cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c
ru at FreeBSD.org
Thu Jun 10 21:41:28 GMT 2004
On Thu, Jun 10, 2004 at 04:45:37AM +0200, Max Laier wrote:
> On Wednesday 09 June 2004 22:10, Ruslan Ermilov wrote:
> > ru 2004-06-09 20:10:38 UTC
> > FreeBSD src repository
> > Modified files:
> > sbin/ipfw ipfw.8 ipfw2.c
> > sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c
> > Log:
> > Introduce a new feature to IPFW2: lookup tables. These are useful
> > for handling large sparse address sets. Initial implementation by
> > Vsevolod Lobko <seva at ip.net.ua>, refined by me.
> Idea from: pf ;)
I've asked Vsevolod, and yes, the original idea is attributed to PF.
Do PF tables allow addr/mask entries as IPFW tables do (I could
not intuit it from reading the pfctl(8) manpage)?
One nice difference (and I don't believe PF or IPFilter can do
this) is this optional 32-bit tag value with no special meaning.
For example, we have several thousand client IPs, and each
client is allowed (through a Web form) to limit bandwidth to
some discrete values (0, 64, 128, 256, 512, and "unlimited") in
Kbps to/from Ukrainian and foreign networks. We have this all
implemented using less than ten IPFW tables:
  - table 0 lists Ukrainian networks;
  - table 1 lists all clients and their setting for incoming;
  - table 2 lists all clients and their setting for outgoing;
and so forth. And we have a small set of rules of the form:
  deny ip from table(1,0) to table(0)      // bw=0
  pipe 1 ip from table(1,128) to table(0)  // bw=128Kbps
  pipe 2 ip from table(1,256) to table(0)  // bw=256Kbps
where pipes 1 and 2 are configured for a bandwidth of 128
and 256 Kbps, respectively.
Tables are continuously updated while rulesets stay the same.
ru at FreeBSD.org
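As an added illustration (not part of the mail or of the FreeBSD source), the matching semantics behind the rules above, written in Python: each table does a longest-prefix match over addr/mask entries that carry an optional value, table(N,V) additionally requires the matched entry's value to equal V, and the first matching rule wins. The table contents are constructed from documentation address ranges, and the longest-prefix behaviour and the trailing "allow" fallthrough are assumptions for the example.

```python
import ipaddress

# Constructed sample tables (documentation ranges, not the poster's real data).
# Each entry is addr/mask -> optional 32-bit value, as in the new ipfw tables.
TABLE_ENTRIES = {
    0: {"192.0.2.0/24": None, "198.51.100.0/24": None},            # "Ukrainian" nets
    1: {"10.1.0.0/16": 0, "10.1.5.7/32": 128, "10.2.0.0/24": 256},  # client -> Kbps
}

class LookupTable:
    """One ipfw table; assumption: longest-prefix match, as a radix tree gives."""
    def __init__(self, entries):
        self.entries = [(ipaddress.ip_network(k), v) for k, v in entries.items()]

    def lookup(self, addr):
        """Return (found, value) for the most specific entry containing addr."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, value in self.entries:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, value)
        return (True, best[1]) if best else (False, None)

TABLES = {n: LookupTable(e) for n, e in TABLE_ENTRIES.items()}

def table_match(spec, addr):
    """table(N) matches any entry; table(N,V) only entries whose value equals V."""
    if spec is None:                      # rule says 'any'
        return True
    number, wanted = spec
    found, value = TABLES[number].lookup(addr)
    return found and (wanted is None or value == wanted)

# The ruleset from the mail as (action, src spec, dst spec); first match wins.
RULES = [
    ("deny",   (1, 0),   (0, None)),   # bw=0
    ("pipe 1", (1, 128), (0, None)),   # bw=128Kbps
    ("pipe 2", (1, 256), (0, None)),   # bw=256Kbps
]

def classify(src, dst):
    """Return the action taken for an IP packet from src to dst."""
    for action, src_spec, dst_spec in RULES:
        if table_match(src_spec, src) and table_match(dst_spec, dst):
            return action
    return "allow"   # assumption: later rules/default accept traffic not shaped here
```

A client listed as 10.1.5.7/32 with value 128 gets "pipe 1" towards a table-0 network even though the broader 10.1.0.0/16 entry carries value 0, which is exactly the point of tags on per-client entries.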