View | Details | Raw Unified | Return to bug 236030

(-)sbin/ipfw/ipfw.8 (-15 / +15 lines)
Lines 1329-1339 Link Here
1329
.Brc
1329
.Brc
1330
.Bl -tag -width indent
1330
.Bl -tag -width indent
1331
.It Cm any
1331
.It Cm any
1332
matches any IP address.
1332
Matches any IP address.
1333
.It Cm me
1333
.It Cm me
1334
matches any IP address configured on an interface in the system.
1334
Matches any IP address configured on an interface in the system.
1335
.It Cm me6
1335
.It Cm me6
1336
matches any IPv6 address configured on an interface in the system.
1336
Matches any IPv6 address configured on an interface in the system.
1337
The address list is evaluated at the time the packet is
1337
The address list is evaluated at the time the packet is
1338
analysed.
1338
analysed.
1339
.It Cm table Ns Pq Ar name Ns Op , Ns Ar value
1339
.It Cm table Ns Pq Ar name Ns Op , Ns Ar value
Lines 2083-2089 Link Here
2083
.It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec
2083
.It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec
2084
.It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port
2084
.It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port
2085
.It Cm addr
2085
.It Cm addr
2086
matches IPv4 or IPv6 address.
2086
Matches IPv4 or IPv6 address.
2087
Each entry is represented by an
2087
Each entry is represented by an
2088
.Ar addr Ns Op / Ns Ar masklen
2088
.Ar addr Ns Op / Ns Ar masklen
2089
and will match all addresses with base
2089
and will match all addresses with base
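Review bot: line 2086 is the only description in this hunk, and the flow-spec entries at 2083 and 2084 carry no description text to capitalize, so nothing else needs touching here; while editing 2086, "Matches IPv4 or IPv6 address." reads better with an article: "Matches an IPv4 or IPv6 address."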
Lines 2097-2107 Link Here
2097
When looking up an IP address in a table, the most specific
2097
When looking up an IP address in a table, the most specific
2098
entry will match.
2098
entry will match.
2099
.It Cm iface
2099
.It Cm iface
2100
matches interface names.
2100
Matches interface names.
2101
Each entry is represented by string treated as interface name.
2101
Each entry is represented by string treated as interface name.
2102
Wildcards are not supported.
2102
Wildcards are not supported.
2103
.It Cm number
2103
.It Cm number
2104
maches protocol ports, uids/gids or jail IDs.
2104
Matches protocol ports, uids/gids or jail IDs.
2105
Each entry is represented by 32-bit unsigned integer.
2105
Each entry is represented by 32-bit unsigned integer.
2106
Ranges are not supported.
2106
Ranges are not supported.
2107
.It Cm flow
2107
.It Cm flow
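Review bot: lines 2101 and 2105 drop articles ("represented by string treated as interface name", "represented by 32-bit unsigned integer"); since this hunk already edits 2100 and 2104 for wording, fix them to "Each entry is represented by a string treated as an interface name." and "Each entry is represented by a 32-bit unsigned integer." The "maches" to "Matches" fix at 2104 is correct.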
Lines 2792-2798 Link Here
2792
.Ar m
2792
.Ar m
2793
is the number of bytes a queue can serve before being moved to the tail
2793
is the number of bytes a queue can serve before being moved to the tail
2794
of old queues list.
2794
of old queues list.
2795
The default is 1514 bytes, and the maximum accepable value
2795
The default is 1514 bytes, and the maximum acceptable value
2796
is 9000 bytes.
2796
is 9000 bytes.
2797
.It Cm limit
2797
.It Cm limit
2798
.Ar m
2798
.Ar m
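Review bot: line 2794 reads "of old queues list" and needs an article ("of the old queues list"); with 2795 already touched for the "accepable" typo, that fix belongs in the same change. The 1514 and 9000 byte values at 2795-2796 are context and are not altered by this hunk.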
Lines 2800-2806 Link Here
2800
instance of the scheduler.
2800
instance of the scheduler.
2801
The default value of
2801
The default value of
2802
.Ar m
2802
.Ar m
2803
is 10240 packets, and the maximum accepable value is 20480 packets.
2803
is 10240 packets, and the maximum acceptable value is 20480 packets.
2804
.It Cm flows
2804
.It Cm flows
2805
.Ar m
2805
.Ar m
2806
specifies the total number of flow queues (sub-queues) that fq_*
2806
specifies the total number of flow queues (sub-queues) that fq_*
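Review bot: "accepable" to "acceptable" at 2803 is the right fix, and the same misspelling recurs at 2810 in the next hunk; grep the whole file for any remaining "accepable" so the cleanup is complete in one commit rather than leaving stragglers.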
Lines 2807-2813 Link Here
2807
creates and manages.
2807
creates and manages.
2808
By default, 1024 sub-queues are created when an instance
2808
By default, 1024 sub-queues are created when an instance
2809
of the fq_{codel/pie} scheduler is created.
2809
of the fq_{codel/pie} scheduler is created.
2810
The maximum accepable value is
2810
The maximum acceptable value is
2811
65536.
2811
65536.
2812
.El
2812
.El
2813
.Pp
2813
.Pp
Lines 2906-2912 Link Here
2906
Note that for slow speed links you should keep the queue
2906
Note that for slow speed links you should keep the queue
2907
size short or your traffic might be affected by a significant
2907
size short or your traffic might be affected by a significant
2908
queueing delay.
2908
queueing delay.
2909
E.g., 50 max-sized ethernet packets (1500 bytes) mean 600Kbit
2909
E.g., 50 max-sized Ethernet packets (1500 bytes) mean 600Kbit
2910
or 20s of queue on a 30Kbit/s pipe.
2910
or 20s of queue on a 30Kbit/s pipe.
2911
Even worse effects can result if you get packets from an
2911
Even worse effects can result if you get packets from an
2912
interface with a much larger MTU, e.g.\& the loopback interface
2912
interface with a much larger MTU, e.g.\& the loopback interface
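Review bot: the arithmetic at 2909-2910 checks out (50 x 1500 bytes = 75,000 bytes = 600 Kbit, which is 20 s at 30 Kbit/s), so the Ethernet capitalization at 2909 is the only change needed for correctness; while on these lines, "600Kbit" and "30Kbit/s" would read better with a space and consistent unit casing (for example "600 kbit" and "30 kbit/s") if that is how the rest of the page writes units.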
Lines 3053-3059 Link Here
3053
.It Cm onoff
3053
.It Cm onoff
3054
enable turning PIE on and off depending on queue load.
3054
enable turning PIE on and off depending on queue load.
3055
If this option is enabled,
3055
If this option is enabled,
3056
PIE turnes on when over 1/3 of queue becomes full.
3056
PIE turns on when over 1/3 of queue becomes full.
3057
This option is disabled by
3057
This option is disabled by
3058
default.
3058
default.
3059
.It Cm dre | ts
3059
.It Cm dre | ts
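Review bot: line 3054 still begins lowercase ("enable turning PIE on and off") while the earlier hunks capitalize the first word of .It descriptions; change it to "Enable turning PIE on and off depending on queue load." and, at 3056, "over 1/3 of the queue becomes full" for the missing article. The "turnes" to "turns" fix at 3056 is correct.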
Lines 4089-4095 Link Here
4089
If your network has network traffic analyzer
4089
If your network has network traffic analyzer
4090
connected to your host directly via dedicated interface
4090
connected to your host directly via dedicated interface
4091
or remotely via RSPAN vlan, you can selectively mirror
4091
or remotely via RSPAN vlan, you can selectively mirror
4092
some ethernet layer2 frames to the analyzer.
4092
some Ethernet layer2 frames to the analyzer.
4093
.Pp
4093
.Pp
4094
First, make sure your firewall is already configured and runs.
4094
First, make sure your firewall is already configured and runs.
4095
Then, enable layer2 processing if not already enabled:
4095
Then, enable layer2 processing if not already enabled:
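Review bot: lines 4089-4090 are missing articles ("If your network has a network traffic analyzer connected to your host directly via a dedicated interface"), and "RSPAN vlan" at 4091 should be "RSPAN VLAN" for the same reason the patch capitalizes Ethernet at 4092; "layer2" at 4092 and 4095 would normally be written "layer 2". Fix these together since the hunk is already here. Line 4094 "is already configured and runs" reads better as "is already configured and running".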
Lines 4434-4440 Link Here
4434
.Dl "ipfw nat 5 config redirect_port tcp"
4434
.Dl "ipfw nat 5 config redirect_port tcp"
4435
.Dl "			192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500"
4435
.Dl "			192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500"
4436
.Pp
4436
.Pp
4437
Sometimes you may want to mix NAT and dynamic rules. It could be achived with
4437
Sometimes you may want to mix NAT and dynamic rules. It could be achieved with
4438
.Cm record-state
4438
.Cm record-state
4439
and
4439
and
4440
.Cm defer-action
4440
.Cm defer-action
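Review bot: line 4437 puts two sentences on one line; mdoc wants each sentence to start on its own line, so split it into "Sometimes you may want to mix NAT and dynamic rules." and "It could be achieved with" as separate lines. The "achived" to "achieved" fix itself is correct. The .Dl at 4435 indents the continuation with literal tabs inside the quoted string; consider spaces so the rendered indent does not depend on tab width.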
Lines 4447-4454 Link Here
4447
.Cm allow
4447
.Cm allow
4448
rule packet need to be passed to NAT, not allowed as soon is possible.
4448
rule packet need to be passed to NAT, not allowed as soon is possible.
4449
.Pp
4449
.Pp
4450
There is example of set of rules to achive this. Bear in mind that this
4450
There is example of set of rules to achieve this. Bear in mind that this
4451
is exmaple only and it is not very usefult by itself.
4451
is example only and it is not very useful by itself.
4452
.Pp
4452
.Pp
4453
On way out, after all checks place this rules:
4453
On way out, after all checks place this rules:
4454
.Pp
4454
.Pp
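Review bot: the typo fixes at 4450 and 4451 are correct, but the surrounding lines of this paragraph stay ungrammatical and this patch is a wording cleanup of exactly this section, so fix them too: 4448 "rule packet need to be passed to NAT, not allowed as soon is possible." should read "rule the packet needs to be passed to NAT, not allowed as soon as possible."; 4450 should become "Here is an example set of rules to achieve this." on its own line (mdoc new sentence, new line), followed by "Bear in mind that this" on the next; 4451 "is an example only and it is not very useful by itself."; and 4453 "On the way out, after all checks, place these rules:".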
