Re: ipfw+dummynet bandwidth control for multi-ip jail

Jeremie Le Hen jeremie at le-hen.org
Sat Jul 23 09:35:44 GMT 2005


Hi,

> I get this from the ipfw(8) man page:
> "whereas when dynamic queues are used, each flow will share the
> parent's pipe bandwidth evenly with other flows generated by the same
> queue".
>
> Can we use different weight for the queues, so that the share is not 
> even?

Yes, it is possible indeed, but I think this would require manually
setting each queue, since dynamic ones will always have the same parameters.

> And, why not use the jail id (prisonID)? How to use the jail IP?
> I am confused about the mask src-ip/dst-ip. Can you explain it for me?

The example rules I gave you use the IP addresses because you can't
simply use dynamic queues with the prison ID since the "mask" keyword
only supports source and destination IP addresses (and ports).  If you
really want to use prison ID, you will have to manually set each queue
again.

To understand how the "mask" keyword works, try to imagine that you are
building a router for multiple /24 subnets.  You want to assign a
symmetrical bandwidth of 1 MBits/s to each.  In order to be as complete
as possible, let's say we are routing 10 subnets but we only have
a symmetrical 8 MBits/s link:

%%%
    # Upload
    # ipfw(8) requires the unit to follow the number with no space.
    ipfw pipe 1 config bw 8Mbit/s
    ipfw queue 1 config weight 12 pipe 1 mask src-ip 0xffffff00

    # Download
    ipfw pipe 2 config bw 8Mbit/s
    ipfw queue 2 config weight 12 pipe 2 mask dst-ip 0xffffff00

    # fxp0 is the interface on the Internet side, these rules won't work
    # if you use them after NAT'ing packets, in which case you should
    # use them on the routed subnet's side.
    ipfw add queue 1 all from any to any xmit fxp0
    ipfw add queue 2 all from any to any recv fxp0
%%%

With the 0xffffff00 mask (corresponding to a /24), only the network
part will be used to identify the queue to use.

Which means:

    152.17.111.15, 152.17.111.24 and 152.17.111.232 will use the same
    dynamic queue.

    152.17.112.72, 152.17.112.99 and 152.17.112.187 will use the same
    dynamic queue too, but not the same one as above.

    And so on.

Note that we use a weight of 12 because this is about 1/8 of 100,
thus each client will be assigned about 1/8 of 8 MBits/s, or in other
words: 1 MBits/s.  When all 10 subnets are in use, the pipe
will limit the whole bandwidth to 8 MBits/s, limiting almost equally
all subnets.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
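
Added example (not part of the original message): a small Python model of how the "mask" value selects a dynamic queue, using the addresses quoted above. HOST_MASK and the function names are assumptions for illustration; even_share assumes every queue is busy and has the same weight, per the ipfw(8) sentence quoted at the top of the thread.

```python
import ipaddress
from collections import defaultdict

NET_MASK = 0xFFFFFF00    # "mask src-ip 0xffffff00" from the message: one queue per /24
HOST_MASK = 0xFFFFFFFF   # assumption for comparison: one queue per single address
PIPE_BW = 8_000_000      # parent pipe bandwidth in bit/s (8 Mbit/s)


def queue_key(addr, mask=NET_MASK):
    """Masked address that identifies the dynamic queue for this packet."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & mask))


def group_by_queue(addrs, mask=NET_MASK):
    """Map each dynamic-queue key to the addresses that fall into it."""
    queues = defaultdict(list)
    for addr in addrs:
        queues[queue_key(addr, mask)].append(addr)
    return dict(queues)


def even_share(queue_count, pipe_bw=PIPE_BW):
    """Bandwidth per queue when all queues are busy and have the same weight."""
    if queue_count < 1:
        raise ValueError("need at least one active queue")
    return pipe_bw / queue_count


# Addresses quoted in the message above.
SAMPLE = [
    "152.17.111.15", "152.17.111.24", "152.17.111.232",
    "152.17.112.72", "152.17.112.99", "152.17.112.187",
]

if __name__ == "__main__":
    for key, members in group_by_queue(SAMPLE).items():
        print(key, members)
    print(len(group_by_queue(SAMPLE, HOST_MASK)), "queues with a per-host mask")
    print(even_share(10), "bit/s per subnet with all 10 subnets busy")
```

With a full 32-bit mask every address gets its own dynamic queue, which is the per-jail-IP case this thread started from.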