layer2 filtering and dummynet, bw reduced by half
Hello, I am doing some simple tests in a specific enviroment where layer2 filtering and dummynet will work together. There is a complex set of FW rules, which showed a behaviour where, whenever I turn layer2 filtering on, dummynet configured pipes get the configured BW reduced by half. To check it out I reduced the production ruleset into a few, simple and clear set of rules in a testing enviroment. The current rules are: layer2() { ipfw add skipto 400 all from any to any mac-type ip,arp layer2 ipfw add deny all from any to any layer2 } countlog() { ipfw add 400 count log all from any to any in ipfw add 401 count log all from any to any out } pipe() { ipfw add pipe 1 all from any to 172.16.52.254/32 in ipfw add pipe 2 all from 172.16.52.254/32 to any out ipfw pipe 1 config bw 64Kbps queue 5 ipfw pipe 2 config bw 64Kbps queue 5 } Very simple, nothing special. FYI, one_pass feature for ipfw is '1' (default). When net.link.ether.ipfw=0, dummynet works perfectly. The piped IP address can only up/down at the configured speed. But when I turn net.link.ether.ipfw=1 the maximum speedk gets reduced exactly by half, just like if I had pipes configured at 32Kbps. I have tested even without any layer2 rule loaded. The behaviour is just the same. I am not sure what might be causing this weird behaviour. Is there any thing that should be tunned up? Any ideas on why it happens, and how to deal with it instead of configuring bw by 2 to get the desired speed? If there is a logical reason for that which I ignore, there is no problem in * it by 2, but I would like to hear about it, technically, which is the reason. And specially, if it something I am doing wrong, I would appreciate if someone could point it out. Thank you a lot :-) -- Patrick Tracanelli ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: layer2 filtering and dummynet, bw reduced by half
you are passing traffic through the pipe twice. you have to decide if your rules should apply tto layer2 or not and write the rules accordingly luigi On Mon, Oct 03, 2005 at 01:07:56PM -0300, Patrick Tracanelli wrote: Hello, I am doing some simple tests in a specific enviroment where layer2 filtering and dummynet will work together. There is a complex set of FW rules, which showed a behaviour where, whenever I turn layer2 filtering on, dummynet configured pipes get the configured BW reduced by half. To check it out I reduced the production ruleset into a few, simple and clear set of rules in a testing enviroment. The current rules are: layer2() { ipfw add skipto 400 all from any to any mac-type ip,arp layer2 ipfw add deny all from any to any layer2 } countlog() { ipfw add 400 count log all from any to any in ipfw add 401 count log all from any to any out } pipe() { ipfw add pipe 1 all from any to 172.16.52.254/32 in ipfw add pipe 2 all from 172.16.52.254/32 to any out ipfw pipe 1 config bw 64Kbps queue 5 ipfw pipe 2 config bw 64Kbps queue 5 } Very simple, nothing special. FYI, one_pass feature for ipfw is '1' (default). When net.link.ether.ipfw=0, dummynet works perfectly. The piped IP address can only up/down at the configured speed. But when I turn net.link.ether.ipfw=1 the maximum speedk gets reduced exactly by half, just like if I had pipes configured at 32Kbps. I have tested even without any layer2 rule loaded. The behaviour is just the same. I am not sure what might be causing this weird behaviour. Is there any thing that should be tunned up? Any ideas on why it happens, and how to deal with it instead of configuring bw by 2 to get the desired speed? If there is a logical reason for that which I ignore, there is no problem in * it by 2, but I would like to hear about it, technically, which is the reason. And specially, if it something I am doing wrong, I would appreciate if someone could point it out. Thank you a lot :-) -- Patrick Tracanelli ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: layer2 filtering and dummynet, bw reduced by half
Luigi Rizzo wrote: you are passing traffic through the pipe twice. you have to decide if your rules should apply tto layer2 or not and write the rules accordingly Why are they going twice through the pipe? When net.link.ether.ipfw=1 you pass it through all rules twice? first match wins does not apply? How should it be made to do it passing only once? I have just tried: ipfw add 400 count log all from any to any in layer2 ipfw add 401 count log all from any to any out layer2 Where hopefully it would be passed only once (when passing layer2 rules) but it did not. How could the rules be written to filter layer2 instead, in the given circunstances? 'Cos you say it should be written to apply to layer2 or not, and write the rules accordingly, but in the following circunstance: 0040054 4566 count log ip from any to any in 0040142 4300 count log ip from any to any out 0050116 1616 pipe 1 ip from any to 172.16.52.254 in 0060116 1428 pipe 2 ip from 172.16.52.254 to any out 65535 22052 10476881 allow ip from any to any There is no layer2 rule, but if net.link.ether.ipfw=1 the /2 bw limiting happens again. So it does not seem to be a matter of how to write the rules, but instead, to have net.link.ether.ipfw=1 or not. Or did I miss some point? layer2() { ipfw add skipto 400 all from any to any mac-type ip,arp layer2 ipfw add deny all from any to any layer2 } countlog() { ipfw add 400 count log all from any to any in ipfw add 401 count log all from any to any out } pipe() { ipfw add pipe 1 all from any to 172.16.52.254/32 in ipfw add pipe 2 all from 172.16.52.254/32 to any out ipfw pipe 1 config bw 64Kbps queue 5 ipfw pipe 2 config bw 64Kbps queue 5 } -- Patrick Tracanelli ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: layer2 filtering and dummynet, bw reduced by half
see the ipfw manpage near the eginning with the graph showing the packet flow. layer2 means the rule matches only on layer2. not layer2 matches only on layer 3. if you don't put anything, it matches both layer2 and layer3. luigi On Mon, Oct 03, 2005 at 01:27:39PM -0300, Patrick Tracanelli wrote: Luigi Rizzo wrote: you are passing traffic through the pipe twice. you have to decide if your rules should apply tto layer2 or not and write the rules accordingly Why are they going twice through the pipe? When net.link.ether.ipfw=1 you pass it through all rules twice? first match wins does not apply? How should it be made to do it passing only once? I have just tried: ipfw add 400 count log all from any to any in layer2 ipfw add 401 count log all from any to any out layer2 Where hopefully it would be passed only once (when passing layer2 rules) but it did not. How could the rules be written to filter layer2 instead, in the given circunstances? 'Cos you say it should be written to apply to layer2 or not, and write the rules accordingly, but in the following circunstance: 0040054 4566 count log ip from any to any in 0040142 4300 count log ip from any to any out 0050116 1616 pipe 1 ip from any to 172.16.52.254 in 0060116 1428 pipe 2 ip from 172.16.52.254 to any out 65535 22052 10476881 allow ip from any to any There is no layer2 rule, but if net.link.ether.ipfw=1 the /2 bw limiting happens again. So it does not seem to be a matter of how to write the rules, but instead, to have net.link.ether.ipfw=1 or not. Or did I miss some point? layer2() { ipfw add skipto 400 all from any to any mac-type ip,arp layer2 ipfw add deny all from any to any layer2 } countlog() { ipfw add 400 count log all from any to any in ipfw add 401 count log all from any to any out } pipe() { ipfw add pipe 1 all from any to 172.16.52.254/32 in ipfw add pipe 2 all from 172.16.52.254/32 to any out ipfw pipe 1 config bw 64Kbps queue 5 ipfw pipe 2 config bw 64Kbps queue 5 } -- Patrick Tracanelli ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to [EMAIL PROTECTED]