cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c

Darren Reed darrenr at
Fri Jun 11 02:22:47 GMT 2004

On Fri, Jun 11, 2004 at 12:40:59AM +0300, Ruslan Ermilov wrote:
> One nice difference (and I don't believe PF or IPFilter can do
> this) is this optional 32-bit tag value with no special meaning.
> For example, we have several thousands of client IPs, and each
> client is allowed (through a Web form) to limit bandwidth to
> some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> Kbps to/from Ukrainian and foreign networks.  We have this all
> implemented using less than ten IPFW tables:

I suppose I could shoe-horn that into 1 rule if I was using ipf
and it had pipes.

But ipf doesn't have pipe rules although it does have groups and
you can use a pool for mapping ip#'s into groups.  I see the logical
extension of that meaning you should be able to put the bw param
into each node of the table, no ?  And extend the syntax of the
tables to define an arbitrary's really a question of
how well a particular parameter for a given rule matches being
distinguishable for any given ip#/mask.

> and so forth.  And we have a small set of rules of the form:
> deny ip from table(1,0) to table(0)	// bw=0
> pipe 1 ip from table(1,128) to table(0)	// bw=128Kbps

And what if I do:
deny 1 ip from table(1,128) to table(0)
or is that not allowed ?
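The tables-plus-pipes layout Ruslan describes above, written out as an added example (this is not code from the thread or from FreeBSD; it only generates ipfw commands, so it can be reviewed before being fed to a root shell). The client list, the table numbers, the choice of pipe number equal to the bandwidth value, and the encoding of "unlimited" as table value 1 are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit the ipfw table entries and rules for the
# "one table with a 32-bit value per client" scheme. Nothing here
# runs ipfw; the output is meant to be inspected, then piped to sh.

# Constructed sample input: "address bandwidth" with bandwidth in
# Kbps, 0 meaning blocked and "unlimited" meaning no shaping.
CLIENTS='10.1.0.5 0
10.1.0.6 64
10.1.0.7 128
10.1.1.0/24 512
10.1.2.9 unlimited'

CLASSES="64 128 256 512"   # discrete shaping classes (assumed)
CLIENT_TABLE=1             # client address -> bandwidth value
FOREIGN_TABLE=0            # destination networks, value unused
UNLIMITED=1                # assumed sentinel: 1 Kbps is never a class

# One "ipfw table N add addr value" line per client. The value is
# what later rules match with table(N,value).
table_cmds() {
    printf '%s\n' "$CLIENTS" | while read -r addr bw; do
        case "$bw" in
            unlimited) val=$UNLIMITED ;;
            *)         val=$bw ;;
        esac
        echo "ipfw table $CLIENT_TABLE add $addr $val"
    done
}

# Pipe definitions plus the small fixed rule set: one deny pair for
# value 0, one pipe pair per class, one allow pair for "unlimited".
# The rule count does not grow with the number of clients.
rule_cmds() {
    for c in $CLASSES; do
        echo "ipfw pipe $c config bw ${c}Kbit/s"
    done
    n=1000
    echo "ipfw add $n deny ip from table($CLIENT_TABLE,0) to table($FOREIGN_TABLE)"
    n=$((n + 1))
    echo "ipfw add $n deny ip from table($FOREIGN_TABLE) to table($CLIENT_TABLE,0)"
    n=$((n + 1))
    for c in $CLASSES; do
        echo "ipfw add $n pipe $c ip from table($CLIENT_TABLE,$c) to table($FOREIGN_TABLE)"
        n=$((n + 1))
        echo "ipfw add $n pipe $c ip from table($FOREIGN_TABLE) to table($CLIENT_TABLE,$c)"
        n=$((n + 1))
    done
    echo "ipfw add $n allow ip from table($CLIENT_TABLE,$UNLIMITED) to table($FOREIGN_TABLE)"
    n=$((n + 1))
    echo "ipfw add $n allow ip from table($FOREIGN_TABLE) to table($CLIENT_TABLE,$UNLIMITED)"
}

# Usage: sh gen.sh | less   (review)   or   sh gen.sh | sh   (apply as root)
table_cmds
rule_cmds
```

Changing a client's limit is then a single `ipfw table 1 add addr value` (which replaces the stored value for an existing entry) with no rule edits, which is the point Ruslan makes about needing fewer than ten tables and a handful of rules for thousands of clients.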


