From owner-cvs-all@FreeBSD.ORG Thu Jun 10 21:41:28 2004
Date: Fri, 11 Jun 2004 00:40:59 +0300
From: Ruslan Ermilov
To: Max Laier
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c
Message-ID: <20040610214059.GA3228@ip.net.ua>
In-Reply-To: <200406100445.44763.max@love2party.net>
References: <200406092010.i59KAcXH025699@repoman.freebsd.org> <200406100445.44763.max@love2party.net>
User-Agent: Mutt/1.5.6i
List-Id: CVS commit messages for the entire tree
On Thu, Jun 10, 2004 at 04:45:37AM +0200, Max Laier wrote:
> On Wednesday 09 June 2004 22:10, Ruslan Ermilov wrote:
> > ru          2004-06-09 20:10:38 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     sbin/ipfw            ipfw.8 ipfw2.c
> >     sys/netinet          in.h ip_fw.h ip_fw2.c raw_ip.c
> >   Log:
> >   Introduce a new feature to IPFW2: lookup tables.  These are useful
> >   for handling large sparse address sets.  Initial implementation by
> >   Vsevolod Lobko, refined by me.
>
> Idea from: pf ;)
> Nice!
>
I've asked Vsevolod, and yes, the original idea attributes to PF.
Do PF tables allow addr/mask entries as IPFW tables do (I could not
intuit it from reading the pfctl(8) manpage)?

One nice difference (and I don't believe PF or IPFilter can do this)
is this optional 32-bit tag value with no special meaning.  For
example, we have several thousands of client IPs, and each client is
allowed (through a Web form) to limit bandwidth to some discrete
values (0, 64, 128, 256, 512, and "unlimited") in Kbps to/from
Ukrainian and foreign networks.  We have this all implemented using
less than ten IPFW tables:

- table 0 lists Ukrainian networks;
- table 1 lists all clients and their setting for incoming Ukrainian
  traffic;
- table 2 lists all clients and their setting for outgoing Ukrainian
  traffic;

and so forth.  And we have a small set of rules of the form:

    deny ip from table(1,0) to table(0)		// bw=0
    pipe 1 ip from table(1,128) to table(0)	// bw=128Kbps
    pipe 2 ip from table(1,256) to table(0)	// bw=256Kbps
    ...

where pipes 1 and 2 are configured for a bandwidth of 128 and 256
Kbps, respectively.  Tables are continuously updated while rulesets
stay the same.
Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
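The per-client bandwidth scheme from the mail above, as an added example (not Ruslan's or the FreeBSD project's code): a script that builds table 0, the tagged client entries in table 1, one dummynet pipe per distinct limit and the fixed deny/pipe/allow rules. The addresses are constructed, and the conventions "pipe number = Kbps", "tag 1000 = unlimited" and rule numbers 100, 200, ... are assumptions, not from the mail; IPFW defaults to "echo ipfw" so it runs offline and only prints the commands.

```shell
# Added example; set IPFW=ipfw on a FreeBSD host with ipfw2 lookup tables
# to actually apply the ruleset instead of printing it.
IPFW=${IPFW:-"echo ipfw"}

# Constructed sample data. Table 0 holds Ukrainian networks (no tag value).
UA_NETS="192.0.2.0/24
198.51.100.0/24"

# Constructed client list, "address bandwidth": 0 means deny, 64..512 is the
# Kbps limit, "unlimited" means no shaping. Tag 1000 for "unlimited" is an
# assumed convention (any otherwise unused 32-bit value would do).
CLIENTS="203.0.113.10 128
203.0.113.11 0
203.0.113.12 256
203.0.113.13 unlimited
203.0.113.14 128"

tag_for() { [ "$1" = unlimited ] && echo 1000 || echo "$1"; }

# Distinct finite, non-zero bandwidths: one pipe is needed per value.
distinct_bws() {
    echo "$CLIENTS" | awk '$2 != "0" && $2 != "unlimited" { print $2 }' | sort -nu
}

# Print the ipfw subcommands, one per line. Pipe number = Kbps and the rule
# numbers 100, 200, ... are assumed conventions, not from the mail.
gen_ruleset() {
    for net in $UA_NETS; do
        echo "table 0 add $net"
    done
    echo "$CLIENTS" | while read ip bw; do
        echo "table 1 add $ip $(tag_for "$bw")"
    done
    echo "add 100 deny ip from table(1,0) to table(0)"
    n=200
    for bw in $(distinct_bws); do
        echo "pipe $bw config bw ${bw}Kbit/s"
        echo "add $n pipe $bw ip from table(1,$bw) to table(0)"
        n=$((n + 100))
    done
    echo "add $n allow ip from table(1,$(tag_for unlimited)) to table(0)"
}

# Feed every line to ipfw (or echo). Later client changes only touch
# table 1; the rules stay unchanged, which is the point of the mail.
apply_ruleset() {
    gen_ruleset | while read line; do $IPFW $line; done
}

apply_ruleset
```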