Date:      Mon, 29 Jul 2019 22:18:03 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
Cc:        "mike tancsa" <mike@sentex.net>, freebsd-pf@freebsd.org
Subject:   Re: pf and dummynet
Message-ID:  <BFF5DCAB-FE60-409C-B50F-39D15668F33F@FreeBSD.org>
In-Reply-To: <201907292015.x6TKFoYH045849@gndrsh.dnsmgr.net>
References:  <201907292015.x6TKFoYH045849@gndrsh.dnsmgr.net>

On 29 Jul 2019, at 22:15, Rodney W. Grimes wrote:
>> On 29 Jul 2019, at 20:22, mike tancsa wrote:
>>> On 7/29/2019 1:51 PM, Kristof Provost wrote:
>> In general I’d expect quality of service and bandwidth limits to only
>> be effective in the upstream direction (when going from a fast link to a
>> slow one). There’s no good way to limit how much traffic other
>> machines send to you.
>
> Though dummynet is most effective on the outbound
> stream (absolute control) it can be used to good effect
> on an incoming stream due to the end-to-end paradigm of
> the internet and the fact that congestion must be dealt
> with.
>
> If dummynet holds packets and parcels them into a box at
> a lower rate for things like TCP you'll end up reducing
> the congestion window and hence the sender's rate.  Or you
> can get into the ACK clock situation where the sender simply
> does not send any more data until it gets an ack back as
> it already has filled the congestion window.
>
> I have been using dummynet for decades in this way,
> and it more or less "just works."
>
True, with the caveat that that’s only for TCP of course.

Regards,
Kristof
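
Added example (not part of the thread and not dummynet code): a toy simulation of the point discussed above, assuming a fixed-rate pipe with a bounded queue, instant ACKs and a simplified AIMD window; all names and parameter values are constructed for illustration. It shows a window-limited, ACK-clocked sender settling at the pipe rate, while an unresponsive (UDP-style) sender keeps offering its full rate and the excess is only dropped at the receiving shaper.

```python
from collections import deque

def simulate(responsive, pipe_rate=5, queue_slots=20, offered=50, ticks=400):
    """Return (sent, delivered) in packets/tick, averaged over the second half of the run."""
    queue = deque()      # packets held by the shaper (stands in for the pipe's queue)
    cwnd = 1.0           # congestion window of the TCP-like sender, in packets
    in_flight = 0        # packets sent but not yet ACKed
    sent_log, delivered_log = [], []
    for _ in range(ticks):
        # A responsive sender may only fill its window; an unresponsive one just sends.
        if responsive:
            burst = max(0, min(offered, int(cwnd) - in_flight))
        else:
            burst = offered
        dropped = 0
        for _ in range(burst):
            if len(queue) < queue_slots:
                queue.append(1)
            else:
                dropped += 1          # shaper queue full: packet is lost
        # The shaper hands out at most pipe_rate packets per tick; each one is ACKed.
        released = min(pipe_rate, len(queue))
        for _ in range(released):
            queue.popleft()
        if responsive:
            in_flight += burst - dropped - released
            if dropped:
                cwnd = max(1.0, cwnd / 2)   # multiplicative decrease on loss
            if released:
                cwnd += released / cwnd     # additive increase, driven by ACKs
        sent_log.append(burst)
        delivered_log.append(released)
    half = ticks // 2
    avg = lambda xs: sum(xs[half:]) / (ticks - half)
    return avg(sent_log), avg(delivered_log)

def compare():
    """Run both sender types against the same constructed 5 packets/tick pipe."""
    return {"tcp_like": simulate(True), "unresponsive": simulate(False)}

if __name__ == "__main__":
    for kind, (sent, delivered) in compare().items():
        print(f"{kind:13s} sent {sent:5.2f} pkt/tick, delivered {delivered:5.2f} pkt/tick")
```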
Date:      Tue, 30 Jul 2019 02:39:34 +0300
From:      Nikos Vassiliadis <nvass@gmx.com>
To:        mike tancsa <mike@sentex.net>, freebsd-pf@freebsd.org
Subject:   Re: pf and dummynet
Message-ID:  <ab6c5fea-ca1f-b70c-d448-50865ac35be4@gmx.com>
References:  <d68129cd-40a4-e065-32c3-3f574eca537e@sentex.net>

Hi,

On 2019-07-29 19:06, mike tancsa wrote:
> I have a box I need to shape inbound and outbound traffic. It seems altq
> can only shape outbound packets and not limit inbound? If that's the
> case, what is the current state of mixing ipfw, dummynet and pf ?
> Writing large complex firewall rules works better from a readability POV
> (for us anyways) so I really prefer to use it. But I need to prevent zfs
> replication eating up BW over some WAN links, and dummynet seems to
> "just work"


Maybe you could use pipe viewer (pv in ports or packages) on the
ZFS host to limit the bandwidth in userspace.

Nikos


