From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 16 01:16:26 2003
From: Peter Losher
Organization: ISC
To: freebsd-ipfw@freebsd.org
Date: Sat, 16 Aug 2003 01:16:21 -0700
Message-Id: <200308160116.22010.Peter_Losher@isc.org>
Subject: piping killing performance on 5.1-REL-p2
List-Id: IPFW Technical Discussions

Hi -

On several of our servers that provide name service to the local network, we normally have pipes in our ipfw/ipfw2 rules as such:

    add pipe 1 udp from any to any 53 in
    pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
    add pipe 2 tcp from any to any 53 in
    pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3

to make sure outsiders don't slam us too hard, etc...

This setup has worked fine for us in the past under 4.x, but we have now turned up our first 5.1-REL box (5.1-REL-p2 to be exact) and while the pipes work, they are killing the response times.

dig queries that normally take a couple of milliseconds from another host on the same subnet now take 40-50 milliseconds. Remove the rules, and the response time goes back down to a couple of milliseconds. Note that this same configuration on a 4.x system shows very little degradation with the pipes on-line.

Has the syntax changed between ipfw and ipfw2, and have others experienced this "slowness" issue? (I looked in the archives beforehand)

Best Wishes - Peter
-- 
Peter_Losher@isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"
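As an added example (not from the post above and not FreeBSD's own code), the following Python script parses the two `pipe ... config` lines quoted in the post and works out the per-packet delay their `bw` and `queue` settings imply, assuming dummynet emulates a link that needs packet_bits / bw seconds to clock out each packet; the 64-byte DNS query size is a constructed sample value.

```python
import re

# Constructed copy of the dummynet pipe configuration quoted in the post.
PIPE_CONFIG = """
pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3
"""

# Multipliers to bits per second for the bandwidth units ipfw's bw option accepts.
BW_UNITS = {"bit/s": 1, "Kbit/s": 1000, "Mbit/s": 1000000,
            "Byte/s": 8, "KByte/s": 8000, "MByte/s": 8000000}

_PIPE_RE = re.compile(r"^\s*pipe\s+(\d+)\s+config\s+(.*)$")
_BW_RE = re.compile(r"\bbw\s+(\d+)\s*(bit/s|Kbit/s|Mbit/s|Byte/s|KByte/s|MByte/s)")
_QUEUE_RE = re.compile(r"\bqueue\s+(\d+)\b")


def parse_pipes(text):
    """Return {pipe_number: {"bps": int, "slots": int}} from 'pipe N config' lines."""
    pipes = {}
    for line in text.splitlines():
        m = _PIPE_RE.match(line)
        if not m:
            continue
        num, opts = int(m.group(1)), m.group(2)
        bw = _BW_RE.search(opts)
        q = _QUEUE_RE.search(opts)
        pipes[num] = {
            "bps": int(bw.group(1)) * BW_UNITS[bw.group(2)] if bw else None,
            "slots": int(q.group(1)) if q else 50,  # ipfw's default queue size
        }
    return pipes


def serialization_ms(packet_bytes, bps):
    """Milliseconds an emulated link of `bps` needs to clock out one packet.
    This is the minimum delay the pipe adds to every packet it carries."""
    return packet_bytes * 8 / bps * 1000


def worst_case_queue_ms(packet_bytes, bps, slots):
    """Delay for a packet that enters a queue already holding `slots` - 1 equal-sized
    packets; once all `slots` are occupied further arrivals are dropped, not delayed."""
    return slots * serialization_ms(packet_bytes, bps)


if __name__ == "__main__":
    # Constructed sample size: a small IPv4/UDP DNS query is roughly 64 bytes on the wire.
    for num, p in parse_pipes(PIPE_CONFIG).items():
        print(f"pipe {num}: {serialization_ms(64, p['bps']):.1f} ms per 64-byte packet, "
              f"up to {worst_case_queue_ms(64, p['bps'], p['slots']):.1f} ms with the queue full")
```

Because both pipes carry `mask src-ip 0xffffffff`, dummynet keeps a separate queue at the configured rate for each source address, so these figures apply per client rather than to the aggregate.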