Traffic quota features in IPFW

Chris Dionissopoulos dionch at freemail.gr
Sat Jul 16 15:02:43 GMT 2005


Hi ppl, ( and sorry for cross posting)

I reviewed Andrey Elsukov's patch for adding "bound" support in ipfw, and I decided to push this feature a little further.

You can see the whole picture in there:
http://www.freebsd.org/cgi/query-pr.cgi?pr=80642
and there:
http://butcher.heavennet.ru/

In my patch, 3 new options are added:
1. "below <VALUE>" (which is the same option as Andrey's "bound" option, I just renamed it)
2. "above <VALUE>", which is the opposite of "below": match rules when the counter is above <VALUE>.
3. "check-quota" (which is the same option as Andrey's "check-bound", but now applies to both "above" and "below" options).

Notes:
1. Patch is against releng_6.
2. I also include a more complicated example which is (IMHO) a complete traffic quota+shaping solution for a small (or not so small) ISP.
3. For installation, follow the instructions Andrey published in his webspace:
http://butcher.heavennet.ru/
4. Patch doesn't break the ipfw ABI (today), because it adds new options at the end of the list. If you apply this patch in a month or so, I cannot guarantee success.
5. Please test, and send me your feedback.


I'll be happy if you find these features useful and if any developer commits this patch in the current or releng_6 branch.


Chris.


Example:

We will enforce traffic shaping and traffic quota in a client's network behind a FreeBSD gateway.


Definitions/policy:

1. Clients network: 1.1.1.0/24.

2. Quota policy:
   unlimited        clients: 1.1.1.0/27
   100MB/day        clients: 1.1.1.32/27   ipfw-set:2  ipfw-range:1000-9999
   1GB/week         clients: 1.1.1.64/26   ipfw-set:3  ipfw-range:10000-19999
   10GB/month       clients: 1.1.1.128/25  ipfw-set:4  ipfw-range:20000-29999

3. Shaping policy:
   1.1.1.0/27       unlimited
   1.1.1.32/27      100Mbps in/out
   1.1.1.64/26      10Mbps in/out
   1.1.1.128/25     1Mbps in/out
   quota exceeded   64Kbps in/out


ipfw.sh
=======

#!/bin/sh

# Paths, rule numbers and interfaces used by the rules below
ipfw="/sbin/ipfw"
qos="40000"      # rule number of the QOS (shaping) block
allow="65000"    # final allow rule
lan="em0"        # client-facing interface
wan="em1"        # upstream interface

# ******************
# * QOS definition *
# ******************

# quota exceeded pipes:
${ipfw} pipe 1 config bw 64Kbit/s  mask dst-ip  0x000000ff
${ipfw} pipe 2 config bw 64Kbit/s  mask src-ip  0x000000ff

# 1MB pipes:
${ipfw} pipe 3 config bw 1Mbit/s   mask dst-ip  0x000000ff
${ipfw} pipe 4 config bw 1Mbit/s   mask src-ip  0x000000ff

# 10MB pipes:
${ipfw} pipe 5 config bw 10Mbit/s  mask dst-ip  0x000000ff
${ipfw} pipe 6 config bw 10Mbit/s  mask src-ip  0x000000ff

# 100MB pipes:
${ipfw} pipe 7 config bw 100Mbit/s mask dst-ip  0x000000ff
${ipfw} pipe 8 config bw 100Mbit/s mask src-ip  0x000000ff


# *************************
# * RECEIVE Without Quota *
# *************************

${ipfw} add 100 allow ip from any to any in recv ${lan}
${ipfw} add 200 allow ip from any to any in recv ${wan}


# ***********************
# * 100MB/DAY both ways *
# ***********************

${ipfw} add 1000 set 2 allow       ip from any         to 1.1.1.32/32 out xmit ${lan} check-quota 1001
${ipfw} add 1001 set 2 skipto ${qos} ip from 1.1.1.32/32 to any         out xmit ${wan} above 100M
 
${ipfw} add 1002 set 2 allow       ip from any         to 1.1.1.33/32 out xmit ${lan} check-quota 1003
${ipfw} add 1003 set 2 skipto ${qos} ip from 1.1.1.33/32 to any         out xmit ${wan} above 100M

....

${ipfw} add 1062 set 2 allow       ip from any         to 1.1.1.63/32 out xmit ${lan} check-quota 1063
${ipfw} add 1063 set 2 skipto ${qos} ip from 1.1.1.63/32 to any         out xmit ${wan} above 100M

${ipfw} add 9999 skipto ${allow} pipe 1 ip from any         to 1.1.1.32/27 out xmit ${lan}
${ipfw} add 9999 skipto ${allow} pipe 2 ip from 1.1.1.32/27 to any         out xmit ${wan}


# **********************
# * 1GB/WEEK both ways *
# **********************

${ipfw} add 10000 set 3 allow       ip from any          to 1.1.1.64/32  out xmit ${lan} check-quota 10001
${ipfw} add 10001 set 3 skipto ${qos} ip from 1.1.1.64/32  to any          out xmit ${wan} above 1G
 
${ipfw} add 10002 set 3 allow       ip from any          to 1.1.1.65/32  out xmit ${lan} check-quota 10003
${ipfw} add 10003 set 3 skipto ${qos} ip from 1.1.1.65/32  to any          out xmit ${wan} above 1G

....

${ipfw} add 10126 set 3 allow       ip from any          to 1.1.1.127/32 out xmit ${lan} check-quota 10127
${ipfw} add 10127 set 3 skipto ${qos} ip from 1.1.1.127/32 to any          out xmit ${wan} above 1G


${ipfw} add 19999 skipto ${allow} pipe 1 ip from any         to 1.1.1.64/26 out xmit ${lan}
${ipfw} add 19999 skipto ${allow} pipe 2 ip from 1.1.1.64/26 to any         out xmit ${wan}



# ***********************
# * 10GB/MONTH both ways*
# ***********************

${ipfw} add 20000 set 4 allow       ip from any           to 1.1.1.128/32  out xmit ${lan} check-quota 20001
${ipfw} add 20001 set 4 skipto ${qos} ip from 1.1.1.128/32  to any           out xmit ${wan} above 10G
 
${ipfw} add 20002 set 4 allow       ip from any           to 1.1.1.129/32  out xmit ${lan} check-quota 20003
${ipfw} add 20003 set 4 skipto ${qos} ip from 1.1.1.129/32  to any           out xmit ${wan} above 10G

....
 
${ipfw} add 20254 set 4 allow       ip from any           to 1.1.1.255/32  out xmit ${lan} check-quota 20255
${ipfw} add 20255 set 4 skipto ${qos} ip from 1.1.1.255/32  to any           out xmit ${wan} above 10G


${ipfw} add 29999 skipto ${allow} pipe 1 ip from any          to 1.1.1.128/25 out xmit ${lan}
${ipfw} add 29999 skipto ${allow} pipe 2 ip from 1.1.1.128/25 to any          out xmit ${wan}


# *************
# *    QOS    *
# *************

# 1.1.1.128/25: each host has 1Mbps in and 1Mbps out shaping
${ipfw} add ${qos} skipto ${allow} pipe 3 ip from any         to 1.1.1.128/25 out xmit ${lan}
${ipfw} add ${qos} skipto ${allow} pipe 4 ip from 1.1.1.128/25 to any         out xmit ${wan}

# 1.1.1.64/26: each host has 10Mbps in and 10Mbps out shaping
${ipfw} add ${qos} skipto ${allow} pipe 5 ip from any         to 1.1.1.64/26  out xmit ${lan}
${ipfw} add ${qos} skipto ${allow} pipe 6 ip from 1.1.1.64/26 to any          out xmit ${wan}

# 1.1.1.32/27: each host has 100Mbps in and 100Mbps out shaping
${ipfw} add ${qos} skipto ${allow} pipe 7 ip from any         to 1.1.1.32/27  out xmit ${lan}
${ipfw} add ${qos} skipto ${allow} pipe 8 ip from 1.1.1.32/27 to any          out xmit ${wan}


# *********
# * allow *
# *********

${ipfw} add ${allow} allow ip from any to any
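As an added example (not part of Chris's patch or attachment), a small sh generator that expands the "...." sections of ipfw.sh: it emits the allow/check-quota and skipto/above rule pair for every host of a policy block, from the set number, rule-range base, host range and quota given in the policy table. The function name gen_quota_rules and the shell variables are assumptions; the rule keywords are the ones the patch adds.

```shell
#!/bin/sh
# Generator for the per-host quota rule pairs of ipfw.sh (added example).
# Assumed variable names, mirroring the ones in ipfw.sh.
ipfw="/sbin/ipfw"
lan="em0"
wan="em1"
qos="40000"

# gen_quota_rules FWSET BASE FIRST LAST QUOTA
#   FWSET : ipfw set holding the block's counters (zeroed by cron)
#   BASE  : first rule number of the block's range (1000, 10000, 20000)
#   FIRST, LAST : last octet of the first and last host in the subnet
#   QUOTA : threshold for "above" (100M, 1G, 10G)
# Host number i gets rules BASE+2*(i-FIRST) and BASE+2*(i-FIRST)+1:
# the inbound allow rule's check-quota points at its own outbound rule.
gen_quota_rules() {
    fwset="$1"; base="$2"; first="$3"; last="$4"; quota="$5"
    i="$first"
    while [ "$i" -le "$last" ]; do
        n=$((base + 2 * (i - first)))
        host="1.1.1.$i/32"
        printf '%s add %d set %d allow ip from any to %s out xmit %s check-quota %d\n' \
            "$ipfw" "$n" "$fwset" "$host" "$lan" $((n + 1))
        printf '%s add %d set %d skipto %s ip from %s to any out xmit %s above %s\n' \
            "$ipfw" $((n + 1)) "$fwset" "$qos" "$host" "$wan" "$quota"
        i=$((i + 1))
    done
}

# The three blocks of the policy table; pipe the output into sh to install.
gen_quota_rules 2 1000  32  63  100M
gen_quota_rules 3 10000 64  127 1G
gen_quota_rules 4 20000 128 255 10G
```

The last line printed for set 4 is rule 20255 for 1.1.1.255/32, matching the hand-written rule in ipfw.sh.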




/etc/crontab:
=============
# Perform daily/weekly/monthly ipfw counter reset.
# minute	hour	mday	month	wday	who	command
0	0	*	*	*	root	/sbin/ipfw zero set 2
0	0	*	*	0	root	/sbin/ipfw zero set 3
0	0	1	*	*	root	/sbin/ipfw zero set 4
