From owner-freebsd-net@FreeBSD.ORG  Mon Nov  1 12:09:03 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E32D416A4CE
	for <freebsd-net@freebsd.org>; Mon,  1 Nov 2004 12:09:03 +0000 (GMT)
Received: from amsfep13-int.chello.nl
	(nl-ams-slo-l4-01-pip-6.chellonetwork.com [213.46.243.23])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D3A7543D53
	for <freebsd-net@freebsd.org>; Mon,  1 Nov 2004 12:09:02 +0000 (GMT)
	(envelope-from joost@jodocus.org)
Received: from bps.jodocus.org ([80.57.157.16]) by amsfep13-int.chello.nl
	ESMTP
	<20041101120901.RZYY16509.amsfep13-int.chello.nl@bps.jodocus.org>;
	Mon, 1 Nov 2004 13:09:01 +0100
Received: from jodocus.org (localhost [127.0.0.1])
	by bps.jodocus.org (8.13.1/8.13.1) with ESMTP id iA1C90Hu037068;
	Mon, 1 Nov 2004 13:09:00 +0100 (CET)
	(envelope-from joost@jodocus.org)
Received: (from joost@localhost)
	by jodocus.org (8.13.1/8.13.1/Submit) id iA1C90ch037067;
	Mon, 1 Nov 2004 13:09:00 +0100 (CET)
	(envelope-from joost)
Date: Mon, 1 Nov 2004 13:09:00 +0100
From: Joost Bekkers <joost@jodocus.org>
To: Vincent Poy <vincepoy@gmail.com>
Message-ID: <20041101120900.GA36917@bps.jodocus.org>
Mail-Followup-To: Joost Bekkers <joost@jodocus.org>,
	Vincent Poy <vincepoy@gmail.com>, freebsd-net@freebsd.org
References: <200410300927.51286.ari@suutari.iki.fi>
	<429af92e04103118435b35f235@mail.gmail.com>
	<016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com>
	<429af92e041101021638e8598e@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <429af92e041101021638e8598e@mail.gmail.com>
User-Agent: Mutt/1.4.2.1i
cc: freebsd-net@freebsd.org
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Nov 2004 12:09:04 -0000

On Mon, Nov 01, 2004 at 02:16:42AM -0800, Vincent Poy wrote:
> 63004      667879    129410867 queue 1 tcp from any to any tcpflags ack out
> 63005           1           40 queue 2 tcp from any to any dst-port 22,23 out
> 63006       38782      3364689 queue 2 udp from any to any not
> dst-port 80,443 out
> 63007       43021      2194871 queue 3 ip from any to any dst-port 80,443 out
> 63008        5467       405319 queue 4 ip from any to any out
> 
> The counters for queue 1 keeps increasing when I do a ftp out even for
> non-ACK packets but the other counters for queue 2-4 doesn't move at
> all so it seems like everything is going out one queue instead of what
> the rules actually say.  I have one pipe configured as 480Kbit/sec
> which is what rules 63005-63008 does.
> 

How do you define 'non-ack' packets in yopur mind? Your ipfw rule
seems to define it as 'having the ack flag set' which is for all
intents and purpouses every tcp packet. Only the very first SYN
packet doesn't have the ack flag set.

-- 
greetz Joost
joost@jodocus.org