From owner-freebsd-net@FreeBSD.ORG Fri Aug 1 10:30:51 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2D662106567F for ; Fri, 1 Aug 2008 10:30:51 +0000 (UTC) (envelope-from mtm@wubethiopia.com) Received: from dire.wubethiopia.com (j071.v.rootbsd.net [208.79.82.223]) by mx1.freebsd.org (Postfix) with ESMTP id DED418FC12 for ; Fri, 1 Aug 2008 10:30:50 +0000 (UTC) (envelope-from mtm@wubethiopia.com) Received: from rogue.mike.lan (unknown [213.55.82.136]) by dire.wubethiopia.com (Postfix) with ESMTPSA id 45EEE4FDA772; Fri, 1 Aug 2008 10:30:46 +0000 (UTC) Message-ID: <4892E735.1000105@wubethiopia.com> Date: Fri, 01 Aug 2008 13:36:37 +0300 From: Mike Makonnen User-Agent: Thunderbird 2.0.0.12 (X11/20080323) MIME-Version: 1.0 To: Patrick Tracanelli References: <48918DB5.7020201@wubethiopia.com> <4891CD13.20600@freebsdbrasil.com.br> In-Reply-To: <4891CD13.20600@freebsdbrasil.com.br> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-net@freebsd.org Subject: Re: Application layer classifier for ipfw X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2008 10:30:51 -0000 Patrick Tracanelli wrote: > Mike Makonnen escreveu: >> Hi, >> >> An Internet Cafe I do some work for was recently having problems with >> very slow internet access. It turns out customers were running P2P >> file sharing applications which were hogging all the bandwidth. I >> looked for programs that would allow me to shape traffic according >> to the application layer protocol, but couldn't find any for FreeBSD. >> I found a couple: l7-filter and ipp2p, but these are Linux specific. >> So, I decided to write one. The result is ipfw-classifyd : >> http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2 >> >> As the name implies it uses ipfw(4) to implement a userland daemon >> that classifies TCP and UDP packets according to regular expression >> patterns for various protocols. It's intended to be used with >> divert(4) sockets and dummynet(4) so you can do traffic shaping >> depending on the application level protocol. The protocol patterns >> are from the l7-filter project. >> >> Basically, you use ipfw(8) to divert tcp/udp packets to the damon. It >> reads its configuration file for a list of protocols and ipfw(8) >> rules. Then, when it detects a matching session it re-injects the >> packet back at the specified rule number. The tarball has a sample >> configuration file and firewall script to get you started. >> >> While I have not done extensive testing, preliminary tests are >> encouraging and it seems to work, so I thought I'd announce it to the >> rest of the world in case anyone else is interested in this kind of >> application. >> >> Comments and suggestions highly appreciated. >> >> Cheers. > > Wont compile on RELENG_6 but is working perfectly on REL_7. I am > trying hard with ssh, soulseek and msn. Its working like a charm with > the suggested rc.firewall. Can you email me the compile error? > > I have configured ipfw-classfyd.conf changing the rules, for a number > of L7 patterns, and now I try to understand why the "diverted" rules > only match if the rule number is 1 after the configured, ie, I put > soulseek to 65530 and a rule wont match there, but the very same rule > matches 65531. I will read the code, but it seems that reinjection of > the packet is made +1, correct? > The application doesn't do that, it's the firewall that does that. Basically, when ipfw(4) diverts a packet to the application it includes the rule that caused the packet to be diverted (so that when it gets it back it knows where to continue processing from). When it gets the packet back it continues processing the packet at the rule *after* the one that caused it to be diverted (otherwise the packet would get diverted in an endless loop). In the sample script rule 1000 is the rule that passes the packets that do not get diverted, so I configured ipfw-classifyd to modify the information that comes with the packet to point to rule 1000 (in classifyd.conf). So, when ipfw(4) gets the packet back it continues processing it at the next rule after 1000, which is the rule that sends all diverted packets through the pipe. Hope that helps. Cheers. -- Mike Makonnen | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc mtm @ FreeBSD.Org | AC7B 5672 2D11 F4D0 EBF8 5279 5359 2B82 7CD4 1F55 FreeBSD | http://www.freebsd.org