Date:      Sun, 02 Dec 2007 01:32:15 +0200
From:      bsdlist@mail.bg
To:        Sten Daniel Soersdal <netslists@gmail.com>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: ipfw + dummynet performance
Message-ID:  <1196551935.56cf06e9c6080@mail.bg>
In-Reply-To: <474BC441.7030303@gmail.com>
References:  <1194447774.1814d69a23ce8@mail.bg> <474BB7CC.4020208@gmail.com> <474BC441.7030303@gmail.com>



> Sten Daniel Soersdal wrote:
> > bsdlist@mail.bg wrote:
> >>
> >>  My question is about performance of ipfw and dummynet with
> >> these rules
> >>
> >>  pipe 101 ip from table(1) to any via em1
> >>  pipe 100 ip from any to table(1) xmit em1
> >>  pipe 200 ip from table(2) to any via em1
> >>  pipe 202 ip from any to table(2) xmit em1
> >>  pipe 301 ip from table(3) to any via em1
> >>  pipe 300 ip from any to table(3) xmit em1
> >>  pipe 401 ip from table(4) to any via em1
> >>  pipe 400 ip from any to table(4) xmit em1
> >>
> >>  ..
> >>  pipe 202 config bw 512K mask dst-ip 0xffffffff
> >>  pipe 200 config bw 256K mask src-ip 0xffffffff
> >>  These rules are the same for the 4 tables but with different
> >> speeds:
> >>
> >
> > 'via' makes you match both 'recv' and 'xmit' packets. Perhaps this
> > clears things up?
> > If you want to make this faster you could halve the number of rules you
> > need to process, but it's not easy to see from what you posted.
> > Example;
> >
> >
> > skipto 1000 xmit em1
> > skipto 2000 recv em1
> >
> > 1000 pipe 100 dst-ip table(1)
> > 1001 pipe 202 dst-ip table(2)     <-- also note the pipe number??
> > 1002 pipe 300 dst-ip table(3)
> > 1003 pipe 400 dst-ip table(4)
> > 1999 accept
> >
> > 2000 pipe 101 src-ip table(1)
> > 2001 pipe 200 src-ip table(2)     <-- also note the pipe number??
> > 2002 pipe 301 src-ip table(3)
> > 2003 pipe 401 src-ip table(4)
> > 2999 accept
> >
> > Also, are you sure you want to swap 202 and 200 in your system? Perhaps
> > this adds to the problem?
> >
> >
>
> That should be;
>
> skipto 1000 out xmit em1
> skipto 2000 in recv em1
>
> To be sure :)
>
> Also you could change the 1999 and 2999 rules to be 'deny' rules to rule
> out spoofing (not in table = deny) depending upon other configuration
> options.
>
> --
> Sten Daniel Soersdal

I will try these options, and I think that they are better
than the ones I currently use, 10x :)

I read something about dynamic rules in ipfw pipe, and made
some changes:
cat /boot/loader.conf

kern.ipc.nmbclusters="262144"
vm.kmem_size="536870912"
vm.kmem_size_max="536870912"

but I can't spend more than 640 Mb of kernel memory with 2G
of physical memory on the system

cat /etc/sysctl.conf
kern.polling.enable=1
net.inet.ip.fw.one_pass=1
#net.inet.ip.fastforwarding=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.inflight.enable=0
net.inet.tcp.recvspace=131072
net.inet.tcp.sendspace=131072
net.inet.ip.dummynet.max_chain_len=32
net.inet.ip.dummynet.hash_size=1024
net.inet.icmp.drop_redirect=1
net.inet.ip.redirect=0
net.inet.ip.portrange.first=5000











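An added example, not code from the thread or from ipfw: a small Python model of the interface matching discussed in the quoted reply. It compares the original eight-rule list with the skipto layout, the bare `recv em1` with `in recv em1`, and `accept` with `deny` as the final rule. The table contents, rule numbers 10-30 and 100-107, the interface em0, the rule 30 accept and the default-accept fallback are assumptions.

```python
from collections import namedtuple
Pkt = namedtuple("Pkt", "dir recv xmit src dst")   # xmit is None on the inbound pass
# Constructed sample data: table -> member addresses; (table, upload pipe, download pipe).
TABLES = {1: {"10.0.1.5"}, 2: {"10.0.2.5"}, 3: {"10.0.3.5"}, 4: {"10.0.4.5"}}
PIPES = [(1, 101, 100), (2, 200, 202), (3, 301, 300), (4, 401, 400)]
def via(i):  return lambda p: (p.xmit if p.dir == "out" else p.recv) == i
def xmit(i): return lambda p: p.dir == "out" and p.xmit == i
def recv(i): return lambda p: p.recv == i           # still true on the outbound pass
def in_recv(i): return lambda p: p.dir == "in" and p.recv == i
def src(t):  return lambda p: p.src in TABLES[t]
def dst(t):  return lambda p: p.dst in TABLES[t]
def both(a, b): return lambda p: a(p) and b(p)
def any_pkt(p): return True

def evaluate(rules, pkt):
    """Return (action, arg, rules examined); a pipe match ends the search (one_pass=1)."""
    i = examined = 0
    while i < len(rules):
        _, action, arg, match = rules[i]
        examined += 1
        if not match(pkt):
            i += 1
        elif action == "skipto":                     # jump to first rule numbered >= arg
            i = next(k for k, r in enumerate(rules) if r[0] >= arg)
        else:
            return action, arg, examined
    return "accept", None, examined                  # assumed default rule: accept

def flat():
    """The eight rules from the original question; rule numbers are constructed."""
    rules = []
    for k, (t, up, down) in enumerate(PIPES):
        rules.append((100 + 2 * k, "pipe", up, both(src(t), via("em1"))))
        rules.append((101 + 2 * k, "pipe", down, both(dst(t), xmit("em1"))))
    return rules

def split(recv_match, last="accept"):
    """The skipto layout from the reply; rule numbers 10-30 are constructed."""
    head = [(10, "skipto", 1000, xmit("em1")), (20, "skipto", 2000, recv_match),
            (30, "accept", None, any_pkt)]  # assumption: keeps other traffic out of block 1000
    down = [(1000 + k, "pipe", d, dst(t)) for k, (t, _, d) in enumerate(PIPES)]
    up = [(2000 + k, "pipe", u, src(t)) for k, (t, u, _) in enumerate(PIPES)]
    return head + down + [(1999, last, None, any_pkt)] + up + [(2999, last, None, any_pkt)]

# Constructed packets; em0 is an assumed second interface.
DOWNLOAD = Pkt("out", "em0", "em1", "198.51.100.9", "10.0.4.5")
UPLOAD_OUT_PASS = Pkt("out", "em1", "em0", "10.0.1.5", "198.51.100.9")
SPOOFED = Pkt("in", "em1", None, "203.0.113.7", "198.51.100.9")
```

In this model a bare `recv em1` sends a forwarded upload packet through pipe 101 again on its outbound pass via em0, while `in recv em1` does not; a final `deny` drops a source arriving on em1 that is in no table.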