IPFW DUMMYNET: Several pipes after each other

KES kes-kes at yandex.ru
Tue Jan 27 11:09:55 PST 2009


Hello, Sebastian.

You wrote on January 26, 2009, 12:16:18:

SM> Ian Smith wrote:
SM> On Thu, 22 Jan 2009 08:10:09 +0100 (CET)
>>  >
>>  > So far I've got those rules:
>>  >
>>  > in_if="em0"
>>  > out_if="em1"
>>  > management_if="em2"
>>  > in_ip="100.100.100.1"
>>  > out_ip="200.200.200.1"
>>  > management_ip="172.16.0.201"
>>  > client1_subnet="192.168.5.0/26"
>>  > client2_subnet="192.168.6.0/26"
>>  > server_subnet="192.168.7.0/24"
>>  >
>>  > download_bandwidth="6144Kbit/s"
>>  > upload_bandwidth="1024Kbit/s"
>>  > delay="0"
>>  > queue_size="10"
>>
>> 10 slots ie packets is likely too small a queue size at these rates.
>> You want to check the dropped packet stats from 'ipfw pipe show' re
>> that; see the section in ipfw(8) about calculating sizes / delays.
>>

SM> I had a look at the ipfw howto on the freebsd site [1], but I'm not 100%
SM> sure how to choose a "good" value for the queue size.

SM> If I choose the default (50 packets) it means that it takes approx. 100ms
SM> (600kbits / 6144kbits) to fill the queue.
SM> So the question is: Which value to choose for the queue?

>> I suggest using 'in recv' and 'out xmit' rather than via for these, for
>> the sake of clarity.  'in recv' and 'in via' come to the same thing, as
>> only the receive interface is known on inbound packets, but 'out via'
>> applies to packets that were *received* on the specified interface as
>> well as those going out on that interface after routing, which can lead
>> to surprising results sometimes, and being more specific never hurts ..

SM> Thanks for the hint.
SM> I'll change that.

>>  > But when I have a look at the pipes with 'ipfw show' I can only see
>>  > packets go through the pipe 50 and nothing goes through the other pipes
>>  > (which makes sense actually since IPFW work that way?).
>>
>> IPFW works that way if you (likely) have net.inet.ip.fw.one_pass=1 .. so
>> that packets exiting from pipes aren't seen by the firewall again.  If
>> you set one_pass=0, packets are reinjected into the firewall at the rule
>> following the pipe (or queue) action, which is what you want to do here.

SM> Actually this is also described in the manpage of ipfw(8).
SM> Shame on me ;-)

>> And you'll surely need a much larger queue for this pipe, at 100Mbit/s.
>>

SM> As already asked above:

SM> How do I know the queue is large or small enough for my needs?

How to calculate queue length for your link speed:
Suppose the link speed is 64kbit/s = 8KB/s
50 pkts in queue is 75000 bytes (50*1500) ~73KB
73KB/8KB = 9sec

So for bandwidth 64kbit you will have a timeout of 9000ms if the queue is full.
For example, you want to have only 1000ms timeouts (ping):
1 * 8KB = 8KB. This is the max information transmitted before the queue will
overflow for the given timeout.
8Kb/1500= 5 -- value for your queue size

For links with speed > 512Kbit, your queue size is 50.
I use the following values for queues:

c pipe 1 config bw 65536bit/s queue 5 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 2 config bw 65536bit/s queue 5 mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 1 config pipe 1 queue 5 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 2 config pipe 2 queue 5 mask dst-ip 0xffffffff gred 0.002/10/30/0.1


c pipe 3 config bw 131072bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 4 config bw 131072bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 3 config pipe 3 queue 10 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 4 config pipe 4 queue 10 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 5 config bw 262144bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 6 config bw 262144bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 5 config pipe 5 queue 20 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 6 config pipe 6 queue 20 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 7 config bw 524288bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 8 config bw 524288bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 7 config pipe 7 queue 40 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 8 config pipe 8 queue 40 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 9 config bw 1048576bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 10 config bw 1048576bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 9 config pipe 9 queue 50 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 10 config pipe 10 queue 50 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

c pipe 11 config bw 2097152bit/s mask src-ip 0xffffffff gred 0.002/10/30/0.1
c pipe 12 config bw 2097152bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 11 config pipe 11 queue 50 mask src-ip 0xffffffff gred 0.002/10/30/0.1
c queue 12 config pipe 12 queue 50 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

WARNING!!! You must use their own queue/pipe for in/out traffic. If you put in
and out traffic into one pipe/queue you will simulate an asynchronous
link!!!
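
The sizing arithmetic from the message above, as an added example (not part of the original post): it derives the slot count from the pipe bandwidth and the worst-case queueing delay you accept, and prints one pipe per direction as the warning requires. The function names, the 1-slot floor and spelling the command as `ipfw` are assumptions; integer division gives 21 and 43 slots where the post rounds to 20 and 40.

```shell
#!/bin/sh
# Added example: dummynet queue sizing, following the arithmetic in the post.
MTU=1500       # bytes per slot, as in the post (50 * 1500)
MAX_SLOTS=50   # the post keeps 50 slots for links faster than 512 Kbit/s
MIN_SLOTS=1    # assumption: a queue needs at least one slot

# queue_slots BW_BIT_PER_SEC MAX_DELAY_MS
# Slots that a full queue can drain within MAX_DELAY_MS at the given rate.
queue_slots() {
    bytes=$(( $1 / 8 * $2 / 1000 ))      # bytes sent during the delay budget
    slots=$(( bytes / MTU ))
    if [ "$slots" -lt "$MIN_SLOTS" ]; then slots=$MIN_SLOTS; fi
    if [ "$slots" -gt "$MAX_SLOTS" ]; then slots=$MAX_SLOTS; fi
    echo "$slots"
}

# queue_delay_ms BW_BIT_PER_SEC SLOTS
# Worst-case delay (ms) a packet sees behind a full queue of SLOTS packets.
queue_delay_ms() {
    echo $(( $2 * MTU * 8 * 1000 / $1 ))
}

# pipe_pair FIRST_ID BW_BIT_PER_SEC MAX_DELAY_MS
# Prints two pipe definitions, one per direction, never a shared one.
pipe_pair() {
    slots=$(queue_slots "$2" "$3")
    echo "ipfw pipe $1 config bw ${2}bit/s queue $slots mask src-ip 0xffffffff"
    echo "ipfw pipe $(( $1 + 1 )) config bw ${2}bit/s queue $slots mask dst-ip 0xffffffff"
}

# Bandwidths taken from the post, with a 1000 ms delay budget.
id=1
for bw in 65536 131072 262144 524288 1048576 2097152; do
    pipe_pair "$id" "$bw" 1000
    echo "# full default queue (50 slots) at ${bw}bit/s: $(queue_delay_ms "$bw" 50) ms"
    id=$(( id + 2 ))
done
```

The commands are only printed, so the output can be reviewed before any of it is applied to a firewall.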




