Re: Efficient use of Dummynet pipes in IPFW
From: Dave+Seddon (dave-dated-1127532249.eb624a_at_seddon.ca)
Date: 09/19/05
- Previous message: Brett Glass: "Efficient use of Dummynet pipes in IPFW"
- In reply to: Brett Glass: "Efficient use of Dummynet pipes in IPFW"
- Next in thread: Brett Glass: "Re: Efficient use of Dummynet pipes in IPFW"
- Reply: Brett Glass: "Re: Efficient use of Dummynet pipes in IPFW"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: Brett Glass <brett@lariat.org> Date: Mon, 19 Sep 2005 13:24:07 +1000
skipto
man ipfw -> e.g. ipfw add 10 skipto 4000 all from any to any layer2 out
Brett Glass writes:
> For years, we've used "Dummynet" in FreeBSD for bandwidth control.
> Unfortunately, the semantics of IPFW can, at times, make the use of
> Dummynet awkward and inefficient. For example, suppose you want to create
> a set of rules that does bandwidth limiting first
> and then blocks certain ports (e.g. TCP ports 137 through 139). You want
> to throttle first and then block ports, so that (a) blocked packets count
> against the user's bandwidth limit and (b) a flood of packets will be
> bandwidth-limited before it runs
> through the rest of the rules.
>
> If net.ip.fw.one_pass is set to 0, packets emerging from a Dummynet pipe
> or queue will re-emerge at the next rule. This is good, because the packet
> can be passed on to the rules that block ports. But there's a problem: you
> usually do not want to go to the next rule (which is likely to be one that
> tests the packet to see if it is to go into a different Dummynet pipe).
> Rather, you want the packet to next be tested against a rule farther down
> -- after all of the rules involving bandwidth limiting.
>
> Here's an example of what I mean. Suppose you have several groups of
> users, at IP addresses 0.0.0.1, 0.0.0.2, etc. Each group has a separate
> pipe regulating its bandwidth consumption. You might have rules like this:
>
> # First group
>
> ${fwcmd} pipe 1 config bw 512kbit/s
> ${fwcmd} pipe 2 config bw 512kbit/s
>
> ${fwcmd} add pipe 1 ip from 0.0.0.0/24{55,56,57} to any in via fxp1
> ${fwcmd} add pipe 2 ip from any to 0.0.0.0/24{55,56,57} out via fxp1
>
> # Second group
>
> ${fwcmd} pipe 3 config bw 1024bit/s
> ${fwcmd} pipe 4 config bw 1024kbit/s
>
> ${fwcmd} add pipe 3 ip from 0.0.0.0/24{35-40} to any in via fxp1
> ${fwcmd} add pipe 4 ip from any to 0.0.0.0/24{35-40} out via fxp1
>
> # Filtering here
>
> What you'd really like is to have any packet that satisfies one of the
> "pipe" rules jump down to the filtering rules after being reinjected into
> IPFW.
>
> Unfortunately, because IPFW doesn't have a "not" that can cover the "and"
> of all the conditions in the rule -- that is, you can't say "not (ip from
> A to any in via fxp1)" -- it's very difficult to do this with a single
> rule containing a "skipto" action. What's more, there's no "resume at"
> clause available in IPFW that would change where a packet was reinjected,
> and no such thing as a "come from" directive (something that's often joked
> about in programming classes). So, what's the best way get a packet to
> skip past the remaining bandwidth limiting rules once it was selected to
> go into a pipe?
>
> --Brett Glass
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Brett Glass: "Efficient use of Dummynet pipes in IPFW"
- In reply to: Brett Glass: "Efficient use of Dummynet pipes in IPFW"
- Next in thread: Brett Glass: "Re: Efficient use of Dummynet pipes in IPFW"
- Reply: Brett Glass: "Re: Efficient use of Dummynet pipes in IPFW"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
