bin/139581: ipfw pipe

alexus freebsd at alexus.org
Tue Oct 13 21:40:03 UTC 2009


>Number:         139581
>Category:       bin
>Synopsis:       ipfw pipe
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 13 21:40:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     alexus
>Release:        7.2
>Organization:
alexusbiz corp.
>Environment:
FreeBSD dd.alexus.org 7.2-RELEASE-p1 FreeBSD 7.2-RELEASE-p1 #7: Sat Jun 27 02:42:30 UTC 2009     alexus at dd.alexus.org:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
su-3.2# cat /etc/ipfw.rules 
flush
pipe flush
pipe 1 config bw 2Mbit/s
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 8380 pipe 1 tcp from any to any src-port www uid daemon
add 8380 pipe 1 tcp from any to any dst-port www uid daemon
add 65000 pass all from any to any
su-3.2# ipfw show
00100 1249368  205115325 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
08380 2838075 3586421013 pipe 1 tcp from any 80 to any uid daemon
08380 2097473  136454502 pipe 1 tcp from any to any dst-port 80 uid daemon
65000 5740679 4716157064 allow ip from any to any
65535       0          0 deny ip from any to any
su-3.2# ipfw pipe show
00001:   2.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp     64.237.55.83/59388    208.80.152.3/80    4936077 3723134341  0    0 30179
su-3.2# ps auxwww | grep ^daemon
daemon  81736  0.7  0.3 77768 26460  ??  SJ    9:28PM   0:00.60 /usr/local/apache2/bin/httpd -k start
daemon  81244  0.0  0.3 76744 23860  ??  SJ    9:27PM   0:00.23 /usr/local/apache2/bin/httpd -k start
daemon  81253  0.0  0.3 75720 23628  ??  SJ    9:27PM   0:00.34 /usr/local/apache2/bin/httpd -k start
daemon  81624  0.0  0.3 76744 25184  ??  SJ    9:27PM   0:00.52 /usr/local/apache2/bin/httpd -k start
daemon  81625  0.0  0.3 75720 23640  ??  SJ    9:27PM   0:00.15 /usr/local/apache2/bin/httpd -k start
daemon  81678  0.0  0.3 75720 23672  ??  SJ    9:28PM   0:00.24 /usr/local/apache2/bin/httpd -k start
daemon  81929  0.0  0.3 75720 23564  ??  SJ    9:29PM   0:00.25 /usr/local/apache2/bin/httpd -k start
daemon  81930  0.0  0.3 75720 23484  ??  SJ    9:29PM   0:00.13 /usr/local/apache2/bin/httpd -k start
daemon  81931  0.0  0.3 75720 23616  ??  SJ    9:29PM   0:00.14 /usr/local/apache2/bin/httpd -k start
daemon  81938  0.0  0.3 76744 23912  ??  SJ    9:29PM   0:00.14 /usr/local/apache2/bin/httpd -k start
daemon  82710  0.0  0.3 75720 23468  ??  SJ    9:30PM   0:00.07 /usr/local/apache2/bin/httpd -k start
daemon  82747  0.0  0.3 75720 23492  ??  SJ    9:30PM   0:00.04 /usr/local/apache2/bin/httpd -k start
daemon  82748  0.0  0.3 75720 23604  ??  SJ    9:30PM   0:00.04 /usr/local/apache2/bin/httpd -k start
daemon  82749  0.0  0.3 76744 23808  ??  SJ    9:30PM   0:00.06 /usr/local/apache2/bin/httpd -k start
daemon  82758  0.0  0.3 75720 23448  ??  SJ    9:31PM   0:00.02 /usr/local/apache2/bin/httpd -k start
daemon  82759  0.0  0.3 75720 23460  ??  SJ    9:31PM   0:00.02 /usr/local/apache2/bin/httpd -k start
su-3.2# 

I'm trying to limit my apache that runs under daemon to up to 2Mbit/s

When I do "ipfw pipe show" I don't see anything in my slots other than the very first entry, which never changes, nor does it limit my traffic: if I look at my MRTG I see way more traffic than 2Mbit/s
>How-To-Repeat:
su-3.2# cat /etc/ipfw.rules 
flush
pipe flush
pipe 1 config bw 2Mbit/s
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 8380 pipe 1 tcp from any to any src-port www uid daemon
add 8380 pipe 1 tcp from any to any dst-port www uid daemon
add 65000 pass all from any to any
su-3.2# /etc/rc.d/ipfw restart
/etc/rc.d/ipfw: DEBUG: checkyesno: firewall_enable is set to YES.
/etc/rc.d/ipfw: DEBUG: checkyesno: firewall_enable is set to YES.
/etc/rc.d/ipfw: DEBUG: run_rc_command: doit: ipfw_stop 
net.inet.ip.fw.enable: 1 -> 0
/etc/rc.d/natd: DEBUG: checkyesno: natd_enable is set to NO.
/etc/rc.d/ipfw: DEBUG: checkyesno: firewall_enable is set to YES.
/etc/rc.d/ipfw: DEBUG: run_rc_command: start_precmd: ipfw_prestart 
/etc/rc.d/ipfw: DEBUG: checkyesno: dummynet_enable is set to NO.
/etc/rc.d/ipfw: DEBUG: checkyesno: firewall_nat_enable is set to NO.
/etc/rc.d/ipfw: DEBUG: load_kld: ipfw kernel module already loaded.
/etc/rc.d/ipfw: DEBUG: run_rc_command: doit: ipfw_start 
/etc/rc.d/natd: DEBUG: checkyesno: natd_enable is set to NO.
Firewall rules loaded.
/etc/rc.d/ipfw: DEBUG: checkyesno: firewall_logging is set to YES.
Firewall logging enabled.
net.inet.ip.fw.enable: 0 -> 1
su-3.2# 

>Fix:
Beats me! I posted the question on the FreeBSD mailing list and the FreeBSD forums, and asked the same question on other websites; no one seems to know...

>Release-Note:
>Audit-Trail:
>Unformatted:
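
One way to read the `ipfw show` counters in the report, as an added example that is not part of the original submission: the script tallies bytes matched by `pipe` rules against bytes accepted by non-loopback `allow` rules. It assumes `net.inet.ip.fw.one_pass=1`, so that a packet leaving a pipe is not counted again by a later rule; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: tally `ipfw show` byte counters by rule action.
# Assumption: net.inet.ip.fw.one_pass=1, so a packet that leaves a pipe is
# accepted there and is not counted again by later rules.

# The `ipfw show` output from the report, embedded so the script runs offline.
sample_ipfw_show() {
cat <<'EOF'
00100 1249368  205115325 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
08380 2838075 3586421013 pipe 1 tcp from any 80 to any uid daemon
08380 2097473  136454502 pipe 1 tcp from any to any dst-port 80 uid daemon
65000 5740679 4716157064 allow ip from any to any
65535       0          0 deny ip from any to any
EOF
}

# Reads `ipfw show` output on stdin and prints one line:
#   <piped_bytes> <unshaped_bytes> <piped_percent>
# Rules bound to lo0 are skipped because that traffic never leaves the host.
pipe_share() {
    awk '
        $1 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { next }   # not a rule line
        / via lo0/                           { next }   # loopback only
        $4 == "pipe" || $4 == "queue"        { piped += $3; next }
        $4 == "allow"                        { unshaped += $3 }
        END {
            total = piped + unshaped
            pct = (total > 0) ? int(100 * piped / total) : 0
            # %.0f instead of %d: the counters exceed 32 bits
            printf "%.0f %.0f %d\n", piped, unshaped, pct
        }'
}

# On a live system: ipfw show | pipe_share
sample_ipfw_show | pipe_share
```

Under the stated assumption, the third field is the share of non-loopback bytes that matched the `uid daemon` pipe rules; the remainder was accepted by rule 65000 without entering pipe 1.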

