Date: Fri, 5 Jun 2020 16:04:24 +0200 From: Peter <pmc@citylink.dinoex.sub.org> To: Stefan.Erl@dlr.de Cc: freebsd-ipfw@freebsd.org Subject: Re: Dummynet, pipes and VNET jails Message-ID: <20200605140424.GA2945@gate.oper.dinoex.org> In-Reply-To: <B24A086E5029304E81DE2631F7F67DB18322D6B1@DLDEFFMIMP04EXC.intra.dlr.de> References: <B24A086E5029304E81DE2631F7F67DB18322D6B1@DLDEFFMIMP04EXC.intra.dlr.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello Stefan, I experience the same issue as You describe. I suppose You have configured net.inet.ip.dummynet.io_fast=1 This means, packets that get immediately delivered do not even traverse the pipe - therefore You see no problem when no delay is on the pipe. If You switch net.inet.ip.dummynet.io_fast off, then you will see packets always disappear. And, in fact, these packets do NOT disappear. They get correctly re-inserted at the subsequent rule - but, since DUMMYNET appears to have no notion of jails, they do not get reinserted in the jail's ruleset, but in that of the base system! I just ran into this same problem, and to me it looks like DUMMYNET would need to be made jail-aware. Rel. is 11.3 - anybody knows if this has in the meantime been improved in R.12 ? cheerio, PMc On Tue, Jul 23, 2019 at 08:50:13AM +0000, Stefan.Erl@dlr.de wrote: ! Hi all, ! ! I have a problem with ipfw/dummynet, pipes and VNET jails using FreeBSD 12.0 ! release. Packets are lost in the pipe when any impairments are configured. ! ! I set up several VNET jails and connected them via epairs, in order to ! do tests with different network and routing configurations. On some jails, I ! want to run dummynet with pipes to add delay to the packets. Whenever ! I configure a pipe with zero delay, everything works. As soon as I add any delay ! (or loss, bw limit), the packets enter the pipe, but never exit it, and never ! appear on the target Jail. ! ! ! A simple test setup I've set up is the following: ! (JailB is configured for IP forwarding) ! ! --------- --------- --------- ! | JailA |-----| JailB |-----| JailC | ! --------- --------- --------- ! ! JailA: ping JailC ! ! JailB: ! ipfw flush ! ifpw add 10000 pipe 1 ip from JailA to any ! ipfw config pipe 1 delay 0ms ! ! This works fine, packets arrive at JailC. "ipfw show" shows increasing ! counters for rules 10000 and 65535 (allow ip from any to any) ! ! Then, if I add some delay: ! ! ipfw config pipe 1 delay 10ms ! ! Packets are lost in JailB, don't arrive at JailC. "ipfw show" shows ! increasing counters only for rule 10000, but not for 65535. ! ! ! IPFW and dummynet are compiled into the kernel, with kern.hz=1000 and ! IPFW_DEFAULT_TO_ACCEPT option. Dummynet pipes on the Jail ethernet interface ! outside a jail seem to work fine. ! ! I've found some threads from 2010 saying that there are some problems with ! dummynet and VNET jails. Are these still existing, is something else wrong, or ! am I missing something? ! ! Regards, ! Stefan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200605140424.GA2945>