From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 8 04:40:51 2007
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Date: Mon, 08 Oct 2007 08:40:28 +0400
To: edwin@FreeBSD.org
Cc: freebsd-ipfw@FreeBSD.org, freebsd-bugs@FreeBSD.org
Message-ID: <4709B4BC.60708@yandex.ru>
In-Reply-To: <200710061138.l96BcKQp013208@freefall.freebsd.org>
Subject: Re: bin/113803: [patch] bin/ipfw.8 - don't get bitten by the fwd rule

edwin@FreeBSD.org wrote:
> Maybe somebody from the mailinglist wants to comment on the PR.

Yes, packet forwarding may work only when compiled into a custom kernel. I think having a full chapter about ipfw-specific kernel options and a small howto about building a custom kld (without a kernel rebuild) would be good.

-- 
WBR, Andrey V. Elsukov
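Andrey's point is that the fwd action depends on a kernel option, options IPFIREWALL_FORWARD in this era, on top of options IPFIREWALL: a kernel built without it accepts the rule but never redirects a packet, which is the trap the PR title refers to, and the same holds for an ipfw module built without the define, hence his suggestion of a howto for building the kld. The script below is an added example, not part of the PR, the ipfw.8 patch or Andrey's message: it checks a kernel configuration text for those options. Reading the running kernel's configuration through sysctl -n kern.conftxt assumes the kernel was built with options INCLUDE_CONFIG_FILE; the sample configuration is constructed here, modelled on the one posted later in this digest.

```shell
#!/bin/sh
# Added example: check whether a kernel configuration contains the options
# that "ipfw fwd" depends on. Not part of the PR or of the thread.

# has_kern_option CONFIG_TEXT OPTION
# Succeeds when CONFIG_TEXT has an uncommented "options OPTION" line.
# The trailing class stops IPFIREWALL from matching IPFIREWALL_FORWARD
# and lets "options HZ=1000" style lines match on their name.
has_kern_option() {
    printf '%s\n' "$1" |
        grep -Eq "^[[:space:]]*options[[:space:]]+${2}([[:space:]=#]|\$)"
}

# fwd_support_status CONFIG_TEXT
# Prints "ok" when IPFIREWALL and IPFIREWALL_FORWARD are both present,
# otherwise "missing: <options>"; the exit status mirrors the result.
fwd_support_status() {
    missing=""
    for opt in IPFIREWALL IPFIREWALL_FORWARD; do
        has_kern_option "$1" "$opt" || missing="$missing $opt"
    done
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# running_kernel_config
# Emits the running kernel's configuration. Assumption: a FreeBSD kernel
# built with "options INCLUDE_CONFIG_FILE"; prints nothing elsewhere.
running_kernel_config() {
    sysctl -n kern.conftxt 2>/dev/null || true
}

# Constructed sample, modelled on the config posted later in this digest:
# IPFIREWALL is present but IPFIREWALL_FORWARD is only a comment.
SAMPLE_CONF='options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options HZ=1000
#options IPFIREWALL_FORWARD'

sample_status=$(fwd_support_status "$SAMPLE_CONF") || true
echo "sample config: $sample_status"

live_conf=$(running_kernel_config)
if [ -n "$live_conf" ]; then
    live_status=$(fwd_support_status "$live_conf") || true
    echo "running kernel: $live_status"
fi
```

If kern.conftxt is not available, the same check can be run on the config file under /usr/src/sys/<arch>/conf that the kernel was built from.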
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 8 11:08:25 2007
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
Date: Mon, 8 Oct 2007 11:08:24 GMT
To: freebsd-ipfw@FreeBSD.org
Message-Id: <200710081108.l98B8OG9083310@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker       Resp.  Description
--------------------------------------------------------------------------------
o kern/51274    ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910    ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/74104    ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659    ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/93300    ipfw   [ipfw] ipfw pipe lost packets
o kern/95084    ipfw   [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504    ipfw   [ipfw] IPFW Rules bug
o kern/97951    ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/98831    ipfw   [ipfw] ipfw has UDP hickups
o kern/102471   ipfw   [ipfw] [patch] add tos and dscp support
o kern/103454   ipfw   [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534   ipfw   [ipfw] [panic] ipfw + dummynet
o kern/112708   ipfw   ipfw is seems to be broken to limit number of connecti

13 problems total.

Non-critical problems

S Tracker       Resp.  Description
--------------------------------------------------------------------------------
a kern/26534    ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159    ipfw   [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172    ipfw   [ipfw] [patch] ipfw does not log size and flags
o bin/50749     ipfw   [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984    ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/60719    ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/69963    ipfw   [ipfw] install_state warning about already existing en
o kern/71366    ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987    ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276    ipfw   [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785     ipfw   [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642    ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724    ipfw   [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957    ipfw   [ipfw] [patch] ipfw mac logging
o kern/87032    ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847    ipfw   [ipfw] ipfw with vlanX as the device
o kern/103328   ipfw   [ipfw] sugestions about ipfw table
o kern/104682   ipfw   [ipfw] [patch] Some minor language consistency fixes a
o bin/104921    ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330   ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305   ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/111713   ipfw   [dummynet] Too few dummynet queue slots
o kern/112561   ipfw   [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388   ipfw   [ipfw][patch] Addition actions with rules within speci
o bin/113803    ipfw   [patch] bin/ipfw.8 - don't get bitten by the fwd rule
o bin/115172    ipfw   [patch] ipfw(8) list show some rules with a wrong form
p kern/115755   ipfw   [ipfw][patch] unify message and add a rule number wher
o kern/116009   ipfw   [ipfw] [patch] Ignore errors when loading ruleset from

28 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 10 12:32:25 2007
From: Khozaima Shakir <khozaima_shakir@nmss.com>
Date: Wed, 10 Oct 2007 08:21:23 -0400
To: freebsd-ipfw@freebsd.org
Message-ID: <1F1EC49EFF760B498383EC1EF527F03E01C29C1AAC@NAMAEMAIL.nmss.com>
Subject: IPFW Dummynet Bridge Limiting

Hello All,

I am new to FreeBSD/ipfw. I am having similar problems as described below. I would like to know if there was a solution to it.

Thank you very much,
khozaima shakir

Hey all,

I have searched and searched and searched and can't seem to come up with the answer to this little mystery I have going on here. Maybe I could get some help from this large group of people who are much smarter than I am.

I have a FreeBSD machine running 6.1-RC that has three NICs, two of which are acting as a bridge. It's a pretty standard setup. What I am attempting to accomplish is bandwidth limiting using dummynet over this bridge. Here's the network layout:

INTERNET ---- Core Router ---- Bridge (limiter) ---- Border Router ---- Customer Base

The reason for the bridge between two routers is because we also have our server farm between those routers. The customer base consists of multiple routed networks and they all get public IPs.

The problem I'm having is that the bridge is not limiting any of the customer IPs. I see packets flowing through the IPFW rules but they're not being passed to the pipes. I will show the configuration momentarily. The weird thing is, I am able to unplug the Border Router from this whole setup and plug a laptop in to the bridge and set it up so the laptop IP is limited. This setup works fine and I can limit the laptop the way I expect the rest of the network to be.
Here's my configuration with the Border Router plugged in and the 216.19.50.37 IP being used in the "Customer Base":

---Kernel Config---
options         SMP                     # Symmetric MultiProcessor Kernel
options         IPFIREWALL              # Firewall support
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT
options         DUMMYNET                # Traffic limiting
options         BRIDGE
options         HZ=1000                 # strongly recommended by dummynet(4)
device          apic                    # I/O APIC

---Sysctl---
net.inet.ip.fw.enable=1
net.inet.ip.fw.one_pass=1
net.link.ether.bridge_cfg=em0,em1
net.link.ether.bridge.enable=1
net.link.ether.bridge_ipfw=1
net.inet.ip.fw.dyn_buckets=256
net.inet.ip.fw.curr_dyn_buckets=256

---rc.conf---
defaultrouter="[mydefaultrouter]"
hostname="[myhostname]"
ifconfig_bge0="[mymanagementinterface]"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_em0="up"
ifconfig_em1="up"
sshd_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall.bwmg"   # this just runs ipfw with the rules supplied in custom_firewall below
firewall_quiet="NO"
firewall_logging="YES"
firewall_flags=""

---ifconfig----
-snip-
em0: flags=8943 mtu 1500
        options=8
        ether 00:04:23:cb:60:aa
        media: Ethernet autoselect (100baseTX )
        status: active
em1: flags=8943 mtu 1500
        options=8
        ether 00:04:23:cb:60:ab
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8043 mtu 1500
        ether ac:de:48:ce:fe:5c
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: em1 flags=3
        member: em0 flags=3

---custom_firewall---
-q flush
-q queue flush
-q pipe flush
add 1 allow all from any to any via lo0
add 2 deny all from any to 127.0.0.0/8
add 3 deny all from 127.0.0.0/8 to any
add 4 skipto 65534 all from any to any via bge0
add 65534 allow all from any to any
add 100 pipe 100 config bw 100Kbit/s
add 10 pipe 100 all from any to 216.19.50.37 recv em0

# ipfw show 10
00010 11430 925353 pipe 100 all from any to 216.19.50.37 recv em0
# ipfw pipe show 100
00100: 100.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 icmp   216.109.112.135/0     216.19.50.37/0     11434 925679  0    0   0

I have tried many different configurations, including changing net.inet.ip.fw.one_pass to 0, changing the ipfw rule to recv and xmit on BOTH devices of the bridge, changing the ipfw rule from all to tcp and ip, and changing the rule from "any to 216.19.50.37" to "216.19.50.37 to any" (recv and xmit on both interfaces). I've also tried the kernel without IPDIVERT and with if_bridge.

As I stated before, the odd thing is that when I plug directly into it with an IP of 216.19.0.225 (can't use the other one here) and modify the rules to reflect the new IP, the limiting works just fine. I have a feeling this is where the problem is, but I can't quite think of any reason why this wouldn't work.

Previously, I had a Linux machine running tc installed in place of this machine, but I personally prefer FreeBSD and feel ipfw is easier to configure than tc. The Linux machine worked just fine.

Could anyone possibly help with this little problem? I'm stuck. Also, if I forgot to include any information, I apologize. I'm a bit spacey when I write emails. Just let me know what I missed and I can explain further.

Thanks.

Adam
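A follow-up on the "ipfw pipe show 100" output above, as an added example that is not part of Adam's or Khozaima's message or of FreeBSD itself. The posted pipe's mask line is all zeros and it has a single bucket, so every flow sent to it shares one 100 Kbit/s queue. A limiter for a whole customer base normally configures the pipe with mask dst-ip 0xffffffff (and a second pipe with mask src-ip for the other direction), which gives each customer address its own queue at the configured rate; this goes beyond the single-address rule in the thread to a whole prefix. The first function parses "ipfw pipe show" text and names pipes that have no flow mask; the second emits such a two-pipe ruleset in the same file format as the posted custom_firewall, matching on the receiving interface as the posted rule does. The prefix, bandwidth and interface names are placeholders, the rules assume, as the posted sysctls do, that the bridge hands frames to ipfw, and the sample "pipe show" text is constructed from the posted output plus a second, masked pipe.

```shell
#!/bin/sh
# Added example, not from the thread: spot dummynet pipes that have no flow
# mask (all traffic shares one queue) and emit a per-customer bridge limiter.

# unmasked_pipes PIPE_SHOW_TEXT
# Reads "ipfw pipe show" output and prints the number of every pipe whose
# "mask:" line contains only zero hex digits, i.e. one queue for every flow.
unmasked_pipes() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+:/ { pipe = substr($1, 1, length($1) - 1) }
        /^[ \t]*mask:/ {
            m = $0; sub(/.*mask:/, "", m)
            if (m !~ /[1-9a-fA-F]/) print pipe
        }'
}

# bridge_limit_rules CUSTOMER_NET BANDWIDTH UPSTREAM_IF DOWNSTREAM_IF
# Emits rule lines in the format "ipfw -q /path/to/file" reads: two pipes,
# each with a per-address mask so every customer IP gets its own queue at
# BANDWIDTH, matched on the interface the frame arrived on, as in the posted
# "recv em0" rule. Assumes the bridge passes frames to ipfw (placeholders
# for the prefix, rate and interface names).
bridge_limit_rules() {
    net=$1; bw=$2; up_if=$3; down_if=$4
    cat <<EOF
pipe 1 config bw $bw mask dst-ip 0xffffffff
pipe 2 config bw $bw mask src-ip 0xffffffff
add 100 pipe 1 ip from any to $net recv $up_if
add 110 pipe 2 ip from $net to any recv $down_if
add 65000 allow ip from any to any
EOF
}

# rule_count RULESET_TEXT -> number of add/pipe/queue lines in the text
rule_count() {
    printf '%s\n' "$1" | grep -Ec '^[[:space:]]*(add|pipe|queue)[[:space:]]'
}

# Constructed sample: the "ipfw pipe show 100" output posted above, plus a
# second pipe that does carry a destination-address mask.
SAMPLE_PIPES='00100: 100.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 icmp   216.109.112.135/0     216.19.50.37/0     11434 925679  0    0   0
00200: 100.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000'

echo "pipes with no flow mask: $(unmasked_pipes "$SAMPLE_PIPES")"
echo "ruleset for a /24 of customers behind em0/em1:"
bridge_limit_rules 216.19.50.0/24 100Kbit/s em0 em1
```

Review the emitted rules before loading them with ipfw -q and a file path; once loaded, "ipfw pipe show" should list the destination mask on pipe 1 and one bucket per active customer address instead of the single bucket seen above.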
From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 11 14:34:42 2007
From: Khozaima Shakir <skhozaima@yahoo.com>
Date: Thu, 11 Oct 2007 07:08:01 -0700 (PDT)
To: freebsd-ipfw@freebsd.org
Message-ID: <255902.18454.qm@web31806.mail.mud.yahoo.com>
Subject: Packet forwarding

Hello All,

I am new to ipfw. Basically, on my box, I have 3 NICs, 1 for external Internet usage and 2 for internal LAN usage: re0, re1. I want to send IP traffic to re0, pass it on to ipfw to apply QoS on the IP stream and route it through re1 (and vice versa). I don't need to have any external IP traffic on re0 and re1. I tried bridging re0 and re1, which for some unknown reason only worked for 1 IP flow, pipe if you will. Thinking there might be some bridging L2 and IP L3 issues, I am thinking of turning the box into a router, just to forward packets between re0 and re1 and then apply QoS on it. I am using fixed internal IP addresses on re0 and re1. I have turned on IP forwarding.

re0: flags=8843 mtu 1500
        options=18
        inet 20.20.20.20 netmask 0xffffff00 broadcast 20.20.20.255
        ether 00:12:17:55:a4:ec
        media: Ethernet autoselect (none)
        status: no carrier
re1: flags=8843 mtu 1500
        options=18
        inet 20.20.20.22 netmask 0xffffff00 broadcast 20.20.20.255
        ether 00:12:17:55:a3:fa
        media: Ethernet autoselect (none)
        status: no carrier

I don't understand how to proceed with the set of rules I should be using to forward IP traffic. Once I have a basic setup that can forward IP, I can then think of a rule set for QoS via pipes and queues. In the system I will have at least 2 streams of IP traffic via a switch to the FreeBSD box. Any help would be greatly appreciated.

Thanks in advance,
khozaima
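One thing to check before writing any forwarding rules: the two interfaces shown above both carry an address in 20.20.20.0/24 (20.20.20.20 and 20.20.20.22, netmask 0xffffff00). A router forwards between interfaces on distinct subnets; with both on the same network there is nothing for the kernel to route between them, whatever net.inet.ip.forwarding and the ipfw ruleset say. The script below is an added example, not part of Khozaima's message: it takes addresses and masks in the form ifconfig prints them and reports whether two interface networks overlap. The sample addresses are the ones posted above; the alternative layout at the end (20.20.21.1) is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: detect two interfaces configured on
# overlapping IPv4 networks, which no router can forward between.

# ip2int DOTTED_QUAD -> the address as a 32-bit integer
# (the unquoted expansion deliberately splits the octets on whitespace)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INTEGER -> dotted quad
int2ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# network ADDRESS NETMASK -> network address as a dotted quad. NETMASK is
# the hex form ifconfig prints (0xffffff00); a decimal value also works.
network() {
    int2ip $(( $(ip2int "$1") & $2 ))
}

# nets_overlap ADDR1 MASK1 ADDR2 MASK2
# Succeeds when the two networks share at least one address. With
# contiguous masks the shorter prefix has the smaller mask value, and two
# prefixes overlap exactly when the addresses agree under the shorter one.
nets_overlap() {
    m=$(( $2 < $4 ? $2 : $4 ))
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# route_check ADDR1 MASK1 ADDR2 MASK2
# Prints a one-line verdict; returns 1 when the interfaces cannot be routed
# between because their networks overlap.
route_check() {
    if nets_overlap "$@"; then
        echo "overlap: $(network "$1" "$2") is on both interfaces, nothing to route between"
        return 1
    fi
    echo "distinct: $(network "$1" "$2") and $(network "$3" "$4")"
}

# The re0/re1 addresses posted above.
route_check 20.20.20.20 0xffffff00 20.20.20.22 0xffffff00 || true
# A layout that does route: one /24 per interface (placeholder address).
route_check 20.20.20.20 0xffffff00 20.20.21.1 0xffffff00
```

Once the two interfaces sit on different networks, hosts on each side need a route for the other side via the FreeBSD box's address on their own segment; only then do pipe or queue rules on re0 and re1 have any forwarded traffic to act on.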