I am in need of a prepaid IP accounting scheme for FreeBSD. What I want to be
able to do is: I want to allocate a certain byte quota to an IP address (or a
subnetwork) and have the kernel automatically block the address as soon as the
quota has been used up, optionally generating a kernel message.

This can, of course, be implemented in user space by polling some ipfw
counters and adding the blocking rules as soon as the limit has been reached,
but somehow I'd like a kernel-based solution better.

I'd want to have a few additions to "ipfw" which would work like this:

To set up a quota entry, one would use

    ipfw quota <id> quota <bytecount> [ warn <warncount> ]

where <id> would be an alphanumeric identifier and <bytecount> would be the
quota allocated. <warncount> would be a byte count which would define at what
remaining byte quota the kernel would generate a warning message.

To actually use a quota set up like this, a new action for ipfw would be
defined which would deduct the packet being processed from a quota entry and
block the packet if the quota has been used up:

    ipfw add quota <id> ip from A to B

Typically, this system would be used in conjunction with a program listening
for syslog messages and processing the quota-related messages.

My questions are: Would this be useful to anyone else? Are there any
suggestions? Is blocking the packet the only meaningful action which would be
taken when the quota has been used up? Should the blocking action be handled
from user mode instead?

finger email@example.com for details
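
An added illustration, not part of the original message and not ipfw code: a small C model of the per-packet decision the proposed "quota" action would make. The struct, function and field names are hypothetical, and two policies are assumptions: a packet that does not fit in the remaining quota ends the quota for good, and each of the two messages is logged only once so an exhausted entry cannot flood syslog.

```c
#include <stdint.h>
#include <stdio.h>

enum quota_verdict { QUOTA_PASS, QUOTA_BLOCK };

/* Hypothetical quota entry; all names here are assumptions. */
struct quota_entry {
    char     id[16];     /* alphanumeric <id> */
    uint64_t remaining;  /* bytes left of <bytecount> */
    uint64_t warn;       /* <warncount>; 0 disables the warning */
    int      warned;     /* warning already logged */
    int      exhausted;  /* sticky once the quota has run out */
    unsigned messages;   /* log lines emitted so far */
};

/* Charge one packet against the entry and return the verdict.
 * printf stands in for the kernel message the proposal mentions. */
enum quota_verdict quota_charge(struct quota_entry *q, uint32_t pktlen)
{
    if (q->exhausted)
        return QUOTA_BLOCK;           /* already reported, stay silent */
    if (pktlen > q->remaining) {      /* compare before subtracting: no underflow */
        q->exhausted = 1;
        q->messages++;
        printf("quota %s: used up, blocking\n", q->id);
        return QUOTA_BLOCK;
    }
    q->remaining -= pktlen;
    if (q->warn != 0 && !q->warned && q->remaining <= q->warn) {
        q->warned = 1;                /* warn once, at the threshold crossing */
        q->messages++;
        printf("quota %s: %llu bytes left\n", q->id,
               (unsigned long long)q->remaining);
    }
    return QUOTA_PASS;
}

int main(void)
{
    /* Constructed sample: 5000-byte quota, warning at 1000 bytes remaining. */
    struct quota_entry q = { "cust1", 5000, 1000, 0, 0, 0 };
    uint32_t pkts[] = { 1500, 1500, 1500, 1500, 40 };  /* constructed sizes */
    for (size_t i = 0; i < sizeof(pkts) / sizeof(pkts[0]); i++)
        printf("len %u -> %s\n", (unsigned)pkts[i],
               quota_charge(&q, pkts[i]) == QUOTA_PASS ? "pass" : "block");
    return 0;
}
```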