Date: Tue, 30 Dec 2008 23:07:37 +0200 From: KES <kes-kes@yandex.ru> To: KES <kes-kes@yandex.ru> Cc: questions@freebsd.org Subject: Re[2]: BUG! Performance loss with dynamic IPFW rules Message-ID: <288006721.20081230230737@yandex.ru> In-Reply-To: <213016870.20081230222950@yandex.ru> References: <1691697011.20081230214740@yandex.ru> <213016870.20081230222950@yandex.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Здравствуйте, KES.
Вы писали 30 декабря 2008 г., 22:29:50:
K> Здравствуйте, KES.
K> Вы писали 30 декабря 2008 г., 21:47:40:
K>> Здравствуйте, Questions.
K>> 1 allow all from any to any via rl0
K>> 2 allow all from any to any via rl1
K>> 109 skipto 110 tcp from any to any 80 in recv $iface #split only http trafic
K>> 109 skipto 200 all from any to any #do not split all other trafic
K>> 110 check-state
K>> 111 prob 0.5 skipto 131 in recv rl2
K>> 121 skipto 122 keep-state in recv rl2
K>> 123 setfib 0 proto all in recv rl2
K>> 125 skipto 150 proto all in recv rl2
K>> 131 skipto 132 keep-state in recv rl2
K>> 133 setfib 1 proto all in recv rl2
K>> 135 skipto 150 proto all in recv rl2
K>> I am connected on rl1.
K>> INET is rl0, rl1 each 4Mbit/s
K>> When I open many connections I get performance loss:
K>> 1) Web pages are not opened (it seems flow at start goes through rl0
K>> and then goes rl1. EXPECTED: it flows only through one channel until
K>> closed)
K>> 2) I get about 2Mbit/s while downloading something
K>> When I not open many flows I get 8Mbit/s while serfing
K>> What is problem?
K> Also another interesting behaviour.
K> Packets with FIB 1 are outgoing through rl0 interface, but must out go
K> via rl1. Why?
I resolve problem!!!
I have mpd5 on both interfaces rl0 and rl1.
It starts PPPoE connection with my ISP. mpd5 has FIB 0. and has option
to NAT packets.
When I send packet from rl2 to INET it is:
tcpdump -n -i rl1
22:51:40.917666 IP 192.168.9.80.3113 > 205.188.8.85.5190: P 1:27(26) ack 1461 win 65535
I add counters for 192.168.9.80 to ipfw
05500 711 54217 count ip from any to any out xmit rl1
05510 711 54217 count tag 1 ip from 192.168.9.80 to any out xmit rl1
05515 0 0 deny log ip from any to any out xmit rl1 not tagged 1
05890 711 54217 allow untag 1 ip from any to any out xmit rl1 tagged 1
05899 0 0 deny log ip from any to any via rl1
05899 0 0 skipto 65000 ip from any to any
Then packet is NATed by mpd (it runned with FIB 0) and out via rl0! instead of rl1 =(
I think packet changes its FIB after NATing by process with different FIB
than packet itself =(
look tcpdump.
kes# ifconfig rl0
rl0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
inet 92.113.11.221 --> 195.5.5.202 netmask 0xffffffff
kes# ifconfig rl1
rl1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
inet 91.124.184.62 --> 195.5.5.209 netmask 0xffffffff
tcpdump -n -i rl0
23:00:39.013565 IP 91.124.184.62 > 68.147.56.238: ICMP 91.124.184.62 udp port 59344 unreachable, length 36
23:00:39.043593 IP 91.124.184.62 > 69.251.246.7: ICMP 91.124.184.62 udp port 59344 unreachable, length 36
23:00:39.675315 IP 91.124.184.62 > 71.30.187.17: ICMP 91.124.184.62 udp port 10758 unreachable, length 36
23:00:39.818931 IP 91.124.184.62 > 117.11.167.163: ICMP 91.124.184.62 udp port 10758 unreachable, length 36
23:00:41.865974 IP 91.124.184.62 > 67.177.215.23: ICMP 91.124.184.62 udp port 10758 unreachable, length 36
23:00:43.289822 IP 91.124.184.62 > 88.84.178.189: ICMP 91.124.184.62 udp port 10758 unreachable, length 36
tcpdump -n -i rl1
23:00:39.013133 IP 68.147.56.238.23877 > 91.124.184.62.59344: UDP, length 103
23:00:39.042899 IP 69.251.246.7.46602 > 91.124.184.62.59344: UDP, length 103
23:00:39.675293 IP 71.30.187.17.61710 > 91.124.184.62.10758: UDP, length 103
23:00:39.818910 IP 117.11.167.163.12312 > 91.124.184.62.10758: UDP, length 98
23:00:41.865952 IP 67.177.215.23.24147 > 91.124.184.62.10758: UDP, length 98
23:00:43.289801 IP 88.84.178.189.60799 > 91.124.184.62.10758: UDP, length 101
23:00:43.419409 IP 93.80.208.87.61523 > 91.124.184.62.10758: S 3219801041:3219801041(0) win 8192 <mss 1360,nop,nop
I think this is wrong behaviour.
--
С уважением,
KES mailto:kes-kes@yandex.ru
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?288006721.20081230230737>