From: Mike Makonnen
Date: Thu, 31 Jul 2008 13:02:29 +0300
To: freebsd-net@freebsd.org
Subject: Application layer classifier for ipfw
Message-ID: <48918DB5.7020201@wubethiopia.com>

Hi,

An Internet Cafe I do some work for was recently having problems with very slow internet access. It turns out customers were running P2P file sharing applications which were hogging all the bandwidth. I looked for programs that would allow me to shape traffic according to the application layer protocol, but couldn't find any for FreeBSD. I found a couple: l7-filter and ipp2p, but these are Linux specific. So, I decided to write one. The result is ipfw-classifyd:

http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2

As the name implies it uses ipfw(4) to implement a userland daemon that classifies TCP and UDP packets according to regular expression patterns for various protocols. It's intended to be used with divert(4) sockets and dummynet(4) so you can do traffic shaping depending on the application level protocol. The protocol patterns are from the l7-filter project.

Basically, you use ipfw(8) to divert tcp/udp packets to the daemon. It reads its configuration file for a list of protocols and ipfw(8) rules. Then, when it detects a matching session it re-injects the packet back at the specified rule number. The tarball has a sample configuration file and firewall script to get you started.

While I have not done extensive testing, preliminary tests are encouraging and it seems to work, so I thought I'd announce it to the rest of the world in case anyone else is interested in this kind of application. Comments and suggestions highly appreciated.

Cheers.

-- 
Mike Makonnen | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc
mtm @ FreeBSD.Org | AC7B 5672 2D11 F4D0 EBF8 5279 5359 2B82 7CD4 1F55
FreeBSD | http://www.freebsd.org
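The classification loop the message describes (buffer a session's TCP/UDP payload, try each protocol's regex against it, then hand the packet back at that protocol's ipfw rule number), as an added Python example that is not part of ipfw-classifyd: the protocol table, rule numbers and packet builder are constructed here, the patterns are simplified stand-ins rather than l7-filter's own, and the divert(4) socket I/O is left out so the logic runs offline. It also caps how much payload is buffered per flow, which a daemon fed by untrusted traffic needs.

```python
import re
import struct
# Constructed protocol table (simplified, not l7-filter's own patterns): a regex
# tried against the accumulated session payload -> ipfw(8) rule to re-inject at.
PROTOCOLS = {
    "http": (re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"), 1000),
    "bittorrent": (re.compile(rb"^\x13BitTorrent protocol"), 2000),
}
DEFAULT_RULE = 3000  # flows that match nothing continue at this rule
MAX_BYTES = 2048     # stop buffering a flow after this much payload (bounds memory)
def build_packet(proto, src, sport, dst, dport, payload):
    # Constructed IPv4 + TCP(6)/UDP(17) packet with zero checksums; test input only.
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     0, 0, 64, proto, 0, src, dst)
    return ip + l4 + payload

def parse_packet(pkt):
    # Return (direction-independent flow key, L4 payload), or None if not IPv4 TCP/UDP.
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto not in (6, 17) or len(pkt) < ihl + (20 if proto == 6 else 8):
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    hlen = (pkt[ihl + 12] >> 4) * 4 if proto == 6 else 8
    a, b = (pkt[12:16], sport), (pkt[16:20], dport)  # sort so both directions share a key
    return (proto,) + (a + b if a <= b else b + a), pkt[ihl + hlen:]

class Classifier:
    def __init__(self):
        self.buf = {}      # undecided flow key -> payload seen so far
        self.verdict = {}  # decided flow key -> (protocol name, rule number)

    def classify(self, pkt):
        # Return the ipfw rule number at which this packet should be re-injected.
        parsed = parse_packet(pkt)
        if parsed is None:
            return DEFAULT_RULE
        key, payload = parsed
        if key in self.verdict:  # session already classified: reuse its verdict
            return self.verdict[key][1]
        data = self.buf.get(key, b"") + payload
        hit = next(((n, r) for n, (p, r) in PROTOCOLS.items() if p.search(data)), None)
        if hit is None and len(data) < MAX_BYTES:
            self.buf[key] = data  # undecided: keep buffering for the next packet
            return DEFAULT_RULE
        self.verdict[key] = hit or ("unknown", DEFAULT_RULE)  # matched, or gave up
        self.buf.pop(key, None)
        return self.verdict[key][1]
```

In the real daemon the packet read from the divert socket would be written back with `classify()`'s return value as the sendto() port, which is how ipfw(8) picks the rule to resume at.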