Date: Fri, 01 Aug 2008 13:21:50 +0300
From: Mike Makonnen <mtm@wubethiopia.com>
To: Ermal Luçi <ermal.luci@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Application layer classifier for ipfw
Message-ID: <4892E3BE.2030900@wubethiopia.com>
In-Reply-To: <9a542da30807311344u34422adauade5c2b62b71804a@mail.gmail.com>
References: <OFD29E8196.3986AFDB-ONC1257497.003DFC81-C1257497.003E0301@raiffeisen.al> <9a542da30807311344u34422adauade5c2b62b71804a@mail.gmail.com>
Ermal Luçi wrote:
>> Hi,
>>
>> An Internet Cafe I do some work for was recently having problems with very slow internet access. It turns out customers were running P2P file sharing applications which were hogging all the bandwidth. I looked for programs that would allow me to shape traffic according to the application layer protocol, but couldn't find any for FreeBSD. I found a couple: l7-filter and ipp2p, but these are Linux specific. So, I decided to write one. The result is ipfw-classifyd:
>> http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2
>>
>> As the name implies it uses ipfw(4) to implement a userland daemon that classifies TCP and UDP packets according to regular expression patterns for various protocols. It's intended to be used with divert(4) sockets and dummynet(4) so you can do traffic shaping depending on the application level protocol. The protocol patterns are from the l7-filter project.
>>
>> Basically, you use ipfw(8) to divert tcp/udp packets to the daemon. It reads its configuration file for a list of protocols and ipfw(8) rules. Then, when it detects a matching session it re-injects the packet back at the specified rule number. The tarball has a sample configuration file and firewall script to get you started.
>>
>> While I have not done extensive testing, preliminary tests are encouraging and it seems to work, so I thought I'd announce it to the rest of the world in case anyone else is interested in this kind of application.
>>
>> Comments and suggestions highly appreciated.
>>
>
> Thanks for this.
> I have a question: you remove a flow if you see a FIN for the TCP case, and only on an overlapping flow for either TCP/UDP. How do the other flows expire? I am missing that part.
>

No, you're not missing anything. It's on my TODO list. I wanted to get this out and get feedback as early as possible, so I released it as soon as I had it basically working.
I'm thinking of storing some session information for the flow (like a timestamp for the last packet seen) and implementing a garbage collector thread that removes sessions that have been idle for some period of time.

Cheers.

--
Mike Makonnen         | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc
mtm @ FreeBSD.Org     | AC7B 5672 2D11 F4D0 EBF8 5279 5359 2B82 7CD4 1F55
FreeBSD               | http://www.freebsd.org
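The idle-timeout expiry sketched in the reply, written out as an added C example that is not ipfw-classifyd's own code: a 5-tuple flow table whose entries carry a last-seen timestamp, immediate removal on TCP FIN, and a garbage-collector pass that evicts idle flows. The table size, key layout and 300-second timeout are assumptions, and locking between the packet path and a collector thread is left out.

```c
/* Added example (not ipfw-classifyd code): flow table with last-seen timestamps,
 * FIN removal and an idle sweep. Table size, key layout and timeout are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <time.h>

#define MAX_FLOWS    64
#define IDLE_TIMEOUT 300   /* seconds; assumed value */

struct flow {
    bool in_use;
    uint8_t proto;         /* 6 = TCP, 17 = UDP */
    uint32_t src, dst;     /* IPv4, host byte order */
    uint16_t sport, dport;
    time_t last_seen;      /* refreshed by every packet of the flow */
};
static struct flow table[MAX_FLOWS];

/* Find the flow and refresh last_seen, or create it; NULL when the table is full. */
struct flow *flow_touch(uint8_t proto, uint32_t src, uint16_t sport,
                        uint32_t dst, uint16_t dport, time_t now)
{
    struct flow *spare = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        struct flow *f = &table[i];
        if (!f->in_use) { if (!spare) spare = f; continue; }
        if (f->proto == proto && f->src == src && f->sport == sport &&
            f->dst == dst && f->dport == dport) { f->last_seen = now; return f; }
    }
    if (!spare) return NULL;
    *spare = (struct flow){ .in_use = true, .proto = proto, .src = src,
        .dst = dst, .sport = sport, .dport = dport, .last_seen = now };
    return spare;
}

/* Immediate removal, e.g. when a TCP FIN is seen. */
void flow_close(struct flow *f) { if (f) f->in_use = false; }

/* Garbage-collector pass (called periodically): evict flows idle > IDLE_TIMEOUT. */
int flow_gc(time_t now)
{
    int evicted = 0;
    for (int i = 0; i < MAX_FLOWS; i++)
        if (table[i].in_use && now - table[i].last_seen > IDLE_TIMEOUT) {
            table[i].in_use = false;
            evicted++;
        }
    return evicted;
}

/* Live flows, for checking the sweep. */
int flow_count(void) { int n = 0; for (int i = 0; i < MAX_FLOWS; i++) n += table[i].in_use; return n; }
```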