layer2 filtering and dummynet, bw reduced by half
Hello,
I am doing some simple tests in a specific enviroment where layer2
filtering and dummynet will work together. There is a complex set of FW
rules, which showed a behaviour where, whenever I turn layer2 filtering
on, dummynet configured pipes get the configured BW reduced by half. To
check it out I reduced the production ruleset into a few, simple and
clear set of rules in a testing enviroment.
The current rules are:
layer2() {
ipfw add skipto 400 all from any to any mac-type ip,arp layer2
ipfw add deny all from any to any layer2
}
countlog() {
ipfw add 400 count log all from any to any in
ipfw add 401 count log all from any to any out
}
pipe() {
ipfw add pipe 1 all from any to 172.16.52.254/32 in
ipfw add pipe 2 all from 172.16.52.254/32 to any out
ipfw pipe 1 config bw 64Kbps queue 5
ipfw pipe 2 config bw 64Kbps queue 5
}
Very simple, nothing special.
FYI, one_pass feature for ipfw is '1' (default).
When net.link.ether.ipfw=0, dummynet works perfectly. The piped IP
address can only up/down at the configured speed. But when I turn
net.link.ether.ipfw=1 the maximum speedk gets reduced exactly by half,
just like if I had pipes configured at 32Kbps.
I have tested even without any layer2 rule loaded. The behaviour is just
the same.
I am not sure what might be causing this weird behaviour. Is there any
thing that should be tunned up? Any ideas on why it happens, and how to
deal with it instead of configuring bw by 2 to get the desired speed? If
there is a logical reason for that which I ignore, there is no problem
in * it by 2, but I would like to hear about it, technically, which is
the reason.
And specially, if it something I am doing wrong, I would appreciate if
someone could point it out.
Thank you a lot :-)
--
Patrick Tracanelli
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: layer2 filtering and dummynet, bw reduced by half
you are passing traffic through the pipe twice.
you have to decide if your rules should apply tto
layer2 or not and write the rules accordingly
luigi
On Mon, Oct 03, 2005 at 01:07:56PM -0300, Patrick Tracanelli wrote:
Hello,
I am doing some simple tests in a specific enviroment where layer2
filtering and dummynet will work together. There is a complex set of FW
rules, which showed a behaviour where, whenever I turn layer2 filtering
on, dummynet configured pipes get the configured BW reduced by half. To
check it out I reduced the production ruleset into a few, simple and
clear set of rules in a testing enviroment.
The current rules are:
layer2() {
ipfw add skipto 400 all from any to any mac-type ip,arp layer2
ipfw add deny all from any to any layer2
}
countlog() {
ipfw add 400 count log all from any to any in
ipfw add 401 count log all from any to any out
}
pipe() {
ipfw add pipe 1 all from any to 172.16.52.254/32 in
ipfw add pipe 2 all from 172.16.52.254/32 to any out
ipfw pipe 1 config bw 64Kbps queue 5
ipfw pipe 2 config bw 64Kbps queue 5
}
Very simple, nothing special.
FYI, one_pass feature for ipfw is '1' (default).
When net.link.ether.ipfw=0, dummynet works perfectly. The piped IP
address can only up/down at the configured speed. But when I turn
net.link.ether.ipfw=1 the maximum speedk gets reduced exactly by half,
just like if I had pipes configured at 32Kbps.
I have tested even without any layer2 rule loaded. The behaviour is just
the same.
I am not sure what might be causing this weird behaviour. Is there any
thing that should be tunned up? Any ideas on why it happens, and how to
deal with it instead of configuring bw by 2 to get the desired speed? If
there is a logical reason for that which I ignore, there is no problem
in * it by 2, but I would like to hear about it, technically, which is
the reason.
And specially, if it something I am doing wrong, I would appreciate if
someone could point it out.
Thank you a lot :-)
--
Patrick Tracanelli
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: layer2 filtering and dummynet, bw reduced by half
Luigi Rizzo wrote:
you are passing traffic through the pipe twice.
you have to decide if your rules should apply tto
layer2 or not and write the rules accordingly
Why are they going twice through the pipe? When net.link.ether.ipfw=1
you pass it through all rules twice? first match wins does not apply?
How should it be made to do it passing only once? I have just tried:
ipfw add 400 count log all from any to any in layer2
ipfw add 401 count log all from any to any out layer2
Where hopefully it would be passed only once (when passing layer2 rules)
but it did not.
How could the rules be written to filter layer2 instead, in the given
circunstances? 'Cos you say it should be written to apply to layer2 or
not, and write the rules accordingly, but in the following circunstance:
0040054 4566 count log ip from any to any in
0040142 4300 count log ip from any to any out
0050116 1616 pipe 1 ip from any to 172.16.52.254 in
0060116 1428 pipe 2 ip from 172.16.52.254 to any out
65535 22052 10476881 allow ip from any to any
There is no layer2 rule, but if net.link.ether.ipfw=1 the /2 bw limiting
happens again. So it does not seem to be a matter of how to write the
rules, but instead, to have net.link.ether.ipfw=1 or not.
Or did I miss some point?
layer2() {
ipfw add skipto 400 all from any to any mac-type ip,arp layer2
ipfw add deny all from any to any layer2
}
countlog() {
ipfw add 400 count log all from any to any in
ipfw add 401 count log all from any to any out
}
pipe() {
ipfw add pipe 1 all from any to 172.16.52.254/32 in
ipfw add pipe 2 all from 172.16.52.254/32 to any out
ipfw pipe 1 config bw 64Kbps queue 5
ipfw pipe 2 config bw 64Kbps queue 5
}
--
Patrick Tracanelli
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: layer2 filtering and dummynet, bw reduced by half
see the ipfw manpage near the eginning with the graph
showing the packet flow.
layer2 means the rule matches only on layer2.
not layer2 matches only on layer 3.
if you don't put anything, it matches both layer2 and layer3.
luigi
On Mon, Oct 03, 2005 at 01:27:39PM -0300, Patrick Tracanelli wrote:
Luigi Rizzo wrote:
you are passing traffic through the pipe twice.
you have to decide if your rules should apply tto
layer2 or not and write the rules accordingly
Why are they going twice through the pipe? When net.link.ether.ipfw=1
you pass it through all rules twice? first match wins does not apply?
How should it be made to do it passing only once? I have just tried:
ipfw add 400 count log all from any to any in layer2
ipfw add 401 count log all from any to any out layer2
Where hopefully it would be passed only once (when passing layer2 rules)
but it did not.
How could the rules be written to filter layer2 instead, in the given
circunstances? 'Cos you say it should be written to apply to layer2 or
not, and write the rules accordingly, but in the following circunstance:
0040054 4566 count log ip from any to any in
0040142 4300 count log ip from any to any out
0050116 1616 pipe 1 ip from any to 172.16.52.254 in
0060116 1428 pipe 2 ip from 172.16.52.254 to any out
65535 22052 10476881 allow ip from any to any
There is no layer2 rule, but if net.link.ether.ipfw=1 the /2 bw limiting
happens again. So it does not seem to be a matter of how to write the
rules, but instead, to have net.link.ether.ipfw=1 or not.
Or did I miss some point?
layer2() {
ipfw add skipto 400 all from any to any mac-type ip,arp layer2
ipfw add deny all from any to any layer2
}
countlog() {
ipfw add 400 count log all from any to any in
ipfw add 401 count log all from any to any out
}
pipe() {
ipfw add pipe 1 all from any to 172.16.52.254/32 in
ipfw add pipe 2 all from 172.16.52.254/32 to any out
ipfw pipe 1 config bw 64Kbps queue 5
ipfw pipe 2 config bw 64Kbps queue 5
}
--
Patrick Tracanelli
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]
