ipfw dscp support
alan yang
alancyang at gmail.com
Tue Dec 20 01:19:48 UTC 2011
Hi Marcelo,
Thanks for the modip work!
I am trying to see:
- ipfw rule to divert traffic for ipfw-classifyd
- ipfw-classifyd to classify specific traffic: ftp, sip, ...etc.
- ipfw-classifyd to reinject traffic with sin_port set according
to the application flow (ftp == 1000, sip == 1001, ... )
- ipfw rule modip module to set DSCP
- ipfw rule to send traffic to appropriate ALTQ queue
with the following ipfw config:
1) pfctl to create ALTQ queue: pf.conf
altq on em0 cbq bandwidth 5Mb queue { ftp }
queue ftp bandwidth 10% cbq(default)
reload pf.conf: pfctl -f /etc/pf.conf
2) ipfw-classifyd
/usr/local/sbin/ipfw-classifyd -p 7777
3) add ipfw rule
/* enable ALTQ */
ipfw enable ALTQ
ipfw add 100 divert 7777 tcp from any to any via em0
ipfw add 101 divert 7777 udp from any to any via em0
ipfw add 1010 modip dscp:AF11 ip from any to any out diverted
ipfw add 1020 allow altq ftp ip from any to any out diverted
ipfw add 64000 allow altq root_em0 ip from any to any via em0
(one_pass was enabled in the above test case.)
65535 deny ip from any to any
4) observe packet flow through ALTQ ftp queue
ipfw show - list the packets that matched each firewall rule
pfctl -s queue -v - view the packets captured by the ALTQ queue
With ICMP and FTP traffic:
1) icmp traffic matches rule 64000; traffic is directed to the root_em0 queue
2) ftp traffic matches rules 100, 1010, 1020 and 64000 (all match)
Not sure how to configure the ipfw rules so that ftp traffic would match
rules 100, 1010 and 1020, but not 64000?
Thanks in advance!
alan
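The snapshot-diff check below is an added example for the "observe packet flow" step; it is not code from the original post, nor from ipfw-classifyd or the modip module. It assumes `ipfw show` prints one rule per line as `<rule> <packets> <bytes> <rule body>` (the `ipfw -a list` format), and the two snapshots are constructed counter values, not captured output. Diffing the counters before and after a single FTP transfer shows exactly which rules that traffic hit and by how many packets. One thing the rules themselves make worth checking: 1010 and 1020 only match `out diverted`, so the inbound half of an FTP connection, reinjected after rule 100, cannot match them and continues to 64000; a per-rule delta separates the two directions, which a single `ipfw show` listing does not.

```shell
#!/bin/sh
# Added example (not from the original post, ipfw-classifyd or modip):
# diff two `ipfw show` snapshots to see which rules a burst of traffic hit.
# Assumes `ipfw show` prints: <rule> <packets> <bytes> <rule body>.

# Constructed sample snapshot standing in for real `ipfw show` output
# (rule numbers follow the post; counters are made up for this example).
BEFORE='00100    10   1200 divert 7777 tcp from any to any via em0
00101     0      0 divert 7777 udp from any to any via em0
01010     5    600 modip dscp:AF11 ip from any to any out diverted
01020     5    600 allow altq ftp ip from any to any out diverted
64000    40   4000 allow altq root_em0 ip from any to any via em0
65535     0      0 deny ip from any to any'

# Constructed snapshot after an FTP exchange of 10 packets (5 out, 5 in):
# the outbound half reaches 1010/1020, the inbound half cannot match
# "out diverted" and falls through to 64000.
AFTER='00100    20   2400 divert 7777 tcp from any to any via em0
00101     0      0 divert 7777 udp from any to any via em0
01010    10   1200 modip dscp:AF11 ip from any to any out diverted
01020    10   1200 allow altq ftp ip from any to any out diverted
64000    45   4600 allow altq root_em0 ip from any to any via em0
65535     0      0 deny ip from any to any'

# snapshot: capture the live counters (needs root on a FreeBSD ipfw host).
snapshot() {
    ipfw show
}

# rule_hits BEFORE AFTER: print "<rule> <new packets> <rule body>" for every
# rule whose packet counter increased between the two snapshots.
rule_hits() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/ { second = 1; next }
        !second { pkts[$1] = $2; next }
        NF >= 4 {
            delta = $2 - pkts[$1]
            if (delta > 0) {
                body = $4
                for (i = 5; i <= NF; i++) body = body " " $i
                printf "%s %d %s\n", $1, delta, body
            }
        }'
}

# hit_rule_numbers BEFORE AFTER: only the rule numbers, space separated,
# for a quick "did 64000 see any of this traffic?" check.
hit_rule_numbers() {
    rule_hits "$1" "$2" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# Usage against the constructed snapshots:
rule_hits "$BEFORE" "$AFTER"
# Live use on the firewall host:
#   b=$(snapshot); <run the FTP transfer>; a=$(snapshot); rule_hits "$b" "$a"
```

Run it once per traffic type (one FTP session, then one ping) and compare the deltas; rules whose counters did not move are not listed, so the output is the exact path each kind of traffic took through the ruleset.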