IPFW Dummynet Bridge Limiting
vladone
vladone at spaingsm.com
Wed Jul 12 22:48:34 UTC 2006
Hello Adam,
Wednesday, July 12, 2006, 9:13:11 PM, you wrote:
> Hey all,
>
> I have searched and searched and searched and can't seem to
> come up with the answer to this little mystery I have going on here.
> Maybe I could get some help from this large group of people who are much
> smarter than I am. I have a FreeBSD machine running 6.1-RC that has
> three NICs, two of which are acting as a bridge. It's a pretty standard
> setup. What I am attempting to accomplish is bandwidth limiting using
> dummynet over this bridge. Here's the network layout:
>
> INTERNET ---- Core Router ---- Bridge (limiter) ---- Border Router ---- Customer Base
>
> The reason for the bridge between two routers is because we
> also have our server farm between those routers. The customer base
> consists of multiple routed networks and they all get public IPs. The
> problem I'm having is that the bridge is not limiting any of the
> customer IPs. I see packets flowing through the IPFW rules but they're
> not being passed to the pipes. I will show the configuration
> momentarily. The weird thing is, I am able to unplug the Border Router
> from this whole setup and plug a laptop into the bridge and set it up
> so the laptop IP is limited. This setup works fine and I can limit the
> laptop the way I expect the rest of the network to be. Here's my
> configuration with the Border Router plugged in and the 216.19.50.37 IP
> being used in the "Customer Base":
>
> ---Kernel Config---
> options SMP # Symmetric MultiProcessor Kernel
> options IPFIREWALL # Firewall support
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
> options DUMMYNET # Traffic limiting
> options BRIDGE
> options HZ=1000 # strongly recommended by dummynet(4)
> device apic # I/O APIC
>
> ---Sysctl---
> net.inet.ip.fw.enable=1
> net.inet.ip.fw.one_pass=1
> net.link.ether.bridge_cfg=em0,em1
> net.link.ether.bridge.enable=1
> net.link.ether.bridge_ipfw=1
> net.inet.ip.fw.dyn_buckets=256
> net.inet.ip.fw.curr_dyn_buckets=256
>
> ---rc.conf---
> defaultrouter="[mydefaultrouter]"
> hostname="[myhostname]"
> ifconfig_bge0="[mymanagementinterface]"
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm em0 addm em1 up"
> ifconfig_em0="up"
> ifconfig_em1="up"
> sshd_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall.bwmg" # this just runs ipfw with the rules supplied in custom_firewall below
> firewall_quiet="NO"
> firewall_logging="YES"
> firewall_flags=""
>
> ---ifconfig----
> -snip-
> em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> ether 00:04:23:cb:60:aa
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> ether 00:04:23:cb:60:ab
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet 127.0.0.1 netmask 0xff000000
> bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> ether ac:de:48:ce:fe:5c
> priority 32768 hellotime 2 fwddelay 15 maxage 20
> member: em1 flags=3<LEARNING,DISCOVER>
> member: em0 flags=3<LEARNING,DISCOVER>
>
> ---custom_firewall---
> -q flush
> -q queue flush
> -q pipe flush
> add 1 allow all from any to any via lo0
> add 2 deny all from any to 127.0.0.0/8
> add 3 deny all from 127.0.0.0/8 to any
> add 4 skipto 65534 all from any to any via bge0
> add 65534 allow all from any to any
> add 100 pipe 100 config bw 100Kbit/s
> add 10 pipe 100 all from any to 216.19.50.37 recv em0
>
> # ipfw show 10
> 00010 11430 925353 pipe 100 all from any to 216.19.50.37 recv em0
>
> # ipfw pipe show 100
> 00100: 100.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 icmp 216.109.112.135/0     216.19.50.37/0        11434 925679  0 0 0
>
> I have tried many different configurations including
> changing net.inet.ip.fw.one_pass to 0, changing the ipfw rule to recv
> and xmit on BOTH devices of the bridge, changing the ipfw rule from all
> to tcp and ip, and changing the rule from "any to 216.19.50.37" to
> "216.19.50.37 to any" (recv and xmit on both interfaces). I've also
> tried the kernel without IPDIVERT and with if_bridge. As I stated
> before, the odd thing is that when I plug directly into it with an IP of
> 216.19.0.225 (can't use the other one here) and modify the rules to
> reflect the new IP, the limiting works just fine. I have a feeling this
> is where the problem is, but I can't quite think of any reason why this
> wouldn't work. Previously, I had a Linux machine running TC installed in
> place of this machine but I personally prefer FreeBSD and feel ipfw is
> easier to configure than tc. The Linux machine worked just fine.
>
> Could anyone possibly help with this little problem? I'm
> stuck. Also, if I forgot to include any information, I apologize. I'm a
> bit spacey when I write emails. Just let me know what I missed and I can
> explain further. Thanks.
>
> Adam
I don't use the bridge, but here are some things that may help you:
1. Use the correct sysctl variable form: net.link.ether.bridge.ipfw
instead of net.link.ether.bridge_ipfw (probably a typo).
2. Read the end of the bridge man page, and the part about the
net.inet.ip.fw.one_pass variable:
"Also remember that bridged packets are accepted after the first pass
through the firewall irrespective of the setting of the sysctl variable
net.inet.ip.fw.one_pass, and that some ipfw(8) actions such as divert do
not apply to bridged packets. It might be useful to have a rule of the
form
skipto 20000 ip from any to any bridged
"
3. Luigi Rizzo says in his documentation: "there is always one pass for
bridged packets".
--
Best regards,
vladone mailto:vladone at spaingsm.com
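The following script is an added example and is not code from this thread or from FreeBSD. It turns the two points in the reply into something you can drop into a firewall_script: the pipe is configured with a standalone "pipe N config" command before any rule references it, an early "skipto ... bridged" rule sends bridged traffic straight to the pipe rules so they are reached on the single pass bridged packets get, and a small lint function flags the underscore sysctl spelling. Assumptions not stated on the page: em0 faces the core router and em1 faces the border router, bge0 is the management interface, and pipes 100 and 101 are unused.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipfw ruleset for a dummynet
# bridge limiter and lint the bridge sysctl names mentioned in the reply.
#
# Assumed topology: em0 -> core router side, em1 -> border router side,
# bge0 -> management interface. Pipes 100/101 are assumed free.

# Emit rules in the file format ipfw(8) reads ("ipfw -q /etc/rc.firewall.bwmg"),
# the same layout as the custom_firewall block in the question.
# $1 = customer address to limit, $2 = rate towards the customer,
# $3 = rate from the customer (defaults to $2).
gen_bridge_limiter_rules() {
    cust_ip="$1"
    down_bw="$2"
    up_bw="${3:-$2}"
    printf '%s\n' \
        "-q flush" \
        "-q pipe flush" \
        "pipe 100 config bw $down_bw" \
        "pipe 101 config bw $up_bw" \
        "add 1 allow all from any to any via lo0" \
        "add 2 deny all from any to 127.0.0.0/8" \
        "add 3 deny all from 127.0.0.0/8 to any" \
        "add 4 skipto 65534 all from any to any via bge0" \
        "add 5 skipto 20000 ip from any to any bridged" \
        "add 20000 pipe 100 ip from any to $cust_ip recv em0" \
        "add 20010 pipe 101 ip from $cust_ip to any recv em1" \
        "add 65534 allow all from any to any"
}

# Read "name=value" lines on stdin and report the underscore spellings of the
# bridge(4) sysctls. Prints one "name -> hint" line per hit; returns 1 when
# anything was flagged, 0 when the input is clean.
lint_bridge_sysctls() {
    hits=0
    while IFS='=' read -r name value; do
        case "$name" in
            net.link.ether.bridge_ipfw)
                echo "$name -> net.link.ether.bridge.ipfw" ;;
            net.link.ether.bridge_*)
                echo "$name -> check bridge(4) for the net.link.ether.bridge.* name" ;;
            *) continue ;;
        esac
        hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# Stand-alone use: ./limiter.sh 216.19.50.37 100Kbit/s [50Kbit/s]
if [ $# -ge 1 ]; then
    gen_bridge_limiter_rules "$@"
fi
```

Because bridged packets are accepted after their first pass regardless of net.inet.ip.fw.one_pass, nothing after the pipe rules ever sees bridged traffic, which is why the whole limiter lives in the block that the "bridged" skipto jumps to. Note also that the rc.conf in the question creates bridge0 with cloned_interfaces, which is if_bridge(4) rather than the BRIDGE kernel option; if_bridge(4) has its own sysctl, net.link.bridge.ipfw, that must be set to 1 for ipfw and dummynet to see bridged frames.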