Date: Mon, 19 Oct 2009 15:09:35 +0400
From: Oleg Bulyzhin
To: rihad
Cc: freebsd-net@freebsd.org
Subject: Re: dummynet dropping too many packets

On Fri, Oct 09, 2009 at 07:35:01PM +0500, rihad wrote:
> Oleg Bulyzhin wrote:
> > On Wed, Oct 07, 2009 at 03:52:56PM +0500, rihad wrote:
> >
> >> You probably have some special sources of documentation ;-) According to
> >> man ipfw, both "netgraph/ngtee" and "pipe" decide the fate of the packet
> >> unless one_pass=0. Or do you mean sprinkling smart skiptos here and
> >> there? ;-)
> >
> > you can
> > 1) use ng_ether & ng_netflow. (so no need in 'ngtee' rule).
> > 2) use 'tee' rule with ng_ksocket & ng_netflow
> >
> >>> Could you show your 'ipfw show' output? (hide ip addresses if you wish but
> >>> keep counters please).
> >>>
> >
> >> Here it is, in its whole glory:
> >>
> >> 00100 10434423 1484891105 allow ip from any to any via lo0
> >> 00200 2 14 deny ip from any to 127.0.0.0/8
> >> 00300 1 4 deny ip from 127.0.0.0/8 to any
> >> 01000 3300039938 327603104711 allow ip from any to any in
> >> 01010 26214900 421138433 allow ip from me to any out
> >> 01020 5453857 46806278 allow icmp from any to any out
> >> 01030 3268289053 327224694165 ngtee 1 ip from any to any out
> >> 01040 18681181 1089636054 skipto 1100 ip from table(127) to any out
> >> recv bce0 xmit bce1
> >> 01060 777488848 76743392754 pipe tablearg ip from any to table(0) out
> >> recv bce0 xmit bce1
> >> 01070 776831109 76682499457 allow ip from any to table(0) out recv
> >> bce0 xmit bce1
> >> 01100 13102697 808411842 pipe tablearg ip from any to table(2) out
> >> 65535 662648946 66711487830 allow ip from any to any
> >
> > I guess this one would be better(faster):
> >
> > 00050 allow ip from any to any in
> > 00100 allow ip from any to any via lo0
> > 01010 allow ip from me to any
> > 01020 allow icmp from any to any
> > 01030 ngtee 1 ip from any to any
> > 01035 skipto 1040 ip from any to any recv bce0 xmit bce1
> > 01036 allow ip from any to any
> > 01040 skipto 1100 ip from table(127) to any
> > 01060 pipe tablearg ip from any to table(0)
> > 01070 allow ip from any to any
> > 01100 pipe tablearg ip from any to table(2)
> > 65535 allow ip from any to any
> >
> Tried it just now - no visible effect.
> 400-700 packet drops per second which is around 5-7 mbps dropped on
> output. So I don't think getting rid of one_pass=0 would help at all.

One more idea to check:
What happens if you rearrange your rules to shape 'in' packets?
i.e. use 'in recv bce0' instead of 'out recv bce0 xmit bce1'.

--
Oleg.

================================================================
=== Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg@rinet.ru ===
================================================================