Hi ppl (and sorry for cross posting),

I reviewed Andrey Elsukov's patch for adding "bound" support to ipfw, and I decided to push this feature a little further.

You can see the whole picture here: http://www.freebsd.org/cgi/query-pr.cgi?pr=80642 and here: http://butcher.heavennet.ru/

In my patch, 3 new options are added:

1. "below <VALUE>" (this is the same option as Andrey's "bound" option, I just renamed it).
2. "above <VALUE>", which is the opposite of "below". Rules match when the counter is above <VALUE>.
3. "check-quota" (this is the same option as Andrey's "check-bound", but it now applies to both the "above" and "below" options).

Notes:

1. The patch is against releng_6.
2. I also include a more complicated example which is (IMHO) a complete traffic quota + shaping solution for a small (or not so small) ISP.
3. For installation, follow the instructions Andrey published in his webspace: http://butcher.heavennet.ru/
4. The patch doesn't break the ipfw ABI (today), because it adds the new options at the end of the list. If you apply this patch in a month or so, I cannot guarantee success.
5. Please test, and send me your feedback. I'll be happy if you find these features useful and if any developer commits this patch to the current or releng_6 branch.

Chris.
Attachment: releng6_ipfw_quota.patch (binary)
Example: We will enforce traffic shaping and a traffic quota in a client network behind a FreeBSD gateway.

Definitions/policy:

1. Client network: 1.1.1.0/24.
2. Quota policy:
   unlimited clients:    1.1.1.0/27
   100MB/day clients:    1.1.1.32/27    ipfw set: 2   ipfw rule range: 1000-9999
   1GB/week clients:     1.1.1.64/26    ipfw set: 3   ipfw rule range: 10000-19999
   10GB/month clients:   1.1.1.128/25   ipfw set: 4   ipfw rule range: 20000-29999
3. Shaping policy:
   1.1.1.0/27       unlimited
   1.1.1.32/27      100Mbps in/out
   1.1.1.64/26      10Mbps in/out
   1.1.1.128/25     1Mbps in/out
   quota exceeded   64Kbps in/out

ipfw.sh
=======

#!/bin/sh
# No spaces around "=" in sh assignments, otherwise "ipfw" is run as a command.
ipfw="/sbin/ipfw"
qos="40000"
allow="65000"
lan="em0"
wan="em1"

# ******************
# * QOS definition *
# ******************
# quota exceeded pipes (one dynamic queue per host, keyed on the last octet):
${ipfw} pipe 1 config bw 64Kbit/s mask dst-ip 0x000000ff
${ipfw} pipe 2 config bw 64Kbit/s mask src-ip 0x000000ff
# 1Mbit/s pipes:
${ipfw} pipe 3 config bw 1Mbit/s mask dst-ip 0x000000ff
${ipfw} pipe 4 config bw 1Mbit/s mask src-ip 0x000000ff
# 10Mbit/s pipes:
${ipfw} pipe 5 config bw 10Mbit/s mask dst-ip 0x000000ff
${ipfw} pipe 6 config bw 10Mbit/s mask src-ip 0x000000ff
# 100Mbit/s pipes:
${ipfw} pipe 7 config bw 100Mbit/s mask dst-ip 0x000000ff
${ipfw} pipe 8 config bw 100Mbit/s mask src-ip 0x000000ff

# *************************
# * RECEIVE Without Quota *
# *************************
${ipfw} add 100 allow ip from any to any in recv ${lan}
${ipfw} add 200 allow ip from any to any in recv ${wan}

# ***********************
# * 100MB/DAY both ways *
# ***********************
# Per host: the even rule allows inbound traffic to the host as long as the odd
# rule's counter is not above the quota (check-quota); the odd rule counts the
# host's outbound traffic and jumps to the shaping rules while it is below the
# quota. Once above, both fall through to rule 9999 (64Kbit/s pipes).
${ipfw} add 1000 set 2 allow ip from any to 1.1.1.32/32 out xmit ${lan} check-quota 1001
${ipfw} add 1001 set 2 skipto ${qos} ip from 1.1.1.32/32 to any out xmit ${wan} above 100M
${ipfw} add 1002 set 2 allow ip from any to 1.1.1.33/32 out xmit ${lan} check-quota 1003
${ipfw} add 1003 set 2 skipto ${qos} ip from 1.1.1.33/32 to any out xmit ${wan} above 100M
....
${ipfw} add 1062 set 2 allow ip from any to 1.1.1.63/32 out xmit ${lan} check-quota 1063
${ipfw} add 1063 set 2 skipto ${qos} ip from 1.1.1.63/32 to any out xmit ${wan} above 100M
${ipfw} add 9999 skipto ${allow} pipe 1 ip from any to 1.1.1.32/27 out xmit ${lan}
${ipfw} add 9999 skipto ${allow} pipe 2 ip from 1.1.1.32/27 to any out xmit ${wan}

# **********************
# * 1GB/WEEK both ways *
# **********************
${ipfw} add 10000 set 3 allow ip from any to 1.1.1.64/32 out xmit ${lan} check-quota 10001
${ipfw} add 10001 set 3 skipto ${qos} ip from 1.1.1.64/32 to any out xmit ${wan} above 1G
${ipfw} add 10002 set 3 allow ip from any to 1.1.1.65/32 out xmit ${lan} check-quota 10003
${ipfw} add 10003 set 3 skipto ${qos} ip from 1.1.1.65/32 to any out xmit ${wan} above 1G
....
${ipfw} add 10126 set 3 allow ip from any to 1.1.1.127/32 out xmit ${lan} check-quota 10127
${ipfw} add 10127 set 3 skipto ${qos} ip from 1.1.1.127/32 to any out xmit ${wan} above 1G
${ipfw} add 19999 skipto ${allow} pipe 1 ip from any to 1.1.1.64/26 out xmit ${lan}
${ipfw} add 19999 skipto ${allow} pipe 2 ip from 1.1.1.64/26 to any out xmit ${wan}

# ************************
# * 10GB/MONTH both ways *
# ************************
${ipfw} add 20000 set 4 allow ip from any to 1.1.1.128/32 out xmit ${lan} check-quota 20001
${ipfw} add 20001 set 4 skipto ${qos} ip from 1.1.1.128/32 to any out xmit ${wan} above 10G
${ipfw} add 20002 set 4 allow ip from any to 1.1.1.129/32 out xmit ${lan} check-quota 20003
${ipfw} add 20003 set 4 skipto ${qos} ip from 1.1.1.129/32 to any out xmit ${wan} above 10G
....
${ipfw} add 20254 set 4 allow ip from any to 1.1.1.255/32 out xmit ${lan} check-quota 20255
${ipfw} add 20255 set 4 skipto ${qos} ip from 1.1.1.255/32 to any out xmit ${wan} above 10G
${ipfw} add 29999 skipto ${allow} pipe 1 ip from any to 1.1.1.128/25 out xmit ${lan}
${ipfw} add 29999 skipto ${allow} pipe 2 ip from 1.1.1.128/25 to any out xmit ${wan}

# *******
# * QOS *
# *******
# 1.1.1.128/25: each host gets 1Mbit/s in and 1Mbit/s out
${ipfw} add ${qos} skipto ${allow} pipe 3 ip from any to 1.1.1.128/25 out xmit ${lan}
${ipfw} add ${qos} skipto ${allow} pipe 4 ip from 1.1.1.128/25 to any out xmit ${wan}
# 1.1.1.64/26: each host gets 10Mbit/s in and 10Mbit/s out
${ipfw} add ${qos} skipto ${allow} pipe 5 ip from any to 1.1.1.64/26 out xmit ${lan}
${ipfw} add ${qos} skipto ${allow} pipe 6 ip from 1.1.1.64/26 to any out xmit ${wan}
# 1.1.1.32/27: each host gets 100Mbit/s in and 100Mbit/s out
${ipfw} add ${qos} skipto ${allow} pipe 7 ip from any to 1.1.1.32/27 out xmit ${lan}
${ipfw} add ${qos} skipto ${allow} pipe 8 ip from 1.1.1.32/27 to any out xmit ${wan}

# *********
# * allow *
# *********
${ipfw} add ${allow} allow ip from any to any

/etc/crontab:
=============

# Perform daily/weekly/monthly ipfw counter reset.
# Zeroing the set resets the per-host counters that "above" is compared against.
0 0 * * * root /sbin/ipfw zero set 2
0 0 * * 0 root /sbin/ipfw zero set 3
# Day-of-month 0 is not valid in cron; reset the monthly set on the 1st.
0 0 1 * * root /sbin/ipfw zero set 4
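As an added example (this is not Chris's code, nor part of the patch), here is a small POSIX sh generator for the per-host rule pairs that ipfw.sh writes out by hand in the "...." ranges. It follows the numbering scheme of the post (rule BASE+2i allows inbound to host i with check-quota on rule BASE+2i+1, which counts the host's outbound traffic and skips to the QoS rules while below the quota), and it refuses a subnet whose rule pairs would overflow the set's rule range, which would otherwise silently collide with the 9999/19999/29999 fallback rules. It assumes the patched ipfw's "above <VALUE>" and "check-quota <RULE>" syntax from the mail (stock ipfw does not have them); the function names, the IPFW/LAN/WAN/QOS variables and the sample arguments are mine. The script only prints the commands, so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example: generate per-host quota rules in the scheme used by ipfw.sh.
# Assumes the patched ipfw "above"/"check-quota" options described in the post.
IPFW=/sbin/ipfw   # assumed paths/names, matching the post's example
LAN=em0
WAN=em1
QOS=40000

# ip_to_int 1.1.1.32 -> 16843040 (dotted quad to 32-bit integer)
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 16843040 -> 1.1.1.32
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# gen_quota_rules SET BASE_RULE LAST_RULE CIDR QUOTA
# Prints two rules per address in CIDR (network and broadcast included, as in
# the post): rule BASE+2i allows inbound traffic to the host unless rule
# BASE+2i+1 is above QUOTA; rule BASE+2i+1 counts outbound traffic and jumps
# to the QoS rules while below QUOTA. Fails if the pairs do not fit in
# BASE..LAST, so they cannot run into the set's fallback rule at LAST.
gen_quota_rules() {
    set_no=$1 base=$2 last=$3 cidr=$4 quota=$5
    net=${cidr%/*}
    plen=${cidr#*/}
    hosts=$(( 1 << (32 - plen) ))
    if [ $(( base + 2 * hosts )) -gt "$last" ]; then
        echo "rule range $base-$last too small for $hosts hosts in $cidr" >&2
        return 1
    fi
    start=$(ip_to_int "$net")
    i=0
    while [ "$i" -lt "$hosts" ]; do
        ip=$(int_to_ip $(( start + i )))
        r1=$(( base + 2 * i ))
        r2=$(( r1 + 1 ))
        echo "$IPFW add $r1 set $set_no allow ip from any to $ip/32 out xmit $LAN check-quota $r2"
        echo "$IPFW add $r2 set $set_no skipto $QOS ip from $ip/32 to any out xmit $WAN above $quota"
        i=$(( i + 1 ))
    done
}

# Usage: sh gen_quota.sh 2 1000 9999 1.1.1.32/27 100M | sh
if [ $# -eq 5 ]; then
    gen_quota_rules "$@"
fi
```

Running it once per quota class (2 1000 9999 1.1.1.32/27 100M, 3 10000 19999 1.1.1.64/26 1G, 4 20000 29999 1.1.1.128/25 10G) reproduces the three hand-written blocks of ipfw.sh; the fallback and QoS rules still have to be added separately.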