my dummynet adventures (spoiler alert: everyone just dies at the end)
Eugene M. Zheganin
emz at norma.perm.ru
Wed Mar 29 10:50:54 UTC 2017
Hi,
Recently I had to move from Ultimate and Perfect pf (because it's not
the Ultimate and Perfect when it comes to gigabit/s speeds, due to
legacy TX in Intel drivers and associated problems) [back] to ipfw. I
was terribly disappointed, because after 10 years with pf I felt like I
had traveled to the stone age, with relic and unusable spears and
arrows instead of pulse rifles and railguns. Seems like nothing changed
for 10 years there:
- "ipfw pipe show" still isn't documented. Like at all.
- "ipfw pipe show" output is weird and cryptic and nobody understands it
without reading sources. Even after reading sources few understand it (I
don't). Our local FreeBSD guru is able to explain the output field
meaning, but the first time he explains it wrong, then he consults the
sources (and does it each time), then he explains again, correcting the
mistakes (and the guy really rocks, I mean - if it's not intuitive to
him, who could understand it).
Looks like none of the ipfw developers has seen "pfctl -vvvs queue
show" output (which is a state of the art, really), so everyone who's
using ipfw pipes has to cut and torture themselves. I asked the same local
FreeBSD guru "How can I prove to myself that this thing even works?"
and I've been told to just ... measure the traffic after it has flowed
through the shaper! Same thing with drops measuring. "ipfw pipe show"
shows zero drops (although I expect some), so I've been told to add the
counter rules after pipe ones, and to switch the net.inet.ip.fw.one_pass
to 0. Just to count the drops (it really counts it, so it's a mystery
why the "ipfw pipe show" does show nothing). Furthermore, "ipfw pipe
show" shows almost nothing when there's no traffic going through the
pipe - and it really would be just logical to store the cumulative
statistics there.
Concluding, ipfw dummynet interface resembles an unfinished student
work, it's stuck in the early 2000s, and it really does not look like
something of a production-ready system. I know that nobody owes anyone
anything, but it really looks like both "modern" FreeBSD packet filters
are lying in ruins, and people using ipfw had to scavenge some long ago
broken instruments on the junkyards (like in the Mad Max series) and use sun
and stars just to determine whether it's working or not.
I didn't mention that both still use 32-bit integers, thus limiting the
actual bandwidth to 4 Gigs/sec. Jesus.
Eugene.
More information about the freebsd-net
mailing list