Dummynet, pipes and VNET jails

Peter pmc at citylink.dinoex.sub.org
Fri Jun 5 16:13:47 UTC 2020 

Hello Stefan,

 I experience the same issue as You describe. I suppose You have
configured
	net.inet.ip.dummynet.io_fast=1

This means, packets that get immediately delivered do not even
traverse the pipe - therefore You see no problem when no delay is on
the pipe.
If You switch net.inet.ip.dummynet.io_fast off, then you will see
packets always disappear.

And, in fact, these packets do NOT disappear. They get correctly
re-inserted at the subsequent rule - but, since DUMMYNET appears to
have no notion of jails, they do not get reinserted in the jail's
ruleset, but in that of the base system!

I just ran into this same problem, and to me it looks like DUMMYNET
would need to be made jail-aware.

Rel. is 11.3 - anybody knows if this has in the meantime been improved
in R.12 ?

cheerio,
PMc


On Tue, Jul 23, 2019 at 08:50:13AM +0000, Stefan.Erl at dlr.de wrote:
! Hi all,
! 
! I have a problem with ipfw/dummynet, pipes and VNET jails using FreeBSD 12.0
! release. Packets are lost in the pipe when any impairments are configured.
! 
! I set up several VNET jails and connected them via epairs, in order to 
! do tests with different network and routing configurations. On some jails, I
! want to run dummynet with pipes to add delay to the packets. Whenever
! I configure a pipe with zero delay, everything works. As soon as I add any delay
! (or loss, bw limit), the packets enter the pipe, but never exit it, and never
! appear on the target Jail.
! 
! 
! A simple test setup I've set up is the following:
! (JailB is configured for IP forwarding)
! 
! ---------     ---------     ---------
! | JailA |-----| JailB |-----| JailC |
! ---------     ---------     ---------
! 
! JailA: ping JailC
! 
! JailB: 
!  ipfw flush
!  ifpw add 10000 pipe 1 ip from JailA to any
!  ipfw config pipe 1 delay 0ms
! 	
!  This works fine, packets arrive at JailC. "ipfw show" shows increasing
!  counters for rules 10000 and 65535 (allow ip from any to any)
! 	
!  Then, if I add some delay:
! 	
!  ipfw config pipe 1 delay 10ms
! 	
!  Packets are lost in JailB, don't arrive at JailC. "ipfw show" shows
!  increasing counters only for rule 10000, but not for 65535.
! 	
! 
! IPFW and dummynet are compiled into the kernel, with kern.hz=1000 and 
! IPFW_DEFAULT_TO_ACCEPT option. Dummynet pipes on the Jail ethernet interface
! outside a jail seem to work fine.
! 
! I've found some threads from 2010 saying that there are some problems with
! dummynet and VNET jails. Are these still existing, is something else wrong, or
! am I missing something?
! 
! Regards,
! Stefan

More information about the freebsd-ipfw mailing list