Date: Sun, 28 Apr 2002 13:15:50 +0200
From: Andre Albsmeier
To: Luigi Rizzo
Cc: Andre Albsmeier, freebsd-ipfw@FreeBSD.ORG
Subject: Re: bandwith shaping only for big tcp packets
Message-ID: <20020428131550.A53001@curry.mchp.siemens.de>

On Sat, 27-Apr-2002 at 23:15:28 -0700, Luigi Rizzo wrote:

> On Thu, Apr 25, 2002 at 09:53:01AM +0200, Andre Albsmeier wrote:
> > I would like to do something like:
> >
> > ipfw add 2000 pipe 1 tcp from 192.168.128.4/32 to any len gt 100
> > ipfw pipe 1 config bw 4KBytes/s queue 4KBytes
> >
> > This would mean that only packets which are bigger than 100 bytes
> > will be fed to pipe 1.
> >
> > Any ideas?
>
> well you'd need to write the necessary extensions in the
> ipfw matching code to implement the "gt NN" part.

Done so :-). For the reference, I have attached my changes below;
they are ugly and inflexible but they do what I want.

Thanks,

    -Andre

> I can partly see the point of what you are asking
> (e.g. differentiating interactive ssh sessions from scp and
> other bulk transfers-over-ssh stuff) but:
> 1) i wonder if, for the time being, you cannot achieve the same by e.g.
>    looking at the PSH flag in TCP packets;
> 2) it is probably about time that someone implements the ability to
>    run BPF code segments for packet matching in ipfw rules!
>
> cheers
> luigi

--- sys/netinet/ip_fw.c.ORI Thu Apr 25 11:14:40 2002 +++ sys/netinet/ip_fw.c Fri Apr 26 07:58:31 2002 @@ -1273,6 +1273,10 @@ if (f->fw_ipopt != f->fw_ipnopt && !ipopts_match(ip, f)) continue; + /* Check bigger */ + if (f->fw_bigger && (ip_len <= f->fw_bigger) ) + continue; + /* Check protocol; if wildcard, and no [ug]id, match */ if (f->fw_prot == IPPROTO_IP) { if (!(f->fw_flg & (IP_FW_F_UID|IP_FW_F_GID))) --- sys/netinet/ip_fw.h.ORI Thu Apr 25 11:12:34 2002 +++ sys/netinet/ip_fw.h Thu Apr 25 11:12:43 2002 @@ -155,6 +155,8 @@ #define DYN_DST_PORT 0x8 u_short conn_limit; /* # of connections for limit rule */ + + u_short fw_bigger; /* size to match against */ }; #define fw_divert_port fw_un.fu_divert_port --- sbin/ipfw/ipfw.c.ORI Thu Apr 25 10:15:12 2002 +++ sbin/ipfw/ipfw.c Thu Apr 25 11:23:19 2002 @@ -366,6 +366,10 @@ } } + if( chain->fw_bigger ) { + printf( " bigger %d", chain->fw_bigger); + } + if (chain->fw_flg & IP_FW_F_UID) { struct passwd *pwd = getpwuid(chain->fw_uid); 
@@ -1911,6 +1915,18 @@ " nonexistent", *av); rule.fw_gid = grp->gr_gid; ac--; av++; + } else if (!strncmp(*av, "bigger", strlen(*av))) { + char *end; + u_short len; + ac--; av++; + if (!ac) + errx(EX_USAGE, "``bigger'' requires argument"); + len = strtoul(*av, &end, 0); + ac--; av++; + if (*end != '\0') + errx(EX_DATAERR, "bigger \"%s\" is" + " no number", *av); + rule.fw_bigger = len; } else if (!strncmp(*av, "in", strlen(*av))) { rule.fw_flg |= IP_FW_F_IN; av++; ac--;

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

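Review bot: in the sys/netinet/ip_fw.c hunk (@@ -1273), the new test on ip_len sits before the protocol check, so a rule carrying "bigger" is compared against every packet the rule otherwise covers, whatever the protocol, and the threshold is measured on whatever ip_len holds at that point rather than on TCP payload. Please expand the "Check bigger" comment (and the ipfw(8) text) to say which length is meant, that the match is strictly greater-than, and that 0 means the option is not set. The stray space in "f->fw_bigger) )" can go as well.
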
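Review bot: in the sys/netinet/ip_fw.h hunk (@@ -155), fw_bigger is appended to the rule structure that sbin/ipfw/ipfw.c also fills in and reads (rule.fw_bigger, chain->fw_bigger), so the structure's size changes and the kernel and ipfw(8) have to be rebuilt from the same header; that deserves a line in the patch description. The comment "size to match against" should also state which size, that the comparison is "greater than", and that 0 means unset. As a u_short the field cannot hold a threshold above 65535, which the option-parsing hunk in sbin/ipfw/ipfw.c needs to enforce.
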
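Review bot: in the sbin/ipfw/ipfw.c option-parsing hunk (@@ -1911), the strtoul() result is stored straight into a u_short ("len = strtoul(*av, &end, 0);") with no range check, so a value above 65535 is silently truncated and the rule is installed with a different threshold than the one typed. Parse into an unsigned long, reject anything outside 1..65535 with errx(EX_DATAERR, ...), and only then assign to rule.fw_bigger. Two smaller points in the same hunk: "ac--; av++;" runs before the "*end != '\0'" test, so the error message prints the following argument (or a NULL pointer when there is none) instead of the bad token, and an empty argument passes because only *end is checked, not end == *av. Moving the increment after the check and adding the end == *av test fixes both.
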
From: "Ivailo Tanusheff"
To: "Free BSD IPFW"
Subject: Simple Question
Date: Tue, 30 Apr 2002 13:19:10 +0300
Message-ID: <000001c1f030$78e0a810$cbf810ac@sof.procreditbank.bg>

Hi,

I'd like to ask you a simple question - which is better to use and why - ipfw or ipfilter. I'd like to use it with nat.

Thanks,
Ivailo Tanusheff