Date: Thu, 16 Mar 2006 02:09:34 +0300
From: Oleg Bulyzhin
To: Andrew Seguin
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW/Dummynet situation
Message-ID: <20060315230934.GA24343@lath.rinet.ru>
In-Reply-To: <4416EF4E.5020903@borgtech.ca>

On Tue, Mar 14, 2006 at 05:29:02PM +0100, Andrew Seguin wrote:
> I have a problem nagging at me for a while now...
>
> If I create a pipe with a dst-ip mask (I haven't tried with a src-ip
> mask) and a bandwidth limit, the limit isn't respected properly. I know
> it's not in the firewall rules themselves, the traffic goes into the
> pipe, just when I use ipfw pipe show, I see more traffic than should
> have been allowed, which is starting to be problematic considering the
> slow internet pipe here.
>
> For example:
> 10 second averages show 5 users receiving closer to (and above) 300kbps.
> I thought maybe it was just my mental conversion from bytes to kbit that
> was wrong, but I calculated: 250kbit / 8 = 31.25KByte, so I shouldn't
> see more than 31000bytes in a dump (310 000 bytes for a 10s dump, 3.1M
> for a 100s dump, etc), yet it isn't so per the dumps below:
>
> firewall# ipfw pipe 20 delete && ipfw pipe 20 config bw 250kbps mask dst-ip 0x000000ff && sleep 10 && ipfw -s 4 pipe 20 show
>
> 00020: 250.000 Kbit/s    0 ms   50 sl. 13 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  23 ip           0.0.0.0/0         0.0.0.215/0       541   393993 48 38867 113
>  49 ip           0.0.0.0/0         0.0.0.177/0       568   392311 50 50243  82
>  23 ip           0.0.0.0/0         0.0.0.151/0       419   359542 40 34010  26
>  25 ip           0.0.0.0/0         0.0.0.217/0       396   356667 44 41133  17
>  19 ip           0.0.0.0/0         0.0.0.147/0       589   338828 47 24481  34
>  59 ip           0.0.0.0/0         0.0.0.251/0       299    97693  0     0   0
>  14 ip           0.0.0.0/0         0.0.0.206/0        39     5878  0     0   0
>  33 ip           0.0.0.0/0         0.0.0.225/0        34     5039  0     0   0
>
>
> 100 second averages:
> A014# ipfw pipe 20 delete && ipfw pipe 20 config bw 250kbps mask dst-ip 0x000000ff && sleep 100 && ipfw -s 4 pipe 20 show
> 00020: 250.000 Kbit/s    0 ms   50 sl. 28 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  23 ip           0.0.0.0/0         0.0.0.215/0      4820  3561827 47 55472 1758
>  19 ip           0.0.0.0/0         0.0.0.147/0      3604  3171878  0     0  126
>  25 ip           0.0.0.0/0         0.0.0.217/0      3876  2915746 45 11570   71
>  49 ip           0.0.0.0/0         0.0.0.177/0      4845  2764112  5  2482  138
>  23 ip           0.0.0.0/0         0.0.0.151/0      2828  2344594 41 30362  212
>  59 ip           0.0.0.0/0         0.0.0.251/0      4670  1777891  0     0   21
> ...
>
> Even with a 1000 second average I still see/have one computer fairly
> high above the limit:
>
> A014# ipfw pipe 20 delete && ipfw pipe 20 config bw 250kbps mask dst-ip 0x000000ff && sleep 1000 && ipfw -s 4 pipe 20 show
> 00020: 250.000 Kbit/s    0 ms   50 sl. 43 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  23 ip           0.0.0.0/0         0.0.0.215/0     48823 34909898 49 39751 14002
>  25 ip           0.0.0.0/0         0.0.0.217/0     40294 30358282 23 19611  1301
> ...
>
>
> So is this normal or is it caused by something I'm doing or maybe not?
>
> Thank you for any info!
> Andrew

The Tot_pkt/bytes fields are the number of pkts/bytes that _tried_ to get
through the pipe.

Let's look at your 1st flow (1000s results):
ave pkt size = 34909898/48823 ~ 715 bytes
number of dropped packets is 14002, so 14002*715 ~ 10011430 bytes were dropped.
so average flow throughput was (34909898-10011430)/1000 ~ 24898byte/s ~ 194kbps.
(if you do the same calculation for your 1st flow in the 10s result you will get
throughput ~ 244kbps).

P.S. having dst-mask 0x000000ff will cause problems if you try to shape more
than one /24 network using the same pipe.

-- 
Oleg.
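Added example, not part of the original message or of ipfw itself: the calculation from the reply above, applied to every flow row of `ipfw pipe show` output instead of by hand. The names delivered_rates and Flow are hypothetical, and the sample rows are the 1000 s dump from the message with each wrapped row re-joined onto one line.

```python
import re
from typing import List, NamedTuple

# Rows copied from the 1000 s dump quoted above, re-joined one flow per line.
SAMPLE_1000S = """\
00020: 250.000 Kbit/s    0 ms   50 sl. 43 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 23 ip  0.0.0.0/0  0.0.0.215/0  48823 34909898 49 39751 14002
 25 ip  0.0.0.0/0  0.0.0.217/0  40294 30358282 23 19611  1301
"""

# BKT Prot Src Dst Tot_pkt Tot_bytes Pkt Byte Drp; header lines do not match.
ROW = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s*$")


class Flow(NamedTuple):
    dst: str               # masked destination, e.g. 0.0.0.215/0
    offered_bytes: int     # Tot_bytes: bytes that tried to enter the pipe
    dropped_bytes: float   # estimate: Drp * average packet size
    bytes_per_sec: float   # delivered rate over the sampling interval


def delivered_rates(dump: str, interval_s: float) -> List[Flow]:
    """Estimate per-flow delivered throughput from `ipfw pipe show` text."""
    flows = []
    for line in dump.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dst, tot_pkt, tot_bytes, drops = m.group(1), *map(int, m.group(2, 3, 4))
        if tot_pkt == 0:          # idle bucket: no average packet size
            continue
        dropped = drops * tot_bytes / tot_pkt
        flows.append(Flow(dst, tot_bytes, dropped, (tot_bytes - dropped) / interval_s))
    return flows


if __name__ == "__main__":
    for f in delivered_rates(SAMPLE_1000S, 1000):
        bps = f.bytes_per_sec * 8
        # The reply's ~194 figure is bits/1024; bits/1000 gives ~199.
        print(f"{f.dst:>14} {f.bytes_per_sec:9.0f} B/s "
              f"{bps / 1000:6.1f} kbit/s (x1000) {bps / 1024:6.1f} (x1024)")
```

The interval passed in must match the sleep between `pipe config` and `pipe show`, since the counters are totals since the pipe was created.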