Date:      Mon, 16 Sep 2002 22:49:16 -0700
From:      "Jacob S. Barrett" <jbarrett@amduat.net>
To:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: MAC Layer Bandwidth Limiting
Message-ID:  <3D86C25C.50104@amduat.net>
References:  <3D864865.2030607@amduat.net>

Well, I finally got a box put together to test this.  It seems to work.
Here is what I have.

router <--> dc0-[the box]-fxp0 <--> switch/clients

net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1
net.link.ether.bridge_cfg=fxp0,dc0

ipfw add 1000 pipe 1000 MAC 12:34:56:78:90:12 any all
ipfw add 1001 pipe 1001 MAC any 12:34:56:78:90:12 all
ipfw pipe 1000 config 512Kbit/s
ipfw pipe 1001 config 128Kbit/s
ipfw add 1010 pipe 1010 MAC 12:34:56:78:90:34 any all
ipfw add 1011 pipe 1011 MAC any 12:34:56:78:90:34 all
ipfw add 1010 pipe 1010 MAC 12:34:56:78:90:56 any all
ipfw add 1011 pipe 1011 MAC any 12:34:56:78:90:56 all
ipfw pipe 1010 config 768Kbit/s
ipfw pipe 1011 config 256Kbit/s

ipfw add 65000 deny MAC any any all

12:34:56:78:90:12 limited to 512down/128up
12:34:56:78:90:34 and 12:34:56:78:90:56 share 768down/256up

Like I said, this seems to work.  I did some simple tests by uploading and 
downloading and changing pipe configs.

It would be nice to be able to specify a MAC mask on the pipes so I 
don't have to create 2 for each client.

Also, digging through the source reveals no way to get and zero the 
counts in an atomic fashion.  That would be a really nice feature to 
have in the future.  It doesn't look like it would be too hard to hack 
in either.  If I find time I will try to do it and submit a patch.

-Jake

Jacob S. Barrett wrote:
> If I wanted to do MAC layer bandwidth limiting would I want to do 
> something like the following using IPFW2 or am I just way off?
> 
> ipfw add 1000 pipe 1000 layer2 mac $MAC0 any
> ipfw add 1001 pipe 1001 layer2 mac any $MAC0
> ipfw pipe 1000 bw 128Kbit/s
> ipfw pipe 1001 bw 768Kbit/s
> 
> ipfw add 1010 pipe 1010 layer2 mac $MAC1 any
> ipfw add 1011 pipe 1011 layer2 mac any $MAC1
> ipfw pipe 1010 bw 256Kbit/s
> ipfw pipe 1011 bw 512Kbit/s
> 
> MAC0 is limited to 128kbit/s out and 768kbit/s in
> MAC1 is limited to 256kbit/s out and 512kbit/s in
> 
> What I want is the ability to filter links at the MAC level as well as 
> limit the bandwidth that particular link has.  Traffic may not always be 
> IP based so filtering on the IP address isn't sufficient.
> 
> If this all makes sense and works then is it possible to use a MAC 
> address mask in the pipe/queue mask.  What I mean is can the limits be 
> based on per MAC rather than per IP so that I can remove the need to 
> have two pipes for each MAC like I do now?  Something like this?
> 
> ipfw add 1000 pipe 1128 layer2 mac $MAC0 any
> ipfw add 1001 pipe 2768 layer2 mac any $MAC0
> 
> ipfw add 1010 pipe 1256 layer2 mac $MAC1 any
> ipfw add 1011 pipe 2512 layer2 mac any $MAC1
> 
> ipfw add 1020 pipe 1128 layer2 mac $MAC2 any
> ipfw add 1021 pipe 2768 layer2 mac any $MAC2
> 
> ipfw pipe 1128 bw 128Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1256 bw 256Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1512 bw 512Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1768 bw 768Kbit/s mask mac-src 0xffffffffffff
> 
> ipfw pipe 2128 bw 128Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2256 bw 256Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2512 bw 512Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2768 bw 768Kbit/s mask mac-dst 0xffffffffffff
> 
> MAC0 is limited to 128kbit/s out and 768kbit/s in
> MAC1 is limited to 256kbit/s out and 512kbit/s in
> MAC2 is limited to 128kbit/s out and 768kbit/s in
> 
> Does any of this make sense or am I just way off in my own little world 
> here?
> 
> Now if all this works then I assume that the byte count field for rules 
> xxx0 and xxx1 should be the total bytes in and out for the link.  Is 
> this correct?  If I was going to use that field for accounting to 
> determine the bytes transferred per month is there a way to read and 
> zero the counts at the same time, or am I going to just have to let the 
> few bytes that come in between read and zero just drop off?
> 

-- 
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net

"I don't suffer from insanity, I enjoy every minute of it."

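On the read-and-zero question raised in this message: one way to avoid losing bytes between the read and the zero is to never zero the counters and account on the difference between successive readings. The sketch below is an added example, not part of the original message or of ipfw itself; it assumes each `ipfw show` line begins with rule number, packet count and byte count, and the two snapshots are constructed samples written in the post's rule notation.

```python
# Added example: delta-based byte accounting from ipfw counter snapshots.
import re

# Assumed leading fields of `ipfw show`: rule number, packets, bytes, rule text.
LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

def parse_show(text):
    """Return {(rule_number, rule_text): byte_count} for one snapshot."""
    counts = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            num, _pkts, nbytes, rule = m.groups()
            # Rule numbers may repeat (two MACs sharing one pipe), so the
            # rule text is part of the key.
            key = (int(num), " ".join(rule.split()))
            counts[key] = counts.get(key, 0) + int(nbytes)
    return counts

def usage_delta(prev, curr):
    """Bytes transferred per rule between two snapshots, without zeroing."""
    delta = {}
    for key, now in curr.items():
        before = prev.get(key, 0)
        # A counter lower than last time means it was reset (reboot,
        # `ipfw zero`, rule re-added): everything counted since is new.
        delta[key] = now - before if now >= before else now
    return delta

# Constructed snapshots, not captured output.
SNAP_1 = """\
01000   900  1200000 pipe 1000 MAC 12:34:56:78:90:12 any all
01001   400   300000 pipe 1001 MAC any 12:34:56:78:90:12 all
01010   100    50000 pipe 1010 MAC 12:34:56:78:90:34 any all
01010   200    80000 pipe 1010 MAC 12:34:56:78:90:56 any all
"""
SNAP_2 = """\
01000  1500  2000000 pipe 1000 MAC 12:34:56:78:90:12 any all
01001    10     7000 pipe 1001 MAC any 12:34:56:78:90:12 all
01010   150    75000 pipe 1010 MAC 12:34:56:78:90:34 any all
01010   260    95000 pipe 1010 MAC 12:34:56:78:90:56 any all
"""

if __name__ == "__main__":
    result = usage_delta(parse_show(SNAP_1), parse_show(SNAP_2))
    for (num, rule), n in sorted(result.items()):
        print(f"{num:05d} {n:>10} bytes  {rule}")
```

Rule 1001 in the second snapshot has a lower count than in the first, which the code treats as a counter reset rather than a negative transfer.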
