From owner-freebsd-net Wed Apr 19 6: 1:42 2000
From: Luigi Rizzo
Message-Id: <200004191302.PAA04241@info.iet.unipi.it>
Subject: Re: IPFW comments, and a question...
In-Reply-To: from Jaye Mathisen at "Apr 19, 2000 03:43:23 am"
To: Jaye Mathisen
Date: Wed, 19 Apr 2000 15:02:30 +0200 (CEST)
Cc: freebsd-net@FreeBSD.ORG

> Any reason the rule increment # can't be changed to something smaller like
> 10, or 20, rather than 100? If you add a lot of rules, you can burn up
> good size chunk of the available space in a hurry, even though it's pretty
> sparsely used.

you should just not rely on automatic numbering, especially for
very large rulesets where you most likely want to use "skipto" rules
and thus you need to number rules yourself.

> 1) Everything passing through dummynet seems Peachy keeno, except ICMP
> traffic seems to pick up 40-50ms of delay, yet there's no delay configured
> on anything icmp related. Normal TCP/UDP traffic is going through fine.

not sure what you mean but remember that passing packets through a
bandwidth limiter implicitly causes a delay proportional to
pkt_size/bandwidth. ping -s will show the effect (and if you don't
have options HZ=1000 in your kernel, you will have these times
rounded to the 10ms timer tick).

> 2) Are all pipe rules scanned before pass/deny rules? Because when
> configuring a lot of pipes, there seems to be no way to assign rule
> numbers to a pipe, which makes figuring out where pass/deny rules should
> go if the number of pipes change.

rules are scanned in the order they are written (modulo skipto
rules). Pipe numbers are just "names" assigned to the pipes.
I don't understand what you mean by "assign rule numbers to a pipe",
the logic is exactly the contrary, it is rules which forward packets
to a given pipe whose name just happens to be a string of digits.

	cheers
	luigi

-----------------------------------+-------------------------------------
  Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
  http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
  TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
  Mobile   +39-347-0373137
-----------------------------------+-------------------------------------
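The two points in the reply above (rules scanned in number order with skipto jumps, and the implicit pkt_size/bandwidth delay rounded to the timer tick) can be seen in a small model. This is an added example, not part of the original message and not ipfw or dummynet code; the rule numbers, pipe names and bandwidths are constructed. It assumes a packet sent to a pipe stops rule scanning and that the delay is rounded up to the next tick.

```python
import math

# Constructed ruleset: (rule number, protocol or "ip" for any, action, argument).
RULES = [
    (100, "icmp", "skipto", 1000),   # jump over the TCP/deny block
    (200, "tcp", "pipe", 7),
    (300, "ip", "deny", None),
    (1000, "icmp", "pipe", 42),      # 42 is only the pipe's name
    (65535, "ip", "allow", None),
]
# Constructed pipes: pipe name -> bandwidth in bit/s, no explicit delay.
PIPES = {7: 1_000_000, 42: 16_000}


def classify(proto, rules=RULES):
    """Scan rules in ascending number order; a skipto moves the scan forward.

    Returns (action, argument, numbers of the rules that matched).
    Assumption: a matching pipe rule ends the scan.
    """
    trace, resume_at = [], 0
    for number, match, action, arg in sorted(rules, key=lambda r: r[0]):
        if number < resume_at or match not in ("ip", proto):
            continue
        trace.append(number)
        if action == "skipto":
            resume_at = arg
            continue
        return action, arg, trace
    return "deny", None, trace


def pipe_delay_ms(size_bytes, bw_bps, hz=100):
    """Return (pkt_size/bandwidth delay, same delay rounded up to a tick), in ms."""
    tick_ms = 1000 / hz
    raw_ms = size_bytes * 8 * 1000 / bw_bps
    return raw_ms, math.ceil(raw_ms / tick_ms) * tick_ms


if __name__ == "__main__":
    for proto in ("icmp", "tcp", "udp"):
        print(proto, classify(proto))
    # 84 bytes: a default-size ping (56 data + 8 ICMP + 20 IP header).
    for hz in (100, 1000):
        print("HZ", hz, pipe_delay_ms(84, PIPES[42], hz))
```

In this model an 84-byte ping through the 16 Kbit/s pipe takes 42 ms with HZ=1000 and 50 ms with the default 10 ms tick, without any delay configured on the pipe.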