From owner-freebsd-net@FreeBSD.ORG Thu Jul 31 21:28:40 2008
Message-ID: <48922E9D.1020507@elischer.org>
Date: Thu, 31 Jul 2008 14:29:01 -0700
From: Julian Elischer
To: Patrick Tracanelli
Cc: Mike Makonnen, freebsd-net@freebsd.org
Subject: Re: Application layer classifier for ipfw
In-Reply-To: <4891CD13.20600@freebsdbrasil.com.br>
References: <48918DB5.7020201@wubethiopia.com> <4891CD13.20600@freebsdbrasil.com.br>

Patrick Tracanelli wrote:
> Mike Makonnen wrote:
>> Hi,
>>
>> An Internet Cafe I do some work for was recently having problems with very slow internet access. It turns out customers were running P2P file sharing applications which were hogging all the bandwidth. I looked for programs that would allow me to shape traffic according to the application layer protocol, but couldn't find any for FreeBSD. I found a couple: l7-filter and ipp2p, but these are Linux specific. So, I decided to write one. The result is ipfw-classifyd:
>> http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2
>>
>> As the name implies it uses ipfw(4) to implement a userland daemon that classifies TCP and UDP packets according to regular expression patterns for various protocols. It's intended to be used with divert(4) sockets and dummynet(4) so you can do traffic shaping depending on the application level protocol. The protocol patterns are from the l7-filter project.
>>
>> Basically, you use ipfw(8) to divert tcp/udp packets to the daemon. It reads its configuration file for a list of protocols and ipfw(8) rules. Then, when it detects a matching session it re-injects the packet back at the specified rule number. The tarball has a sample configuration file and firewall script to get you started.
>>
>> While I have not done extensive testing, preliminary tests are encouraging and it seems to work, so I thought I'd announce it to the rest of the world in case anyone else is interested in this kind of application.
>>
>> Comments and suggestions highly appreciated.
>>
>> Cheers.
>
> Won't compile on RELENG_6 but is working perfectly on REL_7. I am trying hard with ssh, soulseek and msn. It's working like a charm with the suggested rc.firewall.
>
> I have configured ipfw-classifyd.conf changing the rules, for a number of L7 patterns, and now I try to understand why the "diverted" rules only match if the rule number is 1 after the configured, i.e., I put soulseek to 65530 and a rule won't match there, but the very same rule matches 65531. I will read the code, but it seems that reinjection of the packet is made +1, correct?

Yes, the idea is: if you get the sockaddr for the received packet and use it unmodified when reinjecting the packet, then it will continue on at the next rule. So since the rule number is "unchanged", we need to add 1 to it to say where to start from.

Hope that helps.
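A minimal divert(4) read/reinject loop illustrating the off-by-one Julian describes; this is an added example, not ipfw-classifyd's code or anything from the thread. DIVERT_PORT and RESUME_RULE are constructed values, and the example assumes (as FreeBSD's ip_divert.c does) that sin_port carries the ipfw rule number without byte-swapping.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258   /* FreeBSD's value; lets the file compile elsewhere */
#endif
#define DIVERT_PORT 8670     /* constructed: port of an "ipfw add divert 8670" rule */
#define RESUME_RULE 65531    /* constructed: rule we want the packet to hit next */

/* divert(4) resumes processing at the rule AFTER the number in sin_port, so
 * to land on `rule` the daemon must write rule - 1. A port of 0 means
 * "restart from the first rule". */
uint16_t divert_port_to_resume_at(uint16_t rule) {
    return rule == 0 ? 0 : (uint16_t)(rule - 1);
}

/* Rule the packet continues at if the sockaddr from recvfrom() is passed
 * back to sendto() unchanged: the diverting rule plus one. Assumption: the
 * kernel stores the rule number in sin_port in host order, so no ntohs(). */
uint16_t rule_after_unmodified_reinject(const struct sockaddr_in *from) {
    return (uint16_t)(from->sin_port + 1);
}

int main(void) {
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in bind_addr, from;
    socklen_t fromlen;
    char pkt[65535];
    ssize_t n;

    if (fd < 0) { perror("socket"); return 1; }
    memset(&bind_addr, 0, sizeof bind_addr);
#ifdef __FreeBSD__
    bind_addr.sin_len = sizeof bind_addr;
#endif
    bind_addr.sin_family = AF_INET;
    bind_addr.sin_port = htons(DIVERT_PORT);  /* bind() wants network order */
    if (bind(fd, (struct sockaddr *)&bind_addr, sizeof bind_addr) < 0) {
        perror("bind"); return 1;
    }
    for (;;) {
        fromlen = sizeof from;
        n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); break; }
        /* classify pkt here; on a match, pick the rule it should resume at */
        from.sin_port = divert_port_to_resume_at(RESUME_RULE);
        if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
            perror("sendto");
    }
    close(fd);
    return 0;
}
```

Run as root on a FreeBSD box with an `ipfw add <n> divert 8670 tcp from any to any` rule in place; unclassified traffic should be sent back with the sockaddr untouched so it simply continues at rule n+1.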