IPFW DUMMYNET: Several pipes after each other

Sebastian Mellmann sebastian.mellmann at net.t-labs.tu-berlin.de
Mon Jan 26 02:16:20 PST 2009 

Ian Smith wrote:
On Thu, 22 Jan 2009 08:10:09 +0100 (CET)
>  >
>  > So far I've got those rules:
>  >
>  > in_if="em0"
>  > out_if="em1"
>  > management_if="em2"
>  > in_ip="100.100.100.1"
>  > out_ip="200.200.200.1"
>  > management_ip="172.16.0.201"
>  > client1_subnet="192.168.5.0/26"
>  > client2_subnet="192.168.6.0/26"
>  > server_subnet="192.168.7.0/24"
>  >
>  > download_bandwidth="6144Kbit/s"
>  > upload_bandwidth="1024Kbit/s"
>  > delay="0"
>  > queue_size="10"
>
> 10 slots ie packets is likely too small a queue size at these rates.
> You want to check the dropped packet stats from 'ipfw pipe show' re
> that; see the section in ipfw(8) about calculating sizes / delays.
>

I had a look at the ipfw howto on the freebsd site [1], but I'm not 100%
sure how to choose a "good" value for the queue size.

If I choose the default (50 packets) it means that it takes approx. 100ms
(600kbits / 6144kbits) to fill the queue.
So the question is: Which value to choose for the queue?

> I suggest using 'in recv' and 'out xmit' rather than via for these, for
> the sake of clarity.  'in recv' and 'in via' come to the same thing, as
> only the receive interface is known on inbound packets, but 'out via'
> applies to packets that were *received* on the specified interface as
> well as those going out on that interface after routing, which can lead
> to surprising results sometimes, and being more specific never hurts ..

Thanks for the hint.
I'll change that.

>  > But when I have a look at the pipes with 'ipfw show' I can only see
>  > packets go through the pipe 50 and nothing goes through the other pipes
>  > (which makes sense actually since IPFW work that way?).
>
> IPFW works that way if you (likely) have net.inet.ip.fw.one_pass=1 .. so
> that packets exiting from pipes aren't seen by the firewall again.  If
> you set one_pass=0, packets are reinjected into the firewall at the rule
> following the pipe (or queue) action, which is what you want to do here.

Actually this is also described in the manpage of ipfw(8).
Shame on me ;-)

> And you'll surely need a much larger queue for this pipe, at 100Mbit/s.
>

As already asked above:

How do I know the queue is large or small enough for my needs?


> cheers, Ian

Regards,
Sebastian

[1] http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

More information about the freebsd-questions mailing list