From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 16 02:58:49 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 39B9C37B43C for ; Sat, 16 Aug 2003 02:58:49 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id B5A7943FBF for ; Sat, 16 Aug 2003 02:58:16 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h7G9wCkN031279; Sat, 16 Aug 2003 02:58:12 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h7G9wCqr031278; Sat, 16 Aug 2003 02:58:12 -0700 (PDT) (envelope-from rizzo)
Date: Sat, 16 Aug 2003 02:58:12 -0700
From: Luigi Rizzo
To: Peter Losher
Message-ID: <20030816025812.A31188@xorpc.icir.org>
References: <200308160116.22010.Peter_Losher@isc.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200308160116.22010.Peter_Losher@isc.org>; from Peter_Losher@isc.org on Sat, Aug 16, 2003 at 01:16:21AM -0700
cc: freebsd-ipfw@freebsd.org
Subject: Re: piping killing performance on 5.1-REL-p2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 16 Aug 2003 09:58:49 -0000

well... I don't understand what you think is wrong here.
A 64-byte (512-bit) packet in a 10Kbit/s pipe will take roughly 50ms
to go through, and this is exactly what you are reporting.
I suspect your 4.x configuration was not passing the packets through
the pipe and/or had the bandwidth configured differently.
[As an aside, by using "mask src-ip 0xffffffff" you are basically making
yourself a wonderful candidate for DoS attacks, as any IP will create a
new pipe. I'd rather have one pipe (or a small number of pipes) for
outsiders, and if someone is saturating them you'll still be able to
provide service inside.]

cheers
luigi

On Sat, Aug 16, 2003 at 01:16:21AM -0700, Peter Losher wrote:
> Hi -
>
> On several of our servers that provide name service to the local network,
> we normally have pipes in our ipfw/ipfw2 rules as such:
>
> add pipe 1 udp from any to any 53 in
> pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
> add pipe 2 tcp from any to any 53 in
> pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3
>
> to make sure outsiders don't slam us too hard, etc... This setup has worked
> fine for us in the past under 4.x, but we have now turned up our first
> 5.1-REL box (5.1-REL-p2 to be exact) and while the pipes work, they are
> killing the response times. dig queries that normally take a couple of
> milliseconds from another host on the same subnet now take 40-50
> milliseconds. Remove the rules, and the response time goes back
> down to a couple of milliseconds. Note that this same configuration on a
> 4.x system shows very little degradation with the pipes on-line.
>
> Has the syntax changed between ipfw and ipfw2, and have others experienced
> this "slowness" issue? (I looked in the archives beforehand)
>
> Best Wishes - Peter
> --
> Peter_Losher@isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
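The two points in the reply above (a 64-byte query needs about 50ms to drain through a 10Kbit/s pipe, and a per-source mask lets every new source IP allocate its own pipe state and its own bandwidth allowance) can be checked with a small model of a dummynet pipe. This is an added example, not code from the thread or from FreeBSD; it assumes a simplified pipe (one FIFO per flow with `queue_slots` slots holding packets not yet fully transmitted, one bandwidth allowance per flow, no kernel-tick quantisation), and the sample packets are constructed for the demonstration.

```python
# Added example (not from the thread): a simplified model of a dummynet pipe,
# used to check the two points in the reply. Assumptions: a per-flow FIFO
# with 'queue_slots' slots holding packets not yet fully transmitted, one
# bandwidth allowance per flow, and no kernel-tick quantisation.
from collections import defaultdict


def serialization_ms(packet_bytes, bw_bits_per_s):
    """Time for one packet to drain through a pipe of the given bandwidth."""
    return packet_bytes * 8 * 1000.0 / bw_bits_per_s


def simulate_pipe(packets, bw_bits_per_s, queue_slots, mask_src=True):
    """Push packets through a dummynet-style pipe.

    packets: list of (arrival_ms, src_ip, size_bytes) in arrival order.
    mask_src=True  -> every source IP gets its own queue and its own
                      bw_bits_per_s allowance (like 'mask src-ip 0xffffffff').
    mask_src=False -> all sources share one queue and one allowance.
    Returns (departures, drops): departures maps packet index -> departure_ms,
    drops lists the indices rejected because the flow's queue was full.
    """
    departures = {}
    drops = []
    queued = defaultdict(list)       # flow -> departure times of packets still queued
    busy_until = defaultdict(float)  # flow -> time at which the flow's link is free
    for i, (t, src, size) in enumerate(packets):
        flow = src if mask_src else "*"
        # packets that finished transmitting before now have left the queue
        queued[flow] = [d for d in queued[flow] if d > t]
        if len(queued[flow]) >= queue_slots:
            drops.append(i)
            continue
        start = max(t, busy_until[flow])
        done = start + serialization_ms(size, bw_bits_per_s)
        busy_until[flow] = done
        queued[flow].append(done)
        departures[i] = done
    return departures, drops


def flows_created(packets, mask_src=True):
    """Number of distinct queues (state entries) the pipe allocates."""
    return len({src for _, src, _ in packets}) if mask_src else 1


def aggregate_rate_bits(packets, bw_bits_per_s, mask_src=True):
    """Upper bound on traffic the pipe lets through per second, all flows combined."""
    return flows_created(packets, mask_src) * bw_bits_per_s


if __name__ == "__main__":
    # Constructed sample: one client on the local subnet sends five
    # 64-byte queries back to back into the 10 Kbit/s UDP pipe (queue 3).
    burst = [(0.0, "10.0.0.5", 64)] * 5
    dep, lost = simulate_pipe(burst, 10_000, queue_slots=3)
    print("per-packet delay %.1f ms" % serialization_ms(64, 10_000))
    print("departures", dep, "dropped", lost)

    # Constructed sample: 200 distinct external sources, one query each.
    flood = [(0.0, "203.0.113.%d" % (i + 1), 64) for i in range(200)]
    print("masked: %d queues, up to %d bit/s into the server"
          % (flows_created(flood), aggregate_rate_bits(flood, 10_000)))
    print("shared: %d queue, up to %d bit/s into the server"
          % (flows_created(flood, False), aggregate_rate_bits(flood, 10_000, False)))
```

The single-client burst reproduces the observed figure: each 64-byte query spends 51.2ms draining, the second and third queue behind it, and anything beyond `queue 3` is dropped. The flood shows the DoS concern: with the per-source mask the pipe caps each source at 10Kbit/s but the aggregate into the server grows with the number of sources (and so does the per-flow state, bounded only by `buckets`), whereas a single shared pipe caps the total regardless of how many outside hosts send. Real dummynet schedules on the kernel tick, so measured delays are coarser than this model; the model also ignores the `in`-only direction of the rules, which shape only the inbound queries and not the responses.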