From owner-freebsd-net  Fri Sep  8  4:25:32 2000
Delivered-To: freebsd-net@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184])
	by hub.freebsd.org (Postfix) with ESMTP id C1D6C37B424
	for <freebsd-net@FreeBSD.ORG>; Fri,  8 Sep 2000 04:25:26 -0700 (PDT)
Received: (from luigi@localhost)
	by info.iet.unipi.it (8.9.3/8.9.3) id NAA33256;
	Fri, 8 Sep 2000 13:26:13 +0200 (CEST)
	(envelope-from luigi)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
Message-Id: <200009081126.NAA33256@info.iet.unipi.it>
Subject: Re: useripacct
In-Reply-To: <Pine.BSF.4.21.0009081300020.327-100000@bagabeedaboo.security.at12.de>
 from Paul Herman at "Sep 8, 2000 01:18:13 pm"
To: Paul Herman <pherman@frenchfries.net>
Date: Fri, 8 Sep 2000 13:26:13 +0200 (CEST)
Cc: Ramses Smeyers <fatman@khk.org>, freebsd-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> ipfw doesn't implement quotas, but yes you would have to have a
> separate rule for each uid/gid -- agreed, not so efficient for ipfw to
> do.

Not really.
There are several pieces now in ipfw/dummynet which can generate
rules and pipes from a template, (see the keep-state rules and the
"mask" specifier in dummynet pipes), so the implementation of
per-uid quotas would be efficient and rather trivial (basically a
small modification to dynamic pipes where you just check the quota).

> Other than that, I can imagine an optional external daemon similar to
> natd(8) which enforces network quotas via a "divert" ipfw rule.  

killing performance in the meantime...

	cheers	
	luigi


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message