Understanding where dummynet fits into an ipfw ruleset
Chuck Swiger
cswiger at mac.com
Fri Jun 27 23:20:17 UTC 2008
On Jun 27, 2008, at 3:01 PM, Freddie Cash wrote:
[ ... ]
>> If net.inet.ip.fw.one_pass is true, then you definitely want to apply your
>> deny rules first, as once something matches a pipe rule, it's going to be
>> passed. The tradeoff is that the accounting/fairness of traffic is less
>> accurate but the firewall ruleset runs faster...
>
> So, in this situation, the "allow" rules would be the queue rules?
>
> To add traffic shaping to the following, using one_pass=1:
> 100 allow ip from 1.1.1.1 to 2.2.2.2 in recv em0
> 200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1
> 300 deny ip from any to 2.2.2.2 in recv em0
>
> Would be:
> 100 queue 1 ip from 1.1.1.1 to 2.2.2.2 in recv em0
> 200 allow ip from 1.1.1.1 to 2.2.2.2 out xmit em1
> 300 deny ip from any to 2.2.2.2 in recv em0
>
> Or am I way off here? :)
Hmm. If you have one_pass set, I believe that rule 200 would become
superfluous. If it was off, rule 200 would be needed to permit
traffic through. However, queue rulesets are used to classify traffic
into different bins; then they get pulled out of the bins with packets
waiting in proportion to the weights configured via something like:
ipfw queue 1 config pipe 1 weight 10
i.e., you have to attach queue(s) to a pipe for this classification or
sorting to be meaningful.
--
-Chuck
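As an added illustration (not part of the thread), here is a small Python model of ipfw first-match evaluation with the one_pass behaviour documented in ipfw(8): with one_pass set, a packet leaving a dummynet queue/pipe is accepted without re-entering the firewall; with it unset, the packet is reinjected at the rule after the one that queued it. It is run over Freddie's three rules; the `110 allow` rule in the second ruleset is my own addition to show what keeps the traffic flowing when one_pass is off.

```python
"""Toy model of ipfw rule walking around a dummynet queue rule (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    num: int
    action: str      # "allow", "deny" or "queue"
    src: str         # IP address or "any"
    dst: str
    direction: str   # "in" or "out"
    iface: str       # interface named in recv/xmit


@dataclass
class Packet:
    src: str
    dst: str
    direction: str
    iface: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src == "any" or rule.src == pkt.src)
            and (rule.dst == "any" or rule.dst == pkt.dst)
            and rule.direction == pkt.direction
            and rule.iface == pkt.iface)


def evaluate(rules: List[Rule], pkt: Packet, one_pass: bool) -> str:
    """Walk rules by number; return the verdict and the rule that produced it."""
    for rule in sorted(rules, key=lambda r: r.num):
        if not matches(rule, pkt):
            continue
        if rule.action in ("allow", "deny"):
            return f"{rule.action} by rule {rule.num}"
        # "queue": with one_pass the packet is accepted after dummynet;
        # without it, matching resumes at the next rule (reinjection).
        if one_pass:
            return f"allow by rule {rule.num} (one_pass, queued)"
    return "deny by default rule 65535"


# Freddie's ruleset from the thread (constructed from the quoted rules).
FREDDIE = [Rule(100, "queue", "1.1.1.1", "2.2.2.2", "in", "em0"),
           Rule(200, "allow", "1.1.1.1", "2.2.2.2", "out", "em1"),
           Rule(300, "deny", "any", "2.2.2.2", "in", "em0")]
# Hypothetical variant: an allow right after the queue rule for one_pass=0.
WITH_ALLOW = FREDDIE + [Rule(110, "allow", "1.1.1.1", "2.2.2.2", "in", "em0")]
INBOUND = Packet("1.1.1.1", "2.2.2.2", "in", "em0")   # constructed sample
OTHER = Packet("3.3.3.3", "2.2.2.2", "in", "em0")     # constructed sample

if __name__ == "__main__":
    for name, rs, op in [("one_pass=1", FREDDIE, True), ("one_pass=0", FREDDIE, False),
                         ("one_pass=0 + rule 110", WITH_ALLOW, False)]:
        print(name, "->", evaluate(rs, INBOUND, op))
```

Running it shows the queued traffic being dropped by rule 300 on reinjection when one_pass is off, and the unrelated 3.3.3.3 traffic hitting the deny either way.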
More information about the freebsd-net mailing list