From owner-freebsd-ipfw Mon Nov 5 20:12: 6 2001
Date: Mon, 05 Nov 2001 21:51:28 +0300
From: fbsdlist-ipfw@f151.n5025.z2.fidonet.org (fbsdlist-ipfw)
Subject: ipfw with RED
To: freebsd-ipfw@freebsd.org
Organization: VoronezhSvyazInform ISP News Server

Hello!

I have FreeBSD 4.4-STABLE cvsup'ed on Nov 4, two ethernet cards (xl and ed)

My ipfw configuration, shown below, causes a kernel panic in
sys/netinet/ip_dummynet.c:red_drops() after ~2 sec (depending on network load)

ipfw pipe 1 config bw 3000bit/s queue 2kbyte
ipfw queue 2 config pipe 1 queue 100 red 0.008/30/80/0.1
ipfw add 1 queue 2 ip from any to any out xmit ed0

Also, any ipfw configuration with RED causes a kernel panic.

I found the following workaround:

=====
-+- ip_dummynet.c.orig Sun Nov 4 18:44:49 2001 +++ ip_dummynet.c Sun Nov 4 21:44:51 2001
@@ -955,7 +955,7 @@ * XXX check wraps... */ if (q->avg) { - u_int t = (curr_time - q->q_time) / fs->lookup_step; + u_int t = (curr_time - q->q_time) / ( fs->lookup_step ? + fs->lookup_step : (fs->lookup_step=1) ); q->avg = (t < fs->lookup_depth) ? SCALE_MUL(q->avg, fs->w_q_lookup[t]) : 0;
=====

This bug(?) is not related to the last dummynet changes, it also was in sources
cvsup'ed at Oct 4

Does anybody use ipfw with RED or GRED without such troubles?

Gennady Proskurin

email: gpr@nvnpp.vrn.ru
FIDO: 2:5025/151

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Nov 7 9:52:30 2001
Date: Wed, 7 Nov 2001 09:48:24 -0800
From: Luigi Rizzo
To: fbsdlist-ipfw
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw with RED
Message-ID: <20011107094824.E96033@iguana.aciri.org>

Hi,
I have looked at the source but at least the fix you propose looks
strange -- lookup_step is never 0 from userland, and so if you find it
set to 0 it means that there is some other problem in initializing the
queue descriptor. So I need to look at this code in more detail
to find a proper fix.

cheers
luigi

On Mon, Nov 05, 2001 at 09:51:28PM +0300, fbsdlist-ipfw wrote:
> Hello!
>
> I have FreeBSD 4.4-STABLE cvsup'ed on Nov 4, two ethernet cards (xl and ed)
>
> My ipfw configuration, shown below, causes a kernel panic in
> sys/netinet/ip_dummynet.c:red_drops() after ~2 sec (depending on network load)
>
> ipfw pipe 1 config bw 3000bit/s queue 2kbyte
> ipfw queue 2 config pipe 1 queue 100 red 0.008/30/80/0.1
> ipfw add 1 queue 2 ip from any to any out xmit ed0
>
> Also, any ipfw configuration with RED causes a kernel panic.
>
> I found the following workaround:
>
> =====
> -+- ip_dummynet.c.orig Sun Nov 4 18:44:49 2001 > +++ ip_dummynet.c Sun Nov 4 21:44:51 2001
> @@ -955,7 +955,7 @@ > * XXX check wraps... > */ > if (q->avg) { > - u_int t = (curr_time - q->q_time) / fs->lookup_step; > + u_int t = (curr_time - q->q_time) / ( fs->lookup_step ? > + fs->lookup_step : (fs->lookup_step=1) ); > > q->avg = (t < fs->lookup_depth) ? > SCALE_MUL(q->avg, fs->w_q_lookup[t]) : 0;
> =====
>
>
> This bug(?) is not related to the last dummynet changes, it also was in sources
> cvsup'ed at Oct 4
>
> Does anybody use ipfw with RED or GRED without such troubles?
>
>
> Gennady Proskurin
>
> email: gpr@nvnpp.vrn.ru
> FIDO: 2:5025/151

From owner-freebsd-ipfw Wed Nov 7 17:20:46 2001
Message-ID: <3BE9DDEC.14FBBC5@wgops.com>
Date: Wed, 07 Nov 2001 17:20:44 -0800
From: Michael Loftis
To: freebsd-ipfw@FreeBSD.ORG
Subject: IPF -- IPFILTER/IPNAT + DUMMYNET?

OK :) Hate to bother this list with it but couldn't find out how the
interaction would work but what I was wondering is could I stick a
DUMMYNET rate limiter pipe in the path for output on an ipfilter based
firewall... If so what's the logical diagram it would follow...

IE is it something like

INPUT<->IPNAT<->IPF<->DUMMYNET/PIPE<->IFACE<->OUTPUT
?

The reason I ask is I'd like to possibly utilise the rate limiter at some
point. I've had 0 success making ipfw work in any configuration, and
ipnat+ipf is a little strange but it works (NAT seems to happen before
IPFilter, which is a little odd.... but hey, whatever.) Any
clues/helps? The machine is a multi-homed and multi-ip-ed machine.

Michael

From owner-freebsd-ipfw Wed Nov 7 20:27:14 2001
Date: Thu, 08 Nov 2001 05:27:05 +0100
From: alex
Reply-To: alex
To: Michael Loftis, freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPF -- IPFILTER/IPNAT + DUMMYNET?
Message-ID: <1627830.1005197225@[192.168.2.94]>
In-Reply-To: <3BE9DDEC.14FBBC5@wgops.com>
References: <3BE9DDEC.14FBBC5@wgops.com>

Hi Michael,

I'm new to ipfilter, but I have been using ipfw for bandwidth limiting for a few
months now. I compiled my kernel with ipfw and ipfilter; what I think I found
out is: packets run first through ipfilter, then ipfw (if both are compiled into
the kernel; may vary if ipfw is compiled in and ipfilter loaded as a module).

What I use is:

ipfw pipe 1 config bw 100KByte/s
ipfw pipe 2 config bw 100KByte/s
ipfw add pipe 1 ip from any to any out
ipfw add pipe 2 ip from any to any in

This is a nice duplex 100KB/sec pipe (100KB/sec in both directions) and works
well, on my box :)

Before these pipe rules I do some "allow all from x to y" for unlimited
bandwidth to our own network; I use the bandwidth limiting rules just for the
rest of the packets, for outgoing connections to the internet.

If you want to limit bandwidth depending on the device, let's say you want only
16KB/sec (dual ISDN) on rl0, this should work:

ipfw pipe 1 config bw 16KByte/s
ipfw pipe 2 config bw 16KByte/s
ipfw add pipe 1 ip from any to any out xmit rl0
ipfw add pipe 2 ip from any to any in recv rl0

This should limit bandwidth on all packets entering or leaving the system via
the rl0 device.

And you should have an "allow all from any to any" rule as the last rule in
ipfw, otherwise the packets are dropped by ipfw (assuming you do all the
allow/deny filtering in ipfilter).

Hope this helps,
alex

--On Wednesday, 7 November 2001 17:20 -0800 Michael Loftis wrote:

> OK :) Hate to bother this list with it but couldn't find out how the
> interaction would work but what I was wondering is could I stick a
> DUMMYNET rate limiter pipe in the path for output on an ipfilter based
> firewall... If so what's the logical diagram it would follow...
>
> IE is it something like
>
> INPUT<->IPNAT<->IPF<->DUMMYNET/PIPE<->IFACE<->OUTPUT
> ?
>
> The reason I ask is I'd like to possibly utilise the rate limiter at some
> point. I've had 0 success making ipfw work in any configuration, and
> ipnat+ipf is a little strange but it works (NAT seems to happen before
> IPFilter, which is a little odd.... but hey, whatever.) Any
> clues/helps? The machine is a multi-homed and multi-ip-ed machine.
>
> Michael
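
Review bot: the fallback (fs->lookup_step=1) in the new divisor of the ip_dummynet.c hunk at @@ -955,7 +955,7 @@ (the workaround posted in the "ipfw with RED" thread above) assigns to the flow set from inside a division expression, so a zero lookup_step is silently rewritten to 1 and whatever left it unset stays hidden. With the divisor forced to 1, t is the raw idle interval, and whenever that is not below fs->lookup_depth the following statement resets q->avg to 0 instead of aging it. Suggest validating or defaulting lookup_step where the flow set is configured, and here testing for 0 explicitly as its own statement (skipping the aging step, or reporting the bad state) rather than writing the field as a side effect of computing t. The existing "XXX check wraps" comment also still applies to curr_time - q->q_time and is untouched by this change.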