Application layer classifier for ipfw

Ermal Luçi ermal.luci at
Thu Jul 31 21:09:27 UTC 2008

> Hi,
> An Internet Cafe I do some work for was recently having problems with
> very slow internet access. It turns out customers were running P2P file
> sharing applications which were hogging all the bandwidth. I looked for
>  programs that would allow me to shape traffic according to the
> application layer protocol, but couldn't find any for FreeBSD. I found a
> couple: l7-filter and ipp2p, but these are Linux specific. So, I decided
> to write one. The result is ipfw-classifyd :
> As the name implies it uses ipfw(4) to implement a userland daemon that
> classifies TCP and UDP packets according to regular expression patterns
> for various protocols. It's intended to be used with divert(4) sockets
> and dummynet(4) so you can do traffic shaping depending on the
> application level protocol. The protocol patterns are from the l7-filter
> project.
> Basically, you use ipfw(8) to divert tcp/udp packets to the damon. It
> reads its configuration file for a list of protocols and ipfw(8) rules.
> Then, when it detects a matching session it re-injects the packet back
> at the specified rule number. The tarball has a sample configuration
> file and firewall script to get you started.
> While I have not done extensive testing, preliminary tests are
> encouraging and it seems to work, so I thought I'd announce it to the
> rest of the world in case anyone else is interested in this kind of
> application.
> Comments and suggestions highly appreciated.

Thanks for this.
I have a question, you remove a flow from if you see a FIN for the TCP
case and only on overlapping flow for either TCP/UDP how do the other
flows expire i am missing that part?

> Cheers.
> --
> Mike Makonnen       | GPG-KEY:
> mtm @ FreeBSD.Org   | AC7B 5672 2D11 F4D0 EBF8  5279 5359 2B82 7CD4 1F55
> FreeBSD             |
> _______________________________________________
> freebsd-net at mailing list
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at"


More information about the freebsd-net mailing list