Date:      Mon, 1 Dec 2003 16:03:55 -0800 (PST)
From:      Jon Simola <jon@abccom.bc.ca>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: MAN page example vs. this?
Message-ID:  <20031201154231.M38868-100000@tyberius.abccom.bc.ca>
In-Reply-To: <3A04E74D-225C-11D8-98F0-003065F1EE08@edgefocus.com>

On Sat, 29 Nov 2003, Sean Hafeez wrote:

> the man page has this example:
>
> ipfw add pipe 1 ip from 192.168.2.0/24 to any out
> ipfw add pipe 2 ip from any to 192.168.2.0/24 in
> ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
> ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
>
> the man page says this does:
>
> ...is limiting the outbound traffic on a net with per-host limits,
> rather than per-network limits...
>
> my first question is: is this just outbound? it seems to me that pipe 1 is
> the outbound limit and pipe 2 is an inbound limit? so this is a symmetric
> link? am I reading this wrong?

You're right, there are 2 queues defined, one for each direction.

> second, the mask only applies to the last octet of the IP address (ff) -
> correct? so each host is both the outbound user and the upstream target
> (i.e. www.cnn.com)?

The host 192.168.2.3 would be limited to sending 200Kbits/sec and
receiving 200Kbits/sec total, without concern for what other IPs it is
talking to.

> now here is what I got from somewhere else. I am limiting each host (IP
> address) to 200kbits/s. rl1 is the internal interface to the users.
>
> ipfw add pipe 1 ip from any to any in recv rl1
> ipfw add pipe 2 ip from any to any out xmit rl1
> ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s
>
> are these 2 examples functionally the same? if not, what is the
> difference?

You're forcing the interface. Be careful, as packets may flow through in
ways you don't expect.

> also in the first example, if the network was changed to
> 192.168.0.0/23, the mask would be 0x000003ff (255.255.254.0)? it is a
> reverse mask like a Cisco, right?

That mask has nothing to do with a network mask. It's a simple bitmask,
used to pick out the bits in the src/dst ip/port combinations that are
used to hash the packets into a unique bucket.

If you used "mask src-ip 0x00000001" you would be sorting the packets into
buckets (and queues) based on whether the source IP's last octet was even
or odd.

My setup looks like (for doing traffic usage on a /24):

ipfw pipe 1 config mask src-ip 0xffffffff buckets 512
ipfw add 100 pipe 1 ip src-ip 192.168.0.0/24
ipfw pipe 2 config mask dst-ip 0xffffffff buckets 512
ipfw add 101 pipe 2 ip dst-ip 192.168.0.0/24

If I were curious about how much traffic each of my /28's was doing:

ipfw pipe 3 config mask src-ip 0xfffffff0 buckets 512
ipfw add 105 pipe 3 ip src-ip 192.168.4.0/24
ipfw pipe 4 config mask dst-ip 0xfffffff0 buckets 512
ipfw add 106 pipe 4 ip dst-ip 192.168.4.0/24

---
Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
    Systems Administrator     |  reach out to the stars, electrons and light
     ABC  Communications      |  flow throughout the universe." -- GITS
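Added illustration, not part of the thread and not ipfw code: a small Python model of how a dummynet pipe's mask picks the address bits that select a flow queue. It assumes a simplified flow key (src-ip and dst-ip masks only; the real kernel also masks ports and protocol and hashes the result into buckets) and uses a constructed set of packets from the 192.168.2.0/24 in the thread.

```python
"""Model of how a dummynet pipe 'mask' picks the bits used to select a queue.

Simplification (assumption): only src-ip / dst-ip masks are modelled and the
masked tuple itself is the queue key; real dummynet also masks ports and
protocol and hashes the tuple into a configurable number of buckets.
"""
import ipaddress
from collections import defaultdict

def masked_flow_key(src, dst, src_mask=0, dst_mask=0):
    """AND each address with its pipe mask; packets with equal keys share a queue."""
    s = int(ipaddress.IPv4Address(src)) & src_mask
    d = int(ipaddress.IPv4Address(dst)) & dst_mask
    return (s, d)

def group_into_queues(packets, src_mask=0, dst_mask=0):
    """Bucket (src, dst) pairs the way a pipe configured with these masks would."""
    queues = defaultdict(list)
    for src, dst in packets:
        queues[masked_flow_key(src, dst, src_mask, dst_mask)].append((src, dst))
    return dict(queues)

def queue_count(packets, src_mask=0, dst_mask=0):
    """Number of distinct queues, i.e. separate bandwidth allotments, created."""
    return len(group_into_queues(packets, src_mask, dst_mask))

def key_as_text(key):
    """Render a flow key as dotted quads for readable output."""
    return tuple(str(ipaddress.IPv4Address(v)) for v in key)

# Constructed sample: three hosts on 192.168.2.0/24 talking to two outside hosts.
PACKETS = [
    ("192.168.2.3",  "198.51.100.10"),
    ("192.168.2.3",  "203.0.113.5"),
    ("192.168.2.4",  "198.51.100.10"),
    ("192.168.2.18", "203.0.113.5"),
]

if __name__ == "__main__":
    for label, mask in [("per host   (0xffffffff)", 0xffffffff),
                        ("last octet (0x000000ff)", 0x000000ff),
                        ("per /28    (0xfffffff0)", 0xfffffff0),
                        ("even/odd   (0x00000001)", 0x00000001)]:
        queues = group_into_queues(PACKETS, src_mask=mask)
        print(f"{label}: {len(queues)} queue(s)")
        for key, members in queues.items():
            print("   ", key_as_text(key), "->", [s for s, _ in members])
```

Note that with mask 0x000000ff a source of 10.0.0.3 would land in the same queue as 192.168.2.3; the man page example only works per host because its rule already restricts the source to 192.168.2.0/24.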


