 From:  Rob Parker <rob dot parker at keycom dot co dot uk>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  IPFW2 ruleset for per-user bandwidth restriction
 Date:  Mon, 22 Nov 2004 16:23:02 -0000
Hi All,

I'm currently writing some patches to Dinesh's radius authentication code
which will allow our m0n0walls to authenticate against RADIUS and receive a
series of attributes in return, namely Nomadix-Bw-Up and Nomadix-Bw-Down
(although it can receive any number of standard or VSA attributes too). Once
these attributes are received, I'd like to use them to restrict the user to
the bandwidth specified in them. I have the RADIUS patches completed
successfully, if a little rushed, but they work quite well...

However, I'm now at the stage of writing the code to add the rules to create
the pipes for each user when they log in, and delete the rules when they log
out/expire. I've never used the multiple-set ability of IPFW2 before, so I'm
slightly at a loss. If anyone has any 'examples' of how this could be
achieved, I'd be very grateful, or can tell me which ruleset I should be
updating, and how, etc. I've scoured the relevant code and I'm now more
confused :) Obviously once I have completed these patches I'll be submitting
them to Kasper as I believe they'll be quite useful for others :) The rules
I've been trying to use so far (without much success), are as follows.

	// Pipe for traffic sent by the client
	exec("/sbin/ipfw add pipe $up_rule_number ip from $clientip to any");
	exec("/sbin/ipfw pipe $up_rule_number config bw " . $bw_down . "Kbit/s queue 10");
	// Pipe for traffic sent to the client
	exec("/sbin/ipfw add pipe $down_rule_number ip from any to $clientip");
	exec("/sbin/ipfw pipe $down_rule_number config bw " . $bw_up . "Kbit/s queue 10");

Any help or pointers gratefully received :)
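
Added example, not part of the original message and not m0n0wall code: the bandwidth values in the rules above arrive from a RADIUS server and are interpolated into a shell command line, so this sketch validates every value before building the login and logout command lists. The function names, the rule-number-equals-pipe-number scheme, the 1000000 Kbit/s ceiling and the mapping of Nomadix-Bw-Up to traffic from the client are assumptions.

```php
<?php
// Added example (not m0n0wall code). Names and the numbering scheme
// (rule number == pipe number) are assumptions for illustration.

// Accept only a decimal integer in [1, $max]; anything else is rejected.
function require_uint($value, $label, $max) {
    $s = (string)$value;
    if (!ctype_digit($s) || (int)$s < 1 || (int)$s > $max) {
        throw new InvalidArgumentException("invalid $label");
    }
    return (int)$s;
}
// Commands to run at login: configure both pipes, then add the rules.
function build_login_commands($clientip, $bw_up, $bw_down, $up_pipe, $down_pipe) {
    if (filter_var($clientip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException('invalid client IP');
    }
    $bw_up     = require_uint($bw_up, 'Nomadix-Bw-Up', 1000000);
    $bw_down   = require_uint($bw_down, 'Nomadix-Bw-Down', 1000000);
    $up_pipe   = require_uint($up_pipe, 'up pipe number', 65534);
    $down_pipe = require_uint($down_pipe, 'down pipe number', 65534);
    $ip = escapeshellarg($clientip); // defence in depth after validation
    return array(
        "/sbin/ipfw pipe $up_pipe config bw {$bw_up}Kbit/s queue 10",
        "/sbin/ipfw add $up_pipe pipe $up_pipe ip from $ip to any",
        "/sbin/ipfw pipe $down_pipe config bw {$bw_down}Kbit/s queue 10",
        "/sbin/ipfw add $down_pipe pipe $down_pipe ip from any to $ip",
    );
}
// Commands to run at logout/expiry: remove the rules, then the pipes.
function build_logout_commands($up_pipe, $down_pipe) {
    $up_pipe   = require_uint($up_pipe, 'up pipe number', 65534);
    $down_pipe = require_uint($down_pipe, 'down pipe number', 65534);
    return array(
        "/sbin/ipfw delete $up_pipe $down_pipe",
        "/sbin/ipfw pipe delete $up_pipe",
        "/sbin/ipfw pipe delete $down_pipe",
    );
}

// Constructed sample values; the commands are printed, not executed.
print_r(build_login_commands('192.168.1.50', '256', '1024', 10000, 10001));
print_r(build_logout_commands(10000, 10001));
try {
    // Constructed hostile attribute value: must never reach exec().
    build_login_commands('192.168.1.50', '256; echo injected', '1024', 10000, 10001);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Giving each rule an explicit number at login is what lets the logout path delete exactly that user's rules and pipes later.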