cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h
ip_fw.h ip_fw2.c raw_ip.c
Darren Reed
darrenr at hub.freebsd.org
Fri Jun 11 02:22:47 GMT 2004
On Fri, Jun 11, 2004 at 12:40:59AM +0300, Ruslan Ermilov wrote:
> One nice difference (and I don't believe PF or IPFilter can do
> this) is this optional 32-bit tag value with no special meaning.
> For example, we have several thousands of client IPs, and each
> client is allowed (through a Web form) to limit bandwidth to
> some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> Kbps to/from Ukrainian and foreign networks. We have this all
> implemented using less than ten IPFW tables:
I suppose I could shoe-horn that into 1 rule if I was using ipf
and it had pipes.
But ipf doesn't have pipe rules although it does have groups and
you can use a pool for mapping ip#'s into groups. I see the logical
extension of that meaning you should be able to put the bw param
into each node of the table, no ? And extend the syntax of the
tables to define an arbitrary arg...it's really a question of
how well a particular parameter for a given rule matches being
distinguishable for any given ip#/mask.
> and so forth. And we have a small set of rules of the form:
>
> deny ip from table(1,0) to table(0) // bw=0
> pipe 1 ip from table(1,128) to table(0) // bw=128Kbps
And what if I do:
deny 1 ip from table(1,128) to table(0)
or is that not allowed ?
Darren
More information about the cvs-src
mailing list