From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 1 16:03:35 2003
Date: Mon, 1 Dec 2003 16:03:55 -0800 (PST)
From: Jon Simola
To: freebsd-ipfw@freebsd.org
In-Reply-To: <3A04E74D-225C-11D8-98F0-003065F1EE08@edgefocus.com>
Message-ID: <20031201154231.M38868-100000@tyberius.abccom.bc.ca>
Subject: Re: MAN page example vs. this?
List-Id: IPFW Technical Discussions

On Sat, 29 Nov 2003, Sean Hafeez wrote:

> The man page has this example:
>
> ipfw add pipe 1 ip from 192.168.2.0/24 to any out
> ipfw add pipe 2 ip from any to 192.168.2.0/24 in
> ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
> ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
>
> The man page says this does:
>
> ...is limiting the outbound traffic on a net with per-host limits,
> rather than per-network limits...
>
> My first question: is this just outbound? It seems to me that pipe 1 is
> the outbound limit and pipe 2 is an inbound limit, so this is a symmetric
> link? Am I reading this wrong?

You're right, there are 2 queues defined, one for each direction.

> Second, the mask only applies to the last octet of the IP address (ff),
> correct? So each host is both the outbound user and the upstream target
> (i.e. www.cnn.com)?

The host 192.168.2.3 would be limited to sending 200Kbits/sec and receiving
200Kbits/sec total, regardless of what other IPs it is talking to.

> Now here is what I got from somewhere else. I am limiting each host (IP
> address) to 200kbits/s. rl1 is the internal interface to the users.
>
> ipfw add pipe 1 ip from any to any in recv rl1
> ipfw add pipe 2 ip from any to any out xmit rl1
> ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s
>
> Are these 2 examples functionally the same? If not, what is the
> difference?

You're forcing the interface. Be careful, as packets may flow through in ways
you don't expect.

> Also in the first example, if the network was changed to
> 192.168.0.0/23, the mask would be 0x000003ff (255.255.254.0)? It is a
> reverse mask like a Cisco, right?

That mask has nothing to do with a network mask. It's a simple bitmask, used to
pick out the bits in the src/dst ip/port combinations that are used to hash the
packets into a unique bucket. If you used "mask src-ip 0x00000001" you would be
sorting the packets into buckets (and queues) based on whether the source IP's
last octet was even or odd.

My setup looks like (for doing traffic usage on a /24):

ipfw pipe 1 config mask src-ip 0xffffffff buckets 512
ipfw add 100 pipe 1 ip src-ip 192.168.0.0/24
ipfw pipe 2 config mask dst-ip 0xffffffff buckets 512
ipfw add 101 pipe 2 ip dst-ip 192.168.0.0/24

If I was curious about how much traffic each of my /28's was doing:

ipfw pipe 3 config mask src-ip 0xfffffff0 buckets 512
ipfw add 105 pipe 3 ip src-ip 192.168.4.0/24
ipfw pipe 4 config mask dst-ip 0xfffffff0 buckets 512
ipfw add 106 pipe 4 ip dst-ip 192.168.4.0/24

---
Jon Simola            | "In the near future - corporate networks
Systems Administrator | reach out to the stars, electrons and light
ABC Communications    | flow throughout the universe." -- GITS
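The bitmask behaviour Jon describes, as an added example that is not part of the post or of ipfw/dummynet itself: a small Python model that ANDs a pipe's src-ip/dst-ip mask into each packet's flow key and counts the distinct dynamic queues that result, so 0xffffffff (per host), 0xfffffff0 (per /28), 0x000000ff (last octet only) and 0x00000001 (even/odd) can be compared on a constructed packet sample.

```python
import ipaddress

# Constructed sample traffic (not from the post): several hosts in 192.168.4.0/24
# plus one host in the neighbouring /24 talking to two outside peers.
SAMPLE = [
    {"src": "192.168.4.1",  "dst": "203.0.113.5"},
    {"src": "192.168.4.1",  "dst": "203.0.113.6"},   # same host, second peer
    {"src": "192.168.4.2",  "dst": "203.0.113.5"},
    {"src": "192.168.4.17", "dst": "203.0.113.5"},   # second /28
    {"src": "192.168.4.18", "dst": "203.0.113.5"},
    {"src": "192.168.4.33", "dst": "203.0.113.5"},   # third /28
    {"src": "192.168.5.1",  "dst": "203.0.113.5"},   # other /24, same last octet as .4.1
]


def mask_key(pkt, src_mask=0, dst_mask=0):
    """Flow key the pipe would hash on: each address ANDed with its mask.

    A mask of 0 (the default when no 'mask' is given) zeroes the field, so
    all packets collapse into a single queue, i.e. a per-network limit.
    """
    src = int(ipaddress.IPv4Address(pkt["src"])) & src_mask
    dst = int(ipaddress.IPv4Address(pkt["dst"])) & dst_mask
    return (src, dst)


def queues_for(packets, src_mask=0, dst_mask=0):
    """Group packets by masked flow key: one entry per dynamic queue."""
    queues = {}
    for p in packets:
        key = mask_key(p, src_mask, dst_mask)
        queues.setdefault(key, []).append(f'{p["src"]}->{p["dst"]}')
    return queues


def queue_count(packets, src_mask=0, dst_mask=0):
    """Number of separate bandwidth-limited queues the pipe would create."""
    return len(queues_for(packets, src_mask, dst_mask))


if __name__ == "__main__":
    for name, m in [("per-network (no mask)", 0), ("per-host", 0xFFFFFFFF),
                    ("per-/28", 0xFFFFFFF0), ("last octet", 0x000000FF),
                    ("even/odd", 0x00000001)]:
        print(f"{name:22} src-ip 0x{m:08x}: {queue_count(SAMPLE, src_mask=m)} queues")
```

Note that 0x000000ff puts 192.168.4.1 and 192.168.5.1 in the same queue, which is why a full 0xffffffff mask is the safer choice for per-host limits once the matched range is wider than a /24.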