From: Darren Reed
To: Ruslan Ermilov
cc: Max Laier, src-committers@FreeBSD.org, cvs-all@FreeBSD.org, cvs-src@FreeBSD.org
Date: Fri, 11 Jun 2004 02:22:47 +0000
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c
Message-ID: <20040611022247.GA40799@hub.freebsd.org>
In-Reply-To: <20040610214059.GA3228@ip.net.ua>
References: <200406092010.i59KAcXH025699@repoman.freebsd.org> <200406100445.44763.max@love2party.net> <20040610214059.GA3228@ip.net.ua>

On Fri, Jun 11, 2004 at 12:40:59AM +0300, Ruslan Ermilov wrote:
> One nice difference (and I don't believe PF or IPFilter can do
> this) is this optional 32-bit tag value with no special meaning.
> For example, we have several thousands of client IPs, and each
> client is allowed (through a Web form) to limit bandwidth to
> some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> Kbps to/from Ukrainian and foreign networks. We have this all
> implemented using less than ten IPFW tables:

I suppose I could shoe-horn that into 1 rule if I was using ipf and it
had pipes. But ipf doesn't have pipe rules although it does have groups
and you can use a pool for mapping ip#'s into groups. I see the logical
extension of that meaning you should be able to put the bw param into
each node of the table, no?

And extend the syntax of the tables to define an arbitrary arg... it's
really a question of how well a particular parameter for a given rule
matches being distinguishable for any given ip#/mask.

> and so forth. And we have a small set of rules of the form:
>
> deny ip from table(1,0) to table(0) // bw=0
> pipe 1 ip from table(1,128) to table(0) // bw=128Kbps

And what if I do:

deny 1 ip from table(1,128) to table(0)

or is that not allowed?

Darren
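The tagged-table matching that the quoted rules rely on, modelled in Python as an added example (this is not ipfw source and not code from either poster): a lookup table maps each prefix to an optional value, `table(N,V)` matches only when the longest-prefix entry carries value V, and rules are evaluated first-match. The table contents, the `pipe 2` rule and the final `allow` rule are constructed for illustration.

```python
import ipaddress

# Constructed sample tables.  Each entry maps a prefix to an optional value; in the
# scheme quoted above the value is the client's bandwidth class in Kbps (0 = blocked).
# Table 0 stands in for the "foreign networks" destination table.
TABLES = {
    1: {  # client IPs -> bandwidth class (the "bw param in each node of the table")
        ipaddress.ip_network("10.1.0.0/16"): 128,
        ipaddress.ip_network("10.1.5.0/24"): 0,     # more specific entry: blocked
        ipaddress.ip_network("10.2.0.0/16"): 512,
        ipaddress.ip_network("10.3.0.0/16"): 64,    # class with no pipe rule below
    },
    0: {  # destination networks; the value is unused for plain table(0)
        ipaddress.ip_network("0.0.0.0/0"): None,
    },
}

def table_lookup(table_no, addr):
    """Longest-prefix match in one table; returns (matched, value)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, value in TABLES[table_no].items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return (False, None) if best is None else (True, best[1])

def table_match(spec, addr):
    """spec is (N,) for table(N) or (N, V) for table(N,V)."""
    matched, value = table_lookup(spec[0], addr)
    if not matched:
        return False
    return len(spec) == 1 or value == spec[1]

# Rule set: (action, source spec, destination spec).  The first two mirror the
# quoted rules; "pipe 2" and the trailing "allow" are assumed for illustration.
RULES = [
    ("deny",   (1, 0),   (0,)),   # deny ip from table(1,0) to table(0)
    ("pipe 1", (1, 128), (0,)),   # pipe 1 ip from table(1,128) to table(0)
    ("pipe 2", (1, 512), (0,)),
    ("allow",  (1,),     (0,)),   # any other tagged client passes unshaped
]

def classify(src, dst):
    """First-match evaluation; returns the action string or None if no rule matched."""
    for action, s_spec, d_spec in RULES:
        if table_match(s_spec, src) and table_match(d_spec, dst):
            return action
    return None
```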