Notes on using dummynet with if_bridge

John Nielsen lists at jnielsen.net
Fri Apr 7 17:58:17 UTC 2006 

I spent some time yesterday figuring out how to use dummynet and if_bridge (on 
a FreeBSD 6.x system) together to create a standalone rate-limiting device 
for simulating various types of links.  I had some trouble and started to 
write a message asking for guidance, but was able to solve my problem as a 
result of describing it clearly.

So I'm posting my setup as a reference for anyone else in the same situation. 
(I admit to being self-serving by doing so, since I'll inevitably want this 
information again in the future when I don't have access to the system I'm 
working on currently.)  Comments are welcome but not needed (i.e. "it 
works").

### From the kernel config:
options IPFIREWALL
options DUMMYNET

### From /boot/loader.conf:
if_bridge_load="YES"

### From /etc/sysctl.conf
net.inet.ip.fw.one_pass=0
net.link.bridge.ipfw=1
# values below are defaults, included for reference
#net.inet.ip.fw.enable=1
#net.link.ether.ipfw=0
#net.link.bridge.pfil_member=0
#net.link.bridge.pfil_bridge=0
#net.link.bridge.pfil_onlyip=0

### From /etc/rc.conf:
ifconfig_rl0="DHCP"	# Admin interface
ifconfig_fxp0="up"	# "Client" side
ifconfig_xl0="up"		# "Server" side
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm xl0 up"
firewall_enable="YES"
firewall_script="/etc/rc.firewall.jcn"

### /etc/rc.firewall.jcn
#!/bin/sh
ipfw -q /etc/ipfw.conf

### /etc/ipfw.conf
# flush old rules, queues and pipes.
flush
queue flush
pipe flush

# server->clients
pipe 1 config bw 30Kbit/s delay 150 mask dst-ip 0xffffffff

# clients->server
pipe 2 config bw 30Kbit/s delay 150 mask src-ip 0xffffffff

# Localhost
add allow all from any to any via lo0
add deny all from any to 127.0.0.0/8
add deny all from 127.0.0.0/8 to any

# Admin interface
add skipto 60000 all from any to any via rl0

# server->clients
add pipe 1 all from any to any out recv xl0
add skipto 60000 all from any to any out recv xl0

# clients->server
add pipe 2 all from any to any out xmit xl0
add skipto 60000 all from any to any out xmit xl0

# Allow everything through
add 60000 allow all from any to any

###

Simple, no? :)

JN

More information about the freebsd-ipfw mailing list