From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 11 08:58:41 2014 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0413CDCF for ; Thu, 11 Dec 2014 08:58:41 +0000 (UTC) Received: from mail-la0-x241.google.com (mail-la0-x241.google.com [IPv6:2a00:1450:4010:c03::241]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 62EA1142 for ; Thu, 11 Dec 2014 08:58:40 +0000 (UTC) Received: by mail-la0-f65.google.com with SMTP id hs14so739653lab.0 for ; Thu, 11 Dec 2014 00:58:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=Ycc1YNVgzi9dioeP+dSE+glFJR9lvLB3mUrx66xAQ3M=; b=EzVT6/gRDTexRmokQ3wSnBKtXhal0n99lFv7g6mz3arjr2RsbLu9YkVdjWwlCwMR6j pVoumzJtt9gqKnY8NRzKaVW6X9ToGXCQ9gHjFFOLcrAaCr+pfoKH9+hQRn/KunzH7x74 sQmvwm4rh9u7gx2IO38DCg5PwD7KYS8t03VqLn4De7wR0Eel6DZhSt01HjrpTWLZLc5G G4RwXrU4qcyzz1JwSNs459KWcKr1oUb2QiBz6BkB84yrsA5kot16yAiNl9PvD3Bo5m5N 2ELVHxkFBKV5/zIwhzU+UJpkwa3aX7Mw33iQzlxchprTuU9Ot/d0wjzO92SKho55bnzy WBaA== X-Received: by 10.112.168.97 with SMTP id zv1mr8767330lbb.6.1418288318348; Thu, 11 Dec 2014 00:58:38 -0800 (PST) MIME-Version: 1.0 Received: by 10.25.163.73 with HTTP; Thu, 11 Dec 2014 00:58:18 -0800 (PST) In-Reply-To: References: From: Ahmed Kamal Date: Thu, 11 Dec 2014 10:58:18 +0200 Message-ID: Subject: Re: ipfw pipe bursting, not working To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Dec 2014 08:58:41 -0000 I am trying to debug this over ssh (freebsd shell) .. While I'm quite experienced with Linux, I'm new to BSDs .. Can someone guide me into running a few commands to discover what's wrong .. Thanks a lot folks On Fri, Dec 5, 2014 at 9:51 PM, Ahmed Kamal wrote: > Hi folks, > > Any thoughts on why "burst" is not having any effect? I'd really > appreciate any feedback .. Thanks > > On Thu, Dec 4, 2014 at 12:18 AM, Ahmed Kamal < > email.ahmedkamal@googlemail.com> wrote: > >> Hi, >> >> I am using pfsense (hope this is not frowned upon) to configure ipfw >> limiting. I am finding that rate limiting is working great, however the >> "burst" parameter does not seem to have any effect at all. I found this bug >> open https://redmine.pfsense.org/issues/3933 .. Based on the milestone, >> I'm not expecting a speedy fix. >> >> I would like to help debug whats wrong, I am pasting below the output of >> "ipfw pipe show" I am hoping a more experienced eye can spot a >> misconfiguration .. Thanks for the help >> >> # ipfw pipe show >> >> 00002: 3.000 Mbit/s 0 ms burst 50000000 >> q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 >> droptail >> sched 65538 type FIFO flags 0x1 256 buckets 27 active >> mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000 >> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes >> Pkt/Byte Drp >> 19 ip 0.0.0.0/0 10.0.0.19/0 13 19396 0 >> 0 0 >> 55 ip 0.0.0.0/0 10.0.0.55/0 51 6504 0 >> 0 0 >> 78 ip 0.0.0.0/0 10.0.0.78/0 1 52 0 >> 0 0 >> 81 ip 0.0.0.0/0 10.0.0.81/0 565 136618 0 >> 0 0 >> 83 ip 0.0.0.0/0 10.0.0.83/0 74 14998 0 >> 0 0 >> 90 ip 0.0.0.0/0 10.0.0.90/0 21 2011 0 >> 0 0 >> 100 ip 0.0.0.0/0 10.0.0.100/0 4465 2173866 0 >> 0 0 >> 101 ip 0.0.0.0/0 10.0.0.101/0 1077 1268015 0 >> 0 0 >> 110 ip 0.0.0.0/0 10.0.0.110/0 53 6269 0 >> 0 0 >> 124 ip 0.0.0.0/0 10.0.0.124/0 15 2064 0 >> 0 0 >> 134 ip 0.0.0.0/0 10.0.0.134/0 637 134530 0 >> 0 0 >> 135 ip 0.0.0.0/0 10.0.0.135/0 343 63025 0 >> 0 0 >> 143 ip 0.0.0.0/0 10.0.0.143/0 32 3109 0 >> 0 0 >> 145 ip 0.0.0.0/0 10.0.0.145/0 250 117755 0 >> 0 0 >> 147 ip 0.0.0.0/0 10.0.0.147/0 62037 85170555 0 >> 0 347 >> 150 ip 0.0.0.0/0 10.0.0.150/0 322 71834 0 >> 0 0 >> 152 ip 0.0.0.0/0 10.0.0.152/0 433 242323 0 >> 0 0 >> 156 ip 0.0.0.0/0 10.0.0.156/0 147 72501 0 >> 0 0 >> 174 ip 0.0.0.0/0 10.0.0.174/0 1635 1202725 0 >> 0 0 >> 180 ip 0.0.0.0/0 10.0.0.180/0 847 325265 0 >> 0 0 >> 183 ip 0.0.0.0/0 10.0.0.183/0 94 21052 0 >> 0 0 >> 187 ip 0.0.0.0/0 10.0.0.187/0 2 274 0 >> 0 0 >> 191 ip 0.0.0.0/0 54.76.66.39/0 1 40 0 >> 0 0 >> 193 ip 0.0.0.0/0 10.0.0.193/0 127 33068 0 >> 0 0 >> 197 ip 0.0.0.0/0 10.0.0.197/0 1 141 0 >> 0 0 >> 198 ip 0.0.0.0/0 10.0.0.198/0 58 15346 0 >> 0 0 >> 199 ip 0.0.0.0/0 10.0.0.199/0 4078 5472882 0 >> 0 0 >> > > From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 12 12:49:03 2014 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9EFA02C7 for ; Fri, 12 Dec 2014 12:49:03 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A6A4C29A for ; Fri, 12 Dec 2014 12:49:02 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id sBCCmpWd009756; Fri, 12 Dec 2014 23:48:52 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Fri, 12 Dec 2014 23:48:51 +1100 (EST) From: Ian Smith To: Ahmed Kamal Subject: Re: ipfw pipe bursting, not working In-Reply-To: Message-ID: <20141212223743.X68123@sola.nimnet.asn.au> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-ipfw@freebsd.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Dec 2014 12:49:03 -0000 On Thu, 11 Dec 2014 10:58:18 +0200, Ahmed Kamal wrote: > I am trying to debug this over ssh (freebsd shell) .. While I'm quite > experienced with Linux, I'm new to BSDs .. Can someone guide me into > running a few commands to discover what's wrong .. Thanks a lot folks For me at least, there are too many questions arising to speculate much. I know nothing about pfSense except what I can find on its website, and that's pretty scant on what's going on under the hood without actually digging into sources. I don't even know how and in what order packets are processed by pf and ipfw+dummynet, so don't count me of much use. Presumably you're running a pfSense 2.2 beta, or the just released RC? If so it's FreeBSD 10.1 based, while earlier releases are based on 8.2; you should show at least 'uname -a' contents, and in this case output of 'ipfw show' including rules feeding the pipe might demystify. 'ifconfig' re interface/s concerned (100Mbit? 10Gbit?), stuff that may matter .. But anyway, this seems confirmed as a pfSense bug by Chris Buechler's last comment on the bug URL you quote below: "dummynet burst on stock FreeBSD 10.1 does indeed work how I'd expect it to work. Ours doesn't have any impact whatsoever, with the exact same pipe config that has the expected behavior on 10.1. This has never worked, and there are too many 2.2 target issues already, so I just commented out the burst portion from the GUI bits. Can revisit later." And indeed, unless solved by you and whatever pfSense testers you can muster in the next week or so, it seems burst won't be in pfSense 2.2. One thing struck me comparing the burst description in ipfw(8) and this: https://redmine.pfsense.org/attachments/download/851/2013-09-18_110224.png and linked from another bug I snipped one stanza of 30-limiters-config.txt: Limiter1 1 5 Mb none on none 0 but none of the 30 entries showed burst config .. I'm wondering whether they're using bytes as the units (as in your pipe show below) or whether the '100' in the image above would be specified as Mbits, seeing the bw is given in Mbit/s - or what? ie can you show your config for this in the XML form used by pfSense? And then, if you can find the PHP code that calculates and updates that config, and whatever code that reads that and runs 'ipfw pipe config', you'll maybe find the issue, or at least provide something to chew on. And just checking: you have a normally 3Mbit/s pipe you want to let the first 50Mbytes burst at full speed? Which would take how many seconds? cheers, Ian > On Fri, Dec 5, 2014 at 9:51 PM, Ahmed Kamal > wrote: > > > Hi folks, > > > > Any thoughts on why "burst" is not having any effect? I'd really > > appreciate any feedback .. Thanks > > > > On Thu, Dec 4, 2014 at 12:18 AM, Ahmed Kamal < > > email.ahmedkamal@googlemail.com> wrote: > > > >> Hi, > >> > >> I am using pfsense (hope this is not frowned upon) to configure ipfw > >> limiting. I am finding that rate limiting is working great, however the > >> "burst" parameter does not seem to have any effect at all. I found this bug > >> open https://redmine.pfsense.org/issues/3933 .. Based on the milestone, > >> I'm not expecting a speedy fix. > >> > >> I would like to help debug whats wrong, I am pasting below the output of > >> "ipfw pipe show" I am hoping a more experienced eye can spot a > >> misconfiguration .. Thanks for the help > >> > >> # ipfw pipe show > >> > >> 00002: 3.000 Mbit/s 0 ms burst 50000000 > >> q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 > >> droptail > >> sched 65538 type FIFO flags 0x1 256 buckets 27 active > >> mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000 > >> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes > >> Pkt/Byte Drp > >> 19 ip 0.0.0.0/0 10.0.0.19/0 13 19396 0 > >> 0 0 > >> 55 ip 0.0.0.0/0 10.0.0.55/0 51 6504 0 > >> 0 0 > >> 78 ip 0.0.0.0/0 10.0.0.78/0 1 52 0 > >> 0 0 > >> 81 ip 0.0.0.0/0 10.0.0.81/0 565 136618 0 > >> 0 0 > >> 83 ip 0.0.0.0/0 10.0.0.83/0 74 14998 0 > >> 0 0 > >> 90 ip 0.0.0.0/0 10.0.0.90/0 21 2011 0 > >> 0 0 > >> 100 ip 0.0.0.0/0 10.0.0.100/0 4465 2173866 0 > >> 0 0 > >> 101 ip 0.0.0.0/0 10.0.0.101/0 1077 1268015 0 > >> 0 0 > >> 110 ip 0.0.0.0/0 10.0.0.110/0 53 6269 0 > >> 0 0 > >> 124 ip 0.0.0.0/0 10.0.0.124/0 15 2064 0 > >> 0 0 > >> 134 ip 0.0.0.0/0 10.0.0.134/0 637 134530 0 > >> 0 0 > >> 135 ip 0.0.0.0/0 10.0.0.135/0 343 63025 0 > >> 0 0 > >> 143 ip 0.0.0.0/0 10.0.0.143/0 32 3109 0 > >> 0 0 > >> 145 ip 0.0.0.0/0 10.0.0.145/0 250 117755 0 > >> 0 0 > >> 147 ip 0.0.0.0/0 10.0.0.147/0 62037 85170555 0 > >> 0 347 > >> 150 ip 0.0.0.0/0 10.0.0.150/0 322 71834 0 > >> 0 0 > >> 152 ip 0.0.0.0/0 10.0.0.152/0 433 242323 0 > >> 0 0 > >> 156 ip 0.0.0.0/0 10.0.0.156/0 147 72501 0 > >> 0 0 > >> 174 ip 0.0.0.0/0 10.0.0.174/0 1635 1202725 0 > >> 0 0 > >> 180 ip 0.0.0.0/0 10.0.0.180/0 847 325265 0 > >> 0 0 > >> 183 ip 0.0.0.0/0 10.0.0.183/0 94 21052 0 > >> 0 0 > >> 187 ip 0.0.0.0/0 10.0.0.187/0 2 274 0 > >> 0 0 > >> 191 ip 0.0.0.0/0 54.76.66.39/0 1 40 0 > >> 0 0 > >> 193 ip 0.0.0.0/0 10.0.0.193/0 127 33068 0 > >> 0 0 > >> 197 ip 0.0.0.0/0 10.0.0.197/0 1 141 0 > >> 0 0 > >> 198 ip 0.0.0.0/0 10.0.0.198/0 58 15346 0 > >> 0 0 > >> 199 ip 0.0.0.0/0 10.0.0.199/0 4078 5472882 0 > >> 0 0 > >> > > > > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >