kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION

Andrey V. Elsukov bu7cher at yandex.ru
Tue Mar 18 07:43:38 UTC 2008


Paolo Pisati wrote:
> On Thu, Mar 13, 2008 at 09:21:11AM +0000, Vadim Goncharov wrote:
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=80642
>> Yes, this is useful, but some minor changes are needed, I think. First, rename
>> it to "bytelimit" or something similar. Second, allow this to use tablearg and possibly
>> the ability to reference a counter of the corresponding dynamic rule, to allow this to
>> act for a specific IP or connection without the need to write many rules. Third,
>> add a packet counter as well. That's all possible with one opcode, though...
> 
> If anyone posts an updated patch, I'll commit it.

So, the updated patch is here:
http://butcher.heavennet.ru/patches/kernel/ipfw/ipfw_counterlimit.diff

Now this option is divided into two: "counterlimit-bytes" and
"counterlimit-packets".
Rule examples:
add allow ip from any to 10.0.0.1 counterlimit-bytes 100M \
	in recv external_if
add allow ip from any to 10.0.0.1 counterlimit-packets 50 \
	in recv external_if

About Vadim's proposals:
1. tablearg: it's possible, but currently we use a u32 argument in
tables, while counterlimits are 64-bit values. First of all we
should extend our current table argument to 64 bits.

2. dynamic rules: I think it should be implemented as an extension
to the current O_LIMIT opcode or something similar.

Also I have a question about my current implementation. Does it
need to have the ability of "humanized" printing of limits, which
was implemented before?

-- 
WBR, Andrey V. Elsukov
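As an added illustration (not the patch linked above and not ipfw's own code), a small Python model of the two proposed options. The match semantics (a rule keeps matching until its 64-bit counter reaches the limit), the K/M/G suffix parser for humanized values such as "100M", and the u32 tablearg check behind point 1 are all assumptions made for this example:

```python
"""Model of the proposed "counterlimit-bytes" / "counterlimit-packets"
rule options. Constructed illustration; semantics are assumed, not taken
from the patch."""

U32_MAX = 2**32 - 1          # width of today's table argument (tablearg)
U64_MAX = 2**64 - 1          # width of the counterlimit values
_SUFFIX = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}


def parse_limit(text: str) -> int:
    """Parse a humanized limit such as "100M" (assumed syntax) into bytes."""
    text = text.strip().upper()
    digits = text.rstrip("KMGT")
    suffix = text[len(digits):]
    if not digits.isdigit() or suffix not in _SUFFIX:
        raise ValueError(f"bad limit: {text!r}")
    value = int(digits) * _SUFFIX[suffix]
    if value > U64_MAX:
        raise ValueError("limit does not fit in 64 bits")
    return value


def fits_tablearg(limit: int) -> bool:
    """A 64-bit limit can only come from a table while it fits the u32 arg."""
    return limit <= U32_MAX


class CounterLimitRule:
    """One rule with optional byte/packet limits and 64-bit counters."""

    def __init__(self, bytes_limit=None, packets_limit=None):
        self.bytes_limit, self.packets_limit = bytes_limit, packets_limit
        self.bytes = 0
        self.packets = 0

    def match(self, pkt_len: int) -> bool:
        """True while the rule still matches; a matching packet is counted.
        The packet that reaches the limit is still matched (assumed)."""
        if self.bytes_limit is not None and self.bytes >= self.bytes_limit:
            return False
        if self.packets_limit is not None and self.packets >= self.packets_limit:
            return False
        self.bytes += pkt_len
        self.packets += 1
        return True


def run(rule: CounterLimitRule, lengths) -> list:
    """Feed a constructed sequence of packet lengths through one rule."""
    return [rule.match(n) for n in lengths]
```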

