Date:      Mon, 19 Oct 2009 14:50:02 GMT
From:      Ian Smith <smithi@nimnet.asn.au>
To:        freebsd-ipfw@FreeBSD.org
Subject:   Re: kern/139581: [ipfw] "ipfw pipe" not limiting bandwidth
Message-ID:  <200910191450.n9JEo2fx057396@freefall.freebsd.org>

The following reply was made to PR kern/139581; it has been noted by GNATS.

From: Ian Smith <smithi@nimnet.asn.au>
To: bug-followup@FreeBSD.org, freebsd@alexus.org
Cc:  
Subject: Re: kern/139581: [ipfw] "ipfw pipe" not limiting bandwidth
Date: Tue, 20 Oct 2009 01:24:17 +1100

 May be a usage issue; I'll have a go.  Partial quoting, out of order.
 
 : I'm trying to limit my apache that runs under daemon to up to 2Mbit/s
 : when I do "ipfw pipe show" I don't see anything in my slots other than
 : very first entry that never change, nor does it limit my traffic, as
 : if I look at my MRTG I see way more traffic than 2Mbit/s
 
 Unless you specify masks on your pipes you'll only ever see the first
 connection that used that pipe, that's normal.
 
 MRTG sees all traffic on an interface, and your ipfw stats indicate at
 least 25% more traffic than that due to your webserver, so it's not
 clear how you could tell if your pipe was exceeding 2Mbit/s or not?
 
 Also, it's recommended not to run your inbound and outbound traffic
 through the one pipe, unless simulating half-duplex connections; see
 explanation in ipfw(8), EXAMPLES section under TRAFFIC SHAPING.
 
 : su-3.2# ipfw show
 : 00100 1249368 205115325 allow ip from any to any via lo0
 : 00200 0 0 deny ip from any to 127.0.0.0/8
 : 00300 0 0 deny ip from 127.0.0.0/8 to any
 : 08380 2838075 3586421013 pipe 1 tcp from any 80 to any uid daemon
 : 08380 2097473 136454502 pipe 1 tcp from any to any dst-port 80 uid daemon
 : 65000 5740679 4716157064 allow ip from any to any
 : 65535 0 0 deny ip from any to any
 
 3.586 GiB outbound from the webserver (served data)
 0.136 GiB inbound to the webserver (requests, acks)
 + ---
 3.722 GiB through the pipe.
 but
 4.716 GiB passed from any to any, either way.
 
 So there's about 1 Gig of extra traffic shown here, assuming you have
 net.inet.ip.fw.one_pass=0 and all traffic eventually hits rule 65000
 (and 4.7G extra traffic if net.inet.ip.fw.one_pass=1) but there's not
 enough info to see whether or not it's on the interface MRTG watches?
 
 : su-3.2# ipfw pipe show
 : 00001: 2.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
 : mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
 : BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 : 0 tcp 64.237.55.83/59388 208.80.152.3/80 4936077 3723134341 0 0 30179
 
 Total packets and bytes match the above, indicating that this was done
 just after the ipfw show.  0.6% dropped packets indicates some limiting
 happening, but with a shared in/outbound pipe, not in which direction.
 
 If this is still an issue, please:
 
 . be more precise than "way more traffic" if you have more data?
 . say whether the extra ~25% traffic shown is on the same interface
    as the webserver, ie the interface MRTG monitors, or not?
 . the value of sysctl net.inet.ip.fw.one_pass ?
 
 cheers, Ian
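
The counter arithmetic in the reply above can be reproduced from the quoted output. This is an added example, not part of the original message or the PR; the function names are made up for illustration, and the sample input is the `ipfw show` and `ipfw pipe show` output quoted above.

```shell
#!/bin/sh
# Constructed sample input: the counters quoted in the message above.
IPFW_SHOW='00100 1249368 205115325 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
08380 2838075 3586421013 pipe 1 tcp from any 80 to any uid daemon
08380 2097473 136454502 pipe 1 tcp from any to any dst-port 80 uid daemon
65000 5740679 4716157064 allow ip from any to any
65535 0 0 deny ip from any to any'
PIPE_BUCKET='0 tcp 64.237.55.83/59388 208.80.152.3/80 4936077 3723134341 0 0 30179'

# Sum the byte counters of every rule whose action is "pipe <n>".
# usage: pipe_bytes <pipe-number> < ipfw-show-output
pipe_bytes() {
    awk -v n="$1" '$4 == "pipe" && $5 == n { s += $3 }
                   END { printf "%.0f\n", s }'
}

# Bytes counted by the catch-all rule that never went through the pipe.
# one_pass=0: piped packets re-enter the ruleset and are counted again by
# the catch-all rule, so subtract them. one_pass=1: piped packets never
# reach the catch-all rule, so all of its bytes are unshaped.
# usage: unshaped_bytes <one_pass> <pipe-number> <rule-number> < ipfw-show-output
unshaped_bytes() {
    awk -v op="$1" -v n="$2" -v r="$3" '
        $4 == "pipe" && $5 == n { piped += $3 }
        $1 + 0 == r + 0         { total += $3 }
        END { printf "%.0f\n", (op == 0) ? total - piped : total }'
}

# Percentage of packets dropped, from one bucket line of "ipfw pipe show".
# Fields: BKT Prot Src Dst Tot_pkt Tot_bytes Pkt Byte Drp
drop_pct() {
    awk 'NF == 9 && $5 > 0 { printf "%.2f\n", 100 * $9 / $5 }'
}

echo "bytes through pipe 1:   $(printf '%s\n' "$IPFW_SHOW" | pipe_bytes 1)"
echo "unshaped, one_pass=0:   $(printf '%s\n' "$IPFW_SHOW" | unshaped_bytes 0 1 65000)"
echo "unshaped, one_pass=1:   $(printf '%s\n' "$IPFW_SHOW" | unshaped_bytes 1 1 65000)"
echo "pipe 1 drop percentage: $(printf '%s\n' "$PIPE_BUCKET" | drop_pct)"
```

On a live system the same functions can be fed `ipfw show` directly, with the first argument of `unshaped_bytes` taken from `sysctl -n net.inet.ip.fw.one_pass`.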
 


