IPFW ipfw blocks outgoing carp advertisements when using pipe

I want to rate limit all outgoing traffic. I'm able to do so by following these steps

Add the following line to /boot/loader.conf:
dummynet_load="YES"

Add the following lines to /etc/rc.conf:
Code:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

The /etc/ipfw.rules file looks like this:
Code:
ipfw -q add 65534 allow all from any to any
ipfw -q pipe 1 config bw 3Mbit/s
ipfw -q add 10 pipe 1 all from any to any out

Now, the problem is that the outgoing carp advertisements are blocked. Other outgoing traffic is fine, like ping, ntp requests etc.

If I remove the two last lines in /etc/ipfw.rules, the carp advertisements are not blocked.

I have to admit that I'm not very up to speed on ipfw. I don't need the firewall capabilities, I only want to rate limit outgoing traffic, so if there's a smarter way to implement rate limit, I'm willing to try!
 
CARP uses IP protocol 112 (VRRP), so you can add it like this:

ipfw add 5 allow carp from any to any
or

ipfw add 5 allow 112 from any to any

This will allow the multicast to 224.0.0.18.

The rule number must be above the pipe rule; this way the pipe won't limit the carp advertisements. In the above example I used rule number 5 because your pipe is at rule number 10. Anyway, your pipe should not "block" protocol 112, so it's better to check with tcpdump and ipfw count to analyze why those advertisements are blocked.

To monitor those CARP advertisements you can use tcpdump (igb0 is the interface in the example below, so replace it with your interface name):
tcpdump -npi igb0 -T carp
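The complete ruleset that the question and this answer describe, written as a constructed example (not the original poster's /etc/ipfw.rules and not from the FreeBSD project): the CARP allow rule is numbered below the pipe rule so that ipfw's first-match search terminates before the packet ever enters dummynet, and a small helper reads the per-rule packet counters from `ipfw -a list` so you can confirm that rule 5 is actually matching. The `FWCMD` variable, the `load_rules` and `rule_packets` function names and the sample listing are assumptions made for this example; the rule numbers, the 3Mbit/s bandwidth and the `-T carp` tcpdump invocation come from the thread.

```shell
#!/bin/sh
# Constructed example of /etc/ipfw.rules (firewall_script in rc.conf).
# Set FWCMD=echo to print the rules instead of loading them (assumed knob).

load_rules() {
    fwcmd="${FWCMD:-ipfw -q}"
    # Start from an empty ruleset and no leftover pipes.
    ${fwcmd} -f flush
    ${fwcmd} pipe flush
    # 3 Mbit/s pipe for everything leaving the box.
    ${fwcmd} pipe 1 config bw 3Mbit/s
    # CARP (IP protocol 112) must be accepted BEFORE the pipe rule: ipfw is
    # first-match, so rule 5 ends the search and the advertisement never
    # enters dummynet, whatever net.inet.ip.fw.one_pass is set to.
    ${fwcmd} add 5 allow carp from any to any
    # All other outbound traffic is shaped by pipe 1.
    ${fwcmd} add 10 pipe 1 all from any to any out
    # Default accept: this box only shapes, it does not filter.
    ${fwcmd} add 65534 allow all from any to any
}

# Constructed sample of `ipfw -a list` output: rule, packets, bytes, body.
SAMPLE_LIST='00005 120 5520 allow carp from any to any
00010 3481 2900112 pipe 1 ip from any to any out
65534 0 0 allow ip from any to any
65535 0 0 deny ip from any to any'

# rule_packets <rule number> [listing]
# Prints the packet counter of one rule from `ipfw -a list` (or from the
# listing passed as the second argument). A rising counter on rule 5 shows
# that CARP advertisements are matched before the pipe.
rule_packets() {
    printf '%s\n' "${2:-$(ipfw -a list)}" |
        awk -v r="$1" '$1+0 == r { print $2; exit }'
}

# Load the rules when run on a host that has ipfw (or when FWCMD is set,
# e.g. FWCMD=echo sh /etc/ipfw.rules for a dry run).
if [ -n "$FWCMD" ] || command -v ipfw >/dev/null 2>&1; then
    load_rules
fi
```

After loading, `ipfw -a list` should show the counter on rule 5 increasing by one per advertisement interval while `tcpdump -npi igb0 -T carp` shows the packets on the wire; if rule 5 stays at zero, the advertisements are not reaching ipfw's outbound check at all and the pipe is not the cause.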
 
Now I can see the carp advertisements in wireshark, thanks!

Do you have any idea why the pipe is blocking the carp advertisements, but not ping, ntp requests etc.?
 
I only suspect that when the multicast traffic goes out from the firewall (ipfw_chk) to dummynet it gets dropped there and doesn't return to ip_output, or, if ipfw one_pass is disabled, it's not injected again into ipfw_chk for the second pass. I don't know if dummynet can rate limit multicast traffic or not.

Edit:
it's supported according to multicast(4):
The max_rate_limit argument is no longer supported in FreeBSD and
should be set to 0. Users who wish to rate-limit multicast datagrams
should consider the use of dummynet(4) or altq(4).

Do you use one_pass? From ipfw(8):

pipe pipe_nr
Pass packet to a dummynet "pipe" (for bandwidth limitation, delay, etc.). See the "TRAFFIC SHAPER (DUMMYNET) CONFIGURATION" Section for further information. The search terminates; however, on exit from the pipe and if the sysctl(8) variable net.inet.ip.fw.one_pass is not set, the packet is passed again to the firewall code starting from the next rule.

You may test altq(4) instead of dummynet.
 