Date: Sat, 2 Aug 2008 13:41:43 +0200
From: Ermal Luçi
To: Mike Makonnen
Cc: Patrick Tracanelli, freebsd-net@freebsd.org
Subject: Re: Application layer classifier for ipfw

One thing, can you please make the SYN/ACK table optional since on pf(4)
you have the info from the state table when a tcp connection is
established.

On Sat, Aug 2, 2008 at 1:34 PM, Ermal Luçi wrote:
> On Sat, Aug 2, 2008 at 1:33 PM, Mike Makonnen wrote:
>> Patrick Tracanelli wrote:
>>>
>>> eculp wrote:
>>>>
>>>> Quoting Mike Makonnen:
>>>>
>>>>> Daniel Dias Gonçalves wrote:
>>>>>>
>>>>>> You will go to develop a version to work with PF ?
>>>>>>
>>>>> I don't know what's needed to get it to work with pf, but if it's not
>>>>> too much work, sure.
>>>>
>>>> That would be great, Mike. I'm seeing more and more bandwidth being used
>>>> with p2p that I haven't been able to control with pf. The thought has
>>>> entered my mind to change back to ipfw that I used for many years before
>>>> changing to pf maybe 3 years ago. I also found dummynet to be easy and
>>>> practical to set up for both incoming and outgoing connections. Something
>>>> else I haven't figured out how to do the same with altq, if even possible.
>>>> In fact, if I am able to control p2p with pf I may not even need
>>>> bidirectional bandwidth limits.
>
> As for pf(4) I have mostly finished divert support on pf. The number
> on the protocol means a dummynet queue/pipe instead of a rule number
> for ipfw.
> Surely with dummynet(4) support into pf(4) too. I will polish the
> patch and post it later on.
>
>>>>
>>>> Thanks for sharing your very practical solution to a real world problem.
>>>> Have a great weekend.
>>>
>>> If it could be rewritten as a netgraph node, maybe it could tag the
>>> classified packets, and tagging be compatible with both pf and ipfw (under
>>> discretionary user choice with configuration switches), so both ipfw or pf
>>> could be used.
>>
>
> This means doing regex in kernel or just a daemon as mpd on top of netgraph?
>
>> I'll look into this when I have time.
>>>
>>> However a lot of work has to be done before. It works better on i386 than
>>> amd64 right now, won't compile on RELENG_6 without modifying some gcc tweaks,
>>> etc.
>>
>> Do you have a patch :-) ? Barring that, can you email me a copy of the build
>> output?
>>>
>>> I hope enhancing it can be a GSoC project in the future, or we (community)
>>> can raise some funds to make it happen faster. It is really a long-time
>>> needed feature to FreeBSD.
>>>
>>
>> Cheers.
>>
>> --
>> Mike Makonnen | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc
>> mtm @ FreeBSD.Org | AC7B 5672 2D11 F4D0 EBF8 5279 5359 2B82 7CD4 1F55
>> FreeBSD | http://www.freebsd.org
>
> --
> Ermal

-- 
Ermal