piping killing performance on 5.1-REL-p2
Peter Losher
Peter_Losher at isc.org
Sat Aug 16 01:16:27 PDT 2003
Hi -
On several of our servers that provide name service to the local network,
we normally have pipes in our ipfw/ipfw2 rules as such:

    add pipe 1 udp from any to any 53 in
    pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
    add pipe 2 tcp from any to any 53 in
    pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3

to make sure outsiders don't slam us too hard, etc... This setup has worked
fine for us in the past under 4.x, but we have now turned up our first
5.1-REL box (5.1-REL-p2 to be exact) and while the pipes work, they are
killing the response times. dig queries that normally take a couple of
milliseconds from another host on the same subnet now take 40-50
milliseconds. Remove the rules, and the response time goes back
down to a couple of milliseconds. Note that this same configuration on a
4.x system shows very little degradation with the pipes on-line.
Has the syntax changed between ipfw and ipfw2, and have others experienced
this "slowness" issue? (I looked in the archives beforehand.)
Best Wishes - Peter
--
Peter_Losher at isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"