Date: Mon, 16 Sep 2002 22:49:16 -0700
From: "Jacob S. Barrett" <jbarrett@amduat.net>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: MAC Layer Bandwidth Limiting
Message-ID: <3D86C25C.50104@amduat.net>
References: <3D864865.2030607@amduat.net>

Well, I finally got a box put together to test this. It seems to work.
Here is what I have.

router <--> dc0-[the box]-fxp0 <--> switch/clients

net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1
net.link.ether.bridge_cfg=fxp0,dc0

ipfw add 1000 pipe 1000 MAC 12:34:56:78:90:12 any all
ipfw add 1001 pipe 1001 MAC any 12:34:56:78:90:12 all
ipfw pipe 1000 config bw 512Kbit/s
ipfw pipe 1001 config bw 128Kbit/s

ipfw add 1010 pipe 1010 MAC 12:34:56:78:90:34 any all
ipfw add 1011 pipe 1011 MAC any 12:34:56:78:90:34 all
ipfw add 1010 pipe 1010 MAC 12:34:56:78:90:56 any all
ipfw add 1011 pipe 1011 MAC any 12:34:56:78:90:56 all
ipfw pipe 1010 config bw 768Kbit/s
ipfw pipe 1011 config bw 256Kbit/s

ipfw add 65000 deny MAC any any all

12:34:56:78:90:12 limited to 512down/128up
12:34:56:78:90:34 and 12:34:56:78:90:56 share 768down/256up

Like I said, this seems to work. I did some simple tests by uploading
and downloading and changing pipe configs.

It would be nice to be able to specify a MAC mask on the pipes so I
don't have to create 2 for each client.

Also, digging through the source reveals no way to get and zero the
counts in an atomic fashion. That would be a really nice feature to have
in the future. It doesn't look like it would be too hard to hack in
either. If I find time I will try to do it and submit a patch.

-Jake

Jacob S. Barrett wrote:
> If I wanted to do MAC layer bandwidth limiting would I want to do
> something like the following using IPFW2 or am I just way off?
>
> ipfw add 1000 pipe 1000 layer2 mac $MAC0 any
> ipfw add 1001 pipe 1001 layer2 mac any $MAC0
> ipfw pipe 1000 bw 128Kbit/s
> ipfw pipe 1001 bw 768Kbit/s
>
> ipfw add 1010 pipe 1010 layer2 mac $MAC1 any
> ipfw add 1011 pipe 1011 layer2 mac any $MAC1
> ipfw pipe 1010 bw 256Kbit/s
> ipfw pipe 1011 bw 512Kbit/s
>
> MAC0 is limited to 128kbit/s out and 768kbit/s in
> MAC1 is limited to 256kbit/s out and 512kbit/s in
>
> What I want is the ability to filter links at the MAC level as well as
> limit the bandwidth that particular link has. Traffic may not always be
> IP based so filtering on the IP address isn't sufficient.
>
> If this all makes sense and works then is it possible to use a MAC
> address mask in the pipe/queue mask. What I mean is can the limits be
> based on per MAC rather than per IP so that I can remove the need to
> have two pipes for each MAC like I do now? Something like this?
>
> ipfw add 1000 pipe 1128 layer2 mac $MAC0 any
> ipfw add 1001 pipe 2768 layer2 mac any $MAC0
>
> ipfw add 1010 pipe 1256 layer2 mac $MAC0 any
> ipfw add 1011 pipe 2512 layer2 mac any $MAC0
>
> ipfw add 1020 pipe 1128 layer2 mac $MAC2 any
> ipfw add 1021 pipe 2768 layer2 mac any $MAC2
>
> ipfw pipe 1128 bw 128Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1256 bw 256Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1512 bw 512Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1768 bw 768Kbit/s mask mac-src 0xffffffffffff
>
> ipfw pipe 2128 bw 128Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2256 bw 256Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2512 bw 512Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2768 bw 768Kbit/s mask mac-dst 0xffffffffffff
>
> MAC0 is limited to 128kbit/s out and 768kbit/s in
> MAC1 is limited to 256kbit/s out and 512kbit/s in
> MAC2 is limited to 128kbit/s out and 768kbit/s in
>
> Does any of this make sense or am I just way off in my own little world
> here?
>
> Now if all this works then I assume that the byte count field for rules
> xxx0 and xxx1 should be the total bytes in and out for the link. Is
> this correct? If I was going to use that field for accounting to
> determine the bytes transferred per month is there a way to read and
> zero the counts at the same time, or am I going to just have to let the
> few bytes that come in between read and zero just drop off?
>

-- 
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."
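
The read-then-zero gap raised in this message can be sidestepped for accounting by never zeroing: keep the previous `ipfw -a list` snapshot and subtract it from the current one. This is an added example, not part of the original e-mail; the snapshot lines are constructed and the "rule number, packets, bytes, rule text" column layout is an assumption.

```shell
#!/bin/sh
# Added example: byte deltas between two saved `ipfw -a list` snapshots.
# Counters are only read, never zeroed, so nothing is lost in between.

# ipfw_delta PREV CUR: print "<rule> <bytes since PREV>" per rule number.
ipfw_delta() {
    awk '
        # Assumed columns: rule number, packets, bytes, rule text.
        # Rules sharing a number (two MACs on rule 1010) are summed.
        $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            if (FILENAME == ARGV[1]) prev[$1 + 0] += $3
            else                     cur[$1 + 0]  += $3
        }
        END {
            for (r in cur) {
                # Lower than before means the counter was reset (reboot,
                # "ipfw zero", rule re-added): count the new value whole.
                d = ((r in prev) && cur[r] >= prev[r]) ? cur[r] - prev[r] : cur[r]
                printf "%d %d\n", r, d
            }
        }
    ' "$1" "$2" | sort -n
}

# Constructed snapshots, not real output; the rule text is illustrative.
sample_prev() { cat <<'EOF'
01000 120 150000 pipe 1000 MAC 12:34:56:78:90:12 any
01001 80 40000 pipe 1001 MAC any 12:34:56:78:90:12
01010 200 300000 pipe 1010 MAC 12:34:56:78:90:34 any
01010 50 60000 pipe 1010 MAC 12:34:56:78:90:56 any
65000 3 180 deny MAC any any
EOF
}
sample_cur() { cat <<'EOF'
01000 220 290000 pipe 1000 MAC 12:34:56:78:90:12 any
01001 5 600 pipe 1001 MAC any 12:34:56:78:90:12
01010 260 380000 pipe 1010 MAC 12:34:56:78:90:34 any
01010 90 100000 pipe 1010 MAC 12:34:56:78:90:56 any
65000 3 180 deny MAC any any
EOF
}

demo() {
    p=$(mktemp); c=$(mktemp)
    sample_prev > "$p"; sample_cur > "$c"
    ipfw_delta "$p" "$c"
    rm -f "$p" "$c"
}
demo
```

On a live box the two files would be successive saves of `ipfw -a list`; the monthly total is the sum of the deltas between consecutive snapshots.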