Date:      Sat, 16 Aug 2003 02:58:12 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        Peter Losher <Peter_Losher@isc.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: piping killing performance on 5.1-REL-p2
Message-ID:  <20030816025812.A31188@xorpc.icir.org>
In-Reply-To: <200308160116.22010.Peter_Losher@isc.org>; from Peter_Losher@isc.org on Sat, Aug 16, 2003 at 01:16:21AM -0700
References:  <200308160116.22010.Peter_Losher@isc.org>

Well... I don't understand what you think is wrong here.

A 64-byte (512 bits) packet in a 10Kbit/s pipe will take roughly 50ms
to go through, and this is exactly what you are reporting.

I suspect your 4.x configuration was not passing the packets
through the pipe and/or had the bandwidth configured differently.

[As an aside, by using "mask src-ip 0xffffffff" you are basically
making yourself a wonderful candidate for DoS attacks as
any IP will create a new pipe. I'd rather have one pipe (or a small
number of pipes) for outsiders and if someone is saturating them
you'll still be able to provide service inside.]

	cheers
	luigi


On Sat, Aug 16, 2003 at 01:16:21AM -0700, Peter Losher wrote:
> Hi - 
> 
> On several of our servers that provide name service to the local network, 
> we normally have pipes in our ipfw/ipfw2 rules as such:
> 
> add     pipe 1          udp     from any to any 53 in
> pipe 1  config  mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
> add     pipe 2          tcp     from any to any 53 in
> pipe 2  config  mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3
> 
> to make sure outsiders don't slam us too hard, etc... This setup has worked 
> fine for us in the past under 4.x, but we have now turned up our first 
> 5.1-REL box (5.1-REL-p2 to be exact) and while the pipes work, they are 
> killing the response times.  dig queries that normally take a couple of 
> milliseconds from another host on the same subnet now take 40-50 
> milliseconds.  Remove the rules, and the response time goes back 
> down to a couple of milliseconds.   Note that this same configuration on a 
> 4.x system shows very little degradation with the pipes on-line.
> 
> Has the syntax changed between ipfw and ipfw2, and have others experienced 
> this "slowness" issue.  (I looked in the archives beforehand)
> 
> Best Wishes - Peter
> -- 
> Peter_Losher@isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"
> 
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
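
An added illustration (not part of the original thread and not dummynet's code) of the two points in the reply above: the delay a 64-byte packet sees in a 10Kbit/s pipe, and how the `mask src-ip` value decides how many pipe instances distinct source addresses create. The simplified FIFO model, the function names and the sample addresses are assumptions constructed for this example.

```python
import ipaddress

def serialization_ms(size_bytes, bw_bps):
    """Time to clock one packet out of a pipe of the given bandwidth."""
    return size_bytes * 8 / bw_bps * 1000.0

class Pipe:
    """Simplified FIFO pipe (an assumption, not dummynet's scheduler):
    fixed bandwidth, at most `slots` packets held at once."""
    def __init__(self, bw_bps, slots):
        self.bw_bps, self.slots, self.departures = bw_bps, slots, []

    def offer(self, now_ms, size_bytes):
        """Return the packet's delay in ms, or None if the queue is full."""
        self.departures = [d for d in self.departures if d > now_ms]
        if len(self.departures) >= self.slots:
            return None
        start = self.departures[-1] if self.departures else now_ms
        done = start + serialization_ms(size_bytes, self.bw_bps)
        self.departures.append(done)
        return done - now_ms

def simulate(packets, mask, bw_bps=10_000, slots=3):
    """packets: iterable of (time_ms, src_ip, size_bytes).
    One Pipe is instantiated per distinct (src_ip & mask)."""
    pipes, delays, drops = {}, [], 0
    for now_ms, src, size in packets:
        key = int(ipaddress.IPv4Address(src)) & mask
        pipe = pipes.setdefault(key, Pipe(bw_bps, slots))
        delay = pipe.offer(now_ms, size)
        if delay is None:
            drops += 1
        else:
            delays.append(delay)
    return {"pipes": len(pipes), "drops": drops, "delays_ms": delays}

# Constructed input: 2000 distinct source addresses spread over the IPv4
# space, one 64-byte query each, arriving one per millisecond.
SAMPLE = [(t, str(ipaddress.IPv4Address((t + 1) * 2654435761 % 2**32)), 64)
          for t in range(2000)]

if __name__ == "__main__":
    for label, mask in (("mask 0xffffffff", 0xFFFFFFFF),
                        ("mask 0xc0000000", 0xC0000000),
                        ("no mask", 0x00000000)):
        r = simulate(SAMPLE, mask)
        print(f"{label}: {r['pipes']} pipes, {r['drops']} drops")
```

With the full mask every source gets its own pipe and a 51.2 ms delay with no drops, at the cost of one pipe instance per address seen; with a narrow or absent mask the state is bounded and excess traffic is dropped within the shared pipes.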

