ipfw quick question regarding dummynet queues and layer2 filtering

[overmind]

Hi,

I want to achieve dynamic traffic shaping, routing with NAT using ipfw and also to block IP-s by MAC address.

Here is my rule:

#!/bin/sh
cmd="/sbin/ipfw -q"

# external interface
wan_if="em0"
# internal interface
lan_if="em1"

b_down="512Kbit/s"
b_up="256Kbit/s"

conn_limit="limit src-addr 1000"

$cmd table 1 add 192.168.11.0/24 1
$cmd table 2 add 10.0.0.0/24

# nat
$cmd nat 1 config if $wan_if reset
$cmd add 50 nat 1 all from 192.168.11.0/24 to any via $wan_if out
$cmd add 60 nat 1 all from any to me via $wan_if in

# download pipe
$cmd pipe 10 config bw $b_down queue 8Kbytes
$cmd queue 1 config sched 5 weight 10 pipe 10 queue 6 mask dst-ip 0x000000ff
$cmd queue 2 config sched 5 weight 1 pipe 10 queue 6 mask dst-ip 0x000000ff

# upload pipe ack
$cmd pipe 20 config bw 128Kbit/s queue 4Kbytes mask src-ip 0x000000ff
# upload all
$cmd pipe 21 config bw $b_up queue 8Kbytes mask src-ip 0x000000ff
$cmd queue 3 config sched 5 weight 10 pipe 21 queue 6 mask dst-ip 0x000000ff
$cmd queue 4 config sched 5 weight 1 pipe 21 queue 6 mask dst-ip 0x000000ff

# download rules
$cmd add 700 queue 1 tcp from any to any out xmit $lan_if tcpflags ack iplen 0-52
$cmd add 710 skipto 7000 tcp from any to any out xmit $lan_if tcpflags ack iplen 0-52
$cmd add 720 queue 2 ip from any to "table(1)" out xmit $lan_if $conn_limit

# upload rules
$cmd add 800 pipe 20 tcp from any to any in recv $lan_if tcpflags ack iplen 0-52
$cmd add 810 skipto 8000 tcp from any to any in recv $lan_if tcpflags ack iplen 0-52
$cmd add 910 queue 2 ip from any to "table(1)" in recv $lan_if
$cmd add 920 queue 4 ip from "table(1)" to any in via $lan_if

Everything works fine with shaping without MAC filtering.

If I want to add layer2 filtering with the following code, added before NAT rules:

# allow using MAC
$cmd add 13 allow ip from any to any layer2 mac-type arp
$cmd add 14 allow ip from any to any MAC any "08:00:27:75:ba:cf" in via $lan_if
$cmd add 15 deny ip from any to any layer2 in via $lan_if
$cmd add 16 allow ip from any to any layer2 via $wan_if

Then the traffic shaping will not work properly anymore. It will shape traffic but not with 512/256, so is not working in parameters.

Where I am wrong. I asume after evaluating layer2 rules the firewall will continue with next rules.

 

[phoenix]

Packets are scanned at layer2 first, then again at layer3. You want to put your MAC rules first.

Otherwise, they are going through the pipe as layer2 packet, then again through the pipe as a layer3 packet.

Move 13-16 up to the top of the list.

 

[overmind]

Thank you!
Yes that was the problem. Also it is easier if we split traffic outgoing and incoming using skipto rule.