Dummynet Filtering not working on FreeBSD 10

Question

I am trying to do network emulation using dummynet in FreeBSD 10. I have this working in 9.3 however things must have changed and I cant determine exactly what but my setup no longer works. I have pretty basic config:

**/boot/loader.conf**
dummynet_load="YES"
if_bridge_load="YES"
ipfw_load="YES"
kern.hz=10000

**/etc/sysctl.conf**
net.link.bridge.ipfw=1
net.inet.ip.fw.one_pass=1
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.ip.dummynet.io_fast=1
net.inet.ip.dummynet.pipe_byte_limit=16777216

**/etc/rc.conf**
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_em0="up"
ifconfig_em1="up"

In my firewall script I have:

ipfw pipe 111 config bw 1Mbit/s delay 10ms plr .01 queue 1000KB
ipfw add pipe 111 log all from 10.25.0.129 to 10.25.0.11

When I do a ping test from 10.25.0.129 to 10.25.0.11 it is always successful however the firewall hits look like:

root@dummynet:/etc/dummynet # ipfw -a list
00100   0     0 pipe 111 log ip from 10.25.0.129 to 10.25.0.11
65535  77 15511 deny ip from any to any

If I shut the BSD machine down the pings stop working so I know the pings are definitely being bridged by BSD for some reason the rule isn't getting hit like it did in FreeBSD9.3 though.

`net.link.bridge.ipfw` should pass packets to the `ipfw` otherwise this is a matter for PR. What version of FreeBSD you have used? — Kondybas, Dec 20 '14 at 14:50
Thanks for the comment; root@dummynet:~ # uname -a FreeBSD dummynet 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014 root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 — Rj01, Dec 20 '14 at 23:01
I have upgraded to the latest now still with no luck FreeBSD dummynet 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 — Rj01, Dec 21 '14 at 00:58

Kondybas · Answer 1 · 2014-12-21T00:32:50.943

2

It's all because of net.inet.ip.dummynet.io_fast=1. This variable turned on fast packet processing: while bandwidth is not exhausted, all packets are forwarded directly through the bridge. Shaper is bypassed completely - and no packets counted in the DUMMYNET.

That behaviour is intended specially for heavy loaded gateways for CPU offload for the cost of irrelevant stats.

Try to turn it off and ensure that packets are counted as estimated.

edited Dec 21 '14 at 00:32

answered Dec 21 '14 at 00:27

Kondybas

6,964
2
20
24

That sounded promising. Hopefully I have done something wrong because it didnt fix my problem. currently in /etc/sysctl.conf net.link.bridge.ipfw=1 net.inet.ip.fw.one_pass=1 net.inet.ip.forwarding=1 net.inet.ip.dummynet.pipe_byte_limit=16777216 net.inet.ip.dummynet.pipe_slot_limit=128 Still not hitting the rule. I created another any to any rule and the bridge pings dont hit this rule either. If I ping from my local computer to the vm it hits the any to any rule and the dummynet pipe config takes effect. – Rj01 Dec 21 '14 at 00:57

Dummynet Filtering not working on FreeBSD 10

1 Answers1