ipfw + dummynet performance

bsdlist at mail.bg bsdlist at mail.bg
Sat Dec 1 15:32:16 PST 2007



> Sten Daniel Soersdal wrote:
> > bsdlist at mail.bg wrote:
> >>
> >>  My question is about performance of ipfw and dummynet with
> >> these rules
> >>
> >>  pipe 101 ip from table(1) to any via em1
> >>  pipe 100 ip from any to table(1) xmit em1
> >>  pipe 200 ip from table(2) to any via em1
> >>  pipe 202 ip from any to table(2) xmit em1
> >>  pipe 301 ip from table(3) to any via em1
> >>  pipe 300 ip from any to table(3) xmit em1
> >>  pipe 401 ip from table(4) to any via em1
> >>  pipe 400 ip from any to table(4) xmit em1
> >>
> >>  ..
> >>  pipe 202 config bw 512K mask dst-ip 0xffffffff
> >>  pipe 200 config bw 256K mask src-ip 0xffffffff
> >>  These rules are the same for the 4 tables but with different
> >> speed:
> >>
> >
> > 'via' makes you match both 'recv' and 'xmit' packets. Perhaps this
> > clears things up?
> > If you want to make this faster you could halve the number of rules you
> > need to process, but it's not easy to see from what you posted.
> > Example;
> >
> >
> > skipto 1000 xmit em1
> > skipto 2000 recv em1
> >
> > 1000 pipe 100 dst-ip table(1)
> > 1001 pipe 202 dst-ip table(2)     <-- also note the pipe number??
> > 1002 pipe 300 dst-ip table(3)
> > 1003 pipe 400 dst-ip table(4)
> > 1999 accept
> >
> > 2000 pipe 101 src-ip table(1)
> > 2001 pipe 200 src-ip table(2)     <-- also note the pipe number??
> > 2002 pipe 301 src-ip table(3)
> > 2003 pipe 401 src-ip table(4)
> > 2999 accept
> >
> > Also, are you sure you want to swap 202 and 200 in your system? Perhaps
> > this adds to the problem?
> >
> >
>
> That should be;
>
> skipto 1000 out xmit em1
> skipto 2000 in recv em1
>
> To be sure :)
>
> Also you could change the 1999 and 2999 rules to be 'deny' rules to rule
> out spoofing (not in table = deny) depending upon other configuration
> options.
>
> --
> Sten Daniel Soersdal
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to
> "freebsd-isp-unsubscribe at freebsd.org"
>
>

I will try these options, and think that they are better
than the current ones I use, 10x :)

I read something about dynamic rules in ipfw pipe, and made
some changes:
cat /boot/loader.conf

kern.ipc.nmbclusters="262144"
vm.kmem_size="536870912"
vm.kmem_size_max="536870912"

but I can't spend more than 640 Mb of kernel memory with 2G
of physical memory on the system

cat /etc/sysctl.conf
kern.polling.enable=1
net.inet.ip.fw.one_pass=1
#net.inet.ip.fastforwarding=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.inflight.enable=0
net.inet.tcp.recvspace=131072
net.inet.tcp.sendspace=131072
net.inet.ip.dummynet.max_chain_len=32
net.inet.ip.dummynet.hash_size=1024
net.inet.icmp.drop_redirect=1
net.inet.ip.redirect=0
net.inet.ip.portrange.first=5000










More information about the freebsd-isp mailing list
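
An added example, not written by anyone in this thread: a small Python model of first-match rule evaluation that counts how many rules the original layout and the 'skipto' layout examine per packet, and shows what ending each branch with 'deny' does to a source that is in no table. It assumes every packet crosses em1, net.inet.ip.fw.one_pass=1, and tables holding constructed sample addresses; it is a simplification, not ipfw itself.

```python
# Simplified first-match model of the two rule layouts in this thread (added example).
# Assumptions: every packet crosses em1, net.inet.ip.fw.one_pass=1 (a pipe match ends
# evaluation), and each table holds one constructed sample address.
TABLES = {1: {"10.0.1.5"}, 2: {"10.0.2.5"}, 3: {"10.0.3.5"}, 4: {"10.0.4.5"}}
# table -> (pipe for "from table", pipe for "to table"), numbered as in the post
PIPES = {1: (101, 100), 2: (200, 202), 3: (301, 300), 4: (401, 400)}

# A rule is (number, direction or None, address field, table, action).
def flat_rules():
    rules = []
    for t, (src_pipe, dst_pipe) in PIPES.items():
        n = len(rules) * 100 + 100   # ipfw's default auto-numbering step of 100
        rules.append((n, None, "src", t, f"pipe {src_pipe}"))          # via em1: in and out
        rules.append((n + 100, "out", "dst", t, f"pipe {dst_pipe}"))   # xmit em1: out only
    return rules

def skipto_rules(last="accept"):
    rules = [(10, "out", None, None, "skipto 1000"),   # skipto 1000 out xmit em1
             (20, "in", None, None, "skipto 2000")]    # skipto 2000 in recv em1
    rules += [(1000 + i, None, "dst", t, f"pipe {PIPES[t][1]}") for i, t in enumerate(PIPES)]
    rules.append((1999, None, None, None, last))
    rules += [(2000 + i, None, "src", t, f"pipe {PIPES[t][0]}") for i, t in enumerate(PIPES)]
    rules.append((2999, None, None, None, last))
    return rules

def evaluate(rules, pkt):
    """Return (verdict, number of rules examined) for one packet."""
    examined, i = 0, 0
    while i < len(rules):
        _, direction, field, table, action = rules[i]
        examined += 1
        if direction not in (None, pkt["dir"]) or (table and pkt[field] not in TABLES[table]):
            i += 1                                   # no match: next rule
        elif action.startswith("skipto"):
            target = int(action.split()[1])
            i = next(k for k, r in enumerate(rules) if r[0] >= target)
        else:
            return action, examined                  # pipe/accept/deny ends the walk
    return "default rule", examined

if __name__ == "__main__":
    samples = {  # constructed packets
        "download to table 4": {"dir": "out", "src": "198.51.100.7", "dst": "10.0.4.5"},
        "upload from table 2": {"dir": "in", "src": "10.0.2.5", "dst": "198.51.100.7"},
        "client to client":    {"dir": "out", "src": "10.0.1.5", "dst": "10.0.4.5"},
        "unlisted source":     {"dir": "in", "src": "192.0.2.9", "dst": "198.51.100.7"},
    }
    for name, pkt in samples.items():
        print(name, evaluate(flat_rules(), pkt), evaluate(skipto_rules("deny"), pkt))
```

The "client to client" sample is the case the 'via' remark in the thread refers to: in the original layout an outgoing packet whose source is in table(1) is caught by the 'via em1' rule before any 'xmit em1' rule is reached.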