys/netinet/ip_fw2.c Sat Jul 16 17:06:19 2005=0A= @@ -2251,6 +2251,36 @@=0A= * logic to deal with F_NOT and F_OR flags associated=0A= * with the opcode.=0A= */=0A= + case O_QBELOW:=0A= + match =3D (f->bcnt < ((ipfw_insn_u64 *)cmd)->quota);=0A= + break;=0A= +=0A= + case O_QABOVE:=0A= + match =3D (f->bcnt > ((ipfw_insn_u64 = *)cmd)->quota);=0A= + break;=0A= +=0A= + case O_CHECK_QUOTA:=0A= + {=0A= + struct ip_fw* rule;=0A= + for (rule =3D f->next;=0A= + rule && cmd->arg1 >=3D rule->rulenum;=0A= + rule =3D rule->next)=0A= + if (rule->rulenum =3D=3D cmd->arg1)=0A= + switch (rule->cmd->opcode) {=0A= + case O_QBELOW:=0A= + match =3D (rule->bcnt <=0A= + ((ipfw_insn_u64 *)(rule->cmd))->quota);=0A= + break;=0A= + case O_QABOVE:=0A= + match =3D (rule->bcnt >=0A= + = ((ipfw_insn_u64 *)(rule->cmd))->quota);=0A= + break;=0A= + default: =0A= + break;=0A= + }=0A= + }=0A= + break;=0A= +=0A= case O_NOP:=0A= match =3D 1;=0A= break;=0A= 
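Review bot: the `@@ -351,12 +366,17 @@` comment now has two bullets that each say their instruction `MUST BE` first at r->cmd (O_QBELOW|O_QABOVE and O_PROBE_STATE), plus a NOTE that O_PROB may be first too. Replace the three statements with the order the userland assembler actually emits (the quota instruction, then the O_PROB match probability, then the keep-state probe, as the `done:` block in sbin/ipfw/ipfw2.c writes them), since the kernel-side size check rejects a quota opcode that is not at `rule->cmd` and a reader needs to know what else may precede O_PROBE_STATE.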
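Review bot: in the `@@ -2251,6 +2251,36 @@` hunk `case O_QABOVE: match = (f->bcnt > quota)` tests the rule's own byte counter, yet that counter only advances when the rule matches, so a rule carrying `above N` starts at 0 and never begins to match unless something outside this diff feeds `f->bcnt` (the `skipto ... above 100M` rules in the attached example would never fire, and a `below N` rule stops counting the moment it reaches N). If the intent is to compare against another rule's counter, `above`/`below` should only be reachable through `check-quota`, and the man page should say so. The O_CHECK_QUOTA loop has two further problems: it walks forward from `f->next`, so a `check-quota` naming an earlier rule number, or a rule whose first opcode is not a quota opcode, silently never matches, and a target whose set is disabled is consulted anyway; and there is no `break` once `rule->rulenum == cmd->arg1`, so with duplicate rule numbers the last one wins and the scan continues needlessly. Suggest a `break` after the `switch`, a `set` check, and validating the target when the rule is installed.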
@@ -3373,6 +3403,7 @@=0A= case O_EXT_HDR:=0A= case O_IP6:=0A= case O_IP4:=0A= + case O_CHECK_QUOTA:=0A= if (cmdlen !=3D F_INSN_SIZE(ipfw_insn))=0A= goto bad_size;=0A= break;=0A= @@ -3388,6 +3419,17 @@=0A= case O_ICMPTYPE:=0A= if (cmdlen !=3D F_INSN_SIZE(ipfw_insn_u32))=0A= goto bad_size;=0A= + break;=0A= +=0A= + case O_QBELOW:=0A= + case O_QABOVE:=0A= + if (cmdlen !=3D F_INSN_SIZE(ipfw_insn_u64))=0A= + goto bad_size;=0A= + if (cmd !=3D rule->cmd) {=0A= + printf("ipfw: bogus rule, opcode %d must be first\n",=0A= + cmd->opcode);=0A= + return EINVAL;=0A= + }=0A= break;=0A= =0A= case O_LIMIT:=0A= --- sbin/ipfw/ipfw2.c.orig Sat Jul 16 15:21:06 2005=0A= +++ sbin/ipfw/ipfw2.c Sat Jul 16 17:11:42 2005=0A= @@ -73,6 +73,8 @@=0A= show_sets, /* display rule sets */=0A= test_only, /* only check syntax */=0A= comment_only, /* only print action and comment */=0A= + not_humanval, /* don't use human-readable unit suffixes=0A= + when show boundary values */=0A= verbose;=0A= =0A= #define IP_MASK_ALL 0xffffffff=0A= @@ -277,6 +279,10 @@=0A= TOK_SRCIP6,=0A= =0A= TOK_IPV4,=0A= +=0A= + TOK_QBELOW,=0A= + TOK_QABOVE,=0A= + TOK_CHECK_QUOTA,=0A= };=0A= =0A= struct _s_x dummynet_params[] =3D {=0A= @@ -404,6 +410,9 @@=0A= { "src-ipv6", TOK_SRCIP6},=0A= { "src-ip6", TOK_SRCIP6},=0A= { "//", TOK_COMMENT },=0A= + { "below", TOK_QBELOW},=0A= + { "above", TOK_QABOVE},=0A= + { "check-quota", TOK_CHECK_QUOTA},=0A= =0A= { "not", TOK_NOT }, /* pseudo option */=0A= { "!", /* escape ? */ TOK_NOT }, /* pseudo option */=0A= @@ -1636,6 +1645,10 @@=0A= flags |=3D HAVE_PROTO;=0A= break;=0A= =0A= + case O_QBELOW:=0A= + case O_QABOVE:=0A= + break; =0A= +=0A= default: /*options ... */=0A= if (!(cmd->len & (F_OR|F_NOT)))=0A= if (((cmd->opcode =3D=3D O_IP6) &&=0A= @@ -1857,6 +1870,10 @@=0A= case O_EXT_HDR:=0A= print_ext6hdr( (ipfw_insn *) cmd );=0A= break;=0A= + =0A= + case O_CHECK_QUOTA:=0A= + printf(" check-quota %d", cmd->arg1);=0A= + break;=0A= =0A= default:=0A= printf(" [opcode %d len %d]",=0A= 
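Review bot: the `@@ -3373,6 +3403,7 @@` hunk gives O_CHECK_QUOTA only a length check; nothing verifies that `cmd->arg1` names an existing rule whose first instruction is O_QBELOW or O_QABOVE, so a dangling or misdirected `check-quota` is accepted at `ipfw add` time and then never matches. Resolving the reference here (or at least documenting in ipfw(8) that the target must be a later quota rule) would surface the mistake when the rule is loaded. The `opcode %d must be first` check in the following hunk is the right place for the ordering constraint; it also implicitly rejects a rule that has both opcodes, which deserves a comment.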
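Review bot: in the `@@ -404,6 +410,9 @@` keyword hunk, `below` and `above` are very generic names for a test on a byte counter; pairing them with `check-quota` as `quota-below`/`quota-above` reads better and leaves the bare words free for other comparisons later. The comment on `not_humanval` in the `@@ -73,6 +73,8 @@` hunk should read "when showing quota values" rather than "when show boundary values".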
@@ -1872,6 +1889,28 @@=0A= }=0A= }=0A= show_prerequisites(&flags, HAVE_IP, 0);=0A= +=0A= + if (rule->cmd->opcode =3D=3D O_QBELOW || rule->cmd->opcode =3D=3D = O_QABOVE) {=0A= + uint64_t bound =3D ((ipfw_insn_u64 *)(rule->cmd))->quota;=0A= + if (rule->cmd->opcode =3D=3D O_QBELOW) =0A= + printf(" below ");=0A= + else=0A= + printf(" above ");=0A= + if (!not_humanval) {=0A= + if ((bound >> 10) && !(bound & 0x2FF)) {=0A= + if ((bound >> 20) && !(bound & 0xFFFFF)) {=0A= + if ((bound >> 30) && !(bound & 0x3FFFFFFF))=0A= + printf("%uGB", bound >> 30);=0A= + else=0A= + printf("%uMB", bound >> 20);=0A= + } else=0A= + printf("%uKB", bound >> 10);=0A= + } else=0A= + printf("%uB", bound);=0A= + } else=0A= + printf("%u", bound);=0A= + }=0A= +=0A= if (comment)=0A= printf(" // %s", comment);=0A= printf("\n");=0A= @@ -2515,6 +2554,9 @@=0A= " icmp6types LIST | ext6hdr LIST | flow-id N[,N] |\n"=0A= " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} = |\n"=0A= " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC = |\n"=0A= +" tcpdatalen LIST | below VALUE | above VALUE | check-quota NUM |\n"=0A= +" verrevpath | versrcreach | antispoof\n"=0A= +=0A= " tcpdatalen LIST | verrevpath | versrcreach | antispoof\n"=0A= );=0A= exit(0);=0A= @@ -3677,7 +3719,7 @@=0A= * various flags used to record that we entered some fields.=0A= */=0A= ipfw_insn *have_state =3D NULL; /* check-state or keep-state */=0A= - ipfw_insn *have_log =3D NULL, *have_altq =3D NULL;=0A= + ipfw_insn *have_log =3D NULL, *have_altq =3D NULL, *have_quota =3D = NULL;=0A= size_t len;=0A= =0A= int i;=0A= 
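Review bot: the show_ipfw hunk (`@@ -1872,6 +1889,28 @@`) has a wrong mask and a wrong format. `!(bound & 0x2FF)` is meant to test the low 10 bits for an exact KB multiple, but `0x2FF` leaves bit 8 unchecked, so a value such as 1280 prints as `1KB`; use `0x3FF` (the MB and GB masks `0xFFFFF` and `0x3FFFFFFF` are correct). All four `printf("%u...", bound ...)` calls pass a `uint64_t` to `%u`, which is undefined behaviour and prints garbage on 64-bit targets; cast to `uintmax_t` and use `%ju`.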
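Review bot: the usage hunk (`@@ -2515,6 +2554,9 @@`) adds a line with `tcpdatalen LIST | below VALUE | above VALUE | check-quota NUM |` followed by `verrevpath | versrcreach | antispoof`, but keeps the old `tcpdatalen LIST | verrevpath | versrcreach | antispoof` line, so those four options appear twice in `ipfw -h` output, and the empty `+` line puts a blank line inside the string-literal list. Delete the old line instead of adding next to it.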
@@ -4494,6 +4536,66 @@=0A= ac =3D 0;=0A= break;=0A= =0A= + case TOK_QBELOW:=0A= + NEED1("below requires numeric value");=0A= + if (open_par)=0A= + errx(EX_USAGE, "below cannot be part "=0A= + "of an or block");=0A= + if (have_quota)=0A= + errx(EX_USAGE, "only one of below|above is allowed");=0A= + if (cmd->len & F_NOT)=0A= + errx(EX_USAGE,=0A= + "\"not\" not allowed with below option");=0A= + {=0A= + char *end =3D NULL;=0A= + uint64_t bound =3D strtoull(*av, &end, 0);=0A= + if (bound)=0A= + switch (*end){=0A= + case 'G': bound *=3D 1024;=0A= + case 'M': bound *=3D 1024;=0A= + case 'K': bound *=3D 1024;=0A= + };=0A= + cmd->opcode =3D O_QBELOW;=0A= + ((ipfw_insn_u64 *)cmd)->quota =3D bound;=0A= + cmd->len =3D F_INSN_SIZE(ipfw_insn_u64) & F_LEN_MASK;=0A= + have_quota =3D cmd;=0A= + ac--; av++;=0A= + }=0A= + break;=0A= +=0A= + case TOK_QABOVE:=0A= + NEED1("above requires numeric value");=0A= + if (open_par)=0A= + errx(EX_USAGE, "above cannot be part "=0A= + "of an or block");=0A= + if (have_quota)=0A= + errx(EX_USAGE, "only one of below|above = is allowed");=0A= + if (cmd->len & F_NOT)=0A= + errx(EX_USAGE,=0A= + "\"not\" not allowed with above = option");=0A= + {=0A= + char *end =3D NULL;=0A= + uint64_t bound =3D strtoull(*av, &end, = 0);=0A= + if (bound)=0A= + switch (*end){=0A= + case 'G': bound *=3D 1024;=0A= + case 'M': bound *=3D 1024;=0A= + case 'K': bound *=3D 1024;=0A= + };=0A= + cmd->opcode =3D O_QABOVE;=0A= + ((ipfw_insn_u64 *)cmd)->quota =3D bound;=0A= + cmd->len =3D F_INSN_SIZE(ipfw_insn_u64) = & F_LEN_MASK;=0A= + have_quota =3D cmd;=0A= + ac--; av++;=0A= + }=0A= + break;=0A= +=0A= + case TOK_CHECK_QUOTA:=0A= + NEED1("check-quota requires rule number");=0A= + fill_cmd(cmd, O_CHECK_QUOTA, 0, strtoul(*av, NULL, 0));=0A= + ac--; av++;=0A= + break;=0A= +=0A= default:=0A= errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);=0A= }=0A= 
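Review bot: the TOK_QBELOW and TOK_QABOVE arms in `@@ -4494,6 +4536,66 @@` are the same code twice with a different opcode; factor them into a helper. The `switch (*end)` relies on fallthrough (`case 'G'`, then `'M'`, then `'K'`, each multiplying by 1024) without a `/* FALLTHROUGH */` comment, accepts only upper-case suffixes, and ignores whatever follows the number, so `below 100X` is taken silently as 100 bytes, `below 0` is accepted because the `if (bound)` guard skips the suffix logic rather than rejecting the value, and the `100MB` form printed by the show code only round-trips because the trailing `B` is discarded. Suggest rejecting anything after the digits other than an optional `K`/`M`/`G` in either case, and checking `end == *av` for a non-number. `check-quota` passes `strtoul(*av, NULL, 0)` to `fill_cmd`, whose argument is a 16-bit `arg1`, with no range check, so a value above 65535 is truncated rather than rejected.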
@@ -4506,6 +4608,8 @@=0A= done:=0A= /*=0A= * Now copy stuff into the rule.=0A= + * If we have a quota option, the first instruction MUST BE=0A= + * a O_QBELOW or O_QABOVE.=0A= * If we have a keep-state option, the first instruction=0A= * must be a PROBE_STATE (which is generated here).=0A= * If we have a LOG option, it was stored as the first command,=0A= @@ -4514,7 +4618,15 @@=0A= dst =3D (ipfw_insn *)rule->cmd;=0A= =0A= /*=0A= - * First thing to write into the command stream is the match = probability.=0A= + * First write into the command stream quota instruction=0A= + */=0A= + if (have_quota) {=0A= + bcopy(have_quota, dst, F_LEN(have_quota) * sizeof(uint32_t));=0A= + dst =3D next_cmd(dst);=0A= + }=0A= +=0A= + /*=0A= + * write the match probability=0A= */=0A= if (match_prob !=3D 1) { /* 1 means always match */=0A= dst->opcode =3D O_PROB;=0A= @@ -4531,7 +4643,8 @@=0A= dst =3D next_cmd(dst);=0A= }=0A= /*=0A= - * copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ=0A= + * copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ,=0A= + * O_QBELOW, O_QABOVE=0A= */=0A= for (src =3D (ipfw_insn *)cmdbuf; src !=3D cmd; src +=3D i) {=0A= i =3D F_LEN(src);=0A= @@ -4541,6 +4654,8 @@=0A= case O_KEEP_STATE:=0A= case O_LIMIT:=0A= case O_ALTQ:=0A= + case O_QBELOW:=0A= + case O_QABOVE:=0A= break;=0A= default:=0A= bcopy(src, dst, i * sizeof(uint32_t));=0A= @@ -4848,7 +4963,7 @@=0A= save_av =3D av;=0A= =0A= optind =3D optreset =3D 0;=0A= - while ((ch =3D getopt(ac, av, "abcdefhnNqs:STtv")) !=3D -1)=0A= + while ((ch =3D getopt(ac, av, "abcdefhHnNqs:STtv")) !=3D -1)=0A= switch (ch) {=0A= case 'a':=0A= do_acct =3D 1;=0A= 
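Review bot: the `@@ -4848,7 +4963,7 @@` hunk adds `H` to the getopt string (the handler in the next hunk sets `not_humanval`), but `-H` is not added to the usage text that the earlier help hunk edits, and there is no ipfw(8) man page change in this patch; a flag that changes how `ipfw show` renders values needs both. Consider also making the raw byte count the default and the `KB`/`MB`/`GB` rendering the opt-in, since scripts that parse `ipfw show` output are the usual consumer of these numbers.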
@@ -4879,6 +4994,10 @@=0A= free_args(save_ac, save_av);=0A= help();=0A= break; /* NOTREACHED */=0A= +=0A= + case 'H': /* don't use human-readable output */=0A= + not_humanval =3D 1;=0A= + break;=0A= =0A= case 'n':=0A= test_only =3D 1;=0A=

Content-Disposition: attachment; filename="traffic_quota_example.txt"

Example:

We will enforce traffic shaping and traffic quota in a client's network behind a FreeBSD gateway.

Definitions/policy:

1. clients network: 1.1.1.0/24.
2. Quota policy:
   unlimited clients:    1.1.1.0/27
   100MB/day clients:    1.1.1.32/27   ipfw-set:2  ipfw-range:1000-9999
   1GB/week clients:     1.1.1.64/26   ipfw-set:3  ipfw-range:10000-19999
   10GB/month clients:   1.1.1.128/25  ipfw-set:4  ipfw-range:20000-29999
3. Shaping policy:
   1.1.1.0/27       unlimited
   1.1.1.32/27      100Mbps in/out
   1.1.1.64/26      10Mbps in/out
   1.1.1.128/25     1Mbps in/out
   quota exceeded   64Kbps in/out

ipfw.sh
=======

#!/bin/sh
ipfw="/sbin/ipfw"
qos="40000"
allow="65000"
lan="em0"
wan="em1"

# ******************
# * QOS definition *
# ******************
# quota exceeded pipes:
${ipfw} pipe 1 config bw 64Kbit/s mask dst-ip 0x000000ff
${ipfw} pipe 2 config bw 64Kbit/s mask src-ip 0x000000ff
# 1MB pipes:
${ipfw} pipe 3 config bw 1Mbit/s mask dst-ip 0x000000ff
${ipfw} pipe 4 config bw 1Mbit/s mask src-ip 0x000000ff
# 10MB pipes:
${ipfw} pipe 5 config bw 10Mbit/s mask dst-ip 0x000000ff
${ipfw} pipe 6 config bw 10Mbit/s mask src-ip 0x000000ff
# 100MB pipes:
${ipfw} pipe 7 config bw 100Mbit/s mask dst-ip 0x000000ff
${ipfw} pipe 8 config bw 100Mbit/s mask src-ip 0x000000ff

# *************************
# * RECEIVE Without Quota *
# *************************
${ipfw} add 100 allow ip from any to any in recv ${lan}
${ipfw} add 200 allow ip from any to any in recv ${wan}

# ***********************
# * 100MB/DAY both ways *
# ***********************
${ipfw} add 1000 set 2 allow ip from any to 1.1.1.32/32 out xmit ${lan} check-quota 1001
${ipfw} add 1001 set 2 skipto ${qos} ip from 1.1.1.32/32 to any out xmit ${wan} above 100M
${ipfw} add 1002 set 2 allow ip from any to 1.1.1.33/32 out xmit ${lan} check-quota 1003
${ipfw} add 1003 set 2 skipto ${qos} ip from 1.1.1.33/32 to any out xmit ${wan} above 100M
....
${ipfw} add 1062 set 2 allow ip from any to 1.1.1.63/32 out xmit ${lan} check-quota 1063
${ipfw} add 1063 set 2 skipto ${qos} ip from 1.1.1.63/32 to any out xmit ${wan} above 100M
${ipfw} add 9999 skipto ${allow} pipe 1 ip from any to 1.1.1.32/27 out xmit ${lan}
${ipfw} add 9999 skipto ${allow} pipe 2 ip from 1.1.1.32/27 to any out xmit ${wan}

# **********************
# * 1GB/WEEK both ways *
# **********************
${ipfw} add 10000 set 3 allow ip from any to 1.1.1.64/32 out xmit ${lan} check-quota 10001
${ipfw} add 10001 set 3 skipto ${qos} ip from 1.1.1.64/32 to any out xmit ${wan} above 1G
${ipfw} add 10002 set 3 allow ip from any to 1.1.1.65/32 out xmit ${lan} check-quota 10003
${ipfw} add 10003 set 3 skipto ${qos} ip from 1.1.1.65/32 to any out xmit ${wan} above 1G
....
${ipfw} add 10126 set 3 allow ip from any to 1.1.1.127/32 out xmit ${lan} check-quota 10127
${ipfw} add 10127 set 3 skipto ${qos} ip from 1.1.1.127/32 to any out xmit ${wan} above 1G
${ipfw} add 19999 skipto ${allow} pipe 1 ip from any to 1.1.1.64/26 out xmit ${lan}
${ipfw} add 19999 skipto ${allow} pipe 2 ip from 1.1.1.64/26 to any out xmit ${wan}

# ***********************
# * 10GB/MONTH both ways*
# ***********************
${ipfw} add 20000 set 4 allow ip from any to 1.1.1.128/32 out xmit ${lan} check-quota 20001
${ipfw} add 20001 set 4 skipto ${qos} ip from 1.1.1.128/32 to any out xmit ${wan} above 10G
${ipfw} add 20002 set 4 allow ip from any to 1.1.1.129/32 out xmit ${lan} check-quota 20003
${ipfw} add 20003 set 4 skipto ${qos} ip from 1.1.1.129/32 to any out xmit ${wan} above 10G
....
${ipfw} add 20254 set 4 allow ip from any to 1.1.1.255/32 out xmit ${lan} check-quota 20255
${ipfw} add 20255 set 4 skipto ${qos} ip from 1.1.1.255/32 to any out xmit ${wan} above 10G
${ipfw} add 29999 skipto ${allow} pipe 1 ip from any to 1.1.1.128/25 out xmit ${lan}
${ipfw} add 29999 skipto ${allow} pipe 2 ip from 1.1.1.128/25 to any out xmit ${wan}

# *************
# *    QOS    *
# *************
# 1.1.1.128/25 each of them has 1MBps in and 1Mbps out shaping
${ipfw} add ${qos} skipto ${allow} pipe 3 ip from any to 1.1.1.128/25 out xmit ${lan}
${ipfw} add ${qos} skipto ${allow} pipe 4 ip from 1.1.1.128/25 to any out xmit ${wan}
# 1.1.1.64/26 each of them has 10MBps in and 10Mbps out shaping
${ipfw} add ${qos} skipto ${allow} pipe 5 ip from any to 1.1.1.64/26 out xmit ${lan}
${ipfw} add ${qos} skipto ${allow} pipe 6 ip from 1.1.1.64/26 to any out xmit ${wan}
# 1.1.1.32/32 each of them has 100MBps in and 100Mbps out shaping
${ipfw} add ${qos} skipto ${allow} pipe 7 ip from any to 1.1.1.32/27 out xmit ${lan}
${ipfw} add ${qos} skipto ${allow} pipe 8 ip from 1.1.1.32/27 to any out xmit ${wan}

# *********
# * allow *
# *********
${ipfw} add ${allow} allow ip from any to any

/etc/crontab:
=============

# Perform daily/weekly/monthly ipfw counter reset.
0 0 * * * root /sbin/ipfw zero set 2
0 0 * * 0 root /sbin/ipfw zero set 3
0 0 1 * * root /sbin/ipfw zero set 4

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 16 15:40:43 2005
From: Max Laier
To: freebsd-ipfw@freebsd.org, Chris Dionissopoulos
Cc: freebsd-net@freebsd.org
Date: Sat, 16 Jul 2005 17:40:32 +0200
Message-Id: <200507161740.38234.max@love2party.net>
In-Reply-To: <001c01c58a17$5dbe4a40$0100000a@R3B>
Subject: Re: Traffic quota features in IPFW

On Saturday 16 July 2005 17:02, Chris Dionissopoulos wrote:
> Hi ppl, (and sorry for cross posting)
>
> I reviewed Andrey Elsukov's patch for adding "bound" support in ipfw, and I
> decided to push this feature a little further.

Sorry to be blunt, but I don't see the point in this feature nor do I think it's a good idea. All it does is add overhead to every packet that is processed by IPFW. You might argue that this overhead is fairly little, but if you combine the last ten "neat to have though not really necessary" features this adds up. Also the code is getting more and more hacked up. Your feature might be nicely done, but it adds to the main switch-loops making them more and more unreadable until it all falls over and nobody is willing to touch the code anymore. I have seen (too) much ipfw code lately while tying together loose ends in the IPv6-import and it's already messy enough.

I urge you to reconsider if we really need this. If you think we can't live without it, it'd be nice if you could come up with a clean(er) way to extend IPFW with additional stuff like this without impact to performance and maintainability for the common case (without the magic foobar-option of the day). Thanks.

BTW: This function can be done with a three line awk script without any effect on performance. Of course you will lose some precision, but I don't see applications where you have to be *that* precise.

> You can see the whole picture here:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=80642
> and here:
> http://butcher.heavennet.ru/
>
> In my patch, 3 new options are added:
> 1. "below " (which is the same option as Andrey's "bound" option, I
> just renamed it)
> 2. "above ", which is the opposite option of "below": match rules when
> the counter is above
> 3. "check-quota" (which is the same option as Andrey's "check-bound", but
> now applies to both "above" and "below" options).
>
> Notes:
> 1. Patch is against releng_6.
> 2. I also include a more complicated example which is (IMHO) a complete
> traffic quota+shaping solution for a small (or not so small) ISP.
> 3. For installation, follow the instructions Andrey published in his webspace:
> http://butcher.heavennet.ru/
> 4. Patch doesn't break the ipfw ABI (today), because it adds new options at the
> end of the list. If you apply this patch in a month or so, I cannot guarantee
> success.
> 5. Please test, and send me your feedback.
>
>
> I'll be happy if you find these features useful and if any developer
> commits this patch to the current or releng_6 branch.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 16 16:23:49 2005
Message-ID: <006901c58a22$b37e30c0$0100000a@R3B>
From: "Chris Dionissopoulos"
To: "Max Laier"
Cc: freebsd-net@freebsd.org
Date: Sat, 16 Jul 2005 19:23:27 +0300
Subject: Re: Traffic quota features in IPFW
References: <001c01c58a17$5dbe4a40$0100000a@R3B> <200507161740.38234.max@love2party.net>

>> Hi ppl, (and sorry for cross posting)
>>
>> I review Andrey's Elsukov patch for adding "bound" support in ipfw, and I
>> decide to push a little forward this feature.

> Sorry to be blunt, but I don't see the point in this feature nor do I think
> it's a good idea. All it does is adding overhead to every packet that is
> processed by IPFW. You might argue that this overhead is fairly little, but
> if you combine the last ten "neat to have though not really necessary"
> features this adds up. Also the code is getting more and more hacked up.

If your rules are not using this option it doesn't add any overhead. If your
rules use it, it adds as much overhead as any other option you use. Yes, we
see too much patching in ipfw in the last 2 months, but I think that the ipfw
code still remains plain and clear.

> Your feature might be nicely done, but it adds to the main switch-loops
> making them more and more unreadable until it all falls over and nobody is
> willing to touch the code anymore. I have seen (too) much ipfw code lately
> while tying together loose ends in the IPv6-import and it's already messy
> enough.

This is the way ipfw is written all these years. I don't know if my coding
skills are not enough, but right now I cannot see any other way to add new
features in ipfw without using these huge switch checks. IMHO, ipfw must be
heavily rewritten to remove these switch checks. But again, my opinion is that
ipfw's checking is fast enough as is. Maybe I'm wrong.

> I urge you to reconsider if we really need this. If you think we can't live
> without it, it'd be nice if you could come up with a clean(er) way to extend
> IPFW with additional stuff like this without impact to performance and
> maintainability for the common case (without the magic foobar-option of the
> day). Thanks.

I agree with you, a good reason to drop this patch is if it is useless to most
of the ipfw users. If I'm the only one (and Andrey) who needs this, just
ignore it. That's why I post it here.

> BTW: This function can be done with a three line awk-script without any
> effect on performance. Of course you will lose some precision, but I don't
> see applications where you have to be *that* precise.

Hmm, do you have a small example? I'm really interested in this, and I can't
think of any.

TIA,
Chris.
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 16 16:53:54 2005
From: Luigi Rizzo
To: Max Laier
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org, Chris Dionissopoulos
Date: Sat, 16 Jul 2005 09:53:54 -0700
Subject: Re: Traffic quota features in IPFW
Message-ID: <20050716095353.B86993@xorpc.icir.org>
In-Reply-To: <200507161740.38234.max@love2party.net>; from max@love2party.net on Sat, Jul 16, 2005 at 05:40:32PM +0200
References: <001c01c58a17$5dbe4a40$0100000a@R3B> <200507161740.38234.max@love2party.net>

On Sat, Jul 16, 2005 at 05:40:32PM +0200, Max Laier wrote:
> On Saturday 16 July 2005 17:02, Chris Dionissopoulos wrote:
> > Hi ppl, (and sorry for cross posting)
> >
> > I review Andrey's Elsukov patch for adding "bound" support in ipfw, and I
> > decide to push a little forward this feature.
>
> Sorry to be blunt, but I don't see the point in this feature nor do I think
> it's a good idea. All it does is adding overhead to every packet that is
> processed by IPFW. You might argue that this overhead is fairly little, but

max, you are entitled to dislike the idea, but you should present your
arguments correctly and not in a misleading way.

There is no extra per-packet overhead in the common case introduced by this
particular option (and in practically all new options added to ipfw2) because
all it adds is a few entries to the main switch.

Re. readability, you surely know very well (and it's widely documented
through the ip_fw2.[ch] code) that each IPFW2 opcode is independent of
others, so to understand the main function you just need to understand the
code outside the switch (which grabs the packets' data), and the individual
case you are looking at - which does a 'break, break 2 or break 3' depending
on the case (and not having the 'break n' construct in C we are forced to use
gotos). Surely the more opcodes you have, the bigger the switch becomes, but
I don't see readability suffering too much. In any case it would be trivial
to move to a different structure where each opcode handler is called through
an indirect function and depending on the return value one does a break,
break 2 or break 3.

I don't have a particular interest in this patch, I think it could be done in
a better way (e.g. by using a single opcode for below/above, and a more
efficient check-state perhaps) but none of your criticism really applies to
the code as it has been submitted.

"sorry to be blunt" :)

cheers
luigi

> if you combine the last ten "neat to have though not really necessary"
> features this adds up. Also the code is getting more and more hacked up.
> Your feature might be nicely done, but it adds to the main switch-loops
> making them more and more unreadable until it all falls over and nobody is
> willing to touch the code anymore. I have seen (too) much ipfw code lately
> while tying together loose ends in the IPv6-import and it's already messy
> enough.
>
> I urge you to reconsider if we really need this. If you think we can't live
> without it, it'd be nice if you could come up with a clean(er) way to extend
> IPFW with additional stuff like this without impact to performance and
> maintainability for the common case (without the magic foobar-option of the
> day). Thanks.
>
> BTW: This function can be done with a three line awk-script without any
> effect on performance. Of course you will lose some precision, but I don't
> see applications where you have to be *that* precise.
>
> > You can see the whole picture in there:
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=80642
> > and there:
> > http://butcher.heavennet.ru/
> >
> > In my patch, 3 new options are added:
> > 1. "below " (which is the same option as Andrey's "bound" option, I
> >    just rename it)
> > 2. "above " which is the opposite option of "below". Match rules when
> >    the counter is above
> > 3. "check-quota" (which is the same option as Andrey's "check-bound",
> >    but now applies to both "above" and "below" options).
> >
> > Notes:
> > 1. Patch is against releng_6.
> > 2. I also include a more complicated example which is (IMHO) a complete
> >    traffic quota+shaping solution for a small (or not so small) ISP.
> > 3. For installation, follow the instructions Andrey publishes in his
> >    webspace: http://butcher.heavennet.ru/
> > 4. Patch doesn't break ipfw ABI (today), because it adds new options at
> >    the end of the list. If you apply this patch in a month or so, I
> >    cannot guarantee success.
> > 5. Please test, and send me your feedback.
> >
> > I'll be happy if you find these features useful and if any developer
> > commits this patch in current or releng_6 branch.
>
> -- 
>  /"\ Best regards,                     | mlaier@freebsd.org
>  \ / Max Laier                         | ICQ #67774661
>   X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
>  / \ ASCII Ribbon Campaign             | Against HTML Mail and News

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 16 17:24:16 2005
From: AT Matik
To: freebsd-ipfw@freebsd.org, Chris Dionissopoulos
Date: Sat, 16 Jul 2005 14:24:06 -0300
Subject: Re: Traffic quota features in IPFW
Message-Id: <200507161424.07966.asstec@matik.com.br>
In-Reply-To: <006901c58a22$b37e30c0$0100000a@R3B>
References: <001c01c58a17$5dbe4a40$0100000a@R3B> <200507161740.38234.max@love2party.net> <006901c58a22$b37e30c0$0100000a@R3B>

On Saturday 16 July 2005 13:23, Chris Dionissopoulos wrote:
> coding skills are not enough, but right now I cannot see any other
> way to add new features in ipfw ...

IMO ipfw does not need new features right now but some housekeeping. I think
there are some issues outstanding before adding anything, and also ipfw is
still very sympathetic because it has not so many confusing options.

p.s. this is not about your patch, it is my general opinion

> Hmm, do you have a small example? I'm really interested in this,
> and I can't think of any.

you can write count rules, awk and sum the numbers and inject a deny rule
when coming to the limit, I believe still less complicated and more
individual than an ipfw integrated option.

Hans

-- 
Infomatik Internet Technology
http://www.matik.com.br
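One way to do what Hans describes, as an added example that is not part of the original thread or of ipfw itself: a POSIX sh/awk script that sums the byte counters of per-host `count` rules from `ipfw -a list` output and plans a `deny` rule for every host at or above a byte quota. The rule layout, host addresses and counter values below are constructed for the example, and `echo` stands in for the real `ipfw` call.

```shell
#!/bin/sh
# Constructed sample of `ipfw -a list` output: rule number, packet count,
# byte count, then the rule body. Two count rules per host (outbound and
# inbound); all numbers are made up for this example.
SAMPLE_RULES='00100 12 840 count ip from 10.0.0.5 to any
00101 30 2100 count ip from any to 10.0.0.5
00200 1500 900000000 count ip from 10.0.0.6 to any
00201 2000 300000000 count ip from any to 10.0.0.6
65535 100 9000 deny ip from any to any'

# Read rules on stdin, add up the byte counters of the count rules per host
# ("from HOST" and "to HOST" rules are summed together), and print
# "HOST TOTAL" for every host whose total is at or above the quota
# (in bytes) given as $1. Non-count rules are ignored.
over_quota() {
    awk -v quota="$1" '
        $4 != "count" { next }
        $7 != "any"   { total[$7] += $3 }
        $9 != "any"   { total[$9] += $3 }
        END { for (h in total) if (total[h] >= quota) print h, total[h] }
    ' | sort
}

# For each over-quota host, emit the ipfw command that would insert a deny
# rule at rule number $2. That number must sort before the count rules so
# the deny is evaluated first. Replace echo with a real ipfw call to enforce.
plan_deny_rules() {
    over_quota "$1" | while read -r host total; do
        echo "ipfw add $2 deny ip from $host to any"
    done
}

# Demo run with a 1 GiB quota and deny rules placed at number 50.
printf '%s\n' "$SAMPLE_RULES" | plan_deny_rules 1073741824 50
```

In practice the rule list comes from `ipfw -a list` on the firewall itself, and a cron job can run the check periodically; the deny rule only affects traffic from the listed host, so adjust the rule body if inbound traffic must be blocked too.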