* [PATCH] New match module: byte rate match
From: Chris Wilson @ 2003-01-20 15:58 UTC (permalink / raw)
To: netfilter-devel
Hi all,
NetServers.co.uk would like to submit a new module for your perusal and
hopefully for inclusion in Netfilter. It's based on ipt_limit, but matches
the number of bytes per second instead of the number of packets. This
means that it can be used for basic quality-of-service implementation,
thus:
# limit SMTP traffic from A to B to 4kbytes/s
iptables -A FORWARD -s A -d B -p tcp --dport 25 -m bytelimit --limit 4000/s -j ACCEPT
iptables -A FORWARD -s A -d B -p tcp --dport 25 -j DROP
# classify the first 8kbytes/s of SSH traffic as high priority
iptables -t mangle -A FORWARD -p tcp --dport 22 -m bytelimit --limit 8000/s -j TOS --set-tos minimize-delay
iptables -t mangle -A FORWARD -p tcp --dport 22 -j TOS --set-tos normal
You can download the patches against iptables-1.2.7a userspace and kernel
2.4.19 here:
'http://www.netservers.co.uk/gpl/iptables-bytelimit-030116.tar.gz'
And more information about us, including other GPL software, here:
'http://www.netservers.co.uk/gpl/'
The module is licensed under the GPL, as it is based on ipt_limit. At this
stage, the module is only lightly tested, but it works for us. We hope it
will be useful to someone.
Cheers, Chris.
--
Chris Wilson -- UNIX Firewall Lead Developer
NetServers.co.uk http://www.netservers.co.uk
21 Signet Court, Cambridge, UK. 01223 576516
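The per-packet accounting such a byte-rate match performs, as an added user-space model (not the module's code or the netfilter tree). Field names follow the struct posted later in the thread with C99 `uint32_t` in place of `u_int32_t`; HZ=100, a bucket that starts full and a burst cap of one second of credit are assumptions.

```c
#include <stdint.h>

#define HZ 100  /* assumed: jiffies per second of a 2.4 i386 kernel */

/* Field names follow the struct posted later in the thread. */
struct bytelimit_state {
    uint32_t rate;        /* bytes credited per second (--limit 4000/s => 4000) */
    uint32_t credit_cap;  /* maximum credit that may accumulate (burst) */
    uint32_t jiffy_rate;  /* bytes credited per jiffy = rate / HZ */
    uint32_t credit;      /* current balance, in bytes */
    unsigned long prev;   /* jiffies at the last evaluation */
};

/* Assumed policy: the bucket starts full and may hold one second of credit. */
void bytelimit_init(struct bytelimit_state *s, uint32_t rate, unsigned long now)
{
    s->rate = rate;
    s->credit_cap = rate;
    s->jiffy_rate = rate / HZ;
    s->credit = rate;
    s->prev = now;
}

/* Returns 1 when the packet fits in the credit (rule matches), else 0. */
int bytelimit_match(struct bytelimit_state *s, unsigned long now, uint32_t len)
{
    unsigned long elapsed = now - s->prev;  /* unsigned: safe across jiffy wrap */
    uint64_t refill = (uint64_t)elapsed * s->jiffy_rate + s->credit;
    s->credit = refill > s->credit_cap ? s->credit_cap : (uint32_t)refill;
    s->prev = now;
    if (s->credit >= len) {
        s->credit -= len;
        return 1;
    }
    return 0;  /* no match: traffic falls through to the DROP / normal-TOS rule */
}

/* Constructed traffic: four 1500-byte SMTP segments in one jiffy, then one more
 * half a second later. Returns how many of the five matched the 4000/s rule. */
int simulate_smtp_burst(void)
{
    struct bytelimit_state s;
    int matched = 0, i;
    bytelimit_init(&s, 4000, 1000);
    for (i = 0; i < 4; i++)
        matched += bytelimit_match(&s, 1000, 1500);   /* 2 fit, 2 do not */
    matched += bytelimit_match(&s, 1050, 1500);       /* 50 jiffies refill 2000 */
    return matched;                                   /* 3 */
}
```

Note that the match only spends credit; the second rule in each pair of the examples above is what actually drops or re-marks the traffic that exceeded the rate.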
* Re: [PATCH] New match module: byte rate match
From: Nigel Kukard @ 2003-01-21 10:38 UTC (permalink / raw)
To: Chris Wilson; +Cc: netfilter-devel
There is already a match like this, maintained by LBSD (www.lbsd.net),
and it can be found at ftp://www.lbsd.net.
This patch was rejected because it was said to be a copy of ipt_limit.
Good luck!
--
Nigel Kukard (Chief Executive Officer)
Lando Technologies Africa (Pty) Ltd
nigel@lando.co.za www.lando.co.za
Tel: 083 399 5822 Fax: 086 1100036
Hoheisen Park Bellville, Cape Town
National Internet Service Provider
The best language to use is the language that was designed for
what you want to use it for - 1997
* Re: [PATCH] New match module: byte rate match
From: Laszlo Valko @ 2003-01-21 15:51 UTC (permalink / raw)
To: Chris Wilson; +Cc: netfilter-devel
On Mon, Jan 20, 2003 at 03:58:19PM +0000, Chris Wilson wrote:
> Hi all,
>
> NetServers.co.uk would like to submit a new module for your perusal and
> hopefully for inclusion in Netfilter. It's based on ipt_limit, but matches
> the number of bytes per second instead of the number of packets. This
> means that it can be used for basic quality-of-service implementation,
> thus:
Hi Chris!
Please consider fixing this structure:
struct ipt_bytelimit_info {
        /* Public parameters, supplied from user space */
        u_int32_t rate;         /* Number of bytes credited per second */
        u_int32_t credit_cap;   /* Maximum credit which may accumulate */

        /* Used internally by the kernel */
        u_int32_t jiffy_rate;   /* Number of bytes credited per jiffy */
        unsigned long prev;     /* Time of last match, in jiffies */
        u_int32_t credit;       /* Current balance */
};
Using unsigned long in there will make your code inoperable on 64bit
platforms with 32bit userspace. Please change it to something similar
to this one:
struct ipt_bytelimit_info {
        /* Public parameters, supplied from user space */
        u_int32_t rate;         /* Number of bytes credited per second */
        u_int32_t credit_cap;   /* Maximum credit which may accumulate */

        /* Used internally by the kernel */
        u_int32_t jiffy_rate;   /* Number of bytes credited per jiffy */
        u_int32_t credit;       /* Current balance */
        union {
                unsigned long prev;     /* Time of last match, in jiffies */
                u_int8_t padding[8];    /* Cover prev always */
        } u;
};
Moving credit field upwards one slot will make the structure more
compact on 64bit platforms (24 bytes instead of 28).
You might as well eliminate unsigned long totally, but I'm not sure
whether it's easy considering that jiffies is unsigned long.
Also this is incorrect as r->credit is not of type int,
DEBUGP("ipt_bytelimit: accepted %d bytes, "
       "remaining credit %d\n", packet_size, r->credit);
so you should use the appropriate format specifier (%lu for unsigned long).
I know ipt_limit (that your module is based on) is broken as well,
but it's not easy to fix it without breaking compatibility. On the other
hand, we should not be replicating a broken interface...
Laszlo
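The layout problem Laszlo describes, as an added example (not code from the thread or the netfilter tree). Both structs are redeclared with C99 `uint32_t`, and the size each ABI would compute is modelled by hand so a 32-bit userspace and a 64-bit kernel can be compared on one host; the 28 bytes quoted above is the raw field total, and on LP64 the compiler further pads the original layout to 32. Since a match's checkentry compares the size userspace passed in with its own sizeof and refuses the rule on mismatch, the original layout cannot be loaded through 32-bit iptables on a 64-bit kernel (20 vs 32 bytes), while the union version is 24 bytes on both.

```c
#include <stddef.h>
#include <stdint.h>

struct bytelimit_orig {               /* layout as first posted */
    uint32_t rate, credit_cap, jiffy_rate;
    unsigned long prev;               /* 4 bytes on ILP32, 8 on LP64 */
    uint32_t credit;
};

struct bytelimit_fixed {              /* layout Laszlo proposed */
    uint32_t rate, credit_cap, jiffy_rate, credit;
    union {
        unsigned long prev;
        uint8_t padding[8];           /* keeps the union 8 bytes on both ABIs */
    } u;
};

/* Round off up to the next multiple of align. */
static size_t align_up(size_t off, size_t align)
{
    return (off + align - 1) / align * align;
}

/* sizeof(struct bytelimit_orig) on an ABI where long has the given size and
 * alignment (4 for 32-bit userspace, 8 for a 64-bit kernel), computed by hand
 * so both sides of the kernel/userspace boundary can be compared on one host. */
size_t orig_size_for_long(size_t long_size)
{
    size_t off = 3 * sizeof(uint32_t);           /* rate, credit_cap, jiffy_rate */
    off = align_up(off, long_size) + long_size;  /* prev, after alignment padding */
    off += sizeof(uint32_t);                     /* credit */
    return align_up(off, long_size);             /* trailing pad to struct alignment */
}
/* Same for struct bytelimit_fixed: the union is always 8 bytes, so the size no
 * longer depends on sizeof(long). */
size_t fixed_size_for_long(size_t long_size)
{
    size_t off = 4 * sizeof(uint32_t);           /* four u_int32_t fields */
    off = align_up(off, long_size) + 8;          /* union u */
    return align_up(off, long_size);
}
/* Cross-check the hand model against this compiler's actual layout. */
int model_matches_host(void)
{
    return orig_size_for_long(sizeof(long)) == sizeof(struct bytelimit_orig)
        && fixed_size_for_long(sizeof(long)) == sizeof(struct bytelimit_fixed)
        && offsetof(struct bytelimit_fixed, u) == 4 * sizeof(uint32_t);
}
```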
* Re: [PATCH] New match module: byte rate match
From: Chris Wilson @ 2003-01-21 17:12 UTC (permalink / raw)
To: Laszlo Valko
Hi Laszlo,
Thank you for your advice and comments, which I have followed. You can
find the updated version at:
'http://www.netservers.co.uk/gpl/iptables-bytelimit-030121.tar.gz'
> Using unsigned long in there will make your code inoperable on 64bit
> platforms with 32bit userspace. Please change it to something similar
> to this one:
>
> struct ipt_bytelimit_info {
>         /* Public parameters, supplied from user space */
>         u_int32_t rate;         /* Number of bytes credited per second */
>         u_int32_t credit_cap;   /* Maximum credit which may accumulate */
>
>         /* Used internally by the kernel */
>         u_int32_t jiffy_rate;   /* Number of bytes credited per jiffy */
>         u_int32_t credit;       /* Current balance */
>         union {
>                 unsigned long prev;     /* Time of last match, in jiffies */
>                 u_int8_t padding[8];    /* Cover prev always */
>         } u;
> };
OK, I made it exactly like the above.
> You might as well eliminate unsigned long totally, but I'm not sure
> whether it's easy considering that jiffies is unsigned long.
I think prev should be the same type as jiffies, otherwise it makes
cross-platform compatibility worse, not better =(
> Also this is incorrect as r->credit is not of type int,
>
> DEBUGP("ipt_bytelimit: accepted %d bytes, "
>        "remaining credit %d\n", packet_size, r->credit);
>
> so you should use the appropriate format specifier (%lu for unsigned long).
r->credit is not an unsigned long either, it's u_int32_t, but I
assume you know what you're doing so I changed that too.
> I know ipt_limit (that your module is based on) is broken as well,
> but it's not easy to fix it without breaking compatibility. On the other
> hand, we should not be replicating a broken interface...
No, I certainly agree.
Cheers, Chris.