Date: Tue, 27 Jan 2009 21:09:46 +0200
From: KES
To: "Sebastian Mellmann"
Cc: Ian Smith, freebsd-questions@freebsd.org
Subject: Re[2]: IPFW DUMMYNET: Several pipes after each other

Hello, Sebastian.

You wrote on 26 January 2009, 12:16:18:

SM> Ian Smith wrote:
SM> On Thu, 22 Jan 2009 08:10:09 +0100 (CET)
>> >
>> > So far I've got those rules:
>> >
>> > in_if="em0"
>> > out_if="em1"
>> > management_if="em2"
>> > in_ip="100.100.100.1"
>> > out_ip="200.200.200.1"
>> > management_ip="172.16.0.201"
>> > client1_subnet="192.168.5.0/26"
>> > client2_subnet="192.168.6.0/26"
>> > server_subnet="192.168.7.0/24"
>> >
>> > download_bandwidth="6144Kbit/s"
>> > upload_bandwidth="1024Kbit/s"
>> > delay="0"
>> > queue_size="10"
>>
>> 10 slots ie packets is likely too small a queue size at these rates.
>> You want to check the dropped packet stats from 'ipfw pipe show' re
>> that; see the section in ipfw(8) about calculating sizes / delays.
>>

SM> I had a look at the ipfw howto on the freebsd site [1], but I'm not 100%
SM> sure how to choose a "good" value for the queue size.

SM> If I choose the default (50 packets) it means that it takes approx. 100ms
SM> (600kbits / 6144kbits) to fill the queue.
SM> So the question is: Which value to choose for the queue?

>> I suggest using 'in recv' and 'out xmit' rather than via for these, for
>> the sake of clarity. 'in recv' and 'in via' come to the same thing, as
>> only the receive interface is known on inbound packets, but 'out via'
>> applies to packets that were *received* on the specified interface as
>> well as those going out on that interface after routing, which can lead
>> to surprising results sometimes, and being more specific never hurts ..

SM> Thanks for the hint.
SM> I'll change that.

>> > But when I have a look at the pipes with 'ipfw show' I can only see
>> > packets go through the pipe 50 and nothing goes through the other pipes
>> > (which makes sense actually since IPFW works that way?).
>>
>> IPFW works that way if you (likely) have net.inet.ip.fw.one_pass=1 .. so
>> that packets exiting from pipes aren't seen by the firewall again. If
>> you set one_pass=0, packets are reinjected into the firewall at the rule
>> following the pipe (or queue) action, which is what you want to do here.

SM> Actually this is also described in the manpage of ipfw(8).
SM> Shame on me ;-)

>> And you'll surely need a much larger queue for this pipe, at 100Mbit/s.
>>

SM> As already asked above:
SM> How do I know the queue is large or small enough for my needs?

How to calculate queue length for your link speed:
Suppose link speed is 64kbit/s = 8KB/s
50pkts in queue is 75000bytes (50*1500) ~73KB
73KB/8KB = 9sec
so for bandwidth 64kbit you will have timeout 9000ms if queue is full.

For example you want to have only 1000ms timeouts (ping)
1 * 8KB = 8KB. This is the max information transmitted before the queue will overflow for the given timeout.
8Kb/1500 = 5 -- value for your queue size

For links with speed > 512Kbit your queue size is 50.

I use the following values for queues:

c pipe 1 config bw 65536bit/s queue 5 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 2 config bw 65536bit/s queue 5 mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 1 config pipe 1 queue 5 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 2 config pipe 2 queue 5 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 3 config bw 131072bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 4 config bw 131072bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 3 config pipe 3 queue 10 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 4 config pipe 4 queue 10 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 5 config bw 262144bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 6 config bw 262144bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 5 config pipe 5 queue 20 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 6 config pipe 6 queue 20 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 7 config bw 524288bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 8 config bw 524288bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 7 config pipe 7 queue 40 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 8 config pipe 8 queue 40 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 9 config bw 1048576bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 10 config bw 1048576bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 9 config pipe 9 queue 50 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 10 config pipe 10 queue 50 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 11 config bw 2097152bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 12 config bw 2097152bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 11 config pipe 11 queue 50 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 12 config pipe 12 queue 50 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

WARNING!!!
You must use a separate queue/pipe for in/out traffic. If you put in and out traffic into one pipe/queue you will simulate an asynchronous link!!!
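
The queue-length arithmetic in the message above, generalized to any bandwidth and target delay, as an added example that is not part of the original post. The function names, the 1500-byte packet size, the 50-slot cap and the pipe numbering are assumptions taken from the figures in the message; the script only prints ipfw pipe lines (without the gred parameters) and applies nothing.

```shell
#!/bin/sh
# Added example: dummynet queue sizing from the arithmetic in the message above.
# MTU, CAP and the function names are assumptions for illustration.

MTU=1500        # bytes per full-size packet, as used in the post
CAP=50          # upper bound on slots, the value the post uses above 512Kbit/s

# queue_slots BW_BITS TARGET_MS -> slots so a full queue drains in about TARGET_MS
queue_slots() {
    bytes=$(( $1 / 8 * $2 / 1000 ))      # bytes the link can send in TARGET_MS
    slots=$(( bytes / MTU ))
    if [ "$slots" -lt 1 ]; then slots=1; fi
    if [ "$slots" -gt "$CAP" ]; then slots=$CAP; fi
    echo "$slots"
}

# drain_ms BW_BITS SLOTS -> worst-case queuing delay in ms when the queue is full
drain_ms() {
    echo $(( $2 * MTU * 1000 / ($1 / 8) ))
}

# pipe_pair N BW_BITS TARGET_MS -> two config lines, one pipe per direction,
# so that in and out traffic never share a pipe
pipe_pair() {
    q=$(queue_slots "$2" "$3")
    echo "ipfw pipe $1 config bw ${2}bit/s queue $q mask src-ip 0xffffffff"
    echo "ipfw pipe $(( $1 + 1 )) config bw ${2}bit/s queue $q mask dst-ip 0xffffffff"
}

# Print the configuration for the bandwidth ladder from the post,
# targeting at most 1000 ms of queuing delay.
n=1
for bw in 65536 131072 262144 524288 1048576 2097152; do
    pipe_pair "$n" "$bw" 1000
    echo "# worst case with this queue: $(drain_ms "$bw" "$(queue_slots "$bw" 1000)") ms"
    n=$(( n + 2 ))
done
```

The exact division gives 21 and 43 slots for 262144bit/s and 524288bit/s, where the post rounds to 20 and 40.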