Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 19 Dec 2011 17:19:46 -0800
From:      alan yang <alancyang@gmail.com>
To:        araujo@freebsd.org
Cc:        freebsd-ipfw@freebsd.org, Ian Smith <smithi@nimnet.asn.au>, Sergey Matveychuk <sem@freebsd.org>
Subject:   Re: ipfw dscp support
Message-ID:  <CAPATHO3_piwPxS6tC0yZ2MMJWGkR+gPgJa585m+0BM9mTAcF9A@mail.gmail.com>
In-Reply-To: <CAOfEmZj5+ChnMr_sqoiyncbVGgb9YVUC5L_nDMnPEcknJNwKNQ@mail.gmail.com>
References:  <CAPATHO3yFKkYHrhpe-DHf97GMfpzFc43Y8_4k4kJ-oXO0H+y-w@mail.gmail.com> <4EDE2739.1040104@FreeBSD.org> <CAPATHO2e2Mi=LbPRkkCFmpwUj9zvKbhqqyK6x46uBFW1OAcK6w@mail.gmail.com> <20111208132002.R16498@sola.nimnet.asn.au> <CAOfEmZieG=AKzv-x9XAKjEqUjnPYdkw9+mkdBgp_YnB9EnPa3Q@mail.gmail.com> <20111209021345.Y11090@sola.nimnet.asn.au> <CAOfEmZj5+ChnMr_sqoiyncbVGgb9YVUC5L_nDMnPEcknJNwKNQ@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Hi Marcelo,

Thanks for the modip work!

I am trying to see:

     -  ipfw rule to divert traffic for ipfw-classifyd
     -  ipfw-classifyd to classify specific traffic: ftp, sip, ...etc.
     -  ipfw-classifyd to reinject traffic with sin-port set according
to application flow (ftp == 1000, sip == 1001, ... )
     -  ipfw rule modip module to set DSCP
     -  ipfw rule to send traffic to appropriate ALTQ queue

with the following ipfw config:

     1)  pfctl to create ALTQ queue: pf.conf
               altq on em0 cbq bandwidth 5Mb queue { ftp }
               queue ftp bandwidth 10% cbq(default)

          reload pf.conf: pfctl -f /etc/pf.conf

     2)  ipfw-classifyd

          /usr/local/sbin/ipfw-classifyd p 7777

     3)  add ipfw rule

          /* enable ALTQ */
          ipfw enable ALTQ

     ipfw add 100 divert 7777 tcp from any to any via em0
     ipfw add 101 divert 7777 udp from any to any via em0

     ipfw add 1010 modip dscp:AF11 ip from any to any out diverted
     ipfw add 1020 allow altq ftp ip from any to any out diverted
     ipfw add 64000 allow altq root_em0 ip from any to any via em0

     (one_pass was enabled in above testing case. )
     65535 deny ip from any to any

     4)  observe packet flow through ALTQ ftp queue

          ipfw show - list the packets matched the firewall rule
          pfctel -s queue -v - view the packet captured by ALTQ queue

With ICMP and FTP traffics:

          1)  icmp traffic matches rule 64000, traffic direct to root_em0 queue
          2)  ftp traffic matches rule 100, 1010, 1020, 64000 all match

Not sure how to configure ipfw rules so that ftp traffic would match
rule 100, 1010, 1020, but not 64000?

Thanks in advance!

alan



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAPATHO3_piwPxS6tC0yZ2MMJWGkR+gPgJa585m+0BM9mTAcF9A>