ipfw + dummynet performance

Sten Daniel Soersdal netslists at gmail.com
Mon Nov 26 23:16:49 PST 2007


Sten Daniel Soersdal wrote:
> bsdlist at mail.bg wrote:
>>
>>  My question is about performance of ipfw and dummynet with
>> these rules
>>
>>  pipe 101 ip from table(1) to any via em1
>>  pipe 100 ip from any to table(1) xmit em1
>>  pipe 200 ip from table(2) to any via em1
>>  pipe 202 ip from any to table(2) xmit em1
>>  pipe 301 ip from table(3) to any via em1
>>  pipe 300 ip from any to table(3) xmit em1
>>  pipe 401 ip from table(4) to any via em1
>>  pipe 400 ip from any to table(4) xmit em1
>>
>>  ..
>>  pipe 202 config bw 512K mask dst-ip 0xffffffff
>>  pipe 200 config bw 256K mask src-ip 0xffffffff
>>  these rules are the same for the 4 tables but with different
>> speeds:
>>
> 
> 'via' makes you match both 'recv' and 'xmit' packets. Perhaps this 
> clears things up?
> If you want to make this faster you could halve the number of rules you 
> need to process, but it's not easy to see from what you posted.
> Example:
> 
> 
> skipto 1000 xmit em1
> skipto 2000 recv em1
> 
> 1000 pipe 100 dst-ip table(1)
> 1001 pipe 202 dst-ip table(2)     <-- also note the pipe number??
> 1002 pipe 300 dst-ip table(3)
> 1003 pipe 400 dst-ip table(4)
> 1999 accept
> 
> 2000 pipe 101 src-ip table(1)
> 2001 pipe 200 src-ip table(2)     <-- also note the pipe number??
> 2002 pipe 301 src-ip table(3)
> 2003 pipe 401 src-ip table(4)
> 2999 accept
> 
> Also, are you sure you want to swap 202 and 200 in your system? Perhaps 
> this adds to the problem?
> 
> 

That should be:

skipto 1000 out xmit em1
skipto 2000 in recv em1

To be sure :)

Also you could change the 1999 and 2999 rules to be 'deny' rules to rule 
out spoofing (not in table = deny) depending upon other configuration 
options.

-- 
Sten Daniel Soersdal
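
The layout discussed in this thread, written out in full ipfw syntax as an added example (not part of the original messages). It only prints the commands; rule numbers 100, 110 and 900, the catch-all at 900 and the one_pass setting are assumptions, while the interface, tables, pipe numbers and the two pipe configs are taken from the posts.

```shell
#!/bin/sh
# Added example: prints the ipfw commands for review; it applies nothing.
IF=em1                                     # interface from the thread
# table:pipe-for-src-match:pipe-for-dst-match, numbered as in the original post
CLASSES="1:101:100 2:200:202 3:301:300 4:401:400"
FINAL=${FINAL:-deny}                       # deny = "not in table = deny"; allow = first version

gen_rules() {
    # With one_pass=1 a packet leaving a pipe is not re-checked. With
    # one_pass=0 it continues at the next rule and would reach the final
    # deny, so the deny variant depends on this setting.
    echo "sysctl net.inet.ip.fw.one_pass=1"
    # Only the two pipe configs shown in the post; the rest follow the pattern.
    echo "ipfw pipe 202 config bw 512K mask dst-ip 0xffffffff"
    echo "ipfw pipe 200 config bw 256K mask src-ip 0xffffffff"
    # Classify by direction once, so a packet walks only one block.
    echo "ipfw add 100 skipto 1000 ip from any to any out xmit $IF"
    echo "ipfw add 110 skipto 2000 ip from any to any in recv $IF"
    # Assumption: traffic on other interfaces is filtered elsewhere.
    echo "ipfw add 900 allow ip from any to any"
    n=1000
    for c in $CLASSES; do                  # leaving via em1: match destination
        t=${c%%:*}; dstpipe=${c##*:}
        # table(N) is printed quoted so the shell does not parse the parentheses
        echo "ipfw add $n pipe $dstpipe ip from any to 'table($t)'"
        n=$((n + 1))
    done
    echo "ipfw add 1999 $FINAL ip from any to any"
    n=2000
    for c in $CLASSES; do                  # arriving on em1: match source
        t=${c%%:*}; rest=${c#*:}; srcpipe=${rest%%:*}
        echo "ipfw add $n pipe $srcpipe ip from 'table($t)' to any"
        n=$((n + 1))
    done
    echo "ipfw add 2999 $FINAL ip from any to any"
}

gen_rules
```

Setting FINAL=allow prints the 'accept' variant from the first message instead of the deny variant.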

