This patch enables setting up IPFW2 rules that limit traffic by means of the firewall byte counter. The patch consists of two parts:

* ipfw_bound.patch adds two options to IPFW2: "bound" and "check-bound".

  - bound VALUE. VALUE is a number giving the limit for the rule's byte counter. Once the counter exceeds VALUE the rule stops working. The number of bytes may be given with the suffixes K, M, G (for kilo-, mega- and gigabytes respectively). The /sbin/ipfw tool shows the _bound_ value with a suffix where possible; this abbreviation can be disabled with the -H command line option. Example:

      # ipfw add 100 allow ip from any to any bound 10K
      # ipfw add 200 deny ip from any to any

    Rule 100 works as long as its byte counter does not exceed 10 kilobytes. Once 10K is exceeded, ipfw skips the rule.

  - check-bound NUM. NUM is the number of a firewall rule that carries a _bound_ limit. When walking the rules, the firewall checks whether the counter of rule NUM exceeds its _bound_ limit. NOTE: rule NUM must be located after the rule with _check-bound_. It is recommended to place the _check-bound_ rule as close as possible to the _bound_ rule to reduce the search time. For example:

      # ipfw add 100 allow ip from A.B.C.D to any out xmit internet check-bound 200
      # ipfw add 200 allow ip from any to A.B.C.D in recv internet bound 100M
      # ipfw add 300 deny ip from any to any via internet

    In this example rules 100 and 200 work until user A.B.C.D has received 100 megabytes of incoming traffic via interface _internet_. After 100 megabytes have been reached, both incoming and outgoing access is forbidden for that user.

* bound_change.patch adds a control call to IPFW2 that modifies the _bound_ limit without zeroing the rule counters. ipfw_bound.patch must be applied first. The syntax is:

      # ipfw bound RULE_NUM [set N] change NEW_BOUND

    RULE_NUM - rule number carrying the _bound_ limit;
    N - rule set number (set 0 is used by default);
    NEW_BOUND - new value for the bound limit.
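The evaluation semantics described above (a bounded rule is skipped once its byte counter passes its limit, and a check-bound rule looks for rule NUM only after itself), as an added model that is not part of the patch: a small Python simulation of rule walking, reduced to matching on (direction, host). Assumed, since the text does not state it: a check-bound rule whose target is missing or located earlier is skipped, and the model ends with an implicit deny.

```python
SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_bound(text):
    """Parse a bound such as '10K', '100M' or '512' into a byte count."""
    if text[-1].upper() in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1].upper()]
    return int(text)

class Rule:
    # matching is reduced to (direction, host); real ipfw matches far more
    def __init__(self, num, action, direction=None, host=None, bound=None, check=None):
        self.num, self.action, self.direction, self.host = num, action, direction, host
        self.bound = parse_bound(bound) if bound else None   # "bound VALUE"
        self.check = check                                   # "check-bound NUM"
        self.bytes = 0                                       # the rule's byte counter

    def matches(self, direction, host):
        return self.direction in (None, direction) and self.host in (None, host)

def exceeded(rule):
    return rule.bound is not None and rule.bytes > rule.bound

def filter_packet(rules, direction, host, size):
    """Walk the ascending rule list for one packet and return the action taken."""
    for i, r in enumerate(rules):
        if not r.matches(direction, host):
            continue
        if exceeded(r):                      # bounded rule over its limit: skipped
            continue
        if r.check is not None:              # search for rule NUM *after* this rule only
            target = next((t for t in rules[i + 1:] if t.num == r.check), None)
            if target is None or exceeded(target):   # assumption: missing target = skip
                continue
        r.bytes += size
        return r.action
    return "deny"                            # model's implicit default rule (assumption)

def quota_example(megabytes_in):
    """Rules 100/200/300 from the text: deliver megabytes_in MB inbound to A.B.C.D,
    then report the verdicts for one outgoing and one incoming packet."""
    rules = [
        Rule(100, "allow", "out", "A.B.C.D", check=200),
        Rule(200, "allow", "in", "A.B.C.D", bound="100M"),
        Rule(300, "deny"),
    ]
    for _ in range(megabytes_in):
        filter_packet(rules, "in", "A.B.C.D", 1024 ** 2)
    return (filter_packet(rules, "out", "A.B.C.D", 64),
            filter_packet(rules, "in", "A.B.C.D", 64))
```

Once rule 200 has counted more than 100 megabytes, rule 100 is skipped through its check-bound and rule 200 through its own bound, so rule 300 denies both directions.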
This patch is available for:

* FreeBSD-CURRENT (checked on 23.05.2005)
* FreeBSD 5.4-STABLE (RELENG_5) (checked on 23.05.2005)
* FreeBSD 5.4-RELEASE (RELENG_5_4)

Install.

To install the patch, download the files relevant to your system from the location above and follow the standard procedure. If the system sources are in /usr/src, do the following:

  # cd /usr/src
  # patch < /path/to/ipfw_bound.patch
  # patch < /path/to/bound_change.patch

then compile. For the bound_change patch the kernel must be recompiled. If ipfw is used as a loadable module, it is sufficient for ipfw_bound to recompile the module and the ipfw utility. When compiling the ipfw utility it may be necessary to replace some header files or to add an extra search path for the headers:

  # env CFLAGS=-I/usr/src/sys/netinet

List of modified files.

  sbin/ipfw/ipfw2.c
  sys/netinet/ip_fw.h
  sys/netinet/ip_fw2.c
  sys/netinet/in.h
  sys/netinet/raw_ip.c

PS. The patches for CURRENT and STABLE may need revision, as these branches change continuously.

(C) Andrey V. Elsukov, bu7cher[at]yandex.ru