Date: Fri, 11 Jun 2004 02:22:47 +0000
From: Darren Reed <darrenr@hub.freebsd.org>
To: Ruslan Ermilov <ru@FreeBSD.org>
Cc: cvs-src@FreeBSD.org
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c
Message-ID: <20040611022247.GA40799@hub.freebsd.org>
In-Reply-To: <20040610214059.GA3228@ip.net.ua>
References: <200406092010.i59KAcXH025699@repoman.freebsd.org> <200406100445.44763.max@love2party.net> <20040610214059.GA3228@ip.net.ua>
On Fri, Jun 11, 2004 at 12:40:59AM +0300, Ruslan Ermilov wrote:
> One nice difference (and I don't believe PF or IPFilter can do
> this) is this optional 32-bit tag value with no special meaning.
> For example, we have several thousand client IPs, and each
> client is allowed (through a Web form) to limit bandwidth to
> some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> Kbps to/from Ukrainian and foreign networks. We have this all
> implemented using less than ten IPFW tables:

I suppose I could shoe-horn that into 1 rule if I was using ipf and it
had pipes.  But ipf doesn't have pipe rules, although it does have groups
and you can use a pool for mapping ip#'s into groups.

I see the logical extension of that meaning you should be able to put
the bw param into each node of the table, no?  And extend the syntax of
the tables to define an arbitrary arg... it's really a question of how
well a particular parameter for a given rule matches being distinguishable
for any given ip#/mask.

> and so forth.  And we have a small set of rules of the form:
>
> deny ip from table(1,0) to table(0)        // bw=0
> pipe 1 ip from table(1,128) to table(0)    // bw=128Kbps

And what if I do:

deny 1 ip from table(1,128) to table(0)

or is that not allowed?

Darren
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040611022247.GA40799>
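The rules quoted in this thread depend on two properties of ipfw lookup tables: a lookup is a longest-prefix match (the most specific entry wins), and table(N,V) matches only when the matched entry's stored value equals V. The following Python simulation of that matching is an added example, not code from this message, from the ipfw sources, or from either author; it assumes those documented semantics, and the table numbers, client prefixes, destination prefix and bandwidth classes are constructed sample data. It shows why a /24 with value 0 nested inside a /16 with value 128 is handled correctly by the rule set, which is the "distinguishable for any given ip#/mask" question raised above.

```python
import ipaddress


class LpmTable:
    """Simulates one ipfw lookup table: prefixes carrying a 32-bit value,
    looked up by longest prefix match (ipfw tables are radix trees, so the
    most specific entry wins). Assumed semantics, not the ipfw code itself."""

    def __init__(self):
        self._entries = []

    def add(self, prefix, value=0):
        net = ipaddress.ip_network(prefix, strict=False)
        self._entries.append((net, value & 0xFFFFFFFF))
        # keep the most specific prefixes first so the first hit is the longest match
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        for net, value in self._entries:
            if a in net:
                return value
        return None


def table_matches(tables, spec, addr):
    """table(N) matches if addr is in table N; table(N,V) additionally
    requires the matched entry's value to equal V."""
    num, want = spec
    t = tables.get(num)
    if t is None:
        return False
    got = t.lookup(addr)
    if got is None:
        return False
    return want is None or got == want


# Rule set in the shape of the one quoted in the thread: (number, action, src, dst).
# A src/dst of None means "any"; a spec is (table number, required value or None).
RULES = [
    (100, "deny",   (1, 0),   (0, None)),   # bw=0
    (200, "pipe 1", (1, 128), (0, None)),   # bw=128Kbps
    (300, "pipe 2", (1, 256), (0, None)),   # bw=256Kbps
    (65535, "allow", None, None),           # default rule
]


def first_match(tables, src, dst, rules=RULES):
    """ipfw semantics: rules are tried in number order and the first match wins."""
    for number, action, s, d in rules:
        if s is not None and not table_matches(tables, s, src):
            continue
        if d is not None and not table_matches(tables, d, dst):
            continue
        return number, action
    return None


def build_tables():
    """Constructed sample data; none of these prefixes come from the thread."""
    clients = LpmTable()              # table 1: client IPs, value = bandwidth class
    clients.add("10.1.0.0/16", 128)   # whole block defaults to 128Kbps
    clients.add("10.1.2.0/24", 0)     # one /24 inside it is cut off (bw=0)
    clients.add("10.2.0.0/16", 256)
    nets = LpmTable()                 # table 0: destination networks
    nets.add("192.0.2.0/24")
    return {0: nets, 1: clients}


TABLES = build_tables()


def classify(src, dst):
    """Return (rule number, action) that the sample rule set applies to src->dst."""
    return first_match(TABLES, src, dst)


if __name__ == "__main__":
    for s, d in [("10.1.5.5", "192.0.2.1"), ("10.1.2.7", "192.0.2.1"),
                 ("10.2.9.9", "192.0.2.1"), ("10.1.5.5", "198.51.100.1")]:
        print(s, "->", d, classify(s, d))
```

Note that the nested /24 with value 0 is chosen over the enclosing /16 with value 128 purely by prefix length, so the deny rule fires for 10.1.2.7 while the rest of 10.1.0.0/16 still falls through to the 128Kbps pipe; a flat value-per-rule design without longest-prefix lookup would need a separate rule per overlapping range to get the same result.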