From owner-freebsd-pf@freebsd.org Mon Jul 29 20:18:07 2019
From: "Kristof Provost"
To: "Rodney W. Grimes"
Cc: "mike tancsa", freebsd-pf@freebsd.org
Subject: Re: pf and dummynet
Date: Mon, 29 Jul 2019 22:18:03 +0200

On 29 Jul 2019, at 22:15, Rodney W. Grimes wrote:

>> On 29 Jul 2019, at 20:22, mike tancsa wrote:
>>> On 7/29/2019 1:51 PM, Kristof Provost wrote:
>> In general I'd expect quality of service and bandwidth limits to only
>> be effective in the upstream direction (when going from a fast link to a
>> slow one). There's no good way to limit how much traffic other
>> machines send to you.
>
> Though dummynet is most effective on the outbound
> stream (absolute control) it can be used to good effect
> on an incoming stream due to the end-to-end paradigm of
> the internet and the fact that congestion must be dealt
> with.
>
> If dummynet holds packets and parcels them into a box at
> a lower rate for things like TCP you'll end up reducing
> the congestion window and hence the sender's rate. Or you
> can get into the ACK clock situation where the sender simply
> does not send any more data until it gets an ack back as
> it already has filled the congestion window.
>
> I have been using dummynet for decades in this way,
> and it more or less "just works."
>

True, with the caveat that that’s only for TCP of course.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Mon Jul 29 23:45:07 2019
Subject: Re: pf and dummynet
To: mike tancsa, freebsd-pf@freebsd.org
From: Nikos Vassiliadis
Date: Tue, 30 Jul 2019 02:39:34 +0300

Hi,

On 2019-07-29 19:06, mike tancsa wrote:
> I have a box I need to shape inbound and outbound traffic. It seems altq
> can only shape outbound packets and not limit inbound? If that's the
> case, what is the current state of mixing ipfw, dummynet and pf?
> Writing large complex firewall rules works better from a readability POV
> (for us anyways) so I really prefer to use it. But I need to prevent zfs
> replication eating up BW over some WAN links, and dummynet seems to
> "just work"

Maybe you could use pipe viewer (pv in ports or packages) on the ZFS
host to limit the bandwidth in userspace.

Nikos
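
The inbound-shaping point discussed earlier in this thread (a receiver-side pipe slows a TCP sender through the ACK clock and congestion window, but not a UDP sender), as an added example that is not from any poster in the thread. It is a toy model: the function name, the rates, the queue limit and the zero propagation delay are all assumptions chosen for illustration, and it does not model dummynet itself.

```python
def shape_inbound(closed_loop, ticks=4000, link_rate=10, pipe_rate=2, queue_limit=50):
    """Toy model of a receiver-side pipe (all parameters are constructed).

    closed_loop=True : TCP-like sender, window-limited, reacts to ACKs and loss.
    closed_loop=False: UDP-like sender, transmits link_rate packets every tick.
    Returns (packets/tick that crossed the WAN link, packets/tick the pipe
    delivered to the host), averaged over the second half of the run.
    """
    queue = in_flight = crossed = delivered = 0
    cwnd = 1.0
    for tick in range(ticks):
        if closed_loop:
            # ACK clock: nothing is sent while the window is full.
            burst = min(link_rate, max(0, int(cwnd) - in_flight))
        else:
            burst = link_rate
        # The packets have already used the WAN link when the pipe sees them.
        accepted = min(burst, queue_limit - queue)
        dropped = burst - accepted
        queue += accepted
        released = min(queue, pipe_rate)   # pipe drains at its configured rate
        queue -= released
        if closed_loop:
            in_flight += burst - released - dropped
            # Halve the window on loss, otherwise grow it slowly per ACK.
            cwnd = max(1.0, cwnd / 2) if dropped else cwnd + released / cwnd
        if tick >= ticks // 2:             # skip the ramp-up phase
            crossed += burst
            delivered += released
    measured = ticks - ticks // 2
    return crossed / measured, delivered / measured


if __name__ == "__main__":
    for name, closed_loop in (("TCP-like", True), ("UDP-like", False)):
        wan, host = shape_inbound(closed_loop)
        print(f"{name}: {wan:.2f} pkt/tick on the WAN link, {host:.2f} delivered")
```

In this model both flows are delivered to the host at the pipe rate, but only the closed-loop sender backs off to that rate on the WAN link; the open-loop sender keeps filling the link and the excess is dropped at the pipe.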