Date: Tue, 4 Nov 2014 17:44:43 -0200 From: Evandro Nunes <evandronunes12@gmail.com> To: Luigi Rizzo <rizzo@iet.unipi.it> Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org> Subject: Re: netmap-ipfw on em0 em1 Message-ID: <CAG4HiT5fVCpmJ8uDh4SvVown7-vLCMKJP8-QcaW9LQfpWZEiBA@mail.gmail.com> In-Reply-To: <CA%2BhQ2%2BjOnHX-x=k5=iZtR3=OWfcFBD8WTD_d_VicicJzPevcSw@mail.gmail.com> References: <CAG4HiT4KHG%2Bb2um6-p4szWio8qmxN%2BadO5hO9J5UGPmsa%2BZC5g@mail.gmail.com> <CA%2BhQ2%2BhAJZk-Y1Yw2xmHmxSMHpFN_byX94Bq33-th2vrp7q2JA@mail.gmail.com> <CAG4HiT7Mtedoxvc69nEyKp1ZYBidZTBcEKG1L9Mkj_Rqeh4bpA@mail.gmail.com> <CA%2BhQ2%2BjOnHX-x=k5=iZtR3=OWfcFBD8WTD_d_VicicJzPevcSw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Nov 4, 2014 at 5:26 PM, Luigi Rizzo <rizzo@iet.unipi.it> wrote: > > > On Tue, Nov 4, 2014 at 11:09 AM, Evandro Nunes <evandronunes12@gmail.com> > wrote: > >> so, running em1 and em2 only should work? >> >> because I have the same behavior: >> >> # ps wauxw | grep kipfw >> root 61484 0.0 0.0 14648 1824 2 S 5:06PM 0:02.9= 5 >> ./kipfw em1 em2 >> root 61518 0.0 0.0 18804 1864 2 S+ 5:07PM 0:00.0= 0 >> grep kipfw >> >> >> # /usr/src/tools/tools/netmap/netmap-7e9e5e7602f5/examples/pkt-gen -i em= 1 >> -f tx -l 60 -d 172.16.250.10 >> 112.372344 main [1649] interface is em1 >> 112.372597 extract_ip_range [287] range is 10.0.0.1:0 to 10.0.0.1:0 >> 112.372622 extract_ip_range [287] range is 172.16.250.10:0 to >> 172.16.250.10:0 >> 112.388845 main [1840] mapped 334980KB at 0x801800000 >> Sending on netmap:em1: 1 queues, 1 threads and 1 cpus. >> 10.0.0.1 -> 172.16.250.10 (00:00:00:00:00:00 -> ff:ff:ff:ff:ff:ff) >> 112.388956 main [1924] Sending 512 packets every 0.000000000 s >> 112.388966 main [1926] Wait 2 secs for phy reset >> 114.389236 main [1928] Ready... >> 114.389473 nm_open [456] overriding ifname em1 ringid 0x0 flags 0x1 >> 114.389765 sender_body [1014] start, fd 4 main_fd 3 >> 115.055243 sender_body [1083] drop copy >> 115.390425 main_thread [1446] 149790 pps (149900 pkts in 1000735 usec) >> 116.391480 main_thread [1446] 148815 pps (148972 pkts in 1001056 usec) >> 117.392243 main_thread [1446] 148798 pps (148912 pkts in 1000763 usec) >> 118.393766 main_thread [1446] 148462 pps (148688 pkts in 1001523 usec) >> 119.394256 main_thread [1446] 8252 pps (8256 pkts in 1000491 usec) >> Sent 604728 packets, 60 bytes each, in 4.06 seconds. >> Speed: 148.80 Kpps Bandwidth: 71.42 Mbps (raw 99.99 Mbps) >> >> ^C >> >> # ipfw/ipfw show >> connected to 127.0.0.1:5555 >> nalloc 2248 nbytes 112 ptr 0x0 >> 00100 0 0 count ip from any to any >> 65535 0 0 allow ip from any to any >> >> i gues I am missing a piece of the architecture... >> > > =E2=80=8Bprobably yes :) > > kipfw em1 em2 connects the two interfaces to each other, keeping the > rest =E2=80=8B > > =E2=80=8Bof the host stack completely out of the game. > got it however it's still not counting any packets coming in or out of the interfaces > =E2=80=8BI am not sure where you are running pkt-gen (is it on a separate > machine ?) and what the 'em1' used in =E2=80=8B > =E2=80=8B > =E2=80=8Bpkt-gen is connected to. > I am running one pkt-gen in TX mode on the same machine, and another one in RX mode in a separate machine, but this is just for reference, to make sure packets are actually getting transmitted, and it is... > Also (not in the above case but in general) you might need to > put the interfaces used in kipfw in promisc mode so you receive > all traffic. > good to mention that I just did it, however, the scenario stills the same those are my steps: # ifconfig "em1" | grep flags em1: flags=3D28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 # ifconfig "em2" | grep flags em2: flags=3D28d02<BROADCAST,PROMISC,OACTIVE,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 Both are promisc # killall -9 kipfw [1] + Killed ./kipfw em1 em2 >& /tmp/kipfw.log # ./kipfw em1 em2 > & /tmp/kipfw.log & [1] 64218 kipfw running again # ipfw/ipfw add count all from any to any connected to 127.0.0.1:5555 00100 count ip from any to any we have a second rule now # /usr/src/tools/tools/netmap/netmap-7e9e5e7602f5/examples/pkt-gen -i em1 -f tx -l 60 -d 172.16.250.10 977.772859 main [1649] interface is em1 977.773117 extract_ip_range [287] range is 10.0.0.1:0 to 10.0.0.1:0 977.773141 extract_ip_range [287] range is 172.16.250.10:0 to 172.16.250.10:0 977.789890 main [1840] mapped 334980KB at 0x801800000 Sending on netmap:em1: 1 queues, 1 threads and 1 cpus. 10.0.0.1 -> 172.16.250.10 (00:00:00:00:00:00 -> ff:ff:ff:ff:ff:ff) 977.790009 main [1924] Sending 512 packets every 0.000000000 s 977.790018 main [1926] Wait 2 secs for phy reset 979.790699 main [1928] Ready... 979.790932 nm_open [456] overriding ifname em1 ringid 0x0 flags 0x1 979.791216 sender_body [1014] start, fd 4 main_fd 3 980.456540 sender_body [1083] drop copy 980.791786 main_thread [1446] 149840 pps (149935 pkts in 1000634 usec) 981.793169 main_thread [1446] 148767 pps (148973 pkts in 1001383 usec) 982.793710 main_thread [1446] 148815 pps (148896 pkts in 1000541 usec) 983.794835 main_thread [1446] 148841 pps (149008 pkts in 1001125 usec) 984.796039 main_thread [1446] 148830 pps (149008 pkts in 1001194 usec) 985.796801 main_thread [1446] 148785 pps (148900 pkts in 1000772 usec) ^C986.798156 main_thread [1446] 134857 pps (135040 pkts in 1001355 usec) Sent 1029760 packets, 60 bytes each, in 6.92 seconds. Speed: 148.81 Kpps Bandwidth: 71.43 Mbps (raw 100.00 Mbps) Some packets transmitted to another machine o IP 172.16.250.10 # ping 172.16.250.10 PING 172.16.250.10 (172.16.250.10): 56 data bytes 64 bytes from 172.16.250.3: icmp_seq=3D0 ttl=3D64 time=3D0.296 ms 64 bytes from 172.16.250.3: icmp_seq=3D1 ttl=3D64 time=3D0.141 ms 64 bytes from 172.16.250.3: icmp_seq=3D2 ttl=3D64 time=3D0.144 ms 64 bytes from 172.16.250.3: icmp_seq=3D3 ttl=3D64 time=3D0.176 ms 64 bytes from 172.16.250.3: icmp_seq=3D4 ttl=3D64 time=3D0.109 ms ^C --- 172.16.250.10 ping statistics --- 5 packets transmitted, 5 packets received, 0.0% packet loss round-trip min/avg/max/stddev =3D 0.109/0.173/0.296/0.065 ms Remote machine also available outside netmap # ipfw/ipfw show connected to 127.0.0.1:5555 nalloc 2248 nbytes 112 ptr 0x0 00100 0 0 count ip from any to any 65535 0 0 allow ip from any to any still, no packets counted... neither from host stack (ping) nor netmap (pkt-gen)... > > cheers > =E2=80=8Bluigi=E2=80=8B > > >> >> On Tue, Nov 4, 2014 at 5:02 PM, Luigi Rizzo <rizzo@iet.unipi.it> wrote: >> >>> =E2=80=8Bthe user space netmap-ipfw only supports two interfaces, >>> >>> The hard problem in moving to 3+ interfaces is not much the code but >>> deciding where to send a packet once it has passed the filter. >>> >>> Basically, passing things through the kernel stack is simple >>> but performance is going to be no better than with the standard firewal= l >>> (except for much better behaviour in blocking incoming attacks). >>> >>> cheers >>> luigi >>> >>> >>> On Tue, Nov 4, 2014 at 5:56 AM, Evandro Nunes <evandronunes12@gmail.com= > >>> wrote: >>> >>>> hello, >>>> I am trying to do some basic stateless filtering with netmap-ipfw. >>>> >>>> what i have running is: >>>> >>>> ./kipfw em1 em2 lo0 >>>> >>>> and when i do ipfw/ipfw show: >>>> >>>> ipfw/ipfw show >>>> connected to 127.0.0.1:5555 >>>> nalloc 2248 nbytes 136 ptr 0x0 >>>> 00100 0 0 allow ip from any to any via lo0 >>>> 65535 0 0 allow ip from any to any >>>> >>>> it's not counting any packet, including loopback >>>> >>>> i have seem people using something similar but with ix(4) driver, what >>>> I am >>>> doing wrong? >>>> _______________________________________________ >>>> freebsd-net@freebsd.org mailing list >>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net >>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >>>> >>> >>> >>> >>> -- >>> -----------------------------------------+-----------------------------= -- >>> Prof. Luigi RIZZO, rizzo@iet.unipi.it . Dip. di Ing. dell'Informazion= e >>> http://www.iet.unipi.it/~luigi/ . Universita` di Pisa >>> TEL +39-050-2211611 . via Diotisalvi 2 >>> Mobile +39-338-6809875 . 56122 PISA (Italy) >>> -----------------------------------------+-----------------------------= -- >>> >> >> > > > -- > -----------------------------------------+------------------------------- > Prof. Luigi RIZZO, rizzo@iet.unipi.it . Dip. di Ing. dell'Informazione > http://www.iet.unipi.it/~luigi/ . Universita` di Pisa > TEL +39-050-2211611 . via Diotisalvi 2 > Mobile +39-338-6809875 . 56122 PISA (Italy) > -----------------------------------------+------------------------------- >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAG4HiT5fVCpmJ8uDh4SvVown7-vLCMKJP8-QcaW9LQfpWZEiBA>