cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c

Ruslan Ermilov ru at FreeBSD.org
Thu Jun 10 21:41:28 GMT 2004 

On Thu, Jun 10, 2004 at 04:45:37AM +0200, Max Laier wrote:
> On Wednesday 09 June 2004 22:10, Ruslan Ermilov wrote:
> > ru          2004-06-09 20:10:38 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     sbin/ipfw            ipfw.8 ipfw2.c
> >     sys/netinet          in.h ip_fw.h ip_fw2.c raw_ip.c
> >   Log:
> >   Introduce a new feature to IPFW2: lookup tables.  These are useful
> >   for handling large sparse address sets.  Initial implementation by
> >   Vsevolod Lobko <seva at ip.net.ua>, refined by me.
> 
> Idea from: pf ;)
> Nice!
> 
I've asked Vsevolod, and yes, the original idea attributes to PF.

Do PF tables allow addr/mask entries as IPFW tables do (I could
not intuit it from reading the pfctl(8) manpage)?

One nice difference (and I don't believe PF or IPFilter can do
this) is this optional 32-bit tag value with no special meaning.
For example, we have several thousands of client IPs, and each
client is allowed (through a Web form) to limit bandwidth to
some discrete values (0, 64, 128, 256, 512, and "unlimited") in
Kbps to/from Ukrainian and foreign networks.  We have this all
implemented using less than ten IPFW tables:

- table 0 lists Ukrainian networks;

- table 1 lists all clients and their setting for incoming
  Ukrainian traffic;

- table 2 lists all clients and their setting for outgoing
  Ukrainian traffic;

and so forth.  And we have a small set of rules of the form:

deny ip from table(1,0) to table(0)	// bw=0
pipe 1 ip from table(1,128) to table(0)	// bw=128Kbps
pipe 2 ip from table(1,256) to table(0)	// bw=256Kbps
...

where pipes 1 and 2 are configured for a bandwidth of 128
and 256 Kbps, respectively.

Tables are continuously updated while rulesets stay the same.


Cheers,
-- 
Ruslan Ermilov
ru at FreeBSD.org
FreeBSD committer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-src/attachments/20040611/a0cefbfc/attachment.bin

More information about the cvs-src mailing list