Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 14 Mar 2006 17:29:02 +0100
From:      Andrew Seguin <asegu_fbsdnet@borgtech.ca>
To:        freebsd-ipfw@freebsd.org
Subject:   IPFW/Dummynet situation
Message-ID:  <4416EF4E.5020903@borgtech.ca>
index | next in thread | raw e-mail 

I have a problem nagging at me for a while now...

If I create a pipe with a dst-ip mask (I haven't tried with a src-ip 
mask) and a bandwith limit, the limit isn't respected properly. I know 
it's not in the firewall rules themselves, the traffic goes into the 
pipe, just when I use ipfw pipe show, I see more traffic then should 
have been allowed, which is starting to be problematic considering the 
slow internet pipe here.

For example:
10 second averages show 5 users receiving closer to (and above) 300kbps. 
I thought maybe it was just my mental conversion from bytes to kbit that 
was wrong, but I calculated: 250kbit / 8 = 31.25KByte, so I shouldn't 
see more then 31000bytes in a dump (310 000 bytes for a 10s dump, 3.1M 
for a 100s dump, etc), yet it isn't so per the dumps below:

firewall# ipfw pipe 20 delete && ipfw pipe 20 config bw 250kbps mask 
dst-ip 0x000000ff && sleep 10 && ipfw -s 4 pipe 20 show

00020: 250.000 Kbit/s    0 ms   50 sl. 13 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes 
Pkt/Byte Drp
 23 ip           0.0.0.0/0           0.0.0.215/0      541   393993 48 
38867 113
 49 ip           0.0.0.0/0           0.0.0.177/0      568   392311 50 
50243  82
 23 ip           0.0.0.0/0           0.0.0.151/0      419   359542 40 
34010  26
 25 ip           0.0.0.0/0           0.0.0.217/0      396   356667 44 
41133  17
 19 ip           0.0.0.0/0           0.0.0.147/0      589   338828 47 
24481  34
 59 ip           0.0.0.0/0           0.0.0.251/0      299    97693  0    
0   0
 14 ip           0.0.0.0/0           0.0.0.206/0       39     5878  0    
0   0
 33 ip           0.0.0.0/0           0.0.0.225/0       34     5039  0    
0   0


100 second averages:
A014# ipfw pipe 20 delete && ipfw pipe 20 config bw 250kbps mask dst-ip 
0x000000ff && sleep 100 && ipfw -s 4 pipe 20 show
00020: 250.000 Kbit/s    0 ms   50 sl. 28 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes 
Pkt/Byte Drp
 23 ip           0.0.0.0/0           0.0.0.215/0     4820  3561827 47 
55472 1758
 19 ip           0.0.0.0/0           0.0.0.147/0     3604  3171878  0    
0 126
 25 ip           0.0.0.0/0           0.0.0.217/0     3876  2915746 45 
11570  71
 49 ip           0.0.0.0/0           0.0.0.177/0     4845  2764112  5 
2482 138
 23 ip           0.0.0.0/0           0.0.0.151/0     2828  2344594 41 
30362 212
 59 ip           0.0.0.0/0           0.0.0.251/0     4670  1777891  0    
0  21
...

Even with a 1000 second average I still see/have one computer fairly 
high above the limit:

A014# ipfw pipe 20 delete && ipfw pipe 20 config bw 250kbps mask dst-ip 
0x000000ff && sleep 1000 && ipfw -s 4 pipe 20 show
00020: 250.000 Kbit/s    0 ms   50 sl. 43 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes 
Pkt/Byte Drp
 23 ip           0.0.0.0/0           0.0.0.215/0     48823 34909898 49 
39751 14002
 25 ip           0.0.0.0/0           0.0.0.217/0     40294 30358282 23 
19611 1301
...


So is this normal or is it caused by something I'm doing or maybe not?

Thank you for any info!
Andrew
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4416EF4E.5020903>