ipfw and ipsec processing order for outgoing packets wrong
Vincent Poy
vincepoy at gmail.com
Mon Nov 1 05:12:26 PST 2004
On Mon, 1 Nov 2004 13:09:00 +0100, Joost Bekkers <joost at jodocus.org> wrote:
> On Mon, Nov 01, 2004 at 02:16:42AM -0800, Vincent Poy wrote:
>
>
> > 63004 667879 129410867 queue 1 tcp from any to any tcpflags ack out
> > 63005 1 40 queue 2 tcp from any to any dst-port 22,23 out
> > 63006 38782 3364689 queue 2 udp from any to any not
> > dst-port 80,443 out
> > 63007 43021 2194871 queue 3 ip from any to any dst-port 80,443 out
> > 63008 5467 405319 queue 4 ip from any to any out
> >
> > The counters for queue 1 keeps increasing when I do a ftp out even for
> > non-ACK packets but the other counters for queue 2-4 doesn't move at
> > all so it seems like everything is going out one queue instead of what
> > the rules actually say. I have one pipe configured as 480Kbit/sec
> > which is what rules 63005-63008 does.
> >
>
> How do you define 'non-ack' packets in yopur mind? Your ipfw rule
> seems to define it as 'having the ack flag set' which is for all
> intents and purpouses every tcp packet. Only the very first SYN
> packet doesn't have the ack flag set.
>
> --
> greetz Joost
> joost at jodocus.org
Well, how else would one prioritze outgoing acks? That was the way
everyone has it done. What I want to do is have ACKs have priority
going out as with ADSL, the outgoing pipe is always smaller than the
incoming pipe and when you upload and download at the same time,
unless the ACKs go out first, the downloads will be really slow.
Cheers,
Vince
More information about the freebsd-net
mailing list