dummynet dropping too many packets

Oleg Bulyzhin oleg at FreeBSD.org
Mon Oct 19 11:09:36 UTC 2009 

On Fri, Oct 09, 2009 at 07:35:01PM +0500, rihad wrote:
> Oleg Bulyzhin wrote:
> > On Wed, Oct 07, 2009 at 03:52:56PM +0500, rihad wrote:
> > 
> >> You probably have some special sources of documentation ;-) According to 
> >> man ipfw, both "netgraph/ngtee" and "pipe" decide the fate of the packet 
> >> unless one_pass=0. Or do you mean sprinkling smart skiptos here and 
> >> there? ;-)
> > 
> > you can
> > 1) use ng_ether & ng_netflow. (so no need in 'ngtee' rule).
> > 2) use 'tee' rule with ng_ksocket & ng_netflow
> > 
> >>> Could you show your 'ipfw show' output? (hide ip addresses if you wish but
> >>> keep counters please).
> >>>
> > 
> >> Here it is, in its whole glory:
> >>
> >> 00100   10434423   1484891105 allow ip from any to any via lo0
> >> 00200          2           14 deny ip from any to 127.0.0.0/8
> >> 00300          1            4 deny ip from 127.0.0.0/8 to any
> >> 01000 3300039938 327603104711 allow ip from any to any in
> >> 01010   26214900    421138433 allow ip from me to any out
> >> 01020    5453857     46806278 allow icmp from any to any out
> >> 01030 3268289053 327224694165 ngtee 1 ip from any to any out
> >> 01040   18681181   1089636054 skipto 1100 ip from table(127) to any out 
> >> recv bce0 xmit bce1
> >> 01060  777488848  76743392754 pipe tablearg ip from any to table(0) out 
> >> recv bce0 xmit bce1
> >> 01070  776831109  76682499457 allow ip from any to table(0) out recv 
> >> bce0 xmit bce1
> >> 01100   13102697    808411842 pipe tablearg ip from any to table(2) out
> >> 65535  662648946  66711487830 allow ip from any to any
> > 
> > I guess this one would be better(faster):
> > 
> > 00050 allow ip from any to any in
> > 00100 allow ip from any to any via lo0
> > 01010 allow ip from me to any
> > 01020 allow icmp from any to any
> > 01030 ngtee 1 ip from any to any
> > 01035 skipto 1040 ip from any to any recv bce0 xmit bce1
> > 01036 allow ip from any to any
> > 01040 skipto 1100 ip from table(127) to any
> > 01060 pipe tablearg ip from any to table(0)
> > 01070 allow ip from any to any
> > 01100 pipe tablearg ip from any to table(2)
> > 65535 allow ip from any to any
> > 
> Tried it just now - no visible effect.
> 400-700 packet drops per second which is around 5-7 mbps dropped on 
> output. So I don't think getting rid of one_pass=0 would help at all.

One more idea to check:

What happens if you rearrange your rules to shape 'in' packets?
i.e. use 'in recv bce0' instead of 'out recv bce0 xmit bce1'.

-- 
Oleg.

================================================================
=== Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg at rinet.ru ===
================================================================

More information about the freebsd-net mailing list