From: Chuck Swiger
To: Freddie Cash
Cc: freebsd-net@freebsd.org
Date: Fri, 27 Jun 2008 16:20:15 -0700
Subject: Re: Understanding where dummynet fits into an ipfw ruleset
List-Id: Networking and TCP/IP with FreeBSD

On Jun 27, 2008, at 3:01 PM, Freddie Cash wrote:
[ ... ]
>> If net.inet.ip.fw.one_pass is true, then you definitely want to apply your
>> deny rules first, as once something matches a pipe rule, it's going to be
>> passed. The tradeoff is that the accounting/fairness of traffic is less
>> accurate but the firewall ruleset runs faster...
>
> So, in this situation, the "allow" rules would be the queue rules?
>
> To add traffic shaping to the following, using one_pass=1:
> 100 allow ip from 1.1.1.1 to 2.2.2.2 in recv em0
> 200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1
> 300 deny ip from any to 2.2.2.2 in recv em0
>
> Would be:
> 100 queue 1 ip from 1.1.1.1 to 2.2.2.2 in recv em0
> 200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1
> 300 deny ip from any to 2.2.2.2 in recv em0
>
> Or am I way off here? :)

Hmm. If you have one_pass set, I believe that rule 200 would become superfluous. If it was off, rule 200 would be needed to permit traffic through.

However, queue rulesets are used to classify traffic into different bins; they then get pulled out of the bins with packets waiting in proportion to the weights configured via something like:

ipfw queue 1 config pipe 1 weight 10

ie, you have to attach queue(s) to a pipe for this classification or sorting to be meaningful.

--
-Chuck
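As an added example, not part of the thread, here is the ruleset from the exchange built as a script that attaches the queue to a pipe and picks the rules from the value of net.inet.ip.fw.one_pass: with one_pass=0 a packet returns from dummynet at the rule after the queue rule, so the inbound flow needs an explicit allow before the deny at 300. The 10Mbit/s pipe, the second queue, rule 110 and the IPFW variable (which defaults to echoing the commands rather than loading them) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). IPFW defaults to "echo ipfw" so the
# rules are printed; set IPFW=ipfw on a FreeBSD router to load them.
IPFW="${IPFW:-echo ipfw}"

# Read the sysctl where it exists; FreeBSD's default for one_pass is 1.
current_one_pass() {
    sysctl -n net.inet.ip.fw.one_pass 2>/dev/null || echo 1
}

# Emit pipe, queue and rules for a given one_pass setting (0 or 1).
build_ruleset() {
    one_pass="$1"
    # Queues only mean something when attached to a pipe: the pipe holds the
    # bandwidth cap, the weights decide how the pipe is shared (assumed values).
    $IPFW pipe 1 config bw 10Mbit/s
    $IPFW queue 1 config pipe 1 weight 10
    $IPFW queue 2 config pipe 1 weight 1

    $IPFW add 100 queue 1 ip from 1.1.1.1 to 2.2.2.2 in recv em0
    if [ "$one_pass" -eq 0 ]; then
        # one_pass=0: the packet re-enters the ruleset at the next rule, so
        # without this allow it would fall through to the deny at 300.
        $IPFW add 110 allow ip from 1.1.1.1 to 2.2.2.2 in recv em0
    fi
    $IPFW add 200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1
    $IPFW add 300 deny ip from any to 2.2.2.2 in recv em0
}

# Number of filter rules the ruleset contains, for checking.
rule_count() {
    build_ruleset "$1" | grep -c ' add '
}

build_ruleset "$(current_one_pass)"
```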