ipfw dummynet, divert order
Robert Usle
robertusn at gmail.com
Fri Dec 23 05:22:37 PST 2005
Hello,
I'm trying to create pipes per src/dst IP on my
FreeBSD 4.9 & FreeBSD 4.11 router.
I can't find detailed documentation on how natd/divert
works. What is the packet flow like then, and what interface
information is known at that point (using xmit/recv/in/out/via)?
I only want to queue traffic from/to the internet.
Using natd.
My rulesets are as follows:
-------- net.inet.ip.fw.one_pass=1
EXT_IF=rl0
EXT_IP="some ext_ip"
INT_IF=rl1
sysctl net.inet.ip.fw.one_pass=1
ipfw -f flush
ipfw -f pipe flush
ipfw add 20 divert 8668 ip from any to $EXT_IP in recv $EXT_IF
ipfw pipe 1 config bw 256kbit/s mask dst-ip 0x000000ff
ipfw add 30 pipe 1 ip from any to 10.0.2.0/24 in recv $EXT_IF
ipfw pipe 2 config bw 256kbit/s mask src-ip 0x000000ff
ipfw add 40 pipe 2 ip from 10.0.2.0/24 to any out xmit $EXT_IF
ipfw add 50 divert 8668 ip from any to any out xmit $EXT_IF
ipfw add 100 deny log ip from any to any
-bash-2.05b# ipfw show
00020 8 1927 divert 8668 ip from any to $EXT_IP in recv rl0
00030 8 1927 pipe 1 ip from any to 10.0.2.0/24 in recv rl0
00040 0 0 pipe 2 ip from 10.0.2.0/24 to any out xmit rl0
00050 0 0 divert 8668 ip from any to any out xmit rl0
00100 77 8726 deny log logamount 100 ip from any to any
65535 5385 289734 allow ip from any to any
-bash-2.05b# ipfw pipe 1 show
00001: 256.000 Kbit/s 0 ms 50 sl. 6 queues (64 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
11 ip 0.0.0.0/0 0.0.0.139/0 1 62 0 0 0
15 ip 0.0.0.0/0 0.0.0.15/0 5 207 0 0 0
37 ip 0.0.0.0/0 0.0.0.229/0 1 136 0 0 0
42 ip 0.0.0.0/0 0.0.0.234/0 3 186 0 0 0
46 ip 0.0.0.0/0 0.0.0.238/0 1 1492 0 0 0
61 ip 0.0.0.0/0 0.0.0.125/0 3 195 0 0 0
-bash-2.05b# ipfw pipe 2 show
00002: 256.000 Kbit/s 0 ms 50 sl. 0 queues (64 buckets) droptail
mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
-bash-2.05b#
This way, nothing gets diverted in rule #50.
-------- net.inet.ip.fw.one_pass=0
EXT_IF=rl0
EXT_IP="some ext_ip"
INT_IF=rl1
sysctl net.inet.ip.fw.one_pass=0
ipfw -f flush
ipfw -f pipe flush
ipfw add 20 divert 8668 ip from any to $EXT_IP in recv $EXT_IF
ipfw pipe 1 config bw 256kbit/s mask dst-ip 0x000000ff
ipfw add 30 pipe 1 ip from any to 10.0.2.0/24 in recv $EXT_IF
ipfw add 31 allow ip from any to 10.0.2.0/24 in recv $EXT_IF
ipfw pipe 2 config bw 256kbit/s mask src-ip 0x000000ff
ipfw add 40 pipe 2 ip from 10.0.2.0/24 to any out xmit $EXT_IF
ipfw add 41 allow ip from 10.0.2.0/24 to any out xmit $EXT_IF
ipfw add 50 divert 8668 ip from any to any out xmit $EXT_IF
ipfw add 100 deny log ip from any to any
-bash-2.05b# ipfw show
00020 42 8062 divert 8668 ip from any to $EXT_IP in recv rl0
00030 29 7469 pipe 1 ip from any to 10.0.2.0/24 in recv rl0
00031 29 7469 allow ip from any to 10.0.2.0/24 in recv rl0
00040 0 0 pipe 2 ip from 10.0.2.0/24 to any out xmit rl0
00041 0 0 allow ip from 10.0.2.0/24 to any out xmit rl0
00050 3 156 divert 8668 ip from any to any out xmit rl0
00100 106 24366 deny log logamount 100 ip from any to any
65535 6768 443791 allow ip from any to any
-bash-2.05b# ipfw pipe 1 show
00001: 256.000 Kbit/s 0 ms 50 sl. 3 queues (64 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
15 ip 0.0.0.0/0 0.0.0.79/0 4 302 0 0 0
32 ip 0.0.0.0/0 0.0.0.32/0 6 510 0 0 0
48 ip 0.0.0.0/0 0.0.0.112/0 5 445 0 0 0
-bash-2.05b# ipfw pipe 2 show
00002: 256.000 Kbit/s 0 ms 50 sl. 1 queues (64 buckets) droptail
mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
58 ip 0.0.0.125/0 0.0.0.0/0 2 80 0 0 0
-bash-2.05b#
To me it looks pretty strange.
Can somebody please explain on what interface, and when, I should attach
queues/pipes?
I know this looks complicated; all I need is to be able to queue
incoming/outgoing traffic
for every user in my LAN. (Furthermore, I will also need to use squid, which I
understand, and omitted in this post.)
I would also be grateful if you could let me know about some ipfw LAN sharing
examples.
Thanks!
Regards,
Robert
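The following is an added example, not part of Robert's post and not ipfw or natd code. It is a small Python model of the ordering semantics that ipfw(8) documents for the two actions the post combines: a divert rule hands the packet to natd and, once natd reinjects it, evaluation continues at the next rule; a pipe rule with net.inet.ip.fw.one_pass=1 accepts the packet as it leaves dummynet, while with one_pass=0 the packet is reinjected at the next rule. The rule numbers, interfaces and the 10.0.2.0/24 LAN are taken from the post's two rulesets; EXT_IP, the LAN host, the remote address and the third, reordered ruleset are constructed for illustration. Tracing a packet through each ruleset shows why a pipe rule under one_pass=1 behaves like a terminal allow (nothing below it, including the divert at 50 and the deny at 100, is consulted for that packet), and why the post's inbound counters for rules 20 and 30 move in step.

```python
# Added example: toy model of ipfw rule traversal with pipe (dummynet) and
# divert (natd) rules under net.inet.ip.fw.one_pass=1 and =0.
# Semantics modelled (from ipfw(8)):
#   divert  -> packet goes to natd; when reinjected it continues at the next rule
#   pipe    -> one_pass=1: packet leaving the pipe is accepted, no further rules
#              one_pass=0: packet leaving the pipe is reinjected at the next rule
# Rule numbers / interfaces / 10.0.2.0/24 come from the post; the addresses
# below and the "reordered" ruleset are constructed sample values.
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

EXT_IF, EXT_IP = "rl0", "198.51.100.10"   # constructed external address (TEST-NET-2)
LAN_HOST = "10.0.2.15"                      # constructed LAN host behind natd
REMOTE = "203.0.113.7"                      # constructed internet host (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" (recv iface) or "out" (xmit iface)
    iface: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "divert", "pipe", "allow", "deny"
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None
    iface: Optional[str] = None


def _addr_matches(spec: str, addr: str) -> bool:
    """'any' or a host/CIDR spec against a concrete address."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does the rule body (src/dst/in|out/recv|xmit iface) match the packet?"""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return _addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)


def natd(pkt: Packet) -> Packet:
    """Toy natd: a fixed 1:1 mapping stands in for natd's dynamic table."""
    if pkt.direction == "in" and pkt.dst == EXT_IP:
        return replace(pkt, dst=LAN_HOST)
    if pkt.direction == "out" and _addr_matches("10.0.2.0/24", pkt.src):
        return replace(pkt, src=EXT_IP)
    return pkt


def trace(rules: List[Rule], pkt: Packet, one_pass: bool) -> Tuple[List[int], str, Packet]:
    """Walk the ruleset in number order for one firewall pass.
    Returns (numbers of the rules that matched, final disposition, final packet)."""
    visited: List[int] = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        visited.append(rule.number)
        if rule.action in ("allow", "deny"):
            return visited, rule.action, pkt
        if rule.action == "divert":
            pkt = natd(pkt)              # reinjected by natd, continue at next rule
        elif rule.action == "pipe" and one_pass:
            return visited, "allow (one_pass after pipe)", pkt
        # pipe with one_pass=0: reinjected at the next rule, keep walking
    return visited, "default rule 65535 allow", pkt


# The post's first ruleset (run with one_pass=1)
RULESET_ONE_PASS_1 = [
    Rule(20, "divert", dst=EXT_IP, direction="in", iface=EXT_IF),
    Rule(30, "pipe", dst="10.0.2.0/24", direction="in", iface=EXT_IF),
    Rule(40, "pipe", src="10.0.2.0/24", direction="out", iface=EXT_IF),
    Rule(50, "divert", direction="out", iface=EXT_IF),
    Rule(100, "deny"),
]
# The post's second ruleset (run with one_pass=0)
RULESET_ONE_PASS_0 = RULESET_ONE_PASS_1 + [
    Rule(31, "allow", dst="10.0.2.0/24", direction="in", iface=EXT_IF),
    Rule(41, "allow", src="10.0.2.0/24", direction="out", iface=EXT_IF),
]
# Constructed variant: pipe on the pre-NAT (LAN) source, then divert, then allow
RULESET_REORDERED = [
    Rule(40, "pipe", src="10.0.2.0/24", direction="out", iface=EXT_IF),
    Rule(50, "divert", direction="out", iface=EXT_IF),
    Rule(55, "allow", direction="out", iface=EXT_IF),
    Rule(100, "deny"),
]

INBOUND = Packet(src=REMOTE, dst=EXT_IP, direction="in", iface=EXT_IF)     # constructed
OUTBOUND = Packet(src=LAN_HOST, dst=REMOTE, direction="out", iface=EXT_IF)  # constructed

if __name__ == "__main__":
    for name, rules, one_pass in (("one_pass=1", RULESET_ONE_PASS_1, True),
                                  ("one_pass=0", RULESET_ONE_PASS_0, False),
                                  ("reordered, one_pass=0", RULESET_REORDERED, False)):
        for label, pkt in (("inbound", INBOUND), ("outbound", OUTBOUND)):
            print(name, label, trace(rules, pkt, one_pass))
```

Each call to trace models a single pass through the firewall (the out-xmit pass on rl0 for OUTBOUND); a real forwarded packet is also seen on its in-recv pass on the LAN interface, which this model leaves out. The point to read from the traces is that under one_pass=1 the outbound packet stops at rule 40 with its LAN source address untranslated and rule 50 unvisited, exactly the "nothing gets diverted in rule #50" symptom, and that any deny placed below a pipe rule is never consulted for piped traffic in that mode.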