From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 7 22:48:09 2009 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E00F5106566B for ; Wed, 7 Oct 2009 22:48:09 +0000 (UTC) (envelope-from luigi@onelab2.iet.unipi.it) Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.59.238]) by mx1.freebsd.org (Postfix) with ESMTP id 65E668FC12 for ; Wed, 7 Oct 2009 22:48:09 +0000 (UTC) Received: by onelab2.iet.unipi.it (Postfix, from userid 275) id 3A556730DA; Thu, 8 Oct 2009 00:54:52 +0200 (CEST) Date: Thu, 8 Oct 2009 00:54:52 +0200 From: Luigi Rizzo To: Joe R Message-ID: <20091007225452.GA37005@onelab2.iet.unipi.it> References: <286e18280910071246r33d33476ya9dd846cd1de6062@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <286e18280910071246r33d33476ya9dd846cd1de6062@mail.gmail.com> User-Agent: Mutt/1.4.2.3i Cc: freebsd-ipfw@freebsd.org, julian@elischer.org Subject: Re: Extension of dummynet/ipfw to support userspace packet classification X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Oct 2009 22:48:10 -0000 On Wed, Oct 07, 2009 at 12:46:24PM -0700, Joe R wrote: > We at ironport have a requirement to do bandwidth management, but the > traffic classification (and selection of bandwidth pipes) is done in > userspace. The reason classification is done in userspace is because the > traffic classifications are something like streaming audio traffic, video > traffic, based on website categories etc. > > > > Our appliance is based on FreeBSD, and so we decided to look at dummynet to > support our requirement. We could not use dummynet as such because it uses > ipfw for packet classification, where packet classification (and pipe > selection) is done in kernel based on tcp/ip parameters like IP and port. > > > > So we decided to extended dummynet/ipfw to support packet classification in > userspace. > > Our idea is to extended socket structure to have a pipe number and have a > setsockoption to associate the pipe number to a socket structure. Then have > a new ipfw target (mappedpipe), which will pass the packet to dummynet > (similar to pipe target) but with the pipe number in the socket structure if > it is non-zero. > > > > I would like to know your comments on this proposal and if people are > interested, I will be happy to submit a patch on this. i think the feature is useful. However I would implement it as an ipfw 'option' called "sockarg" (or similar) as follows: ipfw pipe tablearg sockarg where 'sockarg' succeeds ONLY if the packet is associated to a socket for which the special setsockoption has been issued, and in this case sets the 'tablearg' to the value of the setsockopt. This is somewhat similar to the 'uid' and 'gid' options (except for setting tablearg). This way the mechanism can be very general (not limited to pipes) and the implementation is probably simpler than the one you propose. In terms of runtime costs, we can look at check_uidgid() function, and there are two ways to implement this feature: - as in check_uidgid() , actively lookup for a matching socket if one is not available. This is expensive but would allow the feature to match also incoming packets; - only match if the args->inp parameter is non-null, otherwise do not call in_pcblookup_hash(). This is cheaper but clearly only works for locally generated packets. Perhaps we could use an argument for 'sockarg' so we can decide whether to call or not the in_pcblookup_hash() on a case-by-case basis. cheers luigi