Date:      Fri, 01 Aug 2008 13:21:50 +0300
From:      Mike Makonnen <mtm@wubethiopia.com>
To:        Ermal Luçi <ermal.luci@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Application layer classifier for ipfw
Message-ID:  <4892E3BE.2030900@wubethiopia.com>
In-Reply-To: <9a542da30807311344u34422adauade5c2b62b71804a@mail.gmail.com>
References:  <OFD29E8196.3986AFDB-ONC1257497.003DFC81-C1257497.003E0301@raiffeisen.al> <9a542da30807311344u34422adauade5c2b62b71804a@mail.gmail.com>

Ermal Luçi wrote:
>> Hi,
>>
>> An Internet Cafe I do some work for was recently having problems with
>> very slow internet access. It turns out customers were running P2P file
>> sharing applications which were hogging all the bandwidth. I looked for
>> programs that would allow me to shape traffic according to the
>> application layer protocol, but couldn't find any for FreeBSD. I found a
>> couple: l7-filter and ipp2p, but these are Linux specific. So, I decided
>> to write one. The result is ipfw-classifyd :
>> http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2
>>
>> As the name implies it uses ipfw(4) to implement a userland daemon that
>> classifies TCP and UDP packets according to regular expression patterns
>> for various protocols. It's intended to be used with divert(4) sockets
>> and dummynet(4) so you can do traffic shaping depending on the
>> application level protocol. The protocol patterns are from the l7-filter
>> project.
>>
>> Basically, you use ipfw(8) to divert tcp/udp packets to the daemon. It
>> reads its configuration file for a list of protocols and ipfw(8) rules.
>> Then, when it detects a matching session it re-injects the packet back
>> at the specified rule number. The tarball has a sample configuration
>> file and firewall script to get you started.
>>
>> While I have not done extensive testing, preliminary tests are
>> encouraging and it seems to work, so I thought I'd announce it to the
>> rest of the world in case anyone else is interested in this kind of
>> application.
>>
>> Comments and suggestions highly appreciated.
>>
>
> Thanks for this.
> I have a question: you remove a flow if you see a FIN for the TCP
> case and only on an overlapping flow for either TCP/UDP. How do the other
> flows expire? I am missing that part.
>
>

No, you're not missing anything.  It's on my TODO list. I wanted to get
this out and get feedback as early as possible, so I released it as soon as
I had it basically working.  I'm thinking of storing some session information
for the flow (like a timestamp for the last packet seen) and implementing
a garbage collector thread that removes sessions that have been idle for
some period of time.

Cheers.

-- 
Mike Makonnen       | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc
mtm @ FreeBSD.Org   | AC7B 5672 2D11 F4D0 EBF8  5279 5359 2B82 7CD4 1F55
FreeBSD             | http://www.freebsd.org
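As an added illustration of the session-expiry design discussed in this thread (this is constructed example code, not code from ipfw-classifyd), the flow table below keeps a last-seen timestamp per 5-tuple, drops a TCP flow when a FIN is seen, and has a garbage-collector pass that removes flows idle longer than a timeout; the table is also bounded so that untracked expiry cannot grow memory without limit. Field names, the table size and the return conventions are assumptions.

```c
#include <netinet/in.h>         /* IPPROTO_TCP, IPPROTO_UDP */
#include <stdint.h>
#include <time.h>

/* Constructed flow table; ipfw-classifyd's real layout is not this (assumption). */
#define MAX_FLOWS 64            /* bounded on purpose: memory cannot grow without limit */
#define TH_FIN    0x01          /* TCP FIN flag bit */

struct flow_key { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct flow { struct flow_key key; time_t last_seen; int in_use; };
static struct flow flows[MAX_FLOWS];

static int key_eq(const struct flow_key *a, const struct flow_key *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* Record a packet for its flow. Returns 1 if the flow is tracked afterwards,
 * 0 if it was removed (TCP FIN), was never tracked, or the table is full. */
int flow_seen(const struct flow_key *k, uint8_t tcp_flags, time_t now)
{
    int i, free_slot = -1;
    int fin = (k->proto == IPPROTO_TCP) && (tcp_flags & TH_FIN);
    for (i = 0; i < MAX_FLOWS; i++) {
        if (!flows[i].in_use) { if (free_slot < 0) free_slot = i; continue; }
        if (!key_eq(&flows[i].key, k)) continue;
        if (fin) { flows[i].in_use = 0; return 0; }   /* session closing */
        flows[i].last_seen = now;                     /* refresh idle timer */
        return 1;
    }
    if (fin || free_slot < 0) return 0;  /* no flow from a lone FIN; refuse when full */
    flows[free_slot].key = *k;
    flows[free_slot].last_seen = now;
    flows[free_slot].in_use = 1;
    return 1;
}

/* Garbage-collector pass (would run from a timer thread in the daemon):
 * drop flows idle longer than idle_timeout seconds, return how many. */
int flow_expire(time_t now, time_t idle_timeout)
{
    int i, removed = 0;
    for (i = 0; i < MAX_FLOWS; i++)
        if (flows[i].in_use && now - flows[i].last_seen > idle_timeout)
            flows[i].in_use = 0, removed++;
    return removed;
}
int flow_count(void) { int i, n = 0; for (i = 0; i < MAX_FLOWS; i++) n += flows[i].in_use; return n; }
```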
