Re: How to obtain fixed packet loss ?

2011-01-04 Thread Luigi Rizzo 
On Mon, Jan 03, 2011 at 06:22:54PM +, nangergong wrote:
 Hi, all:
 
   As far as I know, in dummynet, plr is prabability-based, namely, when a
 packet is processed, it will be discarded according to the probability. So,
 if I have 100 packets and the plr is 5%, eventually I may just discard 3
 packets or even 1 packets. So, the real packet loss is not consitent with
 the plr-set value. Is there any good method that can give me a consistent
 packet loss? Thank you!

you would need to modify the prob option in ipfw so that
e.g. you specify a bitmap indicating the pattern of packet pass/drop

(this was the way i originally implemented packet loss back in 1995!)

cheers
luigi

 ___
 freebsd-ipfw@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
 To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: Transparent Squid and traffic control

2011-01-04 Thread John Nielsen 
On Jan 4, 2011, at 8:01 AM, Fazal Ahmed Malik wrote:

 I have problem in running transparent squid along with dummynet on FreeBSD 7. 
 I have mpd5 for dialin pppoe which is working perfect along with ipfw 
 dummynet traffic control. Now i want to setup transparent squid using ipfw 
 fwd rule. if i place fwd rule before dummynet rule transparent squid start 
 working but than traffic is not being controlled. Than i placed fwd rule 
 after the dummynet pipe here traffic controlled but transparent squid stop 
 working.Any body have experience in such configuration where both work 
 simultaneously please gave me some hints.

I have done this successfully in the past. You need to remember that for every 
web request there are potentially two TCP conversations: one between the client 
and the proxy and one between the proxy and the server.

You probably do not want to pipe the first type of conversation--requests that 
can be served from the proxy's cache do not use WAN bandwidth and should be 
served at full speed over the LAN.

You DO want to pipe the second type of conversation. Requests from the proxy to 
web servers over the WAN will compete with other traffic for bandwidth.

So leave your fwd rule before the dummynet rule(s) and be sure that LAN traffic 
is not piped.

Then add rules to pipe requests from the proxy's external IP to non-LAN 
addresses on port 80. Something like these:

Downstream:
ipfw add skipto $ACCEPT tcp from $LAN 80 to me
ipfw add pipe $M tcp from any 80 to $EXTIP

Upstream:
ipfw add skipto $ACCEPT tcp from me to $LAN 80
ipfw add pipe $N tcp from $EXTIP to any 80

If you post a specific ruleset you can get specific advice. :)

JN

___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: Transparent Squid and traffic control

2011-01-04 Thread Julian Elischer 

On 1/4/11 5:01 AM, Fazal Ahmed Malik wrote:

Hi,

I have problem in running transparent squid along with dummynet on FreeBSD 7. I 
have mpd5 for dialin pppoe which is working perfect along with ipfw dummynet 
traffic control. Now i want to setup transparent squid using ipfw fwd rule. if 
i place fwd rule before dummynet rule transparent squid start working but than 
traffic is not being controlled. Than i placed fwd rule after the dummynet pipe 
here traffic controlled but transparent squid stop working.Any body have 
experience in such configuration where both work simultaneously please gave me 
some hints.

Best regards,


Fazal Ahmed
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

in your ipfw rules separate out the incoming and outgoing work on each 
inteface to different sets of rules..


As a simple example I attach a copy of a sanitased ipfw ruleset that 
does that with mpd..


Noteh that there are two different NAT points.. one for incoming and 
one for outgoing data


You may do your forwarding at the appropriate point for each direction 
independently.
In fact you probably should do it so that you forward incoming packets 
on both the local and remote interfaces

and never forward outgoing packets..
this means you would add a new set of rules for the local interface 
that are not in

my file but you should get the idea..

when you say 'transparent squid, do you mean transparent to the client 
or the server, or both?


basically you should do fwds on incoming packets (fwd to squid locally)
(incoming from the point of view of the firewall itself.)



#!/bin/sh

fwcmd=/sbin/ipfw

# Suck in the configuration variables.
if [ -z ${source_rc_confs_defined} ]; then
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
fi


# set these to your outside interface network and netmask and ip
oif=tun0
onet=192.168.36.0
omask=24
oip=A.A.A.A


# set these to your inside interface network and netmask and ip
iif=vr0
inet=192.168.2.0
imask=255.255.255.0
iip=192.168.2.21

# for not the natd target is us but change this if you
# change that in natd.conf
natd_target=${oip}
work_vpnserver=B.B.B.B

INCOMING=4000
OUTGOING=8000

sysctl net.inet.ip.fw.enable=0
${fwcmd} -q flush
${fwcmd} -q table 1 flush
${fwcmd} -q table 2 flush
${fwcmd} -q table 3 flush
${fwcmd} -q table 4 flush

# Addresses we should never talk to outside our firewall
${fwcmd} table 1 add 10.0.0.0/8
${fwcmd} table 1 add 172.16.0.0/12 
${fwcmd} table 1 add 192.168.0.0/16 
 # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
 # RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST (class D),
 # and class E) on the outside interface
${fwcmd} table 1 add 0.0.0.0/8 
${fwcmd} table 1 add 169.254.0.0/16
${fwcmd} table 1 add 192.0.2.0/24
${fwcmd} table 1 add 224.0.0.0/4
${fwcmd} table 1 add 240.0.0.0/4 

# add legit sources of ssh.. DNS is not up yet so use IPs
# could add to /etc/hosts I guess.
#  frienly server
${fwcmd} table 2 add C.C.C.C
#  work
${fwcmd} table 2 add D.D.D.D
#  vps1
${fwcmd} table 2 add E.E.EE

# add legit DNS tcp (zone) sources
#  my.first.dns.server
${fwcmd} table 3 add F.F.F.F
#  my.second.dns.server
${fwcmd} table 3 add G.G.G.G
#  my.third.dns.server
${fwcmd} table 3 add H.H.H.H

# Add our local networks here
${fwcmd} table 4 add 192.168.2.0/24
${fwcmd} table 4 add 172.16.15.0/24

# common spoofing code
# --- ALL PACKETS START HERE. 

# Stop localhost spoofing
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny log all from any to 127.0.0.0/8
${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any

# If we've already decided on it. keep our word.
${fwcmd} add check-state

# Select direction and interface class
${fwcmd} add skipto ${INCOMING} ip from any to any in recv ${oif}
${fwcmd} add skipto ${OUTGOING} ip from any to any out xmit ${oif}

# Internal traffic. generally don't care
# except to stop spoofing.
# make extra sure we don't block DHCP to our server
# as initial request will be from 0.0.0.0/0
 
${fwcmd} add allow udp from any to any 67 in recv ${iif}
${fwcmd} add allow udp from any 67 to any out xmit ${iif}
 
#

soft-cap,

2011-01-04 Thread Michael Spratt 
Dear friends,  linux/ipfw/dummynet/transparent-bridge, am trying to cap 
users to upload/TX rates, but allow them to go over if the link is not 
congested.


The example below limits each src-ip mask-IP's TX from 10.10.0.0/20 to 
128Kbp/s,  and from 10.20.0.0/20 to 1024Kbp/s.

-
ipfw pipe 1 config bw 128Kbit/s mask src-ip 0x
ipfw pipe 2 config bw 1024Kbit/s mask src-ip 0x
ipfw 10001 add pipe 1 ip from 10.10.0.0/20 to any out xmit br0   
ipfw 10001 add pipe 2 ip from 10.20.0.0/20 to any out xmit br0   
?How to define total link size 100/100Mbit/s and allow individual ip's 
to exceed rate limit when link is not full?

-
This simply places a HARD CAP on each IP. 

My question is, how to allow each IP to exceed that hard limit if the 
bandwidth on the up-link is available.  IE. If there is free bandwidth  
let them use it; if not scale users exceeding their subscibed data rate 
down until they are down to their subscribed limit?


My WAN uplink is 100Mbp/s
I want to give the clients the benefit of exceeding their TX dynamic 
pipe cap-limit,  when the system has spare bandwdith.


I welcome any feedback. Thanks -Mike 1-214-901-3232
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: soft-cap,

2011-01-04 Thread Freddie Cash 
On Tue, Jan 4, 2011 at 2:33 PM, Michael Spratt
m...@magicislandtechnologies.com wrote:
 Dear friends,  linux/ipfw/dummynet/transparent-bridge, am trying to cap
 users to upload/TX rates, but allow them to go over if the link is not
 congested.

 The example below limits each src-ip mask-IP's TX from 10.10.0.0/20 to
 128Kbp/s,  and from 10.20.0.0/20 to 1024Kbp/s.
 -
 ipfw pipe 1 config bw 128Kbit/s mask src-ip 0x
 ipfw pipe 2 config bw 1024Kbit/s mask src-ip 0x

Create 1 pipe of 1024+128 Kbps.

Then create 2 queues, one with weight 1 (the slow queue) and the other
with weight 8 (the fast queue).

That will guarantee that traffic sent through queue 1 gets at least
128 Kbps of bandwidth, even when the pipe is full.  And traffic sent
through queue 2 gets at least 1024 Kbps of bandwidth, even when the
pipe is full.

The beauty of queues, though, is that either queue can expand to
fill the full pipe, if there's no traffic in the other queues.

Thus, queue 1 is guaranteed 128 Kbps of bandwidth, but can use up to
the full pipe worth if queue 2 is empty.

And queue 2 is guaranteed 1024 Kbps of bandwidth, but can use up to
the full pipe worth if queue 1 is empty.

 ipfw 10001 add pipe 1 ip from 10.10.0.0/20 to any out xmit br0
 ipfw 10001 add pipe 2 ip from 10.20.0.0/20 to any out xmit br0

Then, change the above rules to use the queues instead.

The way dummynet works, is that pipes set hard limits on the bandwidth.

And queues provide minimum guarantees for bandwidth inside of that pipe.

-- 
Freddie Cash
fjwc...@gmail.com
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup

2011-01-04 Thread hrs 
Synopsis: [ipfw] Problem with loading of ipfw NAT rules during system startup

Responsible-Changed-From-To: freebsd-ipfw-hrs
Responsible-Changed-By: hrs
Responsible-Changed-When: Wed Jan 5 01:05:33 UTC 2011
Responsible-Changed-Why: 
Take.

http://www.freebsd.org/cgi/query-pr.cgi?pr=148928
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled

2011-01-04 Thread hrs 
Synopsis: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat 
enabled

Responsible-Changed-From-To: freebsd-ipfw-hrs
Responsible-Changed-By: hrs
Responsible-Changed-When: Wed Jan 5 01:06:05 UTC 2011
Responsible-Changed-Why: 
Take.

http://www.freebsd.org/cgi/query-pr.cgi?pr=153155
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org