hacking on ipfw
I’ve been hacking on ipfw for the last two days. I wanted to be able to set the ToS and DSCP values of packets matching rules, and to match packets by DSCP as well (matching packets by ToS value is already possible in ipfw). I found a patch which did this for FreeBSD 5.x, though I had to rewrite most parts of it, and I added some additional features as well.
So now I’m able to do the following things:
dscp AF32 tcp from any to any in via fxp0 <- that’s a rule for setting the DSCP to ‘AF32’ on all incoming TCP packets on fxp0
count tcp from any to any dscp AF11 in via fxp0 <- that’s a rule for counting incoming TCP packets on fxp0 whose DSCP is AF11
It’s also possible to change the ToS, e.g. ipfw add 100 iptos reliability all ….. The values accepted for iptos are the same as described in ipfw(8). The list of values for dscp is here: http://www.iana.org/assignments/dscp-registry
If you’re interested, you can grab the patch for 6-STABLE here: http://people.freebsd.org/~novel/patches/freebsd/ipfw_tos_dscp_20060823_1.diff
Update: http://people.freebsd.org/~novel/patches/freebsd/ipfw_tos_dscp_20060824_1.diff
Update 2: kern/102471
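The bit arithmetic behind the dscp action and the dscp match option, as an added example (not code from the patch or the post): the IP ToS byte holds the 6-bit DSCP in its upper bits and the 2 ECN bits below it, so a DSCP rewrite must replace the upper six bits while leaving ECN alone. The name-to-codepoint mapping follows the IANA registry linked above (AFxy = xxxyy0, CSx = xxx000, EF = 101110); the function names and the sample ToS values are this example’s own.

```c
/* Added example, not the ipfw patch itself: DSCP/ToS byte handling for
 * rules like "dscp AF32 tcp from any to any in via fxp0" (set action) and
 * "count tcp from any to any dscp AF11 in via fxp0" (match option).
 * ToS byte layout: bits 7..2 = DSCP, bits 1..0 = ECN (RFC 3168). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DSCP_INVALID 0xff

/* Map an IANA DSCP name (AFxy, CSx, EF) to its 6-bit codepoint. */
static uint8_t dscp_from_name(const char *name)
{
    if (strcmp(name, "EF") == 0)
        return 46;                              /* 101110 */
    if (name[0] == 'C' && name[1] == 'S' && name[2] >= '0' && name[2] <= '7'
        && name[3] == '\0')
        return (uint8_t)((name[2] - '0') << 3); /* CSx = xxx000 */
    if (name[0] == 'A' && name[1] == 'F' && name[2] >= '1' && name[2] <= '4'
        && name[3] >= '1' && name[3] <= '3' && name[4] == '\0')
        return (uint8_t)(((name[2] - '0') << 3) | ((name[3] - '0') << 1)); /* AFxy = xxxyy0 */
    return DSCP_INVALID;
}

/* Action "dscp NAME": rewrite the upper 6 bits, keep the 2 ECN bits. */
static uint8_t tos_set_dscp(uint8_t tos, const char *name)
{
    uint8_t cp = dscp_from_name(name);
    if (cp == DSCP_INVALID)
        return tos;                 /* unknown name: leave the packet untouched */
    return (uint8_t)((cp << 2) | (tos & 0x03));
}

/* Match option "dscp NAME": compare only the DSCP field, ignore ECN. */
static int tos_matches_dscp(uint8_t tos, const char *name)
{
    uint8_t cp = dscp_from_name(name);
    return cp != DSCP_INVALID && (tos >> 2) == cp;
}

int main(void)
{
    uint8_t tos = 0x2a;   /* constructed sample: AF11 (001010) with ECN bits 10 */
    printf("in : tos=0x%02x, matches dscp AF11: %d\n", tos, tos_matches_dscp(tos, "AF11"));
    tos = tos_set_dscp(tos, "AF32");   /* "dscp AF32 ... in via fxp0": 0x72, ECN kept */
    printf("out: tos=0x%02x\n", tos);
    tos = tos_set_dscp(tos, "CS0");    /* "dscp CS0 all from any to any via fxp1": 0x02 */
    printf("cleared: tos=0x%02x (ECN bits still set)\n", tos);
    return 0;
}
```

Note that a dscp CS0 rule zeroes only the DSCP field, so tcpdump will still show a non-zero ToS byte on packets that carried ECN bits.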
Awesome. Thanks. I will test it very soon in our lab. This feature is needed if you like to use VoIP :)
Any plans to add other features like TCP MSS adjustment and setting the DF bit? It’s very useful if you have ADSL users. Some internet sites still have misconfigured their firewall and TCP path-MTU discovery does not work. So I have to set the MSS size manually.
Thomas, I have no plans about TCP MSS adjustment and setting the DF bit. Though, if you could give me docs that describe how it can be used, I will probably take a look at it if I find it useful. About the patch described in the post, I’ve submitted a PR: kern/102471.
Thanks. About your tos/dscp patch: is there an option where I can reset all tos/dscp tags from a certain interface or IP address?
Let’s say you do QoS in your network but you don’t trust any external network traffic. So you want to reset/clean all QoS (tos/dscp) flags on the border “router”. Is this possible?
I think you can do something like: ipfw add dscp CS0 all from any to any via fxp1. That will set the first 6 bits of the ToS header to zero and will not touch the ECN bits. I.e. dscp and tos will be 0 in this case. If tcpdump -vi fxp1 shows tos = 0x00, then everything is alright.
I want to get the support for the FreeBSD 6.1 release. Can you provide me a patch for the 6.1 release? I rewrote it for 6.1 but some weird problems exist, like the added opcode O_SET_IPDSCP not being seen by the ipfw2.c file. When I compile ipfw2.c it gives errors like:
error: O_SET_IPTOS undeclared (first use in this function)
error: O_SET_DSCP undeclared (first use in this function)
error: O_IPDSCP undeclared (first use in this function)
Help me, I need the patch urgently.
Aston, I don’t have a patch for 6.1. However, it seems I know what’s wrong with it. You should compile it this way:
1. Quick way
(it’s assumed you have rebuilt and installed the patched kernel already)
2. Slow way
I hope it fixes the problem.
Thanks, I got it and already made it run on FreeBSD 6.1.
I have one question. If I use ipfw at bridge level, would it work as it should (setting the tos and dscp bits for particular traffic at bridge level)?
Need to know.
Aston, I don’t use bridging, so I cannot answer your question; you should find it out yourself.
When I run the ipfw rule to set the tos bit, the kernel generates an error like
kernel:arp: unknown hardware address format (0x0002)
The error log is generated from if_ether.c file.
What is happening out there?
with regards
aston
Is this patch working for FreeBSD 5.4 as well?