From: Sten Daniel Soersdal
Date: Tue, 27 Nov 2007 02:16:17 -0500
To: bsdlist@mail.bg
Cc: freebsd-isp@freebsd.org
Subject: Re: ipfw + dummynet performance

Sten Daniel Soersdal wrote:
> bsdlist@mail.bg wrote:
>>
>> My question is about performance of ipfw and dummynet with
>> these rules
>>
>> pipe 101 ip from table(1) to any via em1
>> pipe 100 ip from any to table(1) xmit em1
>> pipe 200 ip from table(2) to any via em1
>> pipe 202 ip from any to table(2) xmit em1
>> pipe 301 ip from table(3) to any via em1
>> pipe 300 ip from any to table(3) xmit em1
>> pipe 401 ip from table(4) to any via em1
>> pipe 400 ip from any to table(4) xmit em1
>>
>> ..
>> pipe 202 config bw 512K mask dst-ip 0xffffffff
>> pipe 200 config bw 256K mask src-ip 0xffffffff
>> these rules are the same for the 4 tables but with different
>> speed :
>>
>
> 'via' makes you match both 'recv' and 'xmit' packets. Perhaps this
> clears things up?
> If you want to make this faster you could halve the number of rules you
> need to process, but it's not easy to see from what you posted.
> Example;
>
>
> skipto 1000 xmit em1
> skipto 2000 recv em1
>
> 1000 pipe 100 dst-ip table(1)
> 1001 pipe 202 dst-ip table(2) <-- also note the pipe number??
> 1002 pipe 300 dst-ip table(3)
> 1003 pipe 400 dst-ip table(4)
> 1999 accept
>
> 2000 pipe 101 src-ip table(1)
> 2001 pipe 200 src-ip table(2) <-- also note the pipe number??
> 2002 pipe 301 src-ip table(3)
> 2003 pipe 401 src-ip table(4)
> 2999 accept
>
> Also, are you sure you want to swap 202 and 200 in your system? Perhaps
> this adds to the problem?
>
>

That should be;

skipto 1000 out xmit em1
skipto 2000 in recv em1

To be sure :)

Also you could change the 1999 and 2999 rules to be 'deny' rules to rule
out spoofing (not in table = deny) depending upon other configuration
options.

--
Sten Daniel Soersdal
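
A simplified first-match model of the two rule layouts discussed in this thread, added here as an illustration and not code from either poster: it counts how many rules a packet on em1 traverses under each layout and shows what the final 1999/2999 rule does to a source that is in no table. The table contents, the numbers given to the flat rules and to the two skipto rules, and the treatment of pipe rules as terminal (net.inet.ip.fw.one_pass=1) are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: one /24 per ipfw table (not from the thread).
TABLES = {n: ip_network(f"10.0.{n}.0/24") for n in (1, 2, 3, 4)}
UP = {1: 101, 2: 200, 3: 301, 4: 401}    # "from table(N)" pipes, numbered as posted
DOWN = {1: 100, 2: 202, 3: 300, 4: 400}  # "to table(N)" pipes, numbered as posted

# Rule = (number, action, arg, direction, field, table); direction None = either way.
def flat():
    """The eight rules as originally posted; the rule numbers are assumed."""
    rules = []
    for t in TABLES:
        rules.append((len(rules) + 1, "pipe", UP[t], None, "src", t))     # via em1
        rules.append((len(rules) + 1, "pipe", DOWN[t], "out", "dst", t))  # xmit em1
    return rules

def split(final):
    """Direction-split layout from the reply; final is 'accept' or 'deny'."""
    rules = [(10, "skipto", 1000, "out", None, None),  # out xmit em1 (number assumed)
             (20, "skipto", 2000, "in", None, None)]   # in recv em1 (number assumed)
    for i, t in enumerate(TABLES):
        rules.append((1000 + i, "pipe", DOWN[t], None, "dst", t))
        rules.append((2000 + i, "pipe", UP[t], None, "src", t))
    rules += [(n, final, None, None, None, None) for n in (1999, 2999)]
    return sorted(rules, key=lambda r: r[0])

def matches(rule, pkt):
    direction, field, table = rule[3:]
    if direction and direction != pkt["dir"]:
        return False
    return field is None or ip_address(pkt[field]) in TABLES[table]

def evaluate(rules, pkt):
    """First-match walk; returns (verdict, rules examined). Pipes are terminal."""
    i = examined = 0
    while i < len(rules):
        _, action, arg = rules[i][:3]
        examined += 1
        if not matches(rules[i], pkt):
            i += 1
        elif action == "skipto":
            i = next(j for j, r in enumerate(rules) if r[0] >= arg)
        else:
            return (f"pipe {arg}" if action == "pipe" else action), examined
    return "default rule", examined

def packet(direction, src, dst):
    """One packet crossing em1; only em1 traffic is modelled."""
    return {"dir": direction, "src": src, "dst": dst}
```

In this model an outbound packet between two table members hits the posted 'via' rule first and lands in pipe 101, while the split layout sends it to pipe 202; a source in no table ends at rule 2999, so the verdict is whatever that rule says.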