Date:      Wed, 31 Dec 2014 22:57:44 +0600
From:      info@aknet.kg
To:        <freebsd-net@freebsd.org>
Subject:   Re: Netmap-Ipfw: eats 90-100% of CPU, is it normal behaviour ?
Message-ID:  <eb67a90599938c40d15019e53138c13f@aknet.kg>
In-Reply-To: <bf59944795d8f4b98b7d9bfbb15ea813@aknet.kg>
References:  <bf59944795d8f4b98b7d9bfbb15ea813@aknet.kg>

Hello, All!


In addition to the previous info, I can say that netmap-ipfw takes about
95% in top -PHS, even if the firewall is fully open:

60 root       100    0   885M   342M CPU0    0 621:31  92.38% kipfw

when the first rule is "allow ip from any to any"

Maybe it needs more RAM? Currently it is 885M (RES 342M) and doesn't
increase with load growth.

current traffic:

             input            ix1           output
    packets  errs idrops      bytes    packets  errs      bytes colls drops
       528K     0     0       599M       434K     0       124M     0     0
       520K     0     0       590M       430K     0       126M     0     0
       531K     0     0       603M       437K     0       128M     0     0

IT Dep
AkNet ISP

info@aknet.kg wrote 2014-12-31 16:24:

> Hello, All !
>
> We tried to use netmap-ipfw in production (as filtering bridge) for
> traffic sanity and bandwidth limitation.
> And we met a problem. It will be explained below.
>
> CPU: i5-4690 CPU @ 3.50GHz
> RAM: 8GB x 1800Mhz
> NET: Intel DA 520 (2 x 10Gbps)
>
> kipfw starts as:
> /usr/local/netmap-ipfw/kipfw netmap:ix0 netmap:ix1
>
> ruleset:
>
> 00100 allow ip from 192.168.254.0/24 to 192.168.254.0/24
> 00200 allow ip from any to 192.168.0.0/16                   - incoming (for customers) traffic goes without touching
> 00400 pipe 665 udp from 192.168.0.0/16 to any dst-port 6881
> 00500 pipe 666 tcp from 192.168.0.0/16 to any tcpflags syn
> 00600 deny tcp from table(25) to any dst-port 25
> 00700 deny tcp from 192.168.0.0/16 to table(26) dst-port 25
> 00750 allow ip from 192.168.0.0/16 to any                    - this rule we have to use (explained below)
> 00800 pipe 10 ip from 192.168.0.0/16 to any                  - main rule for this bridge
> 65535 allow ip from any to any
>
> pipes:
> # BW for packets with SYN flag and UDP-6881
> ${fw} pipe 665 config mask src-ip 0xffffffff bw 384Kbit/s
> ${fw} pipe 666 config mask src-ip 0xffffffff bw 64Kbit/s
> # Outgoing BW for each IP
> ${fw} pipe 10 config mask src-ip 0xffffffff bw 5120Kbit/s
>
> table 25 has about 100 IP's
> table 26 has about 15 sub-networks
>
> this bridge serves about 25K subscribers with IP's from network:
> 192.168.0.0/16
>
> current traffic:
> netstat -bdh -w1 -I ix1
>
>          input            ix1           output
>    packets  errs idrops      bytes    packets  errs      bytes colls drops
>       607K     0     0       753M       452K     0        88M     0     0
>       603K     0     0       750M       449K     0        87M     0     0
>       604K     0     0       751M       448K     0        88M     0     0
>       604K     0     0       747M       452K     0        92M     0     0
>
> all traffic:
> netstat -bdh -w1
>
>          input        (Total)           output
>    packets  errs idrops      bytes    packets  errs      bytes colls drops
>         2M     0     0       1.6G         2M     0       1.6G     0     0
>         2M     0     0       1.6G         2M     0       1.6G     0     0
>
>
> current CPU:
> CPU 0: 31.1% user,  0.0% nice, 56.1% system,  5.1% interrupt,  7.7% idle
> CPU 1:  0.0% user,  0.0% nice,  0.5% system,  8.2% interrupt, 91.3% idle
> CPU 2:  0.0% user,  0.0% nice,  0.0% system,  4.6% interrupt, 95.4% idle
> CPU 3:  0.0% user,  0.0% nice,  0.5% system,  7.1% interrupt, 92.3% idle
>
> THE Question:
> is it normal for kipfw to eat so much resources ?
>
> 660 root        99    0   873M   325M CPU0    0 272:03  91.46% kipfw
>
> Also, the rule #750 I have to place into ruleset, cos without it
> kipfw begins to use all 100%
>
> 00750 allow ip from 192.168.0.0/16 to any
> 00800 pipe 10 ip from 192.168.0.0/16 to any  - this rule is the main
> for using of this bridge,
>
> it assigns the same outgoing bandwidth for each of IP addresses -
> 5120Kbit/s (5Mbps)
>
>
> # BW for packets with SYN flag and UDP-6881
> ${fw} pipe 665 config mask src-ip 0xffffffff bw 384Kbit/s
> ${fw} pipe 666 config mask src-ip 0xffffffff bw 64Kbit/s
> # Outgoing BW for each IP
> ${fw} pipe 10 config mask src-ip 0xffffffff bw 5120Kbit/s
>
> With working rule #800 after 30-50 mins kipfw begins to use 100% in
> top -PHS and incoming (for users) traffic goes down from 750Mbytes/s
> (about 6Gbit/s) to 330Mbytes/s (2.6Gbit/s), delay increases from 65ms
> to 250ms and there is a high percentage of drops.
>
> Is it a real limit of using netmap-ipfw ? We can give any additional
> info if it will be useful to expand limits of kipfw.
>
> With regards and happy New Year !
>
> Azamat B. Umurzakov
> AkNet ISP



