Please help - dummynet, ipfw and bridging config

R

romar

Hi & thanks in advance for any help and advice. I have been using FreeBSD (as Frenzy 1.1 - FreeBSD 6.3) for network impairment simulation. With new hardware (Intel 82583V, USB devices) this no longer works and I had to upgrade to Frenzy 1.3 - which runs fine with the em interfaces and USB devices just that the previous bridging config no longer works.

Digging a bit deeper I have noticed that sysctl parameters specific to bridging are missing - even after kldload-ing dummynet, if_bridge, bridgestp, etc. And bridging would not work even if configured "by hand" with ifconfig commands. Given this I have installed the FreeBSD 8.1 distribution with the GENERIC kernel.

The behaviour is exactly the same just that now, to make things worse, kldload-ing ipfw blocks everything, even ICMP, although the firewall is not enabled in /etc/sysctl.conf, /etc/default/rc.conf or /etc/rc.conf. This is what I have in 8.1 (distribution or Frenzy 1.3, based on 8.1):

Code: 
FreeBSD-1# sysctl -a | grep bridge
net.link.bridge.ipfw: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
This is what I have in Frenzy 1.1 (FreeBSD 6.3)
Code: 
frenzy:~# sysctl -a | grep bridge
bridge_rtnod:     32,        0,      0,      0,        0
net.link.ether.bridge_cfg: xl0,xl1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge.config: xl0,xl1
net.link.ether.bridge.enable: 1
net.link.ether.bridge.predict: 183040182
net.link.ether.bridge.dropped: 0
net.link.ether.bridge.packets: 183045529
net.link.ether.bridge.ipfw_collisions: 0
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.copy: 0
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.ipf: 0
net.link.ether.bridge.debug: 0
net.link.ether.bridge.version: 031224
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1

Frenzy 1.1 bridging works just fine on the old system - no way to make it work with 8.1

I assume I am missing some configurations or modules or maybe I need to recompile the kernel with specific options. However looking at the sysctl kern variables I cannot see anything specific.

This is the dummynet/bridging/impairment specific configuration in the Frenzy 1.1 /etc/sysctl.conf. How to get it working in FreeBSD 8.1?

Code: 
##enables firewall in the IP stack
net.inet.ip.fw.enable=1

net.inet.ip.fw.one_pass=1

##Current hash table size used for dynamic rules.
net.inet.ip.fw.dyn_buckets=256 (readonly)

##Desired hash table size used for dynamic rules.
net.inet.ip.fw.curr_dyn_buckets=256

##Current number of dynamic rules. (readonly)
net.inet.ip.fw.dyn_count=3


##Max number of dynamic rules. If you exceed this limit, you will
##have to wait for a rule to expire before being able to create a new one.
net.inet.ip.fw.dyn_max=1000

##Lifetime (in seconds) for various types of dynamic rules.
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_syn_lifetime=20
net.inet.ip.fw.dyn_fin_lifetime=20
net.inet.ip.fw.dyn_rst_lifetime=5
net.inet.ip.fw.dyn_short_lifetime=5

#dummynet control

##Size of hash table for dynamic pipes.
net.inet.ip.dummynet.hash_size=64

##Delete dynamic pipes when they become empty.
net.inet.ip.dummynet.expire=1

##Max ratio between number of dynamic queues and hash buckets.
##When you exceed (max_chain_len*buckets) queues on a pipe,
##packets not matching any of these will be all put into the
##same default queue.
net.inet.ip.dummynet.max_chain_len=16

net.link.ether.bridge.config=xl0,xl1

##enable bridging.
net.link.ether.bridge.enable=1

##enable ipfw for bridging.
net.link.ether.bridge.ipfw=1



Many thanks for your help
 
Mystery solved (but not for A+) - if_em simply does not support bridging.
On the box running Frenzy 1.1 the interfaces were 2 3COM cards (if_xl) but looking at the "stock" source code, if_xl.c coming with the FreeBSD kernel sources, it does not support bridging either.

There is a patch for if_xl adding the bridging capability (http://www.csl.cornell.edu/~rajit/fbsd/bridge.html) and probably the binary if_xl.ko coming with Frenzy 1.1 has the patch. I have recompiled if_em (the one from Intel) on Frenzy 1.1 and and 1.3 no bridging whatsoever - because the forwarding code is not there in the driver.

Frenzy 1.3 has its native if_em.ko but still without bridging support.

My interfaces are if_em and I have found no bridging patch.

Before I start digging into adding the bridging capability in if_em, I am sure there is someone, somewhere having done this already for if_em (Intel Pro 1000e).

Thanks for any suggestion.
 
OK, it was a RTFM issue - as Sergei Mozhaisky (Frenzy) was mentioning, the bridging behavior in FreeBSD 8.x changed hence the old configurations no longer works. Below is my working configuration changes on a Portwell CAD-0205 box with 4 interfaces, with 2 independent impairment bridges. I have also noticed that the "bridged" option kills all traffic through the interfaces - I assume this is where the bridging support in the driver intervenes. The impairment in bridge1 is really catastrophic.

/boot/defaults/loader.conf

Code: 
# added this:

if_em_load="YES"     (was NO)
if_bridge_load="YES"
dummynet_load="YES"

Thanks for your support

/etc/sysctl.conf:
Code: 
#added this:
nnet.link.bridge.ipfw=1
net.link.ether.ipfw=0

/etc/rc.conf
Code: 
#added this
cloned_interfaces="bridge0 bridge1"

ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_em2="up"
ifconfig_em3="up"

ifconfig_em0="inet 192.168.198.253/24"

ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_bridge1="addm em2 addm em3 up"

Code: 
ipfw -q flush
#
ipfw pipe 1 config delay 150 bw 90Kbit/s plr 0.1
ipfw pipe 2 config delay 200 bw 130Kbit/s plr 0.05
ipfw pipe 3 config delay 450 bw 30Kbit/s plr 0.2
ipfw pipe 4 config delay 600 bw 40Kbit/s plr 0.1
##
ipfw -q add 50 prob 0.07 deny udp from any to any { via em0 or via em1 }
ipfw -q add 55 prob 0.15 pipe 1 udp from any to any { via em0 or via em1 }
ipfw -q add 60 prob 0.17 deny udp from any to any { via em2 or via em3 }
ipfw -q add 65 prob 0.25 pipe 3 udp from any to any { via em2 or via em3 }

ipfw -q add 70 prob 0.03 deny icmp from any to any { via em0 or via em1 }
ipfw -q add 75 prob 0.05 pipe 2 icmp from any to any { via em0 or via em1 }
ipfw -q add 80 prob 0.13 deny icmp from any to any { via em2 or via em3 }
ipfw -q add 85 prob 0.15 pipe 4 icmp from any to any { via em2 or via em3 }

ipfw -q add 100 pass all from any to any via any
 
You must log in or register to reply here.
Back
Top