
ipfw dummynet, divert order



Hello,

I'm trying to create pipes per src/dst ip on my
Freebsd 4.9 & FreeBSD 4.11 router.

I can't find detailed documentation on how natd/divert
works. What is the packet flow like, and what interface
information is known at that point (using xmit/recv/in/out/via)?

I only want to queue traffic from/to the internet,
using NATD.

My rulesets are as follows:

-------- net.inet.ip.fw.one_pass=1
EXT_IF=rl0
EXT_IP="some ext_ip"
INT_IF=rl1

net.inet.ip.fw.one_pass=1

ipfw -f flush
ipfw -f pipe flush

ipfw add 20 divert 8668 ip from any to $EXT_IP in recv $EXT_IF
ipfw pipe 1 config bw 256kbit/s mask dst-ip 0x000000ff
ipfw add 30 pipe 1 ip from any to 10.0.2.0/24 in recv $EXT_IF

ipfw pipe 2 config bw 256kbit/s mask src-ip 0x000000ff
ipfw add 40 pipe 2 ip from 10.0.2.0/24 to any out xmit $EXT_IF

ipfw add 50 divert 8668 ip from any to any out xmit $EXT_IF

ipfw add 100 deny log ip from any to any


-bash-2.05b# ipfw show
00020    8   1927 divert 8668 ip from any to $EXT_IP in recv rl0
00030    8   1927 pipe 1 ip from any to 10.0.2.0/24 in recv rl0
00040    0      0 pipe 2 ip from 10.0.2.0/24 to any out xmit rl0
00050    0      0 divert 8668 ip from any to any out xmit rl0
00100   77   8726 deny log logamount 100 ip from any to any
65535 5385 289734 allow ip from any to any

-bash-2.05b# ipfw pipe 1 show
00001: 256.000 Kbit/s    0 ms   50 sl. 6 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 11 ip           0.0.0.0/0           0.0.0.139/0        1       62  0    0 0
 15 ip           0.0.0.0/0            0.0.0.15/0        5      207  0    0 0
 37 ip           0.0.0.0/0           0.0.0.229/0        1      136  0    0 0
 42 ip           0.0.0.0/0           0.0.0.234/0        3      186  0    0 0
 46 ip           0.0.0.0/0           0.0.0.238/0        1     1492  0    0 0
 61 ip           0.0.0.0/0           0.0.0.125/0        3      195  0    0 0
-bash-2.05b# ipfw pipe 2 show
00002: 256.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
-bash-2.05b#

This way, nothing gets diverted in rule #50.

-------- net.inet.ip.fw.one_pass=0


EXT_IF=rl0
EXT_IP="some ext_ip"
INT_IF=rl1

net.inet.ip.fw.one_pass=0

ipfw -f flush
ipfw -f pipe flush

ipfw add 20 divert 8668 ip from any to $EXT_IP in recv $EXT_IF
ipfw pipe 1 config bw 256kbit/s mask dst-ip 0x000000ff
ipfw add 30 pipe 1 ip from any to 10.0.2.0/24 in recv $EXT_IF
ipfw add 31 allow ip from any to 10.0.2.0/24 in recv $EXT_IF

ipfw pipe 2 config bw 256kbit/s mask src-ip 0x000000ff
ipfw add 40 pipe 2 ip from 10.0.2.0/24 to any out xmit $EXT_IF
ipfw add 41 allow ip from 10.0.2.0/24 to any out xmit $EXT_IF

ipfw add 50 divert 8668 ip from any to any out xmit $EXT_IF

ipfw add 100 deny log ip from any to any

-bash-2.05b# ipfw show
00020   42   8062 divert 8668 ip from any to $EXT_IP in recv rl0
00030   29   7469 pipe 1 ip from any to 10.0.2.0/24 in recv rl0
00031   29   7469 allow ip from any to 10.0.2.0/24 in recv rl0
00040    0      0 pipe 2 ip from 10.0.2.0/24 to any out xmit rl0
00041    0      0 allow ip from 10.0.2.0/24 to any out xmit rl0
00050    3    156 divert 8668 ip from any to any out xmit rl0
00100  106  24366 deny log logamount 100 ip from any to any
65535 6768 443791 allow ip from any to any


-bash-2.05b# ipfw pipe 1 show
00001: 256.000 Kbit/s    0 ms   50 sl. 3 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 15 ip           0.0.0.0/0            0.0.0.79/0        4      302  0    0 0
 32 ip           0.0.0.0/0            0.0.0.32/0        6      510  0    0 0
 48 ip           0.0.0.0/0           0.0.0.112/0        5      445  0    0 0
-bash-2.05b# ipfw pipe 2 show
00002: 256.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 58 ip         0.0.0.125/0             0.0.0.0/0        2       80  0    0 0
-bash-2.05b#

For me it looks pretty strange.

Can somebody please explain on which interface, and when, I should attach
queues/pipes?

I know this looks complicated; all I need is to be able to queue
incoming/outgoing traffic
for every user in my LAN. (Furthermore, I will also need to use squid, which I
understand and omitted in this post.)

I would also be grateful if you could point me to some ipfw LAN sharing
examples.

Thanks!

Regards,
Robert
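As an added illustration (not part of Robert's post), the Python model below walks his ruleset the way ipfw does: a forwarded packet is checked once on input on the interface it arrived on and once on output on the interface it leaves by, a pipe returns the packet to the next rule only when one_pass=0, and divert hands it to natd, which reinjects it at the rule after the divert. EXT_IP, the natd session table and the packet addresses used with it are constructed placeholders.

```python
from ipaddress import ip_address, ip_network
EXT_IF, INT_IF, EXT_IP = "rl0", "rl1", "203.0.113.1"   # EXT_IP stands in for "some ext_ip"
LAN = "10.0.2.0/24"
NAT_SESSIONS = {EXT_IP: "10.0.2.15"}   # constructed natd session: EXT_IP -> LAN host

def ruleset(one_pass):
    # The post's rules as (num, action, src, dst, direction, iface);
    # rules 31 and 41 exist only in the post's one_pass=0 variant.
    rules = [(20, "divert", "any", EXT_IP, "in", EXT_IF),
             (30, "pipe", "any", LAN, "in", EXT_IF),
             (31, "allow", "any", LAN, "in", EXT_IF),
             (40, "pipe", LAN, "any", "out", EXT_IF),
             (41, "allow", LAN, "any", "out", EXT_IF),
             (50, "divert", "any", "any", "out", EXT_IF),
             (100, "deny", "any", "any", None, None)]
    return [r for r in rules if not one_pass or r[0] not in (31, 41)]

def _in(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def natd(pkt, direction):
    # Crude natd: inbound dst -> LAN host if a session exists; outbound LAN src -> EXT_IP.
    src, dst = pkt
    if direction == "in" and dst in NAT_SESSIONS:
        return src, NAT_SESSIONS[dst]
    return (EXT_IP, dst) if direction == "out" and _in(src, LAN) else pkt

def walk(pkt, direction, iface, one_pass):
    """One ipfw pass over the chain: (verdict, rule numbers hit, packet after natd)."""
    hits = []
    for num, action, src, dst, d, ifn in ruleset(one_pass):
        if (d and d != direction) or (ifn and ifn != iface) \
                or not (_in(pkt[0], src) and _in(pkt[1], dst)):
            continue                          # in/out, recv/xmit or addresses don't match
        hits.append(num)
        if action in ("allow", "deny"):
            return action, hits, pkt
        if action == "pipe" and one_pass:     # one_pass=1: dummynet accepts, no re-entry
            return "allow", hits, pkt
        if action == "divert":                # natd reinjects at the rule after the divert
            pkt = natd(pkt, direction)
    return "allow", hits, pkt                 # default rule 65535 allow

def forward(pkt, recv_if, xmit_if, one_pass):
    """Both passes a forwarded packet sees: input on recv_if, then output on xmit_if."""
    verdict, hits, pkt = walk(pkt, "in", recv_if, one_pass)
    if verdict != "deny":
        verdict, out_hits, _ = walk(pkt, "out", xmit_if, one_pass)
        hits += out_hits
    return verdict, hits
```

Tracing a LAN packet that arrives on rl1 shows it reaching only rule 100 on the input pass, which is consistent with the zero counters on rules 40 and 50 in the output above; in the one_pass=0 variant, a packet that does reach the output pass on rl0 is accepted by rule 41 before the divert at rule 50 is ever consulted.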