From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 16:38:02 2005
From: Luigi Rizzo
To: Patrick Tracanelli
Cc: ipfw@freebsd.org
Date: Mon, 3 Oct 2005 09:38:01 -0700
Subject: Re: layer2 filtering and dummynet, bw reduced by half
Message-ID: <20051003093801.B92958@xorpc.icir.org>
In-Reply-To: <43415BFB.1050800@freebsdbrasil.com.br>; from eksffa@freebsdbrasil.com.br on Mon, Oct 03, 2005 at 01:27:39PM -0300
References: <4341575C.8080409@freebsdbrasil.com.br> <20051003091024.A92958@xorpc.icir.org> <43415BFB.1050800@freebsdbrasil.com.br>

see the ipfw manpage near the beginning with the graph showing the
packet flow. "layer2" means the rule matches only on layer2.
"not layer2" matches only on layer 3. if you don't put anything,
it matches both layer2 and layer3.
	luigi

On Mon, Oct 03, 2005 at 01:27:39PM -0300, Patrick Tracanelli wrote:
> Luigi Rizzo wrote:
> > you are passing traffic through the pipe twice.
> > you have to decide if your rules should apply to
> > layer2 or not and write the rules accordingly
>
> Why are they going twice through the pipe? When net.link.ether.ipfw=1
> you pass it through all rules twice? "first match wins" does not apply?
> How should it be made to do it passing only once? I have just tried:
>
> ipfw add 400 count log all from any to any in layer2
> ipfw add 401 count log all from any to any out layer2
>
> Where hopefully it would be passed only once (when passing layer2 rules)
> but it did not.
>
> How could the rules be written to filter layer2 instead, in the given
> circumstances? 'Cos you say it should be written to apply to layer2 or
> not, and write the rules "accordingly", but in the following circumstance:
>
> 00400 54 4566 count log ip from any to any in
> 00401 42 4300 count log ip from any to any out
> 00501 16 1616 pipe 1 ip from any to 172.16.52.254 in
> 00601 16 1428 pipe 2 ip from 172.16.52.254 to any out
> 65535 22052 10476881 allow ip from any to any
>
> There is no layer2 rule, but if net.link.ether.ipfw=1 the /2 bw limiting
> happens again. So it does not seem to be a matter of how to write the
> rules, but instead, to have net.link.ether.ipfw=1 or not.
>
> Or did I miss some point?
>
> >>layer2() {
> >> ipfw add skipto 400 all from any to any mac-type ip,arp layer2
> >> ipfw add deny all from any to any layer2
> >>}
> >>
> >>countlog() {
> >> ipfw add 400 count log all from any to any in
> >> ipfw add 401 count log all from any to any out
> >>}
> >>
> >>pipe() {
> >> ipfw add pipe 1 all from any to 172.16.52.254/32 in
> >> ipfw add pipe 2 all from 172.16.52.254/32 to any out
> >> ipfw pipe 1 config bw 64Kbps queue 5
> >> ipfw pipe 2 config bw 64Kbps queue 5
> >>}
>
> --
> Patrick Tracanelli
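The following is an added illustration of the point Luigi makes above; it is a simplified model written for this archive page, not code from the thread or from ipfw itself. It assumes net.inet.ip.fw.one_pass=1 (a packet leaves the firewall once it enters a pipe), treats the mac-type ip,arp check as always matching the IP packet under test, and ignores log and the /32 masks. It walks Patrick's rule set once per hook (layer 2 and layer 3 when net.link.ether.ipfw=1, layer 3 only otherwise) and counts how many times each pipe is entered, then repeats the walk with the pipe rules qualified by "not layer2", which is one way of applying the advice in the reply.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

L2, L3 = "layer2", "layer3"
HOST = "172.16.52.254"          # the host from Patrick's rule set


@dataclass
class Rule:
    number: int
    action: str                      # "count", "pipe", "allow", "deny", "skipto"
    direction: Optional[str] = None  # "in", "out" or None (either)
    src: Optional[str] = None        # source host, None means "any"
    dst: Optional[str] = None        # destination host, None means "any"
    layer2: Optional[bool] = None    # True: "layer2", False: "not layer2", None: unqualified
    arg: int = 0                     # pipe number for "pipe", target rule for "skipto"

    def matches(self, hook: str, direction: str, src: str, dst: str) -> bool:
        # An unqualified rule is consulted at both hooks; "layer2" only at the
        # layer-2 hook; "not layer2" only at the layer-3 hook.
        if self.layer2 is not None and self.layer2 != (hook == L2):
            return False
        if self.direction is not None and self.direction != direction:
            return False
        if self.src is not None and self.src != src:
            return False
        if self.dst is not None and self.dst != dst:
            return False
        return True


def walk(rules: List[Rule], hook: str, direction: str, src: str, dst: str,
         pipe_hits: Dict[int, int]) -> None:
    """One pass over the rule list at a single hook: first match wins, count falls through."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.matches(hook, direction, src, dst):
            i += 1
            continue
        if r.action == "count":
            i += 1                      # count matches and continues with the next rule
        elif r.action == "skipto":
            i = next(k for k, x in enumerate(rules) if x.number >= r.arg)
        elif r.action == "pipe":
            pipe_hits[r.arg] = pipe_hits.get(r.arg, 0) + 1
            return                      # one_pass=1 assumed: packet leaves the firewall here
        else:                           # allow / deny end the search
            return


def pipe_traversals(rules: List[Rule], direction: str, src: str, dst: str,
                    ether_ipfw: bool) -> Dict[int, int]:
    """Return {pipe number: times entered} for one packet crossing the stack."""
    hooks = [L2, L3] if ether_ipfw else [L3]
    hits: Dict[int, int] = {}
    for hook in hooks:
        walk(rules, hook, direction, src, dst, hits)
    return hits


# Patrick's rule set as listed in the thread (skipto/deny numbers are assumed).
ORIGINAL = [
    Rule(100, "skipto", layer2=True, arg=400),
    Rule(200, "deny", layer2=True),
    Rule(400, "count", direction="in"),
    Rule(401, "count", direction="out"),
    Rule(501, "pipe", direction="in", dst=HOST, arg=1),
    Rule(601, "pipe", direction="out", src=HOST, arg=2),
    Rule(65535, "allow"),
]

# Same set with the pipe rules restricted to the layer-3 hook.
FIXED = [
    r if r.action != "pipe" else Rule(r.number, r.action, r.direction, r.src, r.dst, False, r.arg)
    for r in ORIGINAL
]

if __name__ == "__main__":
    # Constructed sample packet: an inbound IP packet from 10.0.0.1 to HOST.
    print("original, ether.ipfw=1:", pipe_traversals(ORIGINAL, "in", "10.0.0.1", HOST, True))
    print("original, ether.ipfw=0:", pipe_traversals(ORIGINAL, "in", "10.0.0.1", HOST, False))
    print("fixed,    ether.ipfw=1:", pipe_traversals(FIXED, "in", "10.0.0.1", HOST, True))
```

With net.link.ether.ipfw=1 the unqualified pipe rule is reached at both hooks, so the same packet is queued on pipe 1 twice and the effective rate is half the configured 64Kbps; with "not layer2" on the pipe rules, or with net.link.ether.ipfw=0, it is queued once.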