[isf-wifidog] throttling

Ian White ian.white at datamile-computers.com
Thu 6 Oct 08:57:36 EDT 2005


The code does have the tc setup, but it's fixed with a limited number of 
marks, I think, to point at the right group

http://www.publicip.org/mirror/dists/source/alpha/

I'm not sure on throttling per user; most systems can be categorised as 
guest, user, power user with associated throttle rules.

If you have per user, then you have to set up a tc rule per user etc., 
and your rule chain could get pretty big.

I'd really like auth/client control to be expanded so that 
access/bandwidth/iptables can be controlled from the auth server, i.e. 
user commands back from the counters update, and server back on the 
pong response. In a mesh environment, gateway throttling could be used 
to bring business-owned gateways' bandwidth into a mesh when out of 
business hours.
> 
> 
> Throttling is the next main feature to be implemented in the wifidog  
> client.
> 
> The code below looks okay, but it won't alone implement throttling.   
> It simply marks clients' packets to be throttled.  There still needs  
> to be a throttling framework, such as `tc`, to do the actual work.
> 
> Throttling, when implemented, will be much more concise than the  
> example below.  It will be per-user instead of clumped per class,  
> while taking into account the user's status, user's abuse history,  
> hotspot monthly limits etc :)
> 
> On 6-Oct-05, at 1:43 AM, Ian White wrote:
> 
> > Is throttling and user class on the list of changes? Public have  
> > already changed their wifidog to support this.
> >
> >
> >> From what I've seen they changed,
> >>
> >
> > auth.h
> >
> >
> >
> > /** @brief
> >  * This structure contains all the information returned by the
> >  * authentication server
> >  */
> > typedef struct _t_authresponse {
> >     t_authcode authcode;  /**< @brief Authentication code returned by the server */
> >     t_fw_marks classcode; /**< @brief Class code returned by the server for dynamic fw mark */
> > } t_authresponse;
> >
> >
> >
> > auth.c
> >
> > case AUTH_ALLOWED:
> >     client->fw_connection_state = auth_response.classcode;
> >     fw_allow(client->ip, client->mac, auth_response.classcode);
> >     _http_redirect(r->clientSock, "http://%s:%d%sportal/?gw_id=%s",
> >         config_get_config()->auth_servers->authserv_hostname,
> >         config_get_config()->auth_servers->authserv_http_port,
> >         config_get_config()->auth_servers->authserv_path,
> >         config_get_config()->gw_id);
> >     break;
> >
> >
> >
> > i.e. the class of the user comes back as a second item to the auth  
> > request.
> >
> > They have different rulesets in  fw_iptables
> >
> >
> >
> > iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
> >     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_SUPER, FW_MARK_SUPER);
> > iptables_load_ruleset("super-users", TABLE_WIFIDOG_SUPER);
> >
> > iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
> >     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_TRUSTED, FW_MARK_TRUSTED);
> > iptables_load_ruleset("trusted-users", TABLE_WIFIDOG_TRUSTED);
> >
> > iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
> >     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LIBERATED, FW_MARK_LIBERATED);
> > iptables_load_ruleset("liberated-users", TABLE_WIFIDOG_LIBERATED);
> >
> > iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
> >     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_PROTECTED, FW_MARK_PROTECTED);
> > iptables_load_ruleset("protected-users", TABLE_WIFIDOG_PROTECTED);
> >
> >
> >
> > and marks set in
> >
> >
> >
> >
> > int
> > iptables_fw_access(fw_access_t type, char *ip, char *mac, int tag)
> > {
> >     int rc;
> >
> >     fw_quiet = 0;
> >
> >     switch (type) {
> >         case FW_ACCESS_ALLOW:
> >             /* Tag the client's outgoing packets with its class mark. */
> >             iptables_do_command("-t mangle -A " TABLE_WIFIDOG_OUTGOING
> >                 " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
> >             /* Tag traffic destined for the client with the same mark. */
> >             iptables_do_command("-t mangle -A " TABLE_WIFIDOG_THROTTLE
> >                 " -d %s -j MARK --set-mark %d", ip, tag);
> >             rc = iptables_do_command("-t mangle -A " TABLE_WIFIDOG_INCOMING
> >                 " -d %s -j ACCEPT", ip);
> >             break;
> >         case FW_ACCESS_DENY:
> >             /* Delete the same three rules that FW_ACCESS_ALLOW appended. */
> >             iptables_do_command("-t mangle -D " TABLE_WIFIDOG_OUTGOING
> >                 " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
> >             iptables_do_command("-t mangle -D " TABLE_WIFIDOG_THROTTLE
> >                 " -d %s -j MARK --set-mark %d", ip, tag);
> >             rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING
> >                 " -d %s -j ACCEPT", ip);
> >             break;
> >         default:
> >             rc = -1;
> >             break;
> >     }
> >
> >     return rc;
> > }
> >
> >
> >
> > Looks like a fairly good solution to me.
> >
> 
> 
> 

-- 
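The thread notes that the iptables marks only tag packets and that `tc` still has to do the shaping, and that per-user throttling needs a rule per user. The following added example (not code from the thread or from the WiFiDog source) is a dry-run generator that prints the `tc` commands for both approaches so the rule counts can be compared; the device name, mark numbers, class names' rates and the helper function names are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints tc commands instead of executing them (dry run).
# Assumed, not from the thread: device name, mark numbers and rates.
DEV="${DEV:-eth0}"

# Constructed class table: "<fw mark> <name> <rate> <ceil>"
CLASSES="1 guest 128kbit 256kbit
2 user 512kbit 1mbit
3 power 1mbit 2mbit"

# Root HTB qdisc; traffic without a matching mark lands in class 1:1,
# the most restricted one.
emit_root() {
    echo "tc qdisc add dev $DEV root handle 1: htb default 1"
}

# One HTB class plus one fw filter per mark. The fw filter matches the
# netfilter mark set by "-j MARK --set-mark" and selects the class.
emit_shaper() {  # args: mark rate ceil
    echo "tc class add dev $DEV parent 1: classid 1:$1 htb rate $2 ceil $3"
    echo "tc filter add dev $DEV parent 1: protocol ip prio 1 handle $1 fw flowid 1:$1"
}

# Per-class throttling: the rule count is fixed by the number of classes.
emit_per_class() {
    emit_root
    echo "$CLASSES" | while read -r mark name rate ceil; do
        emit_shaper "$mark" "$rate" "$ceil"
    done
}

# Per-user throttling: each client needs its own mark, class and filter,
# so the rule set grows linearly with the number of connected users.
emit_per_user() {  # arg: number of users
    emit_root
    i=1
    while [ "$i" -le "$1" ]; do
        emit_shaper "$((i + 100))" 256kbit 256kbit
        i=$((i + 1))
    done
}

# Number of tc commands a generator emits.
count_rules() { "$@" | wc -l | tr -d ' '; }

emit_per_class
```

With three classes the shaper needs 7 commands regardless of how many clients are connected; `count_rules emit_per_user 50` gives 101.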