Date:      Mon, 03 Oct 2005 13:27:39 -0300
From:      Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        ipfw@freebsd.org
Subject:   Re: layer2 filtering and dummynet, bw reduced by half
Message-ID:  <43415BFB.1050800@freebsdbrasil.com.br>
In-Reply-To: <20051003091024.A92958@xorpc.icir.org>
References:  <4341575C.8080409@freebsdbrasil.com.br> <20051003091024.A92958@xorpc.icir.org>

Luigi Rizzo wrote:
> you are passing traffic through the pipe twice.
> you have to decide if your rules should apply to
> layer2 or not and write the rules accordingly

Why are they going twice through the pipe? When net.link.ether.ipfw=1 
you pass it through all rules twice? "first match wins" does not apply? 
How should it be made to do it passing only once? I have just tried:

ipfw add 400 count log all from any to any in layer2
ipfw add 401 count log all from any to any out layer2

Where hopefully it would be passed only once (when passing layer2 rules) 
but it did not.

How could the rules be written to filter layer2 instead, in the given 
circumstances? 'Cos you say it should be written to apply to layer2 or 
not, and write the rules "accordingly", but in the following circumstance:

00400    54     4566 count log ip from any to any in
00401    42     4300 count log ip from any to any out
00501    16     1616 pipe 1 ip from any to 172.16.52.254 in
00601    16     1428 pipe 2 ip from 172.16.52.254 to any out
65535 22052 10476881 allow ip from any to any

There is no layer2 rule, but if net.link.ether.ipfw=1 the /2 bw limiting 
happens again. So it does not seem to be a matter of how to write the 
rules, but instead, to have net.link.ether.ipfw=1 or not.

Or did I miss some point?


>>layer2() {
>>         ipfw add skipto 400 all from any to any mac-type ip,arp layer2
>>         ipfw add deny all from any to any layer2
>>}
>>
>>countlog() {
>>         ipfw add 400 count log all from any to any in
>>         ipfw add 401 count log all from any to any out
>>}
>>
>>pipe() {
>>         ipfw add pipe 1 all from any to 172.16.52.254/32 in
>>         ipfw add pipe 2 all from 172.16.52.254/32 to any out
>>         ipfw pipe 1 config bw 64Kbps queue 5
>>         ipfw pipe 2 config bw 64Kbps queue 5
>>}


-- 
Patrick Tracanelli
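The behaviour the thread is circling around is that with net.link.ether.ipfw=1 the same ruleset is walked once per Ethernet frame (at layer 2) and once more per IP packet (at layer 3), and each walk starts again from the first rule. "First match wins" holds within one walk, not across both, so a pipe rule written without a layer2 qualifier matches on both walks and the packet is shaped twice. The script below is an added example, not code from the thread or from the FreeBSD project: it lays the ruleset out so that every layer-2 frame is terminated (allow or deny) in its own section before the pipe rules, and additionally marks the layer-3 rules `not layer2` as defence in depth. It assumes standard ipfw(8) syntax (an option negated with `not`, `mac-type`, `layer2`), reuses the host, pipe numbers and bandwidth quoted in the thread, and only prints the commands unless IPFW=ipfw is set in the environment.

```shell
#!/bin/sh
# Added example (not from the thread): keep dummynet pipes out of the
# layer-2 pass so each packet is shaped once.
# Assumptions: host/pipe numbers as quoted in the thread; IPFW defaults
# to "echo" so nothing is applied unless IPFW=ipfw is exported.

SHAPED_HOST="172.16.52.254"     # host from the thread
IPFW="${IPFW:-echo}"            # dry run by default

# Layer-2 section: every frame seen because of net.link.ether.ipfw=1 is
# terminated here. "allow" only ends the layer-2 walk; the IP packet is
# still handed to ipfw again at layer 3, where the pipe rules apply.
layer2_rules() {
    printf '%s\n' \
      "add 100 allow all from any to any mac-type ip,arp layer2" \
      "add 101 deny all from any to any layer2"
}

# Layer-3 section: "not layer2" is redundant given the section above
# but makes the intent explicit and survives a later edit of rule 100.
pipe_rules() {
    printf '%s\n' \
      "add 400 count log ip from any to any in not layer2" \
      "add 401 count log ip from any to any out not layer2" \
      "add 501 pipe 1 ip from any to $SHAPED_HOST in not layer2" \
      "add 601 pipe 2 ip from $SHAPED_HOST to any out not layer2" \
      "pipe 1 config bw 64Kbps queue 5" \
      "pipe 2 config bw 64Kbps queue 5"
}

# Emit (or apply, with IPFW=ipfw) the whole ruleset in order.
apply_rules() {
    { layer2_rules; pipe_rules; } | while IFS= read -r line; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPFW $line
    done
}

# Sanity check on the generated text: every rule that sends traffic to
# a pipe must carry "not layer2", and the layer-2 section must end in
# a terminating action (allow/deny), not a skipto into the pipe rules.
# Returns 0 when both hold.
check_rules() {
    pipe_rules | grep -E '^add [0-9]+ pipe ' | grep -qv 'not layer2' && return 1
    layer2_rules | tail -n 1 | grep -qE '^add [0-9]+ (allow|deny) ' || return 1
    return 0
}

apply_rules
```

Run it as-is to review the commands it would issue; run `IPFW=ipfw sh script.sh` as root to load them. The two rule counters (400/401) should then advance once per packet, and the pipes deliver the full configured 64Kbps instead of half.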