hacking on ipfw

23. August 06

I’ve been hacking on ipfw for the last two days. I wanted to be able to set tos and dscp for packets matching rules and to catch packets by dscp as well (it’s already possible to catch packets by ToS value in ipfw). I found a patch which did this for FreeBSD 5.x, though I had to rewrite most parts of it and added some additional features as well.

So now I’m able to do the following things:

dscp AF32 tcp from any to any in via fxp0 <- a rule that sets the dscp to ‘AF32’ on all incoming TCP packets on fxp0

count tcp from any to any dscp AF11 in via fxp0 <- a rule that counts incoming TCP packets on fxp0 whose dscp is AF11

It’s also possible to change the tos, e.g. ipfw add 100 iptos reliability all ….. The values for iptos are the same as those described in ipfw(8). The list of values for dscp is here: http://www.iana.org/assignments/dscp-registry
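As an added illustration (not code from this post or from the patch), the C below shows what a dscp action has to do to a packet: rewrite only the six DSCP bits, leave the two ECN bits alone, and repair the IPv4 header checksum incrementally rather than recomputing it over the whole header. The sample header, the macro and function names are my own assumptions; the AF11/AF32 codepoint values are the standard RFC 2597 ones.

```c
#include <stdint.h>

/* 6-bit DSCP codepoints (RFC 2474/2597): CSx = x << 3, AFxy = (x << 3) | (y << 1) */
#define DSCP_CS0  0x00
#define DSCP_AF11 0x0a
#define DSCP_AF32 0x1c
#define ECN_MASK  0x03   /* low two ToS bits, left alone by a dscp rewrite */

/* end-around carry: 32-bit partial sum -> 16-bit one's-complement sum */
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* IPv4 header checksum; yields 0 over a header whose checksum field is valid */
uint16_t ip_cksum(const uint8_t *hdr, int hlen) {
    uint32_t sum = 0;
    for (int i = 0; i + 1 < hlen; i += 2)
        sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
    return (uint16_t)~fold(sum);
}

/* Set the DSCP bits, keep ECN, patch the checksum incrementally (RFC 1624 eqn. 3) */
void ip_set_dscp(uint8_t *hdr, uint8_t dscp) {
    uint8_t new_tos = (hdr[1] & ECN_MASK) | (uint8_t)((dscp & 0x3f) << 2);
    uint16_t m  = (uint16_t)hdr[0] << 8 | hdr[1];    /* old first header word */
    uint16_t m2 = (uint16_t)hdr[0] << 8 | new_tos;   /* new first header word */
    uint16_t hc = (uint16_t)hdr[10] << 8 | hdr[11];  /* old checksum */
    uint16_t hc2 = ~fold((uint16_t)~hc + (uint16_t)~m + m2);  /* ~(~HC + ~m + m') */
    hdr[1] = new_tos;
    hdr[10] = hc2 >> 8;
    hdr[11] = hc2 & 0xff;
}

/* Constructed 20-byte header (10.0.0.1 -> 10.0.0.2, TCP) with a valid checksum */
uint8_t *sample_packet(uint8_t tos) {
    static uint8_t h[20] = { 0x45, 0, 0, 0x28, 0x12, 0x34, 0x40, 0, 64, 6,
                             0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
    h[1] = tos; h[10] = h[11] = 0;
    uint16_t c = ip_cksum(h, 20);
    h[10] = c >> 8; h[11] = c & 0xff;
    return h;
}

/* Rewrite a constructed header; return the new ToS byte, or -1 if a full recompute rejects it */
int rewrite_demo(uint8_t old_tos, uint8_t dscp) {
    uint8_t *h = sample_packet(old_tos);
    ip_set_dscp(h, dscp);
    return ip_cksum(h, 20) == 0 ? h[1] : -1;
}
```

rewrite_demo(0x03, DSCP_AF32) yields a ToS byte of 0x73 (AF32 with the ECN CE bits kept), and rewrite_demo(0x73, DSCP_CS0) yields 0x03, which is the "reset to CS0" case discussed in the comments.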

If you’re interested, you can grab the patch for 6-STABLE here: http://people.freebsd.org/~novel/patches/freebsd/ipfw_tos_dscp_20060823_1.diff

Update: http://people.freebsd.org/~novel/patches/freebsd/ipfw_tos_dscp_20060824_1.diff

Update 2: kern/102471

Category: ipfw, src

11 comments on “hacking on ipfw”

  1. Thomas

    Awesome. Thanks. I will test it very soon in our lab. This feature is needed if you want to use VoIP :)

  2. Thomas

    Any plans to add other features like TCP MSS adjustment and setting the DF bit? It’s very useful if you have ADSL users. Some internet sites still have misconfigured their firewall and TCP path-MTU discovery does not work. So I have to set the MSS size manually.

  3. novel

    Thomas, I have no plans for TCP MSS adjustment and setting the DF bit. Though, if you could give me docs that describe how it can be used, I will probably take a look at it if I find it useful. About the patch described in the post, I’ve submitted a PR: kern/102471.

  4. Thomas

    Thanks. About your tos/dscp patch: is there an option where I can reset all tos/dscp tags from a certain interface or IP address?
    Let’s say you do QoS in your network but you don’t trust any external network traffic. So you want to reset/clean all QoS (tos/dscp) flags on the border “router”. Is this possible?

  5. novel

    I think you can do something like: ipfw add dscp CS0 all from any to any via fxp1. That will set the first 6 bits of the ToS header to zero and will not touch the ECN bits. I.e. dscp and tos will be 0 in this case. If tcpdump -vi fxp1 shows tos = 0x00, then everything is alright.

  6. Aston

    I want to get the support for the FreeBSD 6.1 release. Can you provide me a patch for the 6.1 release? I rewrote it for 6.1 but some weird problem exists, like the added opcode O_SET_IPDSCP is not seen by the ipfw2.c file. When I compile the ipfw2.c file it gives errors like:

    error: O_SET_IPTOS undeclared (first use in this function)
    error: O_SET_DSCP undeclared (first use in this function)
    error: O_IPDSCP undeclared (first use in this function)

    Help me, I need the patch urgently.

  7. Novel

    Aston, I don’t have a patch for 6.1. However, it seems I know what’s wrong with it. You should compile it this way:

    Quick way:

    1. cp /usr/src/sys/netinet/ip_fw.h /usr/include/netinet/ip_fw.h
    2. cd /usr/src/sbin/ipfw && make

    (it’s assumed you have rebuilt and installed the patched kernel already)

    Slow way:

    1. make buildworld installworld

    I hope it fixes the problem.

  8. Aston

    Thanks, I got it and already made it run on FreeBSD 6.1.

    I have one question. If I use ipfw at bridge level, could it work as it should (setting the tos and dscp bits for particular traffic at bridge level)?

    Need to know

  9. novel

    Aston, I don’t use bridging so I cannot answer your question, you should find it out yourself.

  10. Aston

    When I run the ipfw rule to set the tos bit, the kernel generates an error like

    kernel:arp: unknown hardware address format (0x0002)

    The error log is generated from the if_ether.c file.

    What is happening out there?

    with regards

    aston

  11. Gog

    Is this patch working for FreeBSD 5.4 as well?
