Date:      Fri, 1 Aug 2008 17:50:17 +0200
From:      "Ermal Luçi" <ermal.luci@gmail.com>
To:        "Mike Makonnen" <mtm@wubethiopia.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Application layer classifier for ipfw
Message-ID:  <9a542da30808010850o22ebbe4er4e56e6f700a37c5e@mail.gmail.com>
In-Reply-To: <4892E3BE.2030900@wubethiopia.com>
References:  <OFD29E8196.3986AFDB-ONC1257497.003DFC81-C1257497.003E0301@raiffeisen.al> <9a542da30807311344u34422adauade5c2b62b71804a@mail.gmail.com> <4892E3BE.2030900@wubethiopia.com>

On Fri, Aug 1, 2008 at 12:21 PM, Mike Makonnen <mtm@wubethiopia.com> wrote:
> Ermal Luçi wrote:
>>>
>>> Hi,
>>>
>>> An Internet Cafe I do some work for was recently having problems with
>>> very slow internet access. It turns out customers were running P2P file
>>> sharing applications which were hogging all the bandwidth. I looked for
>>> programs that would allow me to shape traffic according to the
>>> application layer protocol, but couldn't find any for FreeBSD. I found a
>>> couple: l7-filter and ipp2p, but these are Linux specific. So, I decided
>>> to write one. The result is ipfw-classifyd :
>>> http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2
>>>
>>> As the name implies it uses ipfw(4) to implement a userland daemon that
>>> classifies TCP and UDP packets according to regular expression patterns
>>> for various protocols. It's intended to be used with divert(4) sockets
>>> and dummynet(4) so you can do traffic shaping depending on the
>>> application level protocol. The protocol patterns are from the l7-filter
>>> project.
>>>
>>> Basically, you use ipfw(8) to divert tcp/udp packets to the daemon. It
>>> reads its configuration file for a list of protocols and ipfw(8) rules.
>>> Then, when it detects a matching session it re-injects the packet back
>>> at the specified rule number. The tarball has a sample configuration
>>> file and firewall script to get you started.
>>>
>>> While I have not done extensive testing, preliminary tests are
>>> encouraging and it seems to work, so I thought I'd announce it to the
>>> rest of the world in case anyone else is interested in this kind of
>>> application.
>>>
>>> Comments and suggestions highly appreciated.
>>>
>>
>> Thanks for this.
>> I have a question, you remove a flow from if you see a FIN for the TCP
>> case and only on overlapping flow for either TCP/UDP how do the other
>> flows expire I am missing that part?
>>
>>
>
> No, you're not missing anything.  It's on my TODO list. I wanted to get
> this out and get feedback as early as possible, so I released it as soon as
> I had it basically working.  I'm thinking of storing some session
> information
> for the flow (like a timestamp for the last packet seen) and implementing
> a garbage collector thread that removes sessions that have been idle for
> some period of time.
>

BTW, why not make it a port?!
-- 
Ermal
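
The idle-timeout idea from the quoted reply (a last-packet timestamp per flow plus a periodic sweep), as an added example that is not part of the original message and is not ipfw-classifyd code. The struct layout, the function names `flow_touch` and `flow_expire`, and the fixed table size are assumptions; the sweep is a plain function the caller invokes periodically rather than a separate thread.

```c
#include <stdint.h>
#include <time.h>

#define MAX_FLOWS 1024            /* hard cap: state cannot grow without bound */

struct flow {                     /* hypothetical layout, not ipfw-classifyd's */
    uint32_t src, dst;            /* IPv4 addresses */
    uint16_t sport, dport;
    uint8_t  proto;               /* 6 = TCP, 17 = UDP */
    uint8_t  used;
    time_t   last_seen;           /* timestamp of the last packet seen */
};

static struct flow table[MAX_FLOWS];

/* Refresh the flow's timestamp, or insert it. Returns 0, or -1 if the table is full. */
int flow_touch(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
               uint8_t proto, time_t now)
{
    struct flow *slot = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        struct flow *f = &table[i];
        if (!f->used) {
            if (slot == NULL)
                slot = f;         /* remember the first free slot */
        } else if (f->src == src && f->dst == dst && f->sport == sport &&
                   f->dport == dport && f->proto == proto) {
            f->last_seen = now;
            return 0;
        }
    }
    if (slot == NULL)
        return -1;                /* full: caller decides how to treat the packet */
    *slot = (struct flow){ src, dst, sport, dport, proto, 1, now };
    return 0;
}

/* Garbage-collector pass: free flows idle longer than max_idle seconds. */
int flow_expire(time_t now, time_t max_idle)
{
    int removed = 0;
    for (int i = 0; i < MAX_FLOWS; i++)
        if (table[i].used && now - table[i].last_seen > max_idle) {
            table[i].used = 0;
            removed++;
        }
    return removed;
}
```

Without the sweep, UDP flows and TCP flows that never send a FIN stay in the table indefinitely, so the cap and the timeout together bound the memory the classifier holds per client.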