From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Date: Tue, 18 Mar 2008 10:43:31 +0300
To: Paolo Pisati
Cc: Vadim Goncharov, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION
Message-ID: <47DF72A3.4030502@yandex.ru>
In-Reply-To: <20080313094356.GA9219@tin.it>
References: <200803122100.m2CL0t7V088955@freefall.freebsd.org> <20080313094356.GA9219@tin.it>
List-Id: IPFW Technical Discussions

Paolo Pisati wrote:
> On Thu, Mar 13, 2008 at 09:21:11AM +0000, Vadim Goncharov wrote:
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=80642
>> Yes, this is useful, but some minor changes are needed, I think. First, rename
>> it to "bytelimit" or somewhat. Second, allow this to use tablearg and possibly
>> ability to reference a counter to corresponding dynamic rule, to allow this to
>> act for a specific IP or connection without need to write many rules. Third,
>> add packet counter as well. That's all possible with one opcode, though...
>
> if anyone posts an updated patch, I'll commit it.

So, the updated patch is here:
http://butcher.heavennet.ru/patches/kernel/ipfw/ipfw_counterlimit.diff

Now this option is divided into two: "counterlimit-bytes" and "counterlimit-packets".

Rules example:

    add allow ip from any to 10.0.0.1 counterlimit-bytes 100M \
        in recv external_if
    add allow ip from any to 10.0.0.1 counterlimit-packets 50 \
        in recv external_if

About Vadim's propositions:

1. tablearg: it's possible, but now we use a u32 argument in tables, while counterlimits are 64-bit values. First of all we should extend our current table argument to 64 bits.

2. dynamic rules: I think it should be implemented as an extension to the current O_LIMIT opcode or something similar.

Also I have a question about my current implementation. Is it needed to have the ability of "humanized" printing of limits, which was implemented before?

-- 
WBR, Andrey V. Elsukov
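The following is an added illustration, not code from the patch or from ipfw: a small user-space model of what a counterlimit-bytes / counterlimit-packets option has to track per rule (64-bit packet and byte counters, as ipfw rules already keep), and why a u32 tablearg cannot carry such a limit. The size parser with K/M/G suffixes, the names cl_rule, cl_parse_size, cl_match and cl_fits_tablearg, and the choice that a packet which would push the byte counter past the limit no longer matches are all assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <ctype.h>
#include <stdio.h>

/* Hypothetical per-rule state: running counters plus the configured limits
 * (0 means "no limit"). Both counters and limits are 64-bit. */
struct cl_rule {
    uint64_t pcnt, bcnt;     /* packets / bytes matched so far */
    uint64_t plimit, blimit; /* counterlimit-packets / counterlimit-bytes */
};

/* Parse a limit like "100M" (decimal number, optional K/M/G binary suffix). */
bool cl_parse_size(const char *s, uint64_t *out)
{
    char *end;
    uint64_t mult = 1, v;
    if (!isdigit((unsigned char)*s))
        return false;
    v = strtoull(s, &end, 10);
    switch (toupper((unsigned char)*end)) {
    case '\0': break;
    case 'K': mult = 1ULL << 10; end++; break;
    case 'M': mult = 1ULL << 20; end++; break;
    case 'G': mult = 1ULL << 30; end++; break;
    default: return false;
    }
    if (*end != '\0' || v > UINT64_MAX / mult)
        return false; /* trailing junk or multiplication would overflow */
    *out = v * mult;
    return true;
}

/* Does the rule still match this packet? Counters are advanced only for
 * packets the rule accepts, so the limit is honoured exactly. */
bool cl_match(struct cl_rule *r, uint64_t pktlen)
{
    if (r->plimit && r->pcnt >= r->plimit)
        return false;
    if (r->blimit && r->bcnt + pktlen > r->blimit)
        return false;
    r->pcnt++;
    r->bcnt += pktlen;
    return true;
}

/* A table argument is a u32: any limit above UINT32_MAX cannot be passed
 * through tablearg until the table argument itself is widened to 64 bits. */
bool cl_fits_tablearg(uint64_t limit) { return limit <= UINT32_MAX; }
```

A limit such as 100M fits a u32, but a multi-gigabyte byte limit does not, which is the point of the tablearg remark above.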