[isf-wifidog] throttling
Ian White
ian.white at datamile-computers.com
Thu 6 Oct 08:57:36 EDT 2005
The code does have the tc setup, but it's fixed with a limited number of
marks, I think, to point at the right group:
http://www.publicip.org/mirror/dists/source/alpha/

I'm not sure on throttling per user; most systems can be categorised as
guest, user, power user with associated throttle rules.
If you have per user, then you have to set up a tc rule per user etc.,
and your rule chain could get pretty big.

I'd really like to see auth/client control expanded so that
access/bandwidth/iptables can be controlled from the auth server, i.e.
user commands back from the counters update, and server back on the
pong response. In a mesh environment, gateway throttling could be used
to bring business-owned gateways' bandwidth into a mesh when out of
business hours.
>
>
> Throttling is the next main feature to be implemented in the wifidog
> client.
>
> The code below looks okay, but it won't alone implement throttling.
> It simply marks clients' packets to be throttled. There still needs
> to be a throttling framework, such as `tc`, to do the actual work.
>
> Throttling, when implemented, will be much more concise than the
> example below. It will be per-user instead of clumped per class,
> while taking into account the user's status, user's abuse history,
> hotspot monthly limits etc :)
>
> On 6-Oct-05, at 1:43 AM, Ian White wrote:
>
> > Is throttling and user class on the list of changes? Public have
> > already changed their wifidog to support this.
> >
> >
> > From what I've seen they changed,
> >
> > auth.h
> >
> > /** @brief
> >  * This structure contains all the information returned by the
> >  * authentication server
> >  */
> > typedef struct _t_authresponse {
> >     t_authcode authcode;  /**< @brief Authentication code returned by the server */
> >     t_fw_marks classcode; /**< @brief Class code returned by the server for dynamic fw mark */
> > } t_authresponse;
> >
> >
> >
> > auth.c
> >
> > case AUTH_ALLOWED:
> >     client->fw_connection_state = auth_response.classcode;
> >     fw_allow(client->ip, client->mac, auth_response.classcode);
> >     _http_redirect(r->clientSock, "http://%s:%d%sportal/?gw_id=%s",
> >         config_get_config()->auth_servers->authserv_hostname,
> >         config_get_config()->auth_servers->authserv_http_port,
> >         config_get_config()->auth_servers->authserv_path,
> >         config_get_config()->gw_id);
> >     break;
> >
> >
> >
> > i.e. the class of the user comes back as a second item to the auth
> > request.
> >
> > They have different rulesets in fw_iptables
> >
> >
> >
> > iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
> >     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_SUPER, FW_MARK_SUPER);
> > iptables_load_ruleset("super-users", TABLE_WIFIDOG_SUPER);
> >
> > iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
> >     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_TRUSTED, FW_MARK_TRUSTED);
> > iptables_load_ruleset("trusted-users", TABLE_WIFIDOG_TRUSTED);
> >
> > iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
> >     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LIBERATED, FW_MARK_LIBERATED);
> > iptables_load_ruleset("liberated-users", TABLE_WIFIDOG_LIBERATED);
> >
> > iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
> >     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_PROTECTED, FW_MARK_PROTECTED);
> > iptables_load_ruleset("protected-users", TABLE_WIFIDOG_PROTECTED);
> >
> >
> >
> > and marks set in
> >
> >
> >
> >
> > iptables_fw_access(fw_access_t type, char *ip, char *mac, int tag)
> > {
> >     int rc;
> >
> >     fw_quiet = 0;
> >
> >     switch(type) {
> >         case FW_ACCESS_ALLOW:
> >             iptables_do_command("-t mangle -A " TABLE_WIFIDOG_OUTGOING
> >                 " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
> >             iptables_do_command("-t mangle -A " TABLE_WIFIDOG_THROTTLE
> >                 " -d %s -j MARK --set-mark %d", ip, tag);
> >             rc = iptables_do_command("-t mangle -A " TABLE_WIFIDOG_INCOMING
> >                 " -d %s -j ACCEPT", ip);
> >             break;
> >         case FW_ACCESS_DENY:
> >             iptables_do_command("-t mangle -D " TABLE_WIFIDOG_OUTGOING
> >                 " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
> >             iptables_do_command("-t mangle -D " TABLE_WIFIDOG_THROTTLE
> >                 " -d %s -j MARK --set-mark %d", ip, tag);
> >             rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING
> >                 " -d %s -j ACCEPT", ip);
> >             break;
> >         default:
> >             rc = -1;
> >             break;
> >     }
> >
> >     return rc;
> > }
> >
> >
> >
> > Looks like a fairly good solution to me.
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > WiFiDog mailing list
> > WiFiDog at listes.ilesansfil.org
> > http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
> >
> >
>
>
>
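
The quoted reply notes that marking packets does not throttle anything by itself and that `tc` has to do the actual work. As an added example (not code from wifidog or from Public IP), this script prints one HTB class per user class, selected by firewall mark, so the rule count does not grow with the number of users. The guest/user/power split follows the message above; the mark values, rates and interface name are constructed assumptions.

```shell
#!/bin/sh
# Added example: class-based shaping keyed on firewall marks.
# Marks, rates and the device name are constructed placeholders, not
# values from the wifidog or Public IP sources.

# class table: name  mark  classid-minor  guaranteed-rate  ceiling
CLASSES='guest 0x10 10 256kbit 512kbit
user 0x20 20 1mbit 2mbit
power 0x30 30 2mbit 4mbit'

LINK_RATE=8mbit   # assumed total capacity towards the clients

# Print the tc commands for one device; nothing is executed here.
tc_class_rules() {
    dev=$1
    # Traffic carrying no known mark falls into 1:10, the most
    # restrictive class, so an unmarked client is never unshaped.
    echo "tc qdisc add dev $dev root handle 1: htb default 10"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate $LINK_RATE"
    echo "$CLASSES" | while read -r name mark minor rate ceil; do
        # One HTB class per user class ($name), not one per user.
        echo "tc class add dev $dev parent 1:1 classid 1:$minor htb rate $rate ceil $ceil"
        # SFQ shares the class bandwidth fairly between its flows.
        echo "tc qdisc add dev $dev parent 1:$minor handle $minor: sfq perturb 10"
        # The fw classifier matches the mark set by iptables -j MARK.
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle $mark fw flowid 1:$minor"
    done
}

# Number of tc rules for the whole table (independent of user count).
tc_rule_count() { tc_class_rules "$1" | wc -l | tr -d ' '; }

# Run as: ./shape.sh <client-facing-interface>   (prints, does not apply)
if [ "$#" -gt 0 ]; then tc_class_rules "$1"; fi
```

The output can be reviewed and then piped to a root shell on the gateway; the device should be the interface facing the clients, since the marks in the quoted `TABLE_WIFIDOG_THROTTLE` rules are set on traffic destined to the client IP.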