From owner-freebsd-ipfw Sun Sep 15 7:31:35 2002
From: "Luiz Rodrigues Maia Neto"
To: freebsd-ipfw@freebsd.org
Date: Mon, 15 Sep 2003 11:45:16 -0300
Subject: subscribe
Reply-To: maianeto@inf.ufsc.br
Message-ID: <3F65A64C.30329.90871A4@localhost>

subscribe maianeto@inf.ufsc.br

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Sun Sep 15 16:42:34 2002
From: "Scott M. Nolde"
To: freebsd-ipfw@freebsd.org
Date: Sun, 15 Sep 2002 19:42:24 -0400
Subject: Re: queues and firewalling
Message-ID: <20020915234224.GB90537@smnolde.com>
In-Reply-To: <20020913200408.GA90537@smnolde.com>

Pebcak...

Scott M. Nolde(scott@smnolde.com)@2002.09.13 16:04:08 +0000:
> I'm trying to set up a firewall which has (at this moment) eight queues.
> Four are input and four are output queues. Each queue has an associated
> pipe and bandwidth limitation.
>
> This is, for the most part, scripted so I can add a tcp or udp port and
> rerun the script quickly to move things around.
>

--
Scott Nolde
GPG Key 0xD869AB48

From owner-freebsd-ipfw Sun Sep 15 17: 7:41 2002
From: Gregory Bond
To: "Scott M. Nolde"
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 16 Sep 2002 10:07:36 +1000
Subject: Re: queues and firewalling
Message-Id: <200209160007.KAA28384@lightning.itga.com.au>
In-reply-to: Your message of Sun, 15 Sep 2002 19:42:24 -0400.

> Pebcak...

Problem Exists Between Chair And Keyboard (or variants thereon).
From owner-freebsd-ipfw Sun Sep 15 18:14:47 2002
From: "Scott M. Nolde"
To: freebsd-ipfw@freebsd.org
Date: Sun, 15 Sep 2002 21:14:45 -0400
Subject: Fwd: Re: queues and firewalling
Message-ID: <20020916011445.GD90537@smnolde.com>

Gregory Bond(gnb@itga.com.au)@2002.09.16 10:07:36 +0000:
> > Pebcak...
>
> Problem Exists Between Chair And Keyboard (or variants thereon).
>

Yes, definitely. I've been working on a huge firewall script which uses an
inbound and outbound pipe and queues specified inbound and outbound flow.
I backed up and punted from a known good firewall and returned to my journey.

For the most part, it's automagical and the packet filtering is reminiscent
of /etc/rc.firewall, yet all the queues and pipes are set up automagically
by a series of runtime variables. I plan on publishing it soon on
http://bsdvault.net.

Beta versions of the firewall script can be found here:
http://www.smnolde.com:7080/ipfw/rc.ipfw-test

ipfw show output is here:
http://www.smnolde.com:7080/ipfw/rc.ipfw-test.show

Feel free to comment.

--
Scott Nolde
GPG Key 0xD869AB48

----- End forwarded message -----

--
Scott Nolde
GPG Key 0xD869AB48
From owner-freebsd-ipfw Mon Sep 16 14: 9: 8 2002
From: "Jacob S. Barrett"
To: freebsd-ipfw@freebsd.org
Date: Mon, 16 Sep 2002 14:08:53 -0700
Subject: MAC Layer Bandwidth Limiting
Message-ID: <3D864865.2030607@amduat.net>

If I wanted to do MAC layer bandwidth limiting would I want to do something
like the following using IPFW2 or am I just way off?

ipfw add 1000 pipe 1000 layer2 mac $MAC0 any
ipfw add 1001 pipe 1001 layer2 mac any $MAC0
ipfw pipe 1000 config bw 128Kbit/s
ipfw pipe 1001 config bw 768Kbit/s

ipfw add 1010 pipe 1010 layer2 mac $MAC1 any
ipfw add 1011 pipe 1011 layer2 mac any $MAC1
ipfw pipe 1010 config bw 256Kbit/s
ipfw pipe 1011 config bw 512Kbit/s

MAC0 is limited to 128kbit/s out and 768kbit/s in
MAC1 is limited to 256kbit/s out and 512kbit/s in

What I want is the ability to filter links at the MAC level as well as
limit the bandwidth that particular link has. Traffic may not always be IP
based so filtering on the IP address isn't sufficient.

If this all makes sense and works then is it possible to use a MAC address
mask in the pipe/queue mask. What I mean is can the limits be based on per
MAC rather than per IP so that I can remove the need to have two pipes for
each MAC like I do now? Something like this?

ipfw add 1000 pipe 1128 layer2 mac $MAC0 any
ipfw add 1001 pipe 2768 layer2 mac any $MAC0

ipfw add 1010 pipe 1256 layer2 mac $MAC1 any
ipfw add 1011 pipe 2512 layer2 mac any $MAC1

ipfw add 1020 pipe 1128 layer2 mac $MAC2 any
ipfw add 1021 pipe 2768 layer2 mac any $MAC2

ipfw pipe 1128 config bw 128Kbit/s mask mac-src 0xffffffffffff
ipfw pipe 1256 config bw 256Kbit/s mask mac-src 0xffffffffffff
ipfw pipe 1512 config bw 512Kbit/s mask mac-src 0xffffffffffff
ipfw pipe 1768 config bw 768Kbit/s mask mac-src 0xffffffffffff

ipfw pipe 2128 config bw 128Kbit/s mask mac-dst 0xffffffffffff
ipfw pipe 2256 config bw 256Kbit/s mask mac-dst 0xffffffffffff
ipfw pipe 2512 config bw 512Kbit/s mask mac-dst 0xffffffffffff
ipfw pipe 2768 config bw 768Kbit/s mask mac-dst 0xffffffffffff

MAC0 is limited to 128kbit/s out and 768kbit/s in
MAC1 is limited to 256kbit/s out and 512kbit/s in
MAC2 is limited to 128kbit/s out and 768kbit/s in

Does any of this make sense or am I just way off in my own little world
here?

Now if all this works then I assume that the byte count field for rules
xxx0 and xxx1 should be the total bytes in and out for the link. Is this
correct? If I was going to use that field for accounting to determine the
bytes transferred per month is there a way to read and zero the counts at
the same time, or am I going to just have to let the few bytes that come in
between read and zero just drop off?

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net

"I don't suffer from insanity, I enjoy every minute of it."
From owner-freebsd-ipfw Mon Sep 16 22:50:42 2002
From: "Jacob S. Barrett"
To: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 16 Sep 2002 22:49:16 -0700
Subject: Re: MAC Layer Bandwidth Limiting
Message-ID: <3D86C25C.50104@amduat.net>
References: <3D864865.2030607@amduat.net>

Well, I finally got a box put together to test this. It seems to work.
Here is what I have.

router <--> dc0-[the box]-fxp0 <--> switch/clients

net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1
net.link.ether.bridge_cfg=fxp0,dc0

ipfw add 1000 pipe 1000 MAC 12:34:56:78:90:12 any all
ipfw add 1001 pipe 1001 MAC any 12:34:56:78:90:12 all
ipfw pipe 1000 config bw 512Kbit/s
ipfw pipe 1001 config bw 128Kbit/s

ipfw add 1010 pipe 1010 MAC 12:34:56:78:90:34 any all
ipfw add 1011 pipe 1011 MAC any 12:34:56:78:90:34 all
ipfw add 1010 pipe 1010 MAC 12:34:56:78:90:56 any all
ipfw add 1011 pipe 1011 MAC any 12:34:56:78:90:56 all
ipfw pipe 1010 config bw 768Kbit/s
ipfw pipe 1011 config bw 256Kbit/s

ipfw add 65000 deny MAC any any all

12:34:56:78:90:12 limited to 512down/128up
12:34:56:78:90:34 and 12:34:56:78:90:56 share 768down/256up

Like I said, this seems to work. I did some simple tests by uploading and
downloading and changing pipe configs.

It would be nice to be able to specify a MAC mask on the pipes so I don't
have to create 2 for each client.

Also, digging through the source reveals no way to get and zero the counts
in an atomic fashion. That would be a really nice feature to have in the
future. It doesn't look like it would be too hard to hack in either. If I
find time I will try to do it and submit a patch.

-Jake

Jacob S. Barrett wrote:
> If I wanted to do MAC layer bandwidth limiting would I want to do
> something like the following using IPFW2 or am I just way off?
>
> ipfw add 1000 pipe 1000 layer2 mac $MAC0 any
> ipfw add 1001 pipe 1001 layer2 mac any $MAC0
> ipfw pipe 1000 config bw 128Kbit/s
> ipfw pipe 1001 config bw 768Kbit/s
>
> ipfw add 1010 pipe 1010 layer2 mac $MAC1 any
> ipfw add 1011 pipe 1011 layer2 mac any $MAC1
> ipfw pipe 1010 config bw 256Kbit/s
> ipfw pipe 1011 config bw 512Kbit/s
>
> MAC0 is limited to 128kbit/s out and 768kbit/s in
> MAC1 is limited to 256kbit/s out and 512kbit/s in
>
> What I want is the ability to filter links at the MAC level as well as
> limit the bandwidth that particular link has. Traffic may not always be
> IP based so filtering on the IP address isn't sufficient.
>
> If this all makes sense and works then is it possible to use a MAC
> address mask in the pipe/queue mask. What I mean is can the limits be
> based on per MAC rather than per IP so that I can remove the need to
> have two pipes for each MAC like I do now? Something like this?
>
> ipfw add 1000 pipe 1128 layer2 mac $MAC0 any
> ipfw add 1001 pipe 2768 layer2 mac any $MAC0
>
> ipfw add 1010 pipe 1256 layer2 mac $MAC1 any
> ipfw add 1011 pipe 2512 layer2 mac any $MAC1
>
> ipfw add 1020 pipe 1128 layer2 mac $MAC2 any
> ipfw add 1021 pipe 2768 layer2 mac any $MAC2
>
> ipfw pipe 1128 config bw 128Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1256 config bw 256Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1512 config bw 512Kbit/s mask mac-src 0xffffffffffff
> ipfw pipe 1768 config bw 768Kbit/s mask mac-src 0xffffffffffff
>
> ipfw pipe 2128 config bw 128Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2256 config bw 256Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2512 config bw 512Kbit/s mask mac-dst 0xffffffffffff
> ipfw pipe 2768 config bw 768Kbit/s mask mac-dst 0xffffffffffff
>
> MAC0 is limited to 128kbit/s out and 768kbit/s in
> MAC1 is limited to 256kbit/s out and 512kbit/s in
> MAC2 is limited to 128kbit/s out and 768kbit/s in
>
> Does any of this make sense or am I just way off in my own little world
> here?
>
> Now if all this works then I assume that the byte count field for rules
> xxx0 and xxx1 should be the total bytes in and out for the link. Is
> this correct? If I was going to use that field for accounting to
> determine the bytes transferred per month is there a way to read and
> zero the counts at the same time, or am I going to just have to let the
> few bytes that come in between read and zero just drop off?

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net

"I don't suffer from insanity, I enjoy every minute of it."
From owner-freebsd-ipfw Mon Sep 16 23: 3: 4 2002
From: Luigi Rizzo
To: "Jacob S. Barrett"
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 16 Sep 2002 23:02:59 -0700
Subject: Re: MAC Layer Bandwidth Limiting
Message-ID: <20020916230259.A51851@iguana.icir.org>
References: <3D864865.2030607@amduat.net> <3D86C25C.50104@amduat.net>
In-Reply-To: <3D86C25C.50104@amduat.net>

On Mon, Sep 16, 2002 at 10:49:16PM -0700, Jacob S. Barrett wrote:
...
> It would be nice to be able to specify a MAC mask on the pipes so I
> don't have to create 2 for each client.

yes... in fact, the implementation of masks should be slightly revised
so one can use more or less arbitrary fields instead of just the
ip addresses. Next feature I guess...

> Also, digging through the source reveals no way to get and zero the
> counts in an atomic fashion. That would be a really nice feature to

this is close to impossible to get right, because the success of reading
the counts depends on the size of the buffer passed to the getsockopt().
Given that one can compute the deltas in userland, I think
the feature is not very useful anyways.
cheers
luigi
From owner-freebsd-ipfw Mon Sep 16 23:44:19 2002
From: "Jacob S. Barrett"
To: Luigi Rizzo
Cc: freebsd-ipfw
Date: Mon, 16 Sep 2002 23:42:51 -0700
Subject: Re: MAC Layer Bandwidth Limiting
Message-ID: <3D86CEEB.2010100@amduat.net>
References: <3D864865.2030607@amduat.net> <3D86C25C.50104@amduat.net> <20020916230259.A51851@iguana.icir.org>

Luigi Rizzo wrote:
>> It would be nice to be able to specify a MAC mask on the pipes so I
>> don't have to create 2 for each client.
>
> yes... in fact, the implementation of masks should be slightly revised
> so one can use more or less arbitrary fields instead of just the
> ip addresses. Next feature i guess...

I would love for this to be a new feature soon.

>> Also, digging through the source reveals no way to get and zero the
>> counts in an atomic fashion. That would be a really nice feature to
>
> this is close to impossible to get right, because the success of reading
> the counts depends on the size of the buffer passed to the getsockopt().
> Given that one can compute the deltas in userland, i think
> the feature is not very useful anyways.

Should I just take snapshots every so often and calculate deltas from that?
I also need to be aware of counter rollover events. What is the max value
of the byte counter in the rules and pipes stats?

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net

"I don't suffer from insanity, I enjoy every minute of it."
From owner-freebsd-ipfw Tue Sep 17 0:16:58 2002
From: Luigi Rizzo
To: "Jacob S. Barrett"
Cc: freebsd-ipfw
Date: Tue, 17 Sep 2002 00:16:53 -0700
Subject: Re: MAC Layer Bandwidth Limiting
Message-ID: <20020917001653.A52387@iguana.icir.org>
References: <3D864865.2030607@amduat.net> <3D86C25C.50104@amduat.net> <20020916230259.A51851@iguana.icir.org> <3D86CEEB.2010100@amduat.net>
In-Reply-To: <3D86CEEB.2010100@amduat.net>

On Mon, Sep 16, 2002 at 11:42:51PM -0700, Jacob S. Barrett wrote:
...
> > yes... in fact, the implementation of masks should be slightly revised
> > so one can use more or less arbitrary fields instead of just the
> > ip addresses. Next feature i guess...
>
> I would love for this to be a new feature soon.

well, if you'd like to spend time on it, my idea is to accumulate bits from
the packet into an opaque mask field (say a total of 128 bits) which is
then used to identify the flow. This should be done somewhere in
ip_dummynet() when the processing of the mask is done.

> Should I just take snapshots every so often and calculate deltas from

yes, in userland. Make sure that the rulesets do not change from one
snapshot to the other (this includes dynamic rules) or that you correctly
match rules between the two snapshots.

> that. I also need to be aware of counter roll over events. What is the
> max value of the byte counter in the rules and pipes stats?

they are 64-bit counters. It still takes "a few years" before they
overflow, even counting bits at gigabit speeds.
cheers
luigi
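An added illustration of the mask discussion in this thread (example code, not from the thread or from FreeBSD's dummynet): a pipe mask does not cap the aggregate, it selects which header bits identify a flow, and dummynet then keeps one queue per distinct masked key. The `mac-src`/`mac-dst` fields are the ones Jacob proposed, not real dummynet mask options; the packed integer key stands in for the opaque bit field Luigi sketches; `mac`, `ip4`, `classify` and the packets are constructed for the example.

```python
from collections import defaultdict

# Mask fields and their widths in bits. src-ip, dst-ip, proto and the ports
# are real dummynet mask fields; mac-src and mac-dst are the hypothetical
# ones proposed in the thread. Fields are packed into the key in this order.
FIELDS = {"mac-dst": 48, "mac-src": 48, "proto": 8,
          "src-ip": 32, "dst-ip": 32, "src-port": 16, "dst-port": 16}


def parse_mask(spec):
    """Turn 'mask src-ip 0xffffffff mac-src 0xffffffffffff' into {field: int}.

    An empty spec is the null mask: every packet maps to the same flow,
    which is why a single queue is enough in that case.
    """
    toks = spec.split()
    if toks and toks[0] == "mask":
        toks = toks[1:]
    if len(toks) % 2:
        raise ValueError("mask spec must be field/value pairs")
    mask = {}
    for field, value in zip(toks[::2], toks[1::2]):
        if field not in FIELDS:
            raise ValueError(f"unknown mask field: {field}")
        mask[field] = int(value, 0) & ((1 << FIELDS[field]) - 1)
    return mask


def flow_key(pkt, mask):
    """Accumulate the masked bits of every field into one opaque integer.

    A field the packet lacks (a non-IP frame has no src-ip) contributes
    zero bits, so under an IP mask all such frames collapse into the same
    flow, while under a MAC mask they stay with their sender's flow.
    """
    key = 0
    for field, bits in FIELDS.items():
        key = (key << bits) | (pkt.get(field, 0) & mask.get(field, 0))
    return key


def classify(packets, mask_spec):
    """Return {flow_key: [packets]}: the per-flow queues one pipe would hold."""
    mask = parse_mask(mask_spec)
    queues = defaultdict(list)
    for pkt in packets:
        queues[flow_key(pkt, mask)].append(pkt)
    return dict(queues)


def mac(text):
    """'12:34:56:78:90:12' -> int."""
    return int(text.replace(":", ""), 16)


def ip4(text):
    """'10.0.0.1' -> int."""
    a, b, c, d = (int(x) for x in text.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


# Constructed traffic (not a capture): two clients behind the bridge; the
# first uses two IP addresses and also sends one non-IP frame.
PACKETS = [
    {"mac-src": mac("12:34:56:78:90:34"), "src-ip": ip4("10.0.0.1"), "proto": 6},
    {"mac-src": mac("12:34:56:78:90:34"), "src-ip": ip4("10.0.0.2"), "proto": 17},
    {"mac-src": mac("12:34:56:78:90:34")},                       # non-IP frame
    {"mac-src": mac("12:34:56:78:90:56"), "src-ip": ip4("10.0.0.3"), "proto": 6},
]


def queue_sizes(mask_spec, packets=PACKETS):
    """Sorted per-flow packet counts for a mask, for comparing mask choices."""
    return sorted(len(q) for q in classify(packets, mask_spec).values())


if __name__ == "__main__":
    for spec in ("mask mac-src 0xffffffffffff", "mask src-ip 0xffffffff", ""):
        print(f"{spec or '(null mask)':32s} -> queues of {queue_sizes(spec)}")
```

With the MAC mask both of the first client's IP addresses and its non-IP frame share one queue, which is what a single masked pipe would give instead of two pipes per client; with an IP mask the non-IP frame falls into a flow of its own.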
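The snapshot-and-delta accounting Luigi recommends above, as an added example (not code from the thread): each snapshot is parsed, rules are matched between snapshots by number and body, and a rule that is new, has a changed body, or whose byte counter went down (a reload or zeroing, since the 64-bit counters do not wrap in practice) is re-baselined rather than counted. The `ipfw -a list`-style snapshots are constructed inline, and the dynamic-rule section format is only approximated because parsing stops at its header.

```python
import re

# One line of "ipfw -a list" / "ipfw show" output: number, packets, bytes, body.
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")


def parse_snapshot(text):
    """Map rule number -> (packets, bytes, body) for the static rules.

    Parsing stops at the "## Dynamic rules" header that "ipfw -d" prints:
    dynamic entries reuse their parent's rule number, so reading them here
    would clobber the static rule's counters.
    """
    rules = {}
    for line in text.splitlines():
        if line.startswith("## Dynamic rules"):
            break
        m = _RULE_RE.match(line)
        if m:
            num, pkts, nbytes, body = m.groups()
            rules[int(num)] = (int(pkts), int(nbytes), body)
    return rules


def delta(prev, cur):
    """Bytes per rule between two snapshots.

    Returns (deltas, rebaselined). A rule is rebaselined, and contributes
    nothing this round, when it is new, when its body changed (the number
    was reused for a different rule) or when its byte count went down: the
    counters are 64-bit and will not wrap in practice, so a decrease means
    the counter was zeroed or the ruleset was reloaded.
    """
    deltas, rebaselined = {}, []
    for num, (_pkts, nbytes, body) in cur.items():
        if num not in prev or prev[num][2] != body or nbytes < prev[num][1]:
            rebaselined.append(num)
            continue
        deltas[num] = nbytes - prev[num][1]
    return deltas, rebaselined


def account(snapshots):
    """Sum per-rule byte deltas over a series of snapshot texts."""
    totals = {}
    prev = parse_snapshot(snapshots[0])
    for text in snapshots[1:]:
        cur = parse_snapshot(text)
        deltas, _ = delta(prev, cur)
        for num, nbytes in deltas.items():
            totals[num] = totals.get(num, 0) + nbytes
        prev = cur
    return totals


# Constructed snapshots in the shape of "ipfw -a list" output (not real
# captures). Between the 2nd and 3rd, rule 1001 was re-added (counter
# restarts) and rule 1020 appeared; the first also carries a dynamic section.
SNAPSHOTS = [
    """01000   10   1000 pipe 1000 MAC 12:34:56:78:90:12 any
01001    5    500 pipe 1001 MAC any 12:34:56:78:90:12
65000    0      0 deny MAC any any
## Dynamic rules (1):
01001    5    500 (10s) STATE constructed-dynamic-entry
""",
    """01000   30   4000 pipe 1000 MAC 12:34:56:78:90:12 any
01001    7    900 pipe 1001 MAC any 12:34:56:78:90:12
65000    0      0 deny MAC any any
""",
    """01000   40   4600 pipe 1000 MAC 12:34:56:78:90:12 any
01001    2    150 pipe 1001 MAC any 12:34:56:78:90:12
01020    3    300 pipe 1010 MAC 12:34:56:78:90:34 any
65000    0      0 deny MAC any any
""",
]

if __name__ == "__main__":
    for num, total in sorted(account(SNAPSHOTS).items()):
        print(f"rule {num:05d}: {total} bytes")
```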
From owner-freebsd-ipfw Wed Sep 18 1:22:28 2002
From: Sean Chittenden
To: freebsd-ipfw@FreeBSD.org
Date: Wed, 18 Sep 2002 01:22:18 -0700
Subject: Increasing the hash table sizes for dummynet...
Message-ID: <20020918082218.GJ99484@perrin.int.nxad.com>

The attached patch updates the max size for dummynet pipes to 65K instead
of 1024. Comments?

-sc

--
Sean Chittenden

Attachment: patch

Index: sys/netinet/ip_dummynet.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netinet/ip_dummynet.c,v retrieving revision 1.52 diff -u -r1.52 ip_dummynet.c --- sys/netinet/ip_dummynet.c 15 Aug 2002 16:53:43 -0000 1.52 +++ sys/netinet/ip_dummynet.c 18 Sep 2002 08:20:24 -0000
@@ -1463,8 +1463,8 @@ l =3D dn_hash_size; if (l < 4) l =3D 4; - else if (l > 1024) - l =3D 1024; + else if (l > DN_MAX_HASH_SIZE) + l =3D DN_MAX_HASH_SIZE; x->rq_size =3D l; } else /* one is enough for null mask */ x->rq_size =3D 1; Index: sys/netinet/ip_dummynet.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netinet/ip_dummynet.h,v retrieving revision 1.22 diff -u -r1.22 ip_dummynet.h --- sys/netinet/ip_dummynet.h 15 Aug 2002 16:53:43 -0000 1.22 +++ sys/netinet/ip_dummynet.h 18 Sep 2002 08:20:24 -0000 @@ -77,6 +77,12 @@ #define OFFSET_OF(type, field) ((int)&( ((type *)0)->field) ) =20 /* + * The maximum hash table size for queues. This value must be a power + * of 2. + */ +#define DN_MAX_HASH_SIZE 65536 + +/* * A heap entry is made of a key and a pointer to the actual * object stored in the heap. * The heap is an array of dn_heap_entry entries, dynamically allocated. Index: sbin/ipfw/ipfw.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.112 diff -u -r1.112 ipfw.8 --- sbin/ipfw/ipfw.8 8 Sep 2002 09:01:08 -0000 1.112 +++ sbin/ipfw/ipfw.8 18 Sep 2002 08:20:24 -0000 
@@ -1347,7 +1347,7 @@ .Xr sysctl 8 variable .Em net.inet.ip.dummynet.hash_size , -allowed range is 16 to 1024. +allowed range is 16 to 65536. .Pp .It Cm mask Ar mask-specifier The
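Review bot: the clamp in the ip_dummynet.c hunk (`else if (l > DN_MAX_HASH_SIZE) l = DN_MAX_HASH_SIZE;`) still lets any value between 4 and 65536 through, while the comment added in ip_dummynet.h says the table size must be a power of 2 and the ipfw.8 hunk tells users the allowed range is 16 to 65536; the lower bound therefore differs between code (4) and man page (16), and nothing enforces the power-of-two property on the value stored in `x->rq_size`. Suggest rounding `l` up to the next power of two before `x->rq_size = l;` (or stating in the comment that only DN_MAX_HASH_SIZE itself must be one) and using the same minimum in the code and in ipfw.8.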
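Review bot: the ip_dummynet.h hunk raises the ceiling from 1024 to 65536 buckets without saying what that costs or buys: `x->rq_size` is set per pipe or queue that carries a mask (the `else` branch keeps one bucket for the null mask), so every masked pipe configured at the new maximum gets a 65536-bucket table, and the cover mail gives neither a per-pipe memory figure nor the flow counts that made 1024 buckets too few. Suggest extending the new comment block and the ipfw.8 text with the memory cost per masked pipe and a hint on when a larger net.inet.ip.dummynet.hash_size pays off, so an administrator can choose the value deliberately.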
From owner-freebsd-ipfw Thu Sep 19 10:50:55 2002
From: MIchael
To: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 19 Sep 2002 19:50:54 +0200
Subject: OUCH! Cannot remove rules, count 1
Message-Id: <20020919195054.4040d14a.soppscum@online.no>

I'm getting a lot of "OUCH! cannot remove rules, count 1" in my logs lately.
Does anyone know what this means?

Searching google it seems that it's related to the limit option in ipfw.

I'm running FreeBSD 4.6.2 on a Cyrix166 with 49ram
rules with limit in my firewall script :

$cmd 00641 allow tcp from any to any 2001 in via $oif setup keep-state limit src-addr 4
$cmd 00642 allow udp from any to any 2001 in via $oif keep-state limit src-addr 4
$cmd 00643 allow tcp from any to any 2002 in via $oif setup keep-state limit src-addr 4
$cmd 00644 allow udp from any to any 2002 in via $oif keep-state limit src-addr 4
$cmd 00645 allow tcp from any to any 2003 in via $oif setup keep-state limit src-addr 4
$cmd 00646 allow udp from any to any 2003 in via $oif keep-state limit src-addr 4
$cmd 00600 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
$cmd 00621 allow log tcp from any to me 9000 in via $oif setup keep-state limit src-addr 4
$cmd 00640 reset log tcp from any to me 113 in via $oif limit src-addr 4

Thanks
From: Luigi Rizzo
To: MIchael
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: OUCH! Cannot remove rules, count 1
Message-ID: <20020919115647.A81653@iguana.icir.org>
References: <20020919195054.4040d14a.soppscum@online.no>
In-Reply-To: <20020919195054.4040d14a.soppscum@online.no>; from soppscum@online.no on Thu, Sep 19, 2002 at 07:50:54PM +0200
User-Agent: Mutt/1.2.5.1i

On Thu, Sep 19, 2002 at 07:50:54PM +0200, MIchael wrote:
> I'm getting a lot of "OUCH! cannot remove rules, count 1" in my logs lately
> Does anyone know what this means?

It is a bug in the ipfw1 code.
But also you have a bug in your ruleset too, because you must not
specify both "keep-state" and "limit".

All this is fixed in ipfw2 (which properly flags the invalid rules),
so I suggest you upgrade your firewall code to ipfw2

cheers
luigi

> Searching google it seems that it's related to the limit option in ipfw.
>
> I'm running FreeBSD 4.6.2 on a Cyrix166 with 49ram
> rules with limit in my firewall script :
>
> $cmd 00641 allow tcp from any to any 2001 in via $oif setup keep-state limit src-addr 4
> $cmd 00642 allow udp from any to any 2001 in via $oif keep-state limit src-addr 4
> $cmd 00643 allow tcp from any to any 2002 in via $oif setup keep-state limit src-addr 4
> $cmd 00644 allow udp from any to any 2002 in via $oif keep-state limit src-addr 4
> $cmd 00645 allow tcp from any to any 2003 in via $oif setup keep-state limit src-addr 4
> $cmd 00646 allow udp from any to any 2003 in via $oif keep-state limit src-addr 4
> $cmd 00600 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
> $cmd 00621 allow log tcp from any to me 9000 in via $oif setup keep-state limit src-addr 4
> $cmd 00640 reset log tcp from any to me 113 in via $oif limit src-addr 4
>
> Thanks

From owner-freebsd-ipfw Thu Sep 19 13:28:35 2002
From: mbenadib@calpoly.edu
Date: Thu, 19 Sep 2002 13:27:49 -0700
To: rizzo@icir.org, soppscum@online.no
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: RE: Re: OUCH! Cannot remove rules, count 1

I'm not sure why I'm on this listing, can someone please remove me.. Thanks.

-----Original Message-----
From: rizzo [mailto:rizzo@icir.org]
Sent: Thursday, September 19, 2002 11:57 AM
To: soppscum
Cc: rizzo; freebsd-ipfw
Subject: Re: OUCH! Cannot remove rules, count 1
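The ruleset error Luigi points out, as an added lint script that is not from the thread or from the ipfw project: it flags rules that combine "keep-state" with "limit" and rewrites them with "keep-state" removed, since "limit" already creates the dynamic rule. The sample rules are constructed from the shapes in Michael's post, with $cmd and $oif kept as literal text.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ipfw rule script for rules that
# carry both "keep-state" and "limit", the combination Luigi says must not be
# specified, and emit a corrected copy with "keep-state" dropped ("limit"
# already creates the dynamic rule, so that is the keyword worth keeping).

# Constructed sample in the shape of the original post's rules; "$cmd" and
# "$oif" are left as literal text because only the rule syntax is inspected.
SAMPLE_RULES='$cmd 00641 allow tcp from any to any 2001 in via $oif setup keep-state limit src-addr 4
$cmd 00642 allow udp from any to any 2001 in via $oif keep-state limit src-addr 4
$cmd 00600 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
$cmd 00640 reset log tcp from any to me 113 in via $oif limit src-addr 4
$cmd 00650 allow tcp from any to me 22 in via $oif setup keep-state'

# Print every rule line on stdin that has both keywords; prints nothing when clean.
find_bad_rules() {
    awk '/keep-state/ && /(^|[ \t])limit([ \t]|$)/'
}

# Number of offending rules in the ruleset text given as $1 (always exits 0).
count_bad_rules() {
    printf '%s\n' "$1" | awk '/keep-state/ && /(^|[ \t])limit([ \t]|$)/ { n++ } END { print n + 0 }'
}

# Corrected ruleset: on lines that use "limit", remove the redundant "keep-state".
# Lines that use only keep-state (no limit) are left untouched.
fix_rules() {
    printf '%s\n' "$1" | sed -E '/(^|[[:space:]])limit([[:space:]]|$)/ s/[[:space:]]+keep-state//'
}

# When run directly: report the offenders on stderr, then print the corrected ruleset.
if [ "$(count_bad_rules "$SAMPLE_RULES")" != 0 ]; then
    echo "rules combining keep-state and limit:" >&2
    printf '%s\n' "$SAMPLE_RULES" | find_bad_rules >&2
fi
fix_rules "$SAMPLE_RULES"
```

On an ipfw2 host the kernel flags such rules itself, as Luigi notes; the lint is for checking a script before it is loaded on an ipfw1 host.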