ipfw (dummynet) adds delay, but not configured to do so
Ian Smith
smithi at nimnet.asn.au
Wed Mar 4 18:40:40 PST 2009
On Wed, 4 Mar 2009, Sebastian Mellmann wrote:
> I've got an IPFW ruleset that looks like this:
>
> cmd=ipfw
> bottleneck_bandwidth=100Mbit/s
> in_if="em0"
>
> $cmd pipe 500 config bw $bottleneck_bandwidth
> $cmd add pipe 500 all from any to any via $in_if
>
> When I do a simple ping from one machine to another (actually the
> FreeBSD machine is between those machines), I can see a delay of ~2ms.
> Without any rules/pipes I've got under 1ms delay.
Presumably each of the other machines is on a separate interface?
Configured as a bridge or a router?
> The question is:
> Why do I have such a "high" delay though I didn't configure any "delay"
> in my pipe?
> Where does this additional millisecond come from (processing delay for
> the packet in the pipe?)?
Covered; kern.hz=1000 should give you more like .2ms with this setup.
> If I configure another rule (or like 10 more rules) that matches the
> packet, I can see the delay increasing.
> For example a delay of ~20ms, when I configure 10 pipes.
> Am I doing something wrong?
Configuring more pipes shouldn't make any difference unless packets are
made to traverse each of the pipes in turn. That would imply having set
net.inet.ip.fw.one_pass=0 (or having run 'ipfw disable one_pass') so
that each packet is reinjected into the firewall at the following rule,
after traversing each pipe; is that what you're doing?
Also, without using a separate pipe for either traffic direction, you're
using 'half-duplex' mode, as well described in ipfw(8) TRAFFIC SHAPING.
> Thanks in advance for any help and please tell me if you need additional
> information (e.g. kernel configuration).
Output of 'sysctl net.inet.ip.fw.one_pass' and 'ipfw show' with your
example of using multiple pipes?
cheers, Ian
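
An added example, not part of the original thread: a dry-run check of the two points raised above, namely how many pipes one packet passes through for a given net.inet.ip.fw.one_pass value, and a ruleset with one pipe per direction. The rule listing is constructed sample text shaped like 'ipfw show' output, pipe 501 is an assumed number, and the count assumes every listed rule matches the packet (as the poster's catch-all rules do). Nothing is executed against the firewall; the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the thread. Runs offline: it parses text shaped
# like 'ipfw show' output and prints ipfw commands instead of running them.

# Constructed sample: ten catch-all pipe rules like the poster's, followed
# by a final allow rule. Columns: rule number, packets, bytes, action...
sample_rules() {
    n=1
    while [ "$n" -le 10 ]; do
        printf '%05d 120 10080 pipe %d ip from any to any via em0\n' \
            $((n * 100)) $((499 + n))
        n=$((n + 1))
    done
    echo '65535 0 0 allow ip from any to any'
}

# Count the pipes one packet passes through. $1 is the one_pass value
# (0 or 1); 'ipfw show' text is read from stdin.
# Assumption: every listed rule matches the packet.
pipes_traversed() {
    awk -v one_pass="$1" '
        stop { next }
        # one_pass=1: the packet leaves the firewall after its first pipe.
        # one_pass=0: it is reinjected at the following rule.
        $4 == "pipe" { count++; if (one_pass == 1) stop = 1; next }
        # A matching allow/deny ends rule processing.
        $4 == "allow" || $4 == "deny" { stop = 1 }
        END { print count + 0 }'
}

# Print a ruleset with a separate pipe per direction, so inbound and
# outbound traffic do not share one queue (the half-duplex case in ipfw(8)).
# $1 = interface, $2 = bandwidth. Pipe 501 is an assumed, unused number.
full_duplex_rules() {
    in_if="$1"; bw="$2"
    echo "ipfw pipe 500 config bw $bw"
    echo "ipfw pipe 501 config bw $bw"
    echo "ipfw add pipe 500 ip from any to any in via $in_if"
    echo "ipfw add pipe 501 ip from any to any out via $in_if"
}

echo "one_pass=1: $(sample_rules | pipes_traversed 1) pipe(s) per packet"
echo "one_pass=0: $(sample_rules | pipes_traversed 0) pipe(s) per packet"
full_duplex_rules em0 100Mbit/s
```

On a live system, feed the real listing in with `ipfw show | pipes_traversed "$(sysctl -n net.inet.ip.fw.one_pass)"`.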