1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

dummynet / ipfw plr config issue: double plr for UL compared to DL

Discussion in 'Firewalls' started by arusan, Sep 7, 2011.

  1. arusan

    arusan New Member

    Messages:
    11
    Likes Received:
    0
    On a machine acting as a bridge, I have only one dummynet pipe configured with PLR.
    I add two rules, hoping that I will generate symmetric packet loss on UL & DL for a single host behind the bridge.

    However, I end up with double the packet loss in UL, while in DL the packet loss is exacty what I configured. And I can't figure out at all where my mistake lies...

    my config:
    Code:
    ipfw pipe 7 config plr 0.004                #--> 0.4%, right?
    ipfw add 300 pipe 7 out dst-ip 10.x.y.z/30  #--> I also tried only IP@ 10.x.x.2, for the
                                                # specific host. it's anyway alone in that subnet
    ipfw add 400 pipe 7 out src-ip 10.x.y.z/30  # obviously x,y,z identical to the above ones
    I test with iperf, one linux and one windows machine (first command line for the server, second line for client):
    Code:
    iperf -s -u -l 1400
    iperf -c 10.x.y.z -f m -u -i 5 -b 3m -l 1400 -t 100
    (tried with other values for bandwidth, no difference. need -t 100 for a good average since my PLR is very low).

    -when running this in one direction, my PLR is the desired one: ~0.4% (0.39% to 0.41%).
    -when running this in the other direction (I switch my iperf commands and adjust the IP@ for the server, the machines remain on the same side of the bridge, just the iperf server/client are switched) I get double the packet loss: ~0.8% (0.76%-0.85%).

    same result if I run iperf with the -r command (also for reversed direction testing).
    If I put prob 0.5 to the 400 rule (which is the problematic one), I get the correct result of 0.4% --> which is strange...

    I checked that only one rule is matched when running the iperf test (via ipfw show, I see what rule increments packet count) and also that the pipe is configured with the correct value (ipfw pipe show).

    if I change rule 400 to:
    Code:
    ipfw add 400 pipe 7 [B]in[/B] src-ip 10.x.y.z/30
    it is not matched at all... which is again weird. I get then PLR 0% and no packets hit the rule.

    I use a dual port Intel card (em0, em1) configured as a bridge, no IP@ for any of the ports.
    sysctl.conf:
    Code:
    net.link.ether.ipfw=0
    net.link.bridge.ipfw=1
    It must be smtg obvious, but I cannot see it.