Date:      Fri, 27 Jun 2008 16:20:15 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        Freddie Cash <fjwcash@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Understanding where dummynet fits into an ipfw ruleset
Message-ID:  <C283B2D1-5193-4D32-8D38-9D72282F5876@mac.com>
In-Reply-To: <b269bc570806271501if8ba221qf76b15d56e94e45b@mail.gmail.com>
References:  <b269bc570806271301x3ed43e54k5de0a1d71a9eb676@mail.gmail.com> <58383628-3A79-4271-B62D-C35CC06618F0@mac.com> <b269bc570806271501if8ba221qf76b15d56e94e45b@mail.gmail.com>

On Jun 27, 2008, at 3:01 PM, Freddie Cash wrote:
[ ... ]
>> If net.inet.ip.fw.one_pass is true, then you definitely want to apply your deny rules first, as once something matches a pipe rule, it's going to be passed.  The tradeoff is that the accounting/fairness of traffic is less accurate but the firewall ruleset runs faster...
>
> So, in this situation, the "allow" rules would be the queue rules?
>
> To add traffic shaping to the following, using one_pass=1:
>  100 allow ip from 1.1.1.1 to 2.2.2.2 in recv em0
>  200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1
>  300 deny ip from any to 2.2.2.2 in recv em0
>
> Would be:
>  100 queue 1 ip from 1.1.1.1 to 2.2.2.2 in recv em0
>  200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1
>  300 deny ip from any to 2.2.2.2 in recv em0
>
> Or am I way off here?  :)

Hmm.  If you have one_pass set, I believe that rule 200 would become superfluous.  If it was off, rule 200 would be needed to permit traffic through.  However, queue rulesets are used to classify traffic into different bins; they then get pulled out of the bins with packets waiting in proportion to the weights configured via something like:

   ipfw queue 1 config pipe 1 weight 10

i.e., you have to attach queue(s) to a pipe for this classification or sorting to be meaningful.

-- 
-Chuck
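The ruleset from the exchange above, as an added example that is not part of the original thread: it prints (rather than loads) the rules together with the pipe/queue configuration Chuck mentions, and changes what comes after the queue rule depending on net.inet.ip.fw.one_pass. The 10Mbit/s pipe bandwidth and the rule number 150 are assumptions; hosts, interfaces and the other rule numbers are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an ipfw ruleset whose shape
# depends on net.inet.ip.fw.one_pass, so the ordering can be reviewed
# before anything is applied to a live firewall.

# Usage: build_ruleset <one_pass: 0|1>
build_ruleset() {
    one_pass="$1"
    # Shaping objects first: a queue is only meaningful attached to a pipe
    # (assumed bandwidth; the weight is the one from the reply above).
    echo "ipfw pipe 1 config bw 10Mbit/s"
    echo "ipfw queue 1 config pipe 1 weight 10"
    # Classify inbound 1.1.1.1 -> 2.2.2.2 into queue 1.
    echo "ipfw add 100 queue 1 ip from 1.1.1.1 to 2.2.2.2 in recv em0"
    if [ "$one_pass" -eq 0 ]; then
        # one_pass=0: after the queue the packet re-enters the ruleset at
        # the next rule, so without this allow it would fall through to the
        # deny at 300 (rule 200 only matches outbound traffic on em1).
        echo "ipfw add 150 allow ip from 1.1.1.1 to 2.2.2.2 in recv em0"
    fi
    # one_pass=1: the queue rule itself accepts the packet, so a deny that
    # is meant to override shaped traffic must be numbered below 100.
    echo "ipfw add 200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1"
    echo "ipfw add 300 deny ip from any to 2.2.2.2 in recv em0"
}

# Read the live sysctl on FreeBSD; fall back to 1 (the default) elsewhere
# so the generated ruleset can be inspected on any host.
current_one_pass() {
    sysctl -n net.inet.ip.fw.one_pass 2>/dev/null || echo 1
}

build_ruleset "$(current_one_pass)"
```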