Date: Tue, 30 Dec 2008 23:07:37 +0200
From: KES
To: KES
Cc: questions@freebsd.org
Subject: Re[2]: BUG! Performance loss with dynamic IPFW rules
Message-ID: <288006721.20081230230737@yandex.ru>
In-Reply-To: <213016870.20081230222950@yandex.ru>
References: <1691697011.20081230214740@yandex.ru> <213016870.20081230222950@yandex.ru>

Hello, KES.

You wrote on 30 December 2008, 22:29:50:

K> Hello, KES.

K> You wrote on 30 December 2008, 21:47:40:

K>> Hello, Questions.

K>> 1 allow all from any to any via rl0
K>> 2 allow all from any to any via rl1

K>> 109 skipto 110 tcp from any to any 80 in recv $iface #split only http traffic
K>> 109 skipto 200 all from any to any #do not split all other traffic
K>> 110 check-state
K>> 111 prob 0.5 skipto 131 in recv rl2
K>> 121 skipto 122 keep-state in recv rl2
K>> 123 setfib 0 proto all in recv rl2
K>> 125 skipto 150 proto all in recv rl2
K>> 131 skipto 132 keep-state in recv rl2
K>> 133 setfib 1 proto all in recv rl2
K>> 135 skipto 150 proto all in recv rl2

K>> I am connected on rl1.
K>> INET is rl0, rl1 each 4Mbit/s

K>> When I open many connections I get performance loss:
K>> 1) Web pages are not opened (it seems flow at start goes through rl0
K>> and then goes rl1. EXPECTED: it flows only through one channel until
K>> closed)
K>> 2) I get about 2Mbit/s while downloading something

K>> When I not open many flows I get 8Mbit/s while surfing

K>> What is problem?

K> Also another interesting behaviour.
K> Packets with FIB 1 are outgoing through rl0 interface, but must out go
K> via rl1. Why?

I resolve problem!!!
I have mpd5 on both interfaces rl0 and rl1. It starts PPPoE connection with my ISP.
mpd5 has FIB 0. and has option to NAT packets.

When I send packet from rl2 to INET it is:

tcpdump -n -i rl1
22:51:40.917666 IP 192.168.9.80.3113 > 205.188.8.85.5190: P 1:27(26) ack 1461 win 65535

I add counters for 192.168.9.80 to ipfw

05500 711 54217 count ip from any to any out xmit rl1
05510 711 54217 count tag 1 ip from 192.168.9.80 to any out xmit rl1
05515 0 0 deny log ip from any to any out xmit rl1 not tagged 1
05890 711 54217 allow untag 1 ip from any to any out xmit rl1 tagged 1
05899 0 0 deny log ip from any to any via rl1
05899 0 0 skipto 65000 ip from any to any

Then packet is NATed by mpd (it ran with FIB 0) and out via rl0!
instead of rl1 =(

I think packet changes its FIB after NATing by process with different
FIB than packet itself =(

look tcpdump.

kes# ifconfig rl0
rl0: flags=88d1 metric 0 mtu 1492
        inet 92.113.11.221 --> 195.5.5.202 netmask 0xffffffff
kes# ifconfig rl1
rl1: flags=88d1 metric 0 mtu 1492
        inet 91.124.184.62 --> 195.5.5.209 netmask 0xffffffff

tcpdump -n -i rl0
23:00:39.013565 IP 91.124.184.62 > 68.147.56.238: ICMP 91.124.184.62 udp port 59344 unreachable, length 36
23:00:39.043593 IP 91.124.184.62 > 69.251.246.7: ICMP 91.124.184.62 udp port 59344 unreachable, length 36
23:00:39.675315 IP 91.124.184.62 > 71.30.187.17: ICMP 91.124.184.62 udp port 10758 unreachable, length 36
23:00:39.818931 IP 91.124.184.62 > 117.11.167.163: ICMP 91.124.184.62 udp port 10758 unreachable, length 36
23:00:41.865974 IP 91.124.184.62 > 67.177.215.23: ICMP 91.124.184.62 udp port 10758 unreachable, length 36
23:00:43.289822 IP 91.124.184.62 > 88.84.178.189: ICMP 91.124.184.62 udp port 10758 unreachable, length 36

tcpdump -n -i rl1
23:00:39.013133 IP 68.147.56.238.23877 > 91.124.184.62.59344: UDP, length 103
23:00:39.042899 IP 69.251.246.7.46602 > 91.124.184.62.59344: UDP, length 103
23:00:39.675293 IP 71.30.187.17.61710 > 91.124.184.62.10758: UDP, length 103
23:00:39.818910 IP 117.11.167.163.12312 > 91.124.184.62.10758: UDP, length 98
23:00:41.865952 IP 67.177.215.23.24147 > 91.124.184.62.10758: UDP, length 98
23:00:43.289801 IP 88.84.178.189.60799 > 91.124.184.62.10758: UDP, length 101
23:00:43.419409 IP 93.80.208.87.61523 > 91.124.184.62.10758: S 3219801041:3219801041(0) win 8192
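
Added example, not part of the original message: a small check that automates the comparison made by eye in the two captures above, flagging any packet whose source is a local address but which was seen leaving on an interface that does not own that address. The function names are hypothetical; the interface addresses and most capture lines are copied from the message, and one rl0 line (to the documentation address 198.51.100.7) is constructed as a correctly routed control.

```python
import re

# Local address per interface, as shown by ifconfig in the message.
IFACE_ADDRS = {"rl0": "92.113.11.221", "rl1": "91.124.184.62"}

# tcpdump -n lines per interface, copied from the message unless marked.
CAPTURES = {
    "rl0": [
        "23:00:39.013565 IP 91.124.184.62 > 68.147.56.238: ICMP 91.124.184.62 udp port 59344 unreachable, length 36",
        "23:00:39.675315 IP 91.124.184.62 > 71.30.187.17: ICMP 91.124.184.62 udp port 10758 unreachable, length 36",
        # Constructed control line: rl0's own address leaving via rl0.
        "23:00:40.000001 IP 92.113.11.221.40000 > 198.51.100.7.80: S 1:1(0) win 65535",
    ],
    "rl1": [
        "23:00:39.013133 IP 68.147.56.238.23877 > 91.124.184.62.59344: UDP, length 103",
        "23:00:39.675293 IP 71.30.187.17.61710 > 91.124.184.62.10758: UDP, length 103",
    ],
}

# timestamp, "IP", source endpoint, ">", destination endpoint, ":"
LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+?): ")


def host_part(endpoint):
    """Drop the trailing .port that tcpdump -n appends to TCP/UDP endpoints."""
    return ".".join(endpoint.split(".")[:4])


def find_misrouted(captures, iface_addrs):
    """Return (ts, seen_on, owner, src, dst) for packets sourced from a local
    address but captured on an interface that does not hold that address."""
    owner = {addr: iface for iface, addr in iface_addrs.items()}
    findings = []
    for iface, lines in captures.items():
        for line in lines:
            m = LINE_RE.match(line)
            if not m:
                continue  # not an IPv4 summary line
            ts, src, dst = m.group(1), host_part(m.group(2)), host_part(m.group(3))
            src_owner = owner.get(src)
            # Inbound packets have a remote source and are ignored here.
            if src_owner is not None and src_owner != iface:
                findings.append((ts, iface, src_owner, src, dst))
    return findings


if __name__ == "__main__":
    for ts, seen, owns, src, dst in find_misrouted(CAPTURES, IFACE_ADDRS):
        print(f"{ts} {src} -> {dst}: left via {seen}, address belongs to {owns}")
```

On the sample it reports the two ICMP unreachable replies sourced from rl1's address 91.124.184.62 that were captured on rl0, and nothing for the inbound UDP seen on rl1.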