Message-ID: <3D86C25C.50104@amduat.net>
Date: Mon, 16 Sep 2002 22:49:16 -0700
From: "Jacob S. Barrett"
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: MAC Layer Bandwidth Limiting
References: <3D864865.2030607@amduat.net>

Well, I finally got a box put together to test this.  It seems to work.
Here is what I have.

router <--> dc0-[the box]-fxp0 <--> switch/clients

net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1
net.link.ether.bridge_cfg=fxp0,dc0

ipfw add 1000 pipe 1000 MAC 12:34:56:78:90:12 any all
ipfw add 1001 pipe 1001 MAC any 12:34:56:78:90:12 all
ipfw pipe 1000 config bw 512Kbit/s
ipfw pipe 1001 config bw 128Kbit/s

ipfw add 1010 pipe 1010 MAC 12:34:56:78:90:34 any all
ipfw add 1011 pipe 1011 MAC any 12:34:56:78:90:34 all
ipfw add 1010 pipe 1010 MAC 12:34:56:78:90:56 any all
ipfw add 1011 pipe 1011 MAC any 12:34:56:78:90:56 all
ipfw pipe 1010 config bw 768Kbit/s
ipfw pipe 1011 config bw 256Kbit/s

ipfw add 65000 deny MAC any any all

12:34:56:78:90:12 limited to 512down/128up
12:34:56:78:90:34 and 12:34:56:78:90:56 share 768down/256up

Like I said, this seems to work.  I did some simple tests by uploading and
downloading and changing pipe configs.

It would be nice to be able to specify a MAC mask on the pipes so I don't
have to create 2 for each client.

Also, digging through the source reveals no way to get and zero the counts
in an atomic fashion.  That would be a really nice feature to have in the
future.  It doesn't look like it would be too hard to hack in either.  If I
find time I will try to do it and submit a patch.

-Jake

Jacob S. Barrett wrote:
> If I wanted to do MAC layer bandwidth limiting would I want to do
> something like the following using IPFW2 or am I just way off?
>
> ipfw add 1000 pipe 1000 layer2 mac $MAC0 any
> ipfw add 1001 pipe 1001 layer2 mac any $MAC0
> ipfw pipe 1000 bw 128Kbit/s
> ipfw pipe 1001 bw 768Kbit/s
>
> ipfw add 1010 pipe 1010 layer2 mac $MAC1 any
> ipfw add 1011 pipe 1011 layer2 mac any $MAC1
> ipfw pipe 1010 bw 256Kbit/s
> ipfw pipe 1011 bw 512Kbit/s
>
> MAC0 is limited to 128kbit/s out and 768kbit/s in
> MAC1 is limited to 256kbit/s out and 512kbit/s in
>
> What I want is the ability to filter links at the MAC level as well as
> limit the bandwidth that particular link has.
> Traffic may not always be
> IP based so filtering on the IP address isn't sufficient.
>
> If this all makes sense and works then is it possible to use a MAC
> address mask in the pipe/queue mask.  What I mean is can the limits be
> based on per MAC rather than per IP so that I can remove the need to
> have two pipes for each MAC like I do now?  Something like this?
>
> ipfw add 1000 pipe 1128 layer2 mac $MAC0 any
> ipfw add 1001 pipe 2768 layer2 mac any $MAC0
>
> ipfw add 1010 pipe 1256 layer2 mac $MAC0 any
> ipfw add 1011 pipe 2512 layer2 mac any $MAC0
>
> ipfw add 1020 pipe 1128 layer2 mac $MAC2 any
> ipfw add 1021 pipe 2768 layer2 mac any $MAC2
>
> ipfw pipe 1128 bw 128Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1256 bw 256Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1512 bw 512Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1768 bw 768Kbit/s mask mac-src 0xffffffffffff
>
> ipfw pipe 2128 bw 128Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2256 bw 256Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2512 bw 512Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2768 bw 768Kbit/s mask mac-dst 0xffffffffffff
>
> MAC0 is limited to 128kbit/s out and 768kbit/s in
> MAC1 is limited to 256kbit/s out and 512kbit/s in
> MAC2 is limited to 128kbit/s out and 768kbit/s in
>
> Does any of this make sense or am I just way off in my own little world
> here?
>
> Now if all this works then I assume that the byte count field for rules
> xxx0 and xxx1 should be the total bytes in and out for the link.  Is
> this correct?  If I was going to use that field for accounting to
> determine the bytes transferred per month is there a way to read and
> zero the counts at the same time, or am I going to just have to let the
> few bytes that come in between read and zero just drop off?
>

-- 
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."
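
The accounting question in the message above (bytes lost between reading and zeroing a rule counter) can be sidestepped by never zeroing: keep the previous reading and subtract. This is an added example, not code from the original post; `usage_delta`, the sample snapshots and the assumed line layout (`<rule> <packets> <bytes> <rule text>`, as printed by `ipfw -a list`) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed snapshot format, as
# printed by `ipfw -a list`: <rule number> <packets> <bytes> <rule text...>

# usage_delta PREV CUR: print "<rule> <bytes since PREV>" per rule number.
usage_delta() {
    awk '
        NF < 3 { next }   # skip blank or truncated lines
        # Rules sharing one number (two MACs on one pipe) are summed.
        FILENAME == ARGV[1] { prev[$1 + 0] += $3; next }
                            { cur[$1 + 0]  += $3 }
        END {
            for (r in cur) {
                # A counter below its last reading was reset (reboot, zero,
                # ruleset reload): everything it shows is new traffic.
                if ((r in prev) && cur[r] >= prev[r]) d = cur[r] - prev[r]
                else d = cur[r]
                printf "%d %.0f\n", r, d
            }
        }
    ' "$1" "$2" | sort -n
}

# Constructed sample snapshots (rule text abbreviated as in the post).
sample_prev() {
    cat <<'EOF'
01000 120 150000 pipe 1000 MAC 12:34:56:78:90:12 any
01001  80  40000 pipe 1001 MAC any 12:34:56:78:90:12
01010  10   9000 pipe 1010 MAC 12:34:56:78:90:34 any
01010   5   1000 pipe 1010 MAC 12:34:56:78:90:56 any
EOF
}
sample_cur() {
    cat <<'EOF'
01000 300 450000 pipe 1000 MAC 12:34:56:78:90:12 any
01001  20   7000 pipe 1001 MAC any 12:34:56:78:90:12
01010  30  20000 pipe 1010 MAC 12:34:56:78:90:34 any
01010  15   5000 pipe 1010 MAC 12:34:56:78:90:56 any
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    sample_prev > "$dir/prev"
    sample_cur  > "$dir/cur"
    usage_delta "$dir/prev" "$dir/cur"
    rm -rf "$dir"
}
demo
```

In a periodic job the current snapshot is saved and becomes PREV for the next run, and the printed deltas are added to the monthly total.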