--- chapter.sgml.orig Mon Sep 24 00:38:28 2007
+++ chapter.sgml Mon Sep 24 02:02:55 2007
@@ -3355,7 +3355,160 @@
################ End of IPFW rules file ###############################
+
+
+ Using Dummy
+
+ Dummynet is a traffic shaper, bandwidth manager and delay emulator which may
+ be used to simulate different types of physical links. It can also be
+ "misused" as a traffic shaper.
+
+ Dummynet offers two objects. Pipes are an abstraction of a given link, having
+ a certain bandwidth, delay and loss. Queue are an abstraction used to implement
+ weighted fair queuing. In practice, pipes can be used to set hard limits to the
+ bandwidth that a flow can use, wheres queues can be used to determine how different
+ flows share that bandwidth.
+
+ Please note that, in order for dummynet to work correctly, it is highly recommended to
+ increase the system clock tick. This can be accomplished by adding the following kernel option:
+ options HZ=1000
+
+ Use the following command to configure a pipe which has 4Kbps
+ and a 100ms delay:
+ &prompt.root; ipfw pipe 10 config bw 4Kbit/s delay 100
+
+ To use this pipe, i.e. have some traffic go through it, use the following command:
+ &prompt.root; ipfw -q add pipe 10 all from 10.0.0.0/24 to any
+
+ Please note that to properly limit users, one should create separate pipes for download and upload.
+
+
+ Using the above pipe configuration, all LAN users compete for the
+ same bandwidth. If you would like to assign each of them 4Kbps
+ download and upload, you may create dynamic pipes based on the
+ source IP (for uplink) or destination IP (for downlink):
+ &prompt.root; ipfw pipe 10 config bw 4Kbit/s src-ip 0xffffffff
+&prompt.root; ipfw pipe 11 config bw 4Kbit/s dst-ip 0xffffffff
+&prompt.root; ipfw -q add pipe 10 all from any to any recv $if_lan
+&prompt.root; ipfw -q add pipe 11 all from any to any xmit $if_lan
+
+
+
+
+ Using Tables
+
+ Tables are a way of refering to multiple IP addresses
+ using a single identifier. They are useful in the following
+ situations:
+
+
+
+ you must apply the same rule to a lot of IP addresses
+ (table lookups are fast)
+
+
+ you must apply a lot of rules to some IP addresses
+ (use tables to add / remove IP addresses from a single location
+ in the ruleset)
+
+
+
+ IP addresses contained in a table may also have an optional 32-bit unsigned value
+ assigned to it. A rule may be written in such a way that it will only match if the IP
+ found in a table has been assigned a specific value.
+
+ These are the commands used to manipulate tables from the shell:
+
+ Clear all IPs from a table:
+ &prompt.root; ipfw table 10 flush
+
+ Add a single IP address to a table:
+ &prompt.root; ipfw table 10 add 172.27.0.1
+
+ Add a CIDR network to a table:
+ &prompt.root; ipfw table 10 add 192.168.0.0/24
+
+ Add a CIDR network to a table and also assign a value to it:
+ &prompt.root; ipfw table 10 add 192.168.0.0/24 100
+
+ List the contents of a table:
+ &prompt.root; ipfw table 10 list
+
+ To use the table in a firewall rule, type something like this:
+ &prompt.root; ipfw -q add allow tcp from "table(10)" to any
+
+ Or, to use the table and the value in a firewall rule, type something like this:
+ &prompt.root; ipfw -q add allow tcp from "table(10,100)" to any
+
+ The following listing is an example of how one could use tables in a ruleset:
+
+ #!/bin/sh
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# Set rules command prefix
+cmd="ipfw -q add"
+table="ipfw -q table"
+
+# Create a table with all IPs allowed to connect to SSH
+$table 1 flush # required
+$table 1 add 172.27.0.1 # single IP address
+$table 1 add 192.168.0.0/24 # CIDR network
+
+# Actual rule which allows SSH
+$cmd allow from "table(1)" to me 22 keep-state
+
+# Deny everything else
+$cmd deny from any to any
+
+ Here is another example, in which tables and values are used
+ to group clients into multiple bandwidth limitations
+ depending on their subscription:
+
+ #!/bin/sh
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# Set rules command prefix
+cmd="ipfw -q add"
+table="ipfw -q table"
+pipe="ipfw -q pipe"
+if_net="em0"
+
+#
+# Pipes
+#
+
+# Please note that dynamic pipes will be created for each client.
+# In other words, clients DO NOT compete for the bandwidth.
+
+# First subscription rate.
+$pipe 10 config queue 10 bw 512Kbit/s mask src-ip 0xffffffff # uplink
+$pipe 11 config queue 10 bw 512Kbit/s mask dst-ip 0xffffffff # downlink
+
+# Second subscription rate.
+$pipe 20 config queue 10 bw 768Kbit/s mask src-ip 0xffffffff # uplink
+$pipe 21 config queue 10 bw 768Kbit/s mask dst-ip 0xffffffff # downlink
+
+# Create a table with all IPs allowed to have Internet connection.
+# Note that although it is not required, values are the same
+# as the bandwidth which will be given to the client.
+$table 1 flush # required
+$table 1 add 172.27.0.2 512 # 512Kbps client
+$table 1 add 172.27.0.3 768 # 768Kbps client
+$table 1 add 172.27.0.4 512 # 512Kbps client
+
+# Actual rules which classify the traffic
+$cmd pipe 10 all from "table(1,512)" to any xmit $if_net
+$cmd pipe 11 all from any to "table(1,512)" recv $if_net
+$cmd pipe 20 all from "table(1,768)" to any xmit $if_net
+$cmd pipe 21 all from any to "table(1,768)" recv $if_net
+
+# Deny everything else
+$cmd deny all from any to any
+
+