ipfw (dummynet) adds delay, but not configured to do so

Sebastian Mellmann sebastian.mellmann at net.t-labs.tu-berlin.de
Wed Mar 4 23:21:50 PST 2009 

>  > When I do a simple ping from one machine to another (actually the
>  > FreeBSD machine is between those machines), I can see a delay of ~2ms.
>  > Without any rules/pipes I've got under 1ms delay.
>
> Presumably each of the other machines are on a separate interface?
> Configured as a bridge or a router?

Yes separate interfaces.
The machine is configured as a router (as far as I know, I didn't set it up.)

>  > The question is:
>  > Why do I have such a "high" delay though I didn't configure any "delay"
>  > in my pipe?
>  > Where does this additional millisecond come from (processing delay for
>  > the packet in the pipe?)?
>
> Covered; kern.hz=1000 should give you more like .2ms with this setup.

See my previous mail to the list (syntax of kern.hz).

>  > If I configure another rule (or like 10 more rules) that matches the
>  > packet, I can see the delay increasing.
>  > For example a delay of ~20ms, when I configure 10 pipes.
>  > Am I doing something wrong?
>
> Configuring more pipes shouldn't make any difference unless packets are
> made to traverse each of the pipes in turn.  That would imply having set
> net.inet.ip.fw.one_pass=0 (or having run 'ipfw disable one_pass') so
> that each packet is reinjected into the firewall at the following rule,
> after traversing each pipe; is that what you're doing?

Yes, I've set net.inet.ip.fw.one_pass=0 so packets are reinjected into the
firewall after passing a pipe.

> Also, without using a separate pipe for either traffic direction, you're
> using 'half-duplex' mode, as well described in ipfw(8) TRAFFIC SHAPING.
>
>  > Thanks in advance for any help and please tell me if you need
> additional
>  > informations (e.g. kernel configuration).
>
> Output of 'sysctl net.inet.ip.fw.one_pass' and 'ipfw show' with your
> example of using multiple pipes?

[root@ ~/ipfw]# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

[root@ ~/ipfw]# ipfw show
00010        0          0 allow ip from any to any via lo0
10000      122      11832 allow ip from any to any via em2
10100        0          0 pipe 100 ip from 192.168.5.0/26 to
192.168.7.0/24 in via em0
10200        0          0 pipe 200 ip from 192.168.7.0/24 to
192.168.5.0/26 out via em0
10300      342      28728 pipe 500 ip from any to any via em0
10400      359      36512 pipe 510 ip from any to any via em1
10500        0          0 pipe 300 udp from 80.80.80.1 to 60.60.60.1
src-port 4000 dst-port 4000 via em1
10600        0          0 pipe 305 udp from 60.60.60.1 to 80.80.80.1
src-port 4000 dst-port 4000 via em0
10700        0          0 pipe 310 udp from 80.80.80.1 to 60.60.60.1
src-port 4001 dst-port 4001 via em1
10800        0          0 pipe 315 udp from 60.60.60.1 to 80.80.80.1
src-port 4001 dst-port 4001 via em0
65535 14144748 9784372451 allow ip from any to any


> cheers, Ian

Regards,
Sebastian

More information about the freebsd-ipfw mailing list