Date: Tue, 27 Jan 2009 21:09:46 +0200
From: KES <kes-kes@yandex.ru>
To: "Sebastian Mellmann" <sebastian.mellmann@net.t-labs.tu-berlin.de>
Cc: Ian Smith <smithi@nimnet.asn.au>, freebsd-questions@freebsd.org
Subject: Re[2]: IPFW DUMMYNET: Several pipes after each other
Message-ID: <546183781.20090127210946@yandex.ru>
In-Reply-To: <38577.130.149.220.164.1232964978.squirrel@anubis.getmyip.com>
References: <20090122120027.4E186106570D@hub.freebsd.org> <20090125153358.X90458@sola.nimnet.asn.au> <38577.130.149.220.164.1232964978.squirrel@anubis.getmyip.com>
Hello, Sebastian.

You wrote on 26 January 2009, 12:16:18:

SM> Ian Smith wrote:
SM> On Thu, 22 Jan 2009 08:10:09 +0100 (CET)
>> >
>> > So far I've got those rules:
>> >
>> > in_if="em0"
>> > out_if="em1"
>> > management_if="em2"
>> > in_ip="100.100.100.1"
>> > out_ip="200.200.200.1"
>> > management_ip="172.16.0.201"
>> > client1_subnet="192.168.5.0/26"
>> > client2_subnet="192.168.6.0/26"
>> > server_subnet="192.168.7.0/24"
>> >
>> > download_bandwidth="6144Kbit/s"
>> > upload_bandwidth="1024Kbit/s"
>> > delay="0"
>> > queue_size="10"
>>
>> 10 slots ie packets is likely too small a queue size at these rates.
>> You want to check the dropped packet stats from 'ipfw pipe show' re
>> that; see the section in ipfw(8) about calculating sizes / delays.
>>

SM> I had a look at the ipfw howto on the freebsd site [1], but I'm not 100%
SM> sure how to choose a "good" value for the queue size.
SM> If I choose the default (50 packets) it means that it takes approx. 100ms
SM> (600kbits / 6144kbits) to fill the queue.
SM> So the question is: Which value to choose for the queue?

>> I suggest using 'in recv' and 'out xmit' rather than via for these, for
>> the sake of clarity. 'in recv' and 'in via' come to the same thing, as
>> only the receive interface is known on inbound packets, but 'out via'
>> applies to packets that were *received* on the specified interface as
>> well as those going out on that interface after routing, which can lead
>> to surprising results sometimes, and being more specific never hurts ..

SM> Thanks for the hint.
SM> I'll change that.

>> > But when I have a look at the pipes with 'ipfw show' I can only see
>> > packets go through the pipe 50 and nothing goes through the other pipes
>> > (which makes sense actually since IPFW work that way?).
>>
>> IPFW works that way if you (likely) have net.inet.ip.fw.one_pass=1 .. so
>> that packets exiting from pipes aren't seen by the firewall again. If
>> you set one_pass=0, packets are reinjected into the firewall at the rule
>> following the pipe (or queue) action, which is what you want to do here.

SM> Actually this is also described in the manpage of ipfw(8).
SM> Shame on me ;-)

>> And you'll surely need a much larger queue for this pipe, at 100Mbit/s.
>>

SM> As already asked above:
SM> How do I know the queue is large or small enough for my needs?

How to calculate queue length for your link speed:

suggest link speed is 64kbit/s = 8KB/s
50pkts in queue is 75000bytes (50*1500) ~73KB
73KB/8KB = 9sec
so for bandwidth 64kbit you will have timeout 9000ms if queue is full.

For example you want to have only 1000ms timeouts (ping)
1 * 8KB = 8KB. This is the max information transmitted before queue will overflow for given timeout.
8Kb/1500= 5 -- value for your queue size

For links with speed > 512Kbit your queue size 50

I use next values for queues:

c pipe 1 config bw 65536bit/s queue 5 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 2 config bw 65536bit/s queue 5 mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 1 config pipe 1 queue 5 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 2 config pipe 2 queue 5 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 3 config bw 131072bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 4 config bw 131072bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 3 config pipe 3 queue 10 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 4 config pipe 4 queue 10 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 5 config bw 262144bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 6 config bw 262144bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 5 config pipe 5 queue 20 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 6 config pipe 6 queue 20 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 7 config bw 524288bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 8 config bw 524288bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 7 config pipe 7 queue 40 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 8 config pipe 8 queue 40 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 9 config bw 1048576bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 10 config bw 1048576bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 9 config pipe 9 queue 50 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 10 config pipe 10 queue 50 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 11 config bw 2097152bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 12 config bw 2097152bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 11 config pipe 11 queue 50 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 12 config pipe 12 queue 50 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

WARNING!!! you must use own queue/pipe for in/out traffic.
In case you put in and out traffic to one pipe/queue you will simulate asynchronous link!!!
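
The queue-size arithmetic from the message above, as an added example that is not part of the original post: it converts an ipfw-style bandwidth string to bit/s, reports the worst-case wait behind a full queue, and picks the slot count that fits a latency budget. The function names are hypothetical, K and M are assumed to be decimal multipliers, and the 1500-byte packet size and 50-slot cap are taken from the message.

```shell
#!/bin/sh
# Added example (not from the thread): dummynet queue sizing for a latency budget.
# Function names are hypothetical; 1500-byte packets and the 50-slot cap follow the message.
MTU=1500
MAX_SLOTS=50

# Convert an ipfw-style bandwidth ("65536bit/s", "6144Kbit/s", "1MByte/s") to bit/s.
# Assumption: K and M are decimal multipliers (1000, 1000000).
bw_to_bps() {
    num=${1%%[!0-9]*}          # leading digits
    unit=${1#"$num"}           # remainder, e.g. Kbit/s
    # Empty or 0 (unlimited pipe) has no finite queuing delay: reject it.
    [ "${num:-0}" -gt 0 ] || return 1
    case "$unit" in
        bit/s)      mult=1 ;;
        [Kk]bit/s)  mult=1000 ;;
        [Mm]bit/s)  mult=1000000 ;;
        Byte/s)     mult=8 ;;
        [Kk]Byte/s) mult=8000 ;;
        [Mm]Byte/s) mult=8000000 ;;
        *)          return 1 ;;
    esac
    echo $((num * mult))
}

# Worst-case wait in ms for a packet that arrives behind <slots> full-size packets.
queue_delay_ms() {
    bps=$(bw_to_bps "$1") || return 1
    echo $(( $2 * MTU * 8 * 1000 / bps ))
}

# Largest slot count whose full queue drains within <budget_ms>, clamped to 1..MAX_SLOTS.
queue_slots_for() {
    bps=$(bw_to_bps "$1") || return 1
    slots=$(( bps * $2 / (MTU * 8 * 1000) ))
    if [ "$slots" -lt 1 ]; then slots=1; fi
    if [ "$slots" -gt "$MAX_SLOTS" ]; then slots=$MAX_SLOTS; fi
    echo "$slots"
}

# Constructed sample run: the 64 kbit/s pipe and the 6144Kbit/s download pipe from the thread.
for bw in 65536bit/s 6144Kbit/s; do
    echo "$bw: 50 slots wait $(queue_delay_ms "$bw" 50) ms;" \
         "1000 ms budget -> queue $(queue_slots_for "$bw" 1000)"
done
```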
