Date:      Tue, 27 Nov 2007 02:16:17 -0500
From:      Sten Daniel Soersdal <netslists@gmail.com>
To:        bsdlist@mail.bg
Cc:        freebsd-isp@freebsd.org
Subject:   Re: ipfw + dummynet performance
Message-ID:  <474BC441.7030303@gmail.com>
In-Reply-To: <474BB7CC.4020208@gmail.com>
References:  <1194447774.1814d69a23ce8@mail.bg> <474BB7CC.4020208@gmail.com>

Sten Daniel Soersdal wrote:
> bsdlist@mail.bg wrote:
>>
>>  My question is about performance of ipfw and dummynet with
>> these rules
>>
>>  pipe 101 ip from table(1) to any via em1
>>  pipe 100 ip from any to table(1) xmit em1
>>  pipe 200 ip from table(2) to any via em1
>>  pipe 202 ip from any to table(2) xmit em1
>>  pipe 301 ip from table(3) to any via em1
>>  pipe 300 ip from any to table(3) xmit em1
>>  pipe 401 ip from table(4) to any via em1
>>  pipe 400 ip from any to table(4) xmit em1
>>
>>  ..
>>  pipe 202 config bw 512K mask dst-ip 0xffffffff
>>  pipe 200 config bw 256K mask src-ip 0xffffffff
>>  these rules are the same for the 4 tables but with different
>> speeds:
>>
> 
> 'via' makes you match both 'recv' and 'xmit' packets. Perhaps this 
> clears things up?
> If you want to make this faster you could halve the number of rules you 
> need to process, but it's not easy to see from what you posted.
> Example;
> 
> 
> skipto 1000 xmit em1
> skipto 2000 recv em1
> 
> 1000 pipe 100 dst-ip table(1)
> 1001 pipe 202 dst-ip table(2)     <-- also note the pipe number??
> 1002 pipe 300 dst-ip table(3)
> 1003 pipe 400 dst-ip table(4)
> 1999 accept
> 
> 2000 pipe 101 src-ip table(1)
> 2001 pipe 200 src-ip table(2)     <-- also note the pipe number??
> 2002 pipe 301 src-ip table(3)
> 2003 pipe 401 src-ip table(4)
> 2999 accept
> 
> Also, are you sure you want to swap 202 and 200 in your system? Perhaps 
> this adds to the problem?
> 
> 

That should be;

skipto 1000 out xmit em1
skipto 2000 in recv em1

To be sure :)

Also you could change the 1999 and 2999 rules to be 'deny' rules to rule 
out spoofing (not in table = deny) depending upon other configuration 
options.

-- 
Sten Daniel Soersdal
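
The layout described in this message, written out as an added example that is not part of the original e-mail: a small generator that prints the ipfw commands for the direction-split ruleset with a closing deny in each branch. Assumptions: the pipes are already configured, rule numbers 100-120 and 3000 are hypothetical, and each argument after the interface is table:pipe_to_client:pipe_from_client.

```shell
#!/bin/sh
# Added example (not from the thread). Prints commands; review, then pipe to sh.

gen_rules() {
    ifc=$1; shift
    # With one_pass=0 a packet leaving a pipe is reinjected at the next
    # rule and would run into the branch's closing deny.
    echo "sysctl net.inet.ip.fw.one_pass=1"
    # Dispatch once on direction so each packet walks only one branch.
    echo "ipfw add 100 skipto 1000 ip from any to any out xmit $ifc"
    echo "ipfw add 110 skipto 2000 ip from any to any in recv $ifc"
    # Assumed: traffic on other interfaces jumps past both branches
    # instead of falling into rule 1000 and the deny at 1999.
    echo "ipfw add 120 skipto 3000 ip from any to any"
    n=1000
    for spec in "$@"; do            # outbound: match destination table
        tbl=${spec%%:*}; rest=${spec#*:}
        echo "ipfw add $n pipe ${rest%%:*} ip from any to 'table($tbl)'"
        n=$((n + 1))
    done
    echo "ipfw add 1999 deny ip from any to any"   # not in any table
    n=2000
    for spec in "$@"; do            # inbound: match source table
        tbl=${spec%%:*}; rest=${spec#*:}
        echo "ipfw add $n pipe ${rest#*:} ip from 'table($tbl)' to any"
        n=$((n + 1))
    done
    echo "ipfw add 2999 deny ip from any to any"   # not in any table
}

# Pipe numbers as posted in the thread.
gen_rules em1 1:100:101 2:202:200 3:300:301 4:400:401
```

The table names are single-quoted in the output because parentheses are shell metacharacters.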


