Re: [Cake] Ubiquity (Unifi ) Smart Queues
G'day,

Just a small update on the Unifi security gateway stuff.

They have a new range of devices which are a lot more powerful.
( https://store.ui.com/us/en/collections/cloud-gateway-ultra/products/ucg-ultra )

The good news is that the limits set in the GUI now match exactly the "rate" set in the qdisc.

root@UCG-Ultra:~# tc -p -s -d qdisc show dev eth4
qdisc htb 1: root refcnt 5 r2q 10 default 0x2 direct_packets_stat 0 ver 3.17 direct_qlen 1000
 Sent 13112672757 bytes 41407610 pkt (dropped 2863, overlimits 12123381 requeues 0)
 backlog 0b 0p requeues 0
qdisc fq_codel 2: parent 1:2 limit 2000p flows 1024 quantum 300 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
 Sent 13112672757 bytes 41407610 pkt (dropped 2863, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 27888 drop_overlimit 0 new_flow_count 9175282 ecn_mark 0
  new_flows_len 1 old_flows_len 3
qdisc ingress : parent :fff1
 Sent 104038056896 bytes 143646981 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

root@UCG-Ultra:/etc/systemd# tc -d class show dev eth4
class htb 1:1 root rate 35Mbit ceil 35Mbit linklayer ethernet burst 1491b/1 mpu 0b cburst 1491b/1 mpu 0b level 7
class htb 1:2 parent 1:1 leaf 2: prio 7 quantum 1514 rate 64bit ceil 35Mbit linklayer ethernet burst 1500b/1 mpu 0b cburst 1491b/1 mpu 0b level 0
class fq_codel 2:1bf parent 2:
class fq_codel 2:274 parent 2:
class fq_codel 2:296 parent 2:
class fq_codel 2:2ca parent 2:
class fq_codel 2:34a parent 2:
class fq_codel 2:364 parent 2:

root@UCG-Ultra:~# tc -p -s -d qdisc show dev ifbeth4
qdisc htb 1: root refcnt 2 r2q 10 default 0x2 direct_packets_stat 0 ver 3.17 direct_qlen 1000
 Sent 108770017013 bytes 143572868 pkt (dropped 24028, overlimits 43487579 requeues 0)
 backlog 0b 0p requeues 0
qdisc fq_codel 2: parent 1:2 limit 2000p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
 Sent 108770017013 bytes 143572868 pkt (dropped 24028, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 69876 drop_overlimit 10448 new_flow_count 14414347 ecn_mark 0 drop_overmemory 10448
  new_flows_len 1 old_flows_len 2

root@UCG-Ultra:/etc/systemd# tc -d class show dev ifbeth4
class htb 1:1 root rate 800Mbit ceil 800Mbit linklayer ethernet burst 1400b/1 mpu 0b cburst 1400b/1 mpu 0b level 7
class htb 1:2 parent 1:1 leaf 2: prio 7 quantum 1514 rate 64bit ceil 800Mbit linklayer ethernet burst 1500b/1 mpu 0b cburst 1400b/1 mpu 0b level 0
class fq_codel 2:111 parent 2:
class fq_codel 2:3cc parent 2:

So 35Mb/s and 800Mb/s match what is configured in the GUI.

[image: image.png]

The bad news is still no cake.

The bottleneck in my house is now the air interfaces. I'll run some flent tests soon.

Thanks,
Dave Seddon

Other device details

root@UCG-Ultra:~# uname -a
Linux UCG-Ultra 5.4.213-ui-ipq5322 #5.4.213 SMP PREEMPT Fri Jan 26 01:53:55 CST 2024 aarch64 GNU/Linux

root@UCG-Ultra:~# cat /proc/cpuinfo
processor : 0
BogoMIPS : 48.00
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid
CPU implementer : 0x51
CPU architecture: 8
CPU variant : 0xa
CPU part : 0x801
CPU revision : 4

processor : 1
BogoMIPS : 48.00
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid
CPU implementer : 0x51
CPU architecture: 8
CPU variant : 0xa
CPU part : 0x801
CPU revision : 4

processor : 2
BogoMIPS : 48.00
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid
CPU implementer : 0x51
CPU architecture: 8
CPU variant : 0xa
CPU part : 0x801
CPU revision : 4

processor : 3
BogoMIPS : 48.00
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid
CPU implementer : 0x51
CPU architecture: 8
CPU variant : 0xa
CPU part : 0x801
CPU revision : 4

root@UCG-Ultra:~# cat /proc/interrupts
           CPU0       CPU1       CPU2       CPU3
  4:   49385470   71684295   74561605   77496134  GIC-0  20 Level  arch_timer
  6:          0          0          0          0  GIC-0  39 Level  arch_mem_timer
  8:          0          0          0          0  GIC-0 195 Level  edma_txcmpl_4
  9:          0          0          0          0  GIC-0 196 Level  edma_txcmpl_5
 10:          0          0          0          0  GIC-0 197 Level  edma_txcmpl_6
 11:          0          0          0          0  GIC-0 198 Level  edma_txcmpl_7
 12:    1301701          0          0          0  GIC-0 199 Level  edma_txcmpl_8
 13:   16537922          0          0          0  GIC-0 200 Level  edma_txcmpl_9
 14:   16902391          0          0          0  GIC-0 201 Level  edma_txcmpl_10
 15:   19093638          0          0          0  GIC-0 202 Level  edma_txcmpl_11
 16:     218358          0          0          0  GIC-0 203 Level  edma_txcmpl_12
 17:   14172534          0          0          0  GIC-0 204 Level  edma_txcmpl_13
 18:   12228644          0          0          0  GIC-0 205 Level  edma_txcmpl_14
 19:   14848643          0          0          0  GIC-0 206 Level  edma_txc
Re: Is there ready functionality for disabling caching of particular objects
I guess you could rewrite the headers

https://docs.trafficserver.apache.org/en/latest/admin-guide/plugins/header_rewrite.en.html

On Mon, Apr 22, 2024 at 7:31 AM Pavel Vazharov wrote:

> Thank you for the response.
>
> Unfortunately we don't have control over the upstream http servers in this
> case.
> We need to make sure that we don't cache particular objects while working
> as a forward proxy.
> I think, I can write a C++ plugin for this. I was just trying to find if
> there is a ready solution before writing our own.
>
> On Mon, Apr 22, 2024 at 5:26 PM dave seddon wrote:
>
>> The "cleanest" way is for the upstream http server to add cache control
>> headers
>>
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
>>
>> On Mon, Apr 22, 2024, 07:22 Pavel Vazharov wrote:
>>
>>> Hi there,
>>>
>>> Is there existing ATS functionality or plugin through which can be
>>> disabled caching of particular objects by URL or regex?
>>>
>>> Thanks,
>>> Pavel.
>>>
>>

--
Regards,
Dave Seddon
+1 415 857 5102
Re: Is there ready functionality for disabling caching of particular objects
The "cleanest" way is for the upstream http server to add cache control headers

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

On Mon, Apr 22, 2024, 07:22 Pavel Vazharov wrote:

> Hi there,
>
> Is there existing ATS functionality or plugin through which can be
> disabled caching of particular objects by URL or regex?
>
> Thanks,
> Pavel.
>
Re: Using Apache Traffic Server as HTTP client to store some content in the storage
Thanks Brian! Very cool

I don't know if you're supposed to retroactively update release notes, but that's a pretty big feature not in the notes.
https://docs.trafficserver.apache.org/en/10.0.x/release-notes/upgrading.en.html

Stale-while-revalidate feature was a major challenge for some of our use cases, so it's awesome to hear that is resolved. Congratulations and thank you!

A potentially larger challenge is memory footprint.

Generally, for Yahoo, Apple, Comcast CDNs, and all you guys all have beefy machines with plenty of RAM, so this isn't a drama. In those scenarios ATS is an amazing solution! Woot woot. Love it!

There are more unique situations, home caching for example, where you want large amounts of cache storage, but much lower in memory indexes to that storage. I'm not suggesting ATS needs to solve this, but, for the sake of the mailing list history, people need to keep in mind.

Specifically, and unless I'm mistaken, RAM consumption is directly linear with the available cache size, regardless of the "working set". E.g. If you have a large storage you need a (relatively) large amount of RAM to index into that storage, even if most of the storage is not accessed.

Again, this is a totally understandable engineering decision, and makes sense in most situations.

On Fri, Apr 19, 2024, 14:02 Brian Neradt wrote:

> If I understand correctly, ATS does NOT support stale while revalidate,
>> which is surprising given the RFC was created by a Yahoo-ligan. ;)
>>
>
> I'm glad you mentioned this. Actually Yahoo open-sourced the functionality
> for stale while revalidate via the stale_response.so plugin for ATS 10:
>
> https://docs.trafficserver.apache.org/en/latest/admin-guide/plugins/stale_response.en.html#stale-response-plugin
>
> On Fri, Apr 19, 2024 at 3:38 PM dave seddon wrote:
>
>> Depending on your use case, you also want to carefully consider the cache
>> control headers for the downloaded object.
>>
>> If I understand correctly, ATS does NOT support stale while revalidate,
>> which is surprising given the RFC was created by a Yahoo-ligan. ;)
>>
>> On Fri, Apr 19, 2024 at 9:51 AM Leif Hedstrom wrote:
>>
>>> We discussed this in the slack channel. Probably the best option for you
>>> (other than writing a new plugin) is to use the background_fetch plugin.
>>> You will still need to trigger a download, but you can avoid having to wait
>>> for the full response in the client. So, what you’d do is
>>>
>>> curl -H "Range: bytes=0-1" https://www.example.com/some/url/foo.img
>>>
>>> And make sure background_fetch is enabled on this remap rule. No matter
>>> what you do, you will have to have something that tells ATS to kick off a
>>> download, and the above is probably as good as any alternative.
>>>
>>> Cheers,
>>>
>>> — Leif
>>>
>>> On Apr 17, 2024, at 9:33 AM, Pavel Vazharov wrote:
>>>
>>> Hi Brian,
>>>
>>> Thank you for your response.
>>> It'll do the job but, as far as I understand it, an external
>>> functionality will need to download the content in order to push it into
>>> the ATS.
>>> The content that I want to write in the ATS storage is on the Internet.
>>>
>>> Regards,
>>> Pavel.
>>>
>>> On Wed, Apr 17, 2024 at 6:26 PM Brian Neradt wrote:
>>>
>>>> Hi Pavel,
>>>>
>>>> This isn't a direct answer to your question, but are you aware of the
>>>> ATS HTTP PUSH feature? That allows you to push objects into the ATS cache
>>>> without the typical caching of proxied response. Can that help you in this
>>>> situation?
>>>>
>>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/configuration/cache-basics.en.html#pushing-content-into-the-cache
>>>>
>>>> On Wed, Apr 17, 2024 at 8:41 AM Pavel Vazharov wrote:
>>>>
>>>>> Hi there,
>>>>>
>>>>> Is there a way to use the ATS as an HTTP client to download and store
>>>>> given content?
>>>>> I'm aware that I can achieve this with a local HTTP client (wget,
>>>>> curl) which uses the ATS as a forward proxy and then the ATS will store
>>>>> the content (which is the actual goal).
>>>>> I was wondering if there is a way without using an additional HTTP
>>>>> client so that I can skip the additional content moving between sockets.
>>>>>
>>>>> Thanks,
>>>>> Pavel.
>>>>>
>>>>
>>>> --
>>>> "Come to Me, all who are weary and heavy-laden, and I will
>>>> give you rest. Take My yoke upon you and learn from Me, for
>>>> I am gentle and humble in heart, and you will find rest for
>>>> your souls. For My yoke is easy and My burden is light."
>>>>
>>>> ~ Matthew 11:28-30
>>>>
>>>
>>
>> --
>> Regards,
>> Dave Seddon
>> +1 415 857 5102
>>
>
> --
> "Come to Me, all who are weary and heavy-laden, and I will
> give you rest. Take My yoke upon you and learn from Me, for
> I am gentle and humble in heart, and you will find rest for
> your souls. For My yoke is easy and My burden is light."
>
> ~ Matthew 11:28-30
>
Re: Using Apache Traffic Server as HTTP client to store some content in the storage
Depending on your use case, you also want to carefully consider the cache control headers for the downloaded object.

If I understand correctly, ATS does NOT support stale while revalidate, which is surprising given the RFC was created by a Yahoo-ligan. ;)

On Fri, Apr 19, 2024 at 9:51 AM Leif Hedstrom wrote:

> We discussed this in the slack channel. Probably the best option for you
> (other than writing a new plugin) is to use the background_fetch plugin.
> You will still need to trigger a download, but you can avoid having to wait
> for the full response in the client. So, what you’d do is
>
> curl -H "Range: bytes=0-1" https://www.example.com/some/url/foo.img
>
> And make sure background_fetch is enabled on this remap rule. No matter
> what you do, you will have to have something that tells ATS to kick off a
> download, and the above is probably as good as any alternative.
>
> Cheers,
>
> — Leif
>
> On Apr 17, 2024, at 9:33 AM, Pavel Vazharov wrote:
>
> Hi Brian,
>
> Thank you for your response.
> It'll do the job but, as far as I understand it, an external functionality
> will need to download the content in order to push it into the ATS.
> The content that I want to write in the ATS storage is on the Internet.
>
> Regards,
> Pavel.
>
> On Wed, Apr 17, 2024 at 6:26 PM Brian Neradt wrote:
>
>> Hi Pavel,
>>
>> This isn't a direct answer to your question, but are you aware of the ATS
>> HTTP PUSH feature? That allows you to push objects into the ATS cache
>> without the typical caching of proxied response. Can that help you in this
>> situation?
>>
>> https://docs.trafficserver.apache.org/en/latest/admin-guide/configuration/cache-basics.en.html#pushing-content-into-the-cache
>>
>> On Wed, Apr 17, 2024 at 8:41 AM Pavel Vazharov wrote:
>>
>>> Hi there,
>>>
>>> Is there a way to use the ATS as an HTTP client to download and store
>>> given content?
>>> I'm aware that I can achieve this with a local HTTP client (wget, curl)
>>> which uses the ATS as a forward proxy and then the ATS will store the
>>> content (which is the actual goal).
>>> I was wondering if there is a way without using an additional HTTP
>>> client so that I can skip the additional content moving between sockets.
>>>
>>> Thanks,
>>> Pavel.
>>>
>>
>> --
>> "Come to Me, all who are weary and heavy-laden, and I will
>> give you rest. Take My yoke upon you and learn from Me, for
>> I am gentle and humble in heart, and you will find rest for
>> your souls. For My yoke is easy and My burden is light."
>>
>> ~ Matthew 11:28-30
>>
>

--
Regards,
Dave Seddon
+1 415 857 5102
[Cake] irtt update to go 1.22
G'day,

I'm chasing weird latency spikes in my wifi network, so on Dave T's suggestion, I'm going to try using irtt to debug it.

I noticed irtt hasn't upgraded its Go version for a long time, and Go has come a long way since 1.12.

While I was there I spotted a bunch of lint errors, so I just hacked in a quick log.Fatal, but these should probably be real error exit codes.

https://github.com/heistp/irtt/pull/41

--
Regards,
Dave Seddon
+1 415 857 5102
___
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake
Re: [Cake] Nanog l4s video
Off topic, but awesome and I think you'll enjoy it
https://youtu.be/c2jiqkpw4VY?si=ju-H9ivyNAFBM_R0

On Fri, Feb 23, 2024, 20:57 dave seddon wrote:

> https://youtu.be/E7okBZ8NfQ8?si=Ip4Lxo1g1Xx7oy4Z
[Cake] Nanog l4s video
https://youtu.be/E7okBZ8NfQ8?si=Ip4Lxo1g1Xx7oy4Z
Re: [Cake] Ubiquity (Unifi ) Smart Queues
Nils - I guess you could run LibreQoS on N100?

On Tue, Jan 9, 2024 at 8:57 AM Nils Andreas Svee via Cake <cake@lists.bufferbloat.net> wrote:

> On Jan 9, 2024, at 17:05, Dave Taht wrote:
>
> On Tue, Jan 9, 2024 at 10:40 AM Nils Andreas Svee via Cake wrote:
>
> Though frankly, I don’t plan on updating the sch_cake and tc binaries when
> new firmwares are released anymore, as they don’t publish the GPL archives
> on their webpage after the redesign, and they don’t respond to requests for
> them either by the looks of the forums. So if it breaks there’s not much I
> can do anymore.
>
> This irks me enormously. It is the direct outcome of the cambium
> elevate lawsuit, where both companies lost, the ISPs lost, open source
> practices long established about publishing sources, lost, and the
> lawyers went on to other nasty things leaving this trail of awful
> precedents in their wake.
>
> https://www.mtin.net/blog/ubnt-vs-cambium/
>
> Wow, hadn’t read about that. They even sued an ISP just for using
> Cambium’s software on their hardware?
> That is crazy, just evil corporate lawyers doing their thing I guess.
>
> I do not know what to do about it. It also irks me that as a
> contributor to "smart queues" they are not maintaining it well.
>
> It leaves something to be desired yes, and I would’ve hoped to see CAKE
> included too of course,
> but even WireGuard is only available in the latest release candidates with
> the redesigned web UI, so I’m not holding my breath.
>
> I still have an EdgeRouter 4 that serves the family farm and one of the
> 8-port switches under my desk, if only because I don’t wanna spend money on
> replacing them, and they do serve their purpose.
>
> I’ve since moved though, and now live in an area that has FTTH, so I
> needed something beefier to handle CAKE on a 750/750 subscription, because
> obviously there’s still bloat even on that ;)
>
> One of those Chinese boxes with a N100 in it and OpenWrt on top works
> wonders :)
>
> Best Regards,
> Nils Andreas Svee
>

--
Regards,
Dave Seddon
+1 415 857 5102
Re: [Cake] Ubiquity (Unifi ) Smart Queues
0 0 BM

On Tue, Jan 9, 2024 at 8:05 AM Dave Taht via Cake <cake@lists.bufferbloat.net> wrote:

> On Tue, Jan 9, 2024 at 10:40 AM Nils Andreas Svee via Cake wrote:
> >
> > Though frankly, I don’t plan on updating the sch_cake and tc binaries
> > when new firmwares are released anymore, as they don’t publish the GPL
> > archives on their webpage after the redesign, and they don’t respond to
> > requests for them either by the looks of the forums. So if it breaks
> > there’s not much I can do anymore.
>
> This irks me enormously. It is the direct outcome of the cambium
> elevate lawsuit, where both companies lost, the ISPs lost, open source
> practices long established about publishing sources, lost, and the
> lawyers went on to other nasty things leaving this trail of awful
> precedents in their wake.
>
> https://www.mtin.net/blog/ubnt-vs-cambium/
>
> I do not know what to do about it. It also irks me that as a
> contributor to "smart queues" they are not maintaining it well.
>
> >
> > Best Regards,
> > Nils Andreas Svee
> >
> > On Jan 3, 2024, at 14:44, Pete Heist via Cake <cake@lists.bufferbloat.net> wrote:
> >
> > On Tue, 2024-01-02 at 10:59 -0800, dave seddon via Cake wrote:
> >
> > I thought people might be interested to see what Ubiquity/Unifi is
> > doing with "Smart Queues" on their devices. The documentation on
> > their website is not very informative.
> >
> > "Smart Queue" Implementation
> >
> > Looks like they only apply tc qdiscs to the Eth2, and sadly this is
> > NOT cake, but fq_codel.
> >
> > And cake isn't available :(
> >
> > root@USG-Pro-4:~# tc qdisc replace dev eth0 cake bandwidth 100m rtt 20ms
> > Unknown qdisc "cake", hence option "bandwidth" is unparsable
> >
> >
> > Hi Dave, there's a community contributed version of Cake for EdgeRouter
> > devices that I've been using for years on production ER-X's:
> >
> > https://community.ui.com/questions/Cake-compiled-for-the-EdgeRouter-devices/fc1ff27c-f321-4344-8737-fcc755cae8a2
> >
> > I don't think that works for UniFi/USG devices, however, and one should
> > note the disclaimer and be careful when installing it. Also, it must be
> > re-installed after every upgrade.
> >
> > Cheers,
> > Pete
> >
>
> --
> 40 years of net history, a couple songs:
> https://www.youtube.com/watch?v=D9RGX6QFm5E
> Dave Täht CSO, LibreQos
>

--
Regards,
Dave Seddon
+1 415 857 5102
Re: [Cake] Ubiquity (Unifi ) Smart Queues
Thanks Sebastian!

Now I see the rates!!

I actually reduced the rates to ensure this device is the bottleneck 80/10 Mb/s

[image: image.png]

root@USG-Pro-4:~# tc -d class show dev eth2
class htb 1:10 root leaf 100: prio 0 quantum 118750 rate 9500Kbit ceil 9500Kbit burst 1598b/1 mpu 0b overhead 0b cburst 1598b/1 mpu 0b overhead 0b level 0
class fq_codel 100:12c parent 100:
class fq_codel 100:213 parent 100:
class fq_codel 100:22e parent 100:

root@USG-Pro-4:~# tc -d class show dev ifb_eth2
class htb 1:10 root leaf 100: prio 0 quantum 20 rate 76000Kbit ceil 76000Kbit burst 1596b/1 mpu 0b overhead 0b cburst 1596b/1 mpu 0b overhead 0b level 0
class fq_codel 100:2c8 parent 100:
class fq_codel 100:3df parent 100:

On Tue, Jan 2, 2024 at 12:53 PM Sebastian Moeller wrote:

> Hi Dave.
>
> just a few comments from the peanut gallery...
>
> > On Jan 2, 2024, at 19:59, dave seddon via Cake <cake@lists.bufferbloat.net> wrote:
> >
> > G'day,
> >
> > Happy new year y'all
>
> +1
>
> > I thought people might be interested to see what Ubiquity/Unifi is doing
> > with "Smart Queues" on their devices. The documentation on their website
> > is not very informative.
> >
> > Hopefully, this is vaguely interesting because Ubiquity is widely
> > deployed and apparently they have a market cap of >$8 billion, so you would
> > hope they do a "good job" (... Seems like they might be a target customer
> > for libreqos )
> >
> > https://finance.yahoo.com/quote/ui/
> >
> > ( I use Unifi because their wifi stuff seems ok, and all the
> > switching/routing/wifi is all integrated into the single gui control
> > system. Also honestly, I'm not sure I know how to do prefix delegation
> > stuff on Linux by hand. )
> >
> > Network diagram
> >
> > Spectrum Cable Internets <--> Eth2 [ USG-Pro-4 ] Eth0 <---> [Switches] <> Access points
> >
> > "Smart Queue" Configuration
> > Ubiquity doesn't have many knobs, you just enable "smart queues" and set
> > the bandwidth.
> >
> > "Smart Queue" Implementation
> >
> > Looks like they only apply tc qdiscs to the Eth2, and sadly this is NOT
> > cake, but fq_codel.
> >
> > And cake isn't available :(
> >
> > root@USG-Pro-4:~# tc qdisc replace dev eth0 cake bandwidth 100m rtt 20ms
> > Unknown qdisc "cake", hence option "bandwidth" is unparsable
> >
> > Outbound eth2
> >
> > root@USG-Pro-4:~# tc -p -s -d qdisc show dev eth2
> > qdisc htb 1: root refcnt 2 r2q 10 default 10 direct_packets_stat 0 ver 3.17
> > Sent 1071636465 bytes 5624944 pkt (dropped 0, overlimits 523078 requeues 0) < OVERLIMITS?
> > backlog 0b 0p requeues 0
> > qdisc fq_codel 100: parent 1:10 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms ecn
> > Sent 1071636465 bytes 5624944 pkt (dropped 2384, overlimits 0 requeues 0) <- DROPS
> > backlog 0b 0p requeues 0
> > maxpacket 1514 drop_overlimit 0 new_flow_count 1244991 ecn_mark 0
> > new_flows_len 1 old_flows_len 1
> > qdisc ingress : parent :fff1
> > Sent 12636045136 bytes 29199533 pkt (dropped 0, overlimits 0 requeues 0)
> > backlog 0b 0p requeues 0
> > • target 5.0ms is the default (
> > https://www.man7.org/linux/man-pages/man8/tc-fq_codel.8.html ). I wonder
> > if they did much testing on this hardware?
>
> [SM] Not sure whether playing with target in isolation would be much use,
> in codel theory target should be 5-10% of interval and interval should be
> in the order of magnitude of to be handled RTTs (the default is 100ms which
> works reasonably well even across the Atlantic, but you probably knew all
> that).
>
> > • ( I actually have a spare "wan" ethernet port, so I
> > guess I could hook up a PC and perform a flent test. )
> > • It's unclear to me what the "htb" is doing, because I would have
> > expected the download/upload rates to be configured here, but they appear
> > not to be
>
> [SM] Likely because HTB does not reveal this when asked with the `-s`
> option, try `-q` instead and not as qdisc but as class (so maybe `tc -d
> class show dev eth2`).
>
> > • I'm not really sure what "overlimits" means or what that does,
> > and tried looking this up, but I guess the kernel source is likely the
> > "best" documentation for this. Maybe this means it's dropping? Or is it
> > ECN?
>
> I think this text about TBF explains this reasonably well (HTB is
> essentially a hi
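An added example, not part of the original thread: a parser for the `tc -d class show` output quoted in these posts that compares the HTB root class ceiling with the rate entered in the GUI. The class lines are copied from the posts (UCG-Ultra eth4, USG-Pro-4 eth2 and ifb_eth2); the function names are this example's own, and pairing eth2 with the 10 Mb/s figure and ifb_eth2 with the 80 Mb/s figure is an assumption.

```python
import re

# iproute2 prints rates with decimal prefixes by default: Kbit = 1000 bit/s.
_PREFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
_RATE = re.compile(r"(\d+(?:\.\d+)?)([KMGT]?)bit")
# Zero-width split point in front of every "class <kind> <id> root|parent".
_CLASS_START = re.compile(r"(?=\bclass \w+ \S+ (?:root|parent)\b)")
_HTB_HEAD = re.compile(r"class htb (?P<id>\S+) (?P<where>root|parent \S+)")

# Class lines copied from the tc output in the posts on this page.
UCG_ULTRA_ETH4 = """\
class htb 1:1 root rate 35Mbit ceil 35Mbit linklayer ethernet burst 1491b/1 mpu 0b cburst 1491b/1 mpu 0b level 7
class htb 1:2 parent 1:1 leaf 2: prio 7 quantum 1514 rate 64bit ceil 35Mbit linklayer ethernet burst 1500b/1 mpu 0b cburst 1491b/1 mpu 0b level 0
class fq_codel 2:1bf parent 2:
class fq_codel 2:274 parent 2:
"""
USG_PRO_4_ETH2 = """\
class htb 1:10 root leaf 100: prio 0 quantum 118750 rate 9500Kbit ceil 9500Kbit burst 1598b/1 mpu 0b overhead 0b cburst 1598b/1 mpu 0b overhead 0b level 0
class fq_codel 100:12c parent 100:
"""
# The same kind of output with its line breaks lost, as in a flattened mail.
USG_PRO_4_IFB_ETH2 = (
    "class htb 1:10 root leaf 100: prio 0 quantum 20 rate 76000Kbit ceil 76000Kbit "
    "burst 1596b/1 mpu 0b overhead 0b cburst 1596b/1 mpu 0b overhead 0b level 0 "
    "class fq_codel 100:2c8 parent 100: class fq_codel 100:3df parent 100:"
)


def parse_rate(token):
    """Convert a tc rate token such as '9500Kbit' or '64bit' to bit/s."""
    m = _RATE.fullmatch(token)
    if m is None:
        raise ValueError(f"unrecognised tc rate: {token!r}")
    return round(float(m.group(1)) * _PREFIX[m.group(2)])


def htb_classes(tc_output):
    """Return the HTB classes in `tc -d class show` output as dicts.

    Splitting in front of each 'class' keyword instead of on newlines also
    handles output whose line breaks were lost in transit.
    """
    classes = []
    for chunk in _CLASS_START.split(tc_output):
        head = _HTB_HEAD.match(chunk.strip())
        if head is None:  # fq_codel flow classes and empty chunks
            continue
        fields = chunk.split()
        if "rate" not in fields or "ceil" not in fields:
            continue
        classes.append({
            "id": head["id"],
            "root": head["where"] == "root",
            "rate": parse_rate(fields[fields.index("rate") + 1]),
            "ceil": parse_rate(fields[fields.index("ceil") + 1]),
        })
    return classes


def shaper_ceiling(tc_output):
    """Return the ceil (bit/s) of the single root HTB class."""
    roots = [c for c in htb_classes(tc_output) if c["root"]]
    if len(roots) != 1:
        raise ValueError(f"expected one root HTB class, found {len(roots)}")
    return roots[0]["ceil"]


def compare_with_gui(tc_output, gui_mbit, tolerance=0.001):
    """Compare the root ceiling with the rate configured in the GUI (Mb/s)."""
    ceiling = shaper_ceiling(tc_output)
    ratio = ceiling / (gui_mbit * 10**6)
    return {"ceiling_bps": ceiling, "ratio": ratio,
            "matches": abs(ratio - 1.0) <= tolerance}


if __name__ == "__main__":
    for name, text, gui in [("UCG-Ultra eth4", UCG_ULTRA_ETH4, 35),
                            ("USG-Pro-4 eth2", USG_PRO_4_ETH2, 10),
                            ("USG-Pro-4 ifb_eth2", USG_PRO_4_IFB_ETH2, 80)]:
        r = compare_with_gui(text, gui)
        print(f"{name}: {r['ceiling_bps']} bit/s, {r['ratio']:.0%} of GUI rate")
```

On the UCG-Ultra the child class 1:2 has a guaranteed rate of only 64 bit/s and borrows up to the root ceiling, so the check reads the root class ceiling and not the leaf's rate.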
ATS and RFC5861 stale-while-revalidate?
G'day,

I hope you are doing well.

Just wondering about ATS's support for RFC 5861 ( https://www.rfc-editor.org/rfc/rfc5861 ), specifically stale-while-revalidate.

Based on our testing, our current config we have does NOT seem to allow serving stale while revalidating.

There's an old doc from 2015 talking about the feature, but not sure if this was ever finalized.
https://cwiki.apache.org/confluence/display/TS/Stale-While-Revalidate+in+the+core

There is mention of stale-while-revalidate (SWR) here, but not a lot of details:
https://docs.trafficserver.apache.org/admin-guide/plugins/collapsed_forwarding.en.html#description

The cache architecture doesn't discuss serving stale while revalidate
https://docs.trafficserver.apache.org/developer-guide/cache-architecture/architecture.en.html#cache-read

Glossary term mentions revalidation, but nothing about stale.
https://docs.trafficserver.apache.org/appendices/glossary.en.html#term-revalidation

Looking at "is_stale_cache_response_returnable", it looks like the code does take into account must-revalidate header
https://github.com/apache/trafficserver/blob/master/src/proxy/http/HttpTransact.cc#L5984

Grepping the code for these headers doesn't find anything.

das@t:~/Downloads/trafficserver$ grep -R "stale-while-revalidate" ./
das@t:~/Downloads/trafficserver$ grep -R "stale-if-error" ./

So it seems like ATS does not support RFC 5861

--
Regards,
Dave Seddon
Re: [Cake] some comprehensive arm64 w/cake results
G'day,

Dave Taht and I have had a couple of phone conversations now, and he's convinced me that rather than inserting the netem delay on each laptop, that latency should be added by a separate device. To this end, I've got another little PC and a NIC coming, so that I can repeat all the tests with separate latency injection.

However, I've also completed the flent tests with the laptops adding latency at each end.

Full test runs here:
https://github.com/randomizedcoder/qdisc_results/tree/main/qdisc/2023-10-23T16%3A49%3A10

You can find the actual rrul flent .tar.gz results for each test. e.g

Pi4 fq is here:
https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-23T16%3A49%3A10/pi4/fq/flent/test/16_flent/rrul-2023-10-23T170016.068273.2023-10-23T16_49_10_pi4_fq.flent.gz

Lichee Pi RISC-V with cake qdisc:
https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-23T16%3A49%3A10/lpi4a/cake20/flent/test/16_flent/rrul-2023-10-23T201354.818316.2023-10-23T16_49_10_lpi4a_cake20.flent.gz

Just take these with a grain of salt until the new latency injection is in place.

... I'll see if I can script up the generation of all the pretty graphs soon

Thanks,
Dave Seddon

On Sun, Oct 15, 2023 at 8:11 AM dave seddon wrote:

> G'day,
>
> I've put more work into a test framework around the qdisc tests, but
> unfortunately flent doesn't work easily with Ubuntu LTS (
> https://github.com/tohojo/flent/issues/232, which I think is an issue
> with flent parsing the fping output ).
>
> Results and graphs in this sheet:
> https://docs.google.com/spreadsheets/d/1T59QwEdNwJFm4TgDFA_NY98gicOm8ABXKvDsSIMz9ag/edit#gid=1203641125
>
> Raw results of x2 test runs are here:
> https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/report.csv
>
> Each run:
> https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-13T18%3A45%3A45/report.csv
> https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-14T14%3A22%3A53/report.csv
>
> Full iperf outputs are available too, for example:
> https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-13T18%3A45%3A45/nanopi-r2s/fq_codel/iperf/test/16_iperf/stdout
>
> Logs for each run are also available, for example:
> https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-13T18%3A45%3A45/log.json
>
> The code repo updated here: https://github.com/randomizedcoder/cake ,
> with the https://github.com/randomizedcoder/cake/blob/main/README.md which
> explains how the test work.
> Updated google doc is started here:
> https://docs.google.com/document/d/1fYKj3BS89aB9drg_DsSq289xSdVQhn1zUJYCj0WuCs0/edit?usp=sharing
>
> Based on the questions on this list earlier, there is a folder with device
> information for each of the devices
> https://github.com/randomizedcoder/cake/tree/main/device_info
>
> For example, the Pi4 and the Lichee Pi (risc-v) hardware layout is here:
> - https://github.com/randomizedcoder/cake/blob/main/device_info/pi4/hwloc-ls-pi4.png
> - https://github.com/randomizedcoder/cake/blob/main/device_info/lpi4a/hwloc-ls-lpi4a.png
>
> The switch has also been upgraded to a Cisco 3750x, which I think based on
> the "show interface" output has a max queue size of 40 frames. The test
> process clears the counters before each test and gathers the "show
> interface" output at the end.
>
> The Lichee Pi 4A doesn't look good (
> https://wiki.sipeed.com/hardware/en/lichee/th1520/lp4a.html )
>
> [image: image.png]
> I really wish the flent was working, so I'll probably see if I can work
> out the parsing.
>
> Thanks,
> Dave Seddon
>
> On Fri, Oct 13, 2023 at 10:25 AM dave seddon wrote:
>
>> My bad. There's a bug for this Looks like I have to downgrade fping
>>
>> https://github.com/tohojo/flent/issues/232
>> https://github.com/schweikert/fping/issues/203
>>
>> On Fri, Oct 13, 2023 at 8:59 AM dave seddon wrote:
>>
>>> G'day,
>>>
>>> I've been working away on automation of the tests. Pretty close to
>>> having much nicer tests with a lot more details. I've also got the risc-v
>>> device working.
>>>
>>> However, I've run into something funny with flent. Flent is not happy
>>> with fping or ping.
>>>
>>> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ /usr/bin/sudo
>>> /usr/sbin/ip netns exec network101 /usr/bin/flent rrul --output
>>> /tmp/qdisc/2023-10-13T15:53:21/pi4/noqueue/flent/test/15_flent/flent_pi4_noqueue.png
>>> --data-dir /tmp/qdisc/2023-10-13T15:53:21/pi4/noqueue/flent/test/15_flent/
>>> --format summary --plot all_scaled --title-extra
>>> 2023-10-13T15:53:21
Re: How to establish a uni-directional Ethernet link in the dpdk environment
Normally, if you're doing "single fiber optics" it basically means you have a single color/frequency in one direction, and another color/frequency, which is slightly offset. e.g. They say blue for send, and purple for receive, or something like that.

It's hard to screw it up, but I've definitely tried :)

On Sun, Oct 15, 2023 at 4:21 PM Stephen Hemminger <step...@networkplumber.org> wrote:

> On Sun, 15 Oct 2023 10:30:48 +0330
> Alireza Sadeghpour wrote:
>
> > Hi,
> >
> > I am trying to establish a uni-directional Ethernet link where a singular
> > fiber is used to transmit data to the receiver in the DPDK environment. The
> > Rx of the transmit side and the Tx of the receive side are not physically
> > connected, like in a Data diode scenario. The ethernet controller on both
> > sides is intel 82580.
> >
> > my problem is that when I detach the RX line from one side, both sides'
> > links go down.
> >
> > Could anyone please give me some advice to solve this problem and establish
> > a valid unidirectional ethernet link?
>
> This is not a DPDK problem. Trying to non-standard configuration like this
> requires detailed knowledge of the hardware registers, and likely driver
> specific changes to do that.
>
> It is possible to bring up device in normal full duplex mode and even setup
> the receive queues but ignore them. But that doesn't sound like what you
> want.
>

--
Regards,
Dave Seddon
+1 415 857 5102
Re: [Cake] some comprehensive arm64 w/cake results
Oh thanks Sebastian. I have irtt installed, but it looks like I need to start the server. That's easy. Doing it now.

( Incidentally, I did write a golang based icmp pinger. It can ping at very high rates: https://github.com/edgio/icmpengine. Really should write one with rust using io_uring... )

On Sun, Oct 15, 2023 at 8:53 AM Sebastian Moeller wrote:

> If I recall correctly, flent will use irtt for its delay probes if available on both ends. Sure fixing fping seems like a good thing longer term, but to get data in quickly, maybe try irtt instead?
>
> On 15 October 2023 17:11:23 CEST, dave seddon via Cake <cake@lists.bufferbloat.net> wrote:
>
>> G'day,
>>
>> I've put more work into a test framework around the qdisc tests, but unfortunately flent doesn't work easily with Ubuntu LTS ( https://github.com/tohojo/flent/issues/232, which I think is an issue with flent parsing the fping output ).
>>
>> Results and graphs in this sheet:
>> https://docs.google.com/spreadsheets/d/1T59QwEdNwJFm4TgDFA_NY98gicOm8ABXKvDsSIMz9ag/edit#gid=1203641125
>>
>> Raw results of x2 test runs are here:
>> https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/report.csv
>>
>> Each run:
>> https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-13T18%3A45%3A45/report.csv
>> https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-14T14%3A22%3A53/report.csv
>>
>> Full iperf outputs are available too, for example:
>> https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-13T18%3A45%3A45/nanopi-r2s/fq_codel/iperf/test/16_iperf/stdout
>>
>> Logs for each run are also available, for example:
>> https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-13T18%3A45%3A45/log.json
>>
>> The code repo updated here: https://github.com/randomizedcoder/cake , with the https://github.com/randomizedcoder/cake/blob/main/README.md which explains how the tests work.
>>
>> Updated google doc is started here:
>> https://docs.google.com/document/d/1fYKj3BS89aB9drg_DsSq289xSdVQhn1zUJYCj0WuCs0/edit?usp=sharing
>>
>> Based on the questions on this list earlier, there is a folder with device information for each of the devices
>> https://github.com/randomizedcoder/cake/tree/main/device_info
>>
>> For example, the Pi4 and the Lichee Pi (risc-v) hardware layout is here:
>> - https://github.com/randomizedcoder/cake/blob/main/device_info/pi4/hwloc-ls-pi4.png
>> - https://github.com/randomizedcoder/cake/blob/main/device_info/lpi4a/hwloc-ls-lpi4a.png
>>
>> The switch has also been upgraded to a Cisco 3750x, which I think based on the "show interface" output has a max queue size of 40 frames. The test process clears the counters before each test and gathers the "show interface" output at the end.
>>
>> The Lichee Pi 4A doesn't look good ( https://wiki.sipeed.com/hardware/en/lichee/th1520/lp4a.html )
>>
>> [image: image.png]
>>
>> I really wish the flent was working, so I'll probably see if I can work out the parsing.
>>
>> Thanks,
>> Dave Seddon
>>
>> On Fri, Oct 13, 2023 at 10:25 AM dave seddon wrote:
>>
>>> My bad. There's a bug for this. Looks like I have to downgrade fping
>>>
>>> https://github.com/tohojo/flent/issues/232
>>> https://github.com/schweikert/fping/issues/203
>>>
>>> On Fri, Oct 13, 2023 at 8:59 AM dave seddon wrote:
>>>
>>>> G'day,
>>>>
>>>> I've been working away on automation of the tests. Pretty close to having much nicer tests with a lot more details. I've also got the risc-v device working.
>>>>
>>>> However, I've run into something funny with flent. Flent is not happy with fping or ping.
>>>>
>>>> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ /usr/bin/sudo /usr/sbin/ip netns exec network101 /usr/bin/flent rrul --output /tmp/qdisc/2023-10-13T15:53:21/pi4/noqueue/flent/test/15_flent/flent_pi4_noqueue.png --data-dir /tmp/qdisc/2023-10-13T15:53:21/pi4/noqueue/flent/test/15_flent/ --format summary --plot all_scaled --title-extra 2023-10-13T15:53:21_pi4_noqueue --note 2023-10-13T15:53:21_pi4_noqueue --extended-metadata --host 172.17.51.10 --length 60 --ipv4 --socket-stats
>>>> Starting Flent 2.0
Re: [Cake] some comprehensive arm64 w/cake results
G'day,

I've put more work into a test framework around the qdisc tests, but unfortunately flent doesn't work easily with Ubuntu LTS ( https://github.com/tohojo/flent/issues/232, which I think is an issue with flent parsing the fping output ).

Results and graphs in this sheet:
https://docs.google.com/spreadsheets/d/1T59QwEdNwJFm4TgDFA_NY98gicOm8ABXKvDsSIMz9ag/edit#gid=1203641125

Raw results of x2 test runs are here:
https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/report.csv

Each run:
https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-13T18%3A45%3A45/report.csv
https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-14T14%3A22%3A53/report.csv

Full iperf outputs are available too, for example:
https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-13T18%3A45%3A45/nanopi-r2s/fq_codel/iperf/test/16_iperf/stdout

Logs for each run are also available, for example:
https://github.com/randomizedcoder/qdisc_results/blob/main/qdisc/2023-10-13T18%3A45%3A45/log.json

The code repo updated here: https://github.com/randomizedcoder/cake , with the https://github.com/randomizedcoder/cake/blob/main/README.md which explains how the tests work.

Updated google doc is started here:
https://docs.google.com/document/d/1fYKj3BS89aB9drg_DsSq289xSdVQhn1zUJYCj0WuCs0/edit?usp=sharing

Based on the questions on this list earlier, there is a folder with device information for each of the devices
https://github.com/randomizedcoder/cake/tree/main/device_info

For example, the Pi4 and the Lichee Pi (risc-v) hardware layout is here:
- https://github.com/randomizedcoder/cake/blob/main/device_info/pi4/hwloc-ls-pi4.png
- https://github.com/randomizedcoder/cake/blob/main/device_info/lpi4a/hwloc-ls-lpi4a.png

The switch has also been upgraded to a Cisco 3750x, which I think based on the "show interface" output has a max queue size of 40 frames. The test process clears the counters before each test and gathers the "show interface" output at the end.

The Lichee Pi 4A doesn't look good ( https://wiki.sipeed.com/hardware/en/lichee/th1520/lp4a.html )

[image: image.png]

I really wish the flent was working, so I'll probably see if I can work out the parsing.

Thanks,
Dave Seddon

On Fri, Oct 13, 2023 at 10:25 AM dave seddon wrote:

> My bad. There's a bug for this. Looks like I have to downgrade fping
>
> https://github.com/tohojo/flent/issues/232
> https://github.com/schweikert/fping/issues/203
>
> On Fri, Oct 13, 2023 at 8:59 AM dave seddon wrote:
>
>> G'day,
>>
>> I've been working away on automation of the tests. Pretty close to having much nicer tests with a lot more details. I've also got the risc-v device working.
>>
>> However, I've run into something funny with flent. Flent is not happy with fping or ping.
>>
>> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ /usr/bin/sudo /usr/sbin/ip netns exec network101 /usr/bin/flent rrul --output /tmp/qdisc/2023-10-13T15:53:21/pi4/noqueue/flent/test/15_flent/flent_pi4_noqueue.png --data-dir /tmp/qdisc/2023-10-13T15:53:21/pi4/noqueue/flent/test/15_flent/ --format summary --plot all_scaled --title-extra 2023-10-13T15:53:21_pi4_noqueue --note 2023-10-13T15:53:21_pi4_noqueue --extended-metadata --host 172.17.51.10 --length 60 --ipv4 --socket-stats
>> Starting Flent 2.0.1 using Python 3.10.12.
>> Starting rrul test. Expected run time: 70 seconds.
>> WARNING: Found fping, but couldn't parse its output. Not using. < ???
>> ERROR: Runner Ping (ms) ICMP failed check: Cannot parse output of the system ping binary (/usr/bin/ping). Please install fping v3.5+.<- ??
>>
>> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ dpkg --list | grep ping
>> ii  fping                5.1-1                   amd64  sends ICMP ECHO_REQUEST packets to network hosts
>> ii  iputils-ping         3:20211215-1            amd64  Tools to test the reachability of network hosts
>> ii  kpartx               0.8.8-1ubuntu1.22.04.1  amd64  create device mappings for partitions
>> ii  libharfbuzz0b:amd64  2.7.4-1ubuntu3.1        amd64  OpenType text shaping engine (shared library)
>> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ fping --version
>> fping: Version 5.1
>> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ ping -V
>> ping from iputils 20211215
>>
>> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ cat /etc/lsb-release
>> DISTRIB_ID=Ubuntu
>> DISTRIB_RELEASE=22.04
>> DISTRIB_CODENAME=jammy
>> DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS"
Re: [Cake] some comprehensive arm64 w/cake results
My bad. There's a bug for this. Looks like I have to downgrade fping

https://github.com/tohojo/flent/issues/232
https://github.com/schweikert/fping/issues/203

On Fri, Oct 13, 2023 at 8:59 AM dave seddon wrote:

> G'day,
>
> I've been working away on automation of the tests. Pretty close to having much nicer tests with a lot more details. I've also got the risc-v device working.
>
> However, I've run into something funny with flent. Flent is not happy with fping or ping.
>
> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ /usr/bin/sudo /usr/sbin/ip netns exec network101 /usr/bin/flent rrul --output /tmp/qdisc/2023-10-13T15:53:21/pi4/noqueue/flent/test/15_flent/flent_pi4_noqueue.png --data-dir /tmp/qdisc/2023-10-13T15:53:21/pi4/noqueue/flent/test/15_flent/ --format summary --plot all_scaled --title-extra 2023-10-13T15:53:21_pi4_noqueue --note 2023-10-13T15:53:21_pi4_noqueue --extended-metadata --host 172.17.51.10 --length 60 --ipv4 --socket-stats
> Starting Flent 2.0.1 using Python 3.10.12.
> Starting rrul test. Expected run time: 70 seconds.
> WARNING: Found fping, but couldn't parse its output. Not using. < ???
> ERROR: Runner Ping (ms) ICMP failed check: Cannot parse output of the system ping binary (/usr/bin/ping). Please install fping v3.5+.<- ??
>
> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ dpkg --list | grep ping
> ii  fping                5.1-1                   amd64  sends ICMP ECHO_REQUEST packets to network hosts
> ii  iputils-ping         3:20211215-1            amd64  Tools to test the reachability of network hosts
> ii  kpartx               0.8.8-1ubuntu1.22.04.1  amd64  create device mappings for partitions
> ii  libharfbuzz0b:amd64  2.7.4-1ubuntu3.1        amd64  OpenType text shaping engine (shared library)
> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ fping --version
> fping: Version 5.1
> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ ping -V
> ping from iputils 20211215
>
> das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=22.04
> DISTRIB_CODENAME=jammy
> DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS"
>
> I did install via "apt install fping"
>
> Any thoughts please?
>
> Kind regards,
> Dave
>
> On Thu, Sep 28, 2023 at 6:27 AM Sebastian Moeller via Cake <cake@lists.bufferbloat.net> wrote:
>
>> > On Sep 28, 2023, at 15:19, David Lang wrote:
>> >
>> > On Thu, 28 Sep 2023, Sebastian Moeller via Cake wrote:
>> >
>> >> P.S.: I am tempted, but will likely wait until they are available in quantity and hope that the street price comes down a bit before getting one ;)
>> >
>> > They aren't available at all yet, and it's not clear when they will be available.
>>
>> The announcement was end of October, but I think I could pre-order right now if I was feeling an urge. You are right though, announced != available or delivered.
>>
>> Regards
>> Sebastian
>>
>> P.S.: I have a pi400 in use as "desktop" for my oldest kid, this is close to be actually generally usable, I would guess that changing a potential p500 from the pi400's 4GB to 8 GB together with the other improvements the 5 brings might push it over the threshold into the truly useful category. Which probably means that either a potential pi500 will come late and probably with only 4 GB, but let's see how this works out now that the supply situation is less problematic.
>> And I understand that there are other capable ARM based SoCs for homerouter/desktop duty, I just happen to have a soft spot for the raspberry project ;)
>>
>> >
>> > David Lang
>>
>> ___
>> Cake mailing list
>> Cake@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cake
>
> --
> Regards,
> Dave Seddon
> +1 415 857 5102

--
Regards,
Dave Seddon
+1 415 857 5102
___
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake
Re: [Cake] some comprehensive arm64 w/cake results
G'day,

I've been working away on automation of the tests. Pretty close to having much nicer tests with a lot more details. I've also got the risc-v device working.

However, I've run into something funny with flent. Flent is not happy with fping or ping.

das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ /usr/bin/sudo /usr/sbin/ip netns exec network101 /usr/bin/flent rrul --output /tmp/qdisc/2023-10-13T15:53:21/pi4/noqueue/flent/test/15_flent/flent_pi4_noqueue.png --data-dir /tmp/qdisc/2023-10-13T15:53:21/pi4/noqueue/flent/test/15_flent/ --format summary --plot all_scaled --title-extra 2023-10-13T15:53:21_pi4_noqueue --note 2023-10-13T15:53:21_pi4_noqueue --extended-metadata --host 172.17.51.10 --length 60 --ipv4 --socket-stats
Starting Flent 2.0.1 using Python 3.10.12.
Starting rrul test. Expected run time: 70 seconds.
WARNING: Found fping, but couldn't parse its output. Not using. < ???
ERROR: Runner Ping (ms) ICMP failed check: Cannot parse output of the system ping binary (/usr/bin/ping). Please install fping v3.5+.<- ??

das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ dpkg --list | grep ping
ii  fping                5.1-1                   amd64  sends ICMP ECHO_REQUEST packets to network hosts
ii  iputils-ping         3:20211215-1            amd64  Tools to test the reachability of network hosts
ii  kpartx               0.8.8-1ubuntu1.22.04.1  amd64  create device mappings for partitions
ii  libharfbuzz0b:amd64  2.7.4-1ubuntu3.1        amd64  OpenType text shaping engine (shared library)
das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ fping --version
fping: Version 5.1
das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ ping -V
ping from iputils 20211215

das@3rd:~/Downloads/cake/cmd/run_qdiscs_tests$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS"

I did install via "apt install fping"

Any thoughts please?

Kind regards,
Dave

On Thu, Sep 28, 2023 at 6:27 AM Sebastian Moeller via Cake <cake@lists.bufferbloat.net> wrote:

> > On Sep 28, 2023, at 15:19, David Lang wrote:
> >
> > On Thu, 28 Sep 2023, Sebastian Moeller via Cake wrote:
> >
> >> P.S.: I am tempted, but will likely wait until they are available in quantity and hope that the street price comes down a bit before getting one ;)
> >
> > They aren't available at all yet, and it's not clear when they will be available.
>
> The announcement was end of October, but I think I could pre-order right now if I was feeling an urge. You are right though, announced != available or delivered.
>
> Regards
> Sebastian
>
> P.S.: I have a pi400 in use as "desktop" for my oldest kid, this is close to be actually generally usable, I would guess that changing a potential p500 from the pi400's 4GB to 8 GB together with the other improvements the 5 brings might push it over the threshold into the truly useful category. Which probably means that either a potential pi500 will come late and probably with only 4 GB, but let's see how this works out now that the supply situation is less problematic.
> And I understand that there are other capable ARM based SoCs for homerouter/desktop duty, I just happen to have a soft spot for the raspberry project ;)
>
> >
> > David Lang
>
> ___
> Cake mailing list
> Cake@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cake

--
Regards,
Dave Seddon
+1 415 857 5102
___
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake
Re: [Cake] some comprehensive arm64 w/cake results
Thanks Jonathan!

Curious and curiouser

I'd love to understand the difference between the tests I've been doing and your tests.
- How many TCP flows did you have please ( cake performance seems to drop significantly with increased number of TCP flows, although I need to do more testing to understand why )?
- What was the RTT?
- Load tool?
- ... so many questions :)

On Mon, Sep 18, 2023 at 3:13 PM Jonathan Morton wrote:

> > On 18 Sep, 2023, at 10:50 pm, dave seddon via Cake <cake@lists.bufferbloat.net> wrote:
> >
> > The cake tests so far had rtt 1ms and rtt 3ms, which might be too low. ( If it is too low, then maybe it would make sense to remove "rtt lan = rtt 1ms" option, as it's a misleading configuration option? )
>
> If all your traffic is over the LAN, and you have a machine and application tuned for the extra-low latencies that a LAN can offer, then setting LAN-grade targets for Cake might make sense. But most people's traffic is a mixture, with the performance of Internet traffic being more important, and that is better served by the *default* settings.
>
> You ran fq_codel at its default settings. These are equivalent to Cake's default settings, so far as the AQM activity is concerned. I'm just asking for a like-to-like comparison. You could be pleasantly surprised.
>
> - Jonathan Morton

--
Regards,
Dave Seddon
+1 415 857 5102
___
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake
Re: [Cake] some comprehensive arm64 w/cake results
G'day Mr David Reed,

Thanks for the comments. Definitely agree with your sentiments and the tests definitely do NOT simply represent Intel versus ARM.

Perhaps I should have been more clear about the objectives of the testing: I'm curious to understand the performance of these lower end SoC devices, because these are the types of devices that act as home gateway routers, as access points, and such. There are many many millions of these devices out there and I don't know how well understood their performance is:
e.g. How bad is my Spectrum Internet cable modem?
e.g. I have a Unifi security gateway and its "smart queue" performance is pretty poor ( <200 Mb/s ). Why is it so poor?

Obviously, with real servers ( and even virtual AWS ones ) which have real NICs, you get things like multi-queues with RSS, and a lot more tuning knobs, and so they can go a lot faster.

In the tests so far, the Asus CN60 device with the r8169 performs pretty well, where the NIC is likely to be contributing positively. The default configuration has a bunch of off-loading enabled:

root@asus-cn60-2:/home/das# ethtool --show-features enp1s0 | grep ": on"
rx-checksumming: on
tx-checksumming: on
tx-checksum-ipv4: on
tx-checksum-ipv6: on
generic-receive-offload: on
rx-vlan-offload: on
tx-vlan-offload: on
highdma: on [fixed]

However, based on these initial tests, which are not complete, it's certainly curious that the Pi4 is doing ~923Mbit/s with pfifo_fast and then doing significantly less ( ~621 Mbits/sec ) with cake. I'm interested to understand this in more detail, where DaveT has recommended adding 20ms or 40ms.

The cake tests so far had rtt 1ms and rtt 3ms, which might be too low. ( If it is too low, then maybe it would make sense to remove "rtt lan = rtt 1ms" option, as it's a misleading configuration option? )

Definitely, during the testing these little devices have the NIC IRQs all going through core 0, so I want to explore tuning options.

root@rpi4b:/home/das# cat /proc/interrupts | grep -E '(CPU0|eth0)'
           CPU0       CPU1       CPU2       CPU3
 30:   38651749          0          0          0     GICv2 189 Level     eth0   <--- IRQs only going to CPU0
 31:   20418643          0          0          0     GICv2 190 Level     eth0

Some ideas include:
- Moving most processes off core0. e.g. Configure all the systemd slices NOT to use core0, so core0 is essentially freed to only service the IRQs
- RPS ( https://www.kernel.org/doc/html/latest/networking/scaling.html#rps-receive-packet-steering ). e.g. Can the other cores get more involved?
- Tuning ideas from here: https://github.com/leandromoreira/linux-network-performance-parameters. Specifically, I was wondering about increasing netdev_budget sysctls. The defaults are shown here:

root@rpi4b:/home/das# sysctl -a | grep netdev_budget
net.core.netdev_budget = 300
net.core.netdev_budget_usecs = 8000

"Armbian's kernel isn't a particularly high performance kernel build."
Happy to discuss any recommended tuning. Armbian is very easy to install on the microSD card. ( Actually, I have the LicheePi 4A RISC-V, but can't find an easy image to just load on a microSD card. )

Over the weekend, I reconfigured the testing setup using a lot more VLANs. Now each device has ALL the different qdiscs configured on different VLANs and IPs, allowing the iperf/flent tests to be run one after the other with no need to change the qdiscs between tests. I'm currently repeating every combination of test, before adding the netem 20/40ms latency as DaveT suggested. ( Tests take a while: 8 devices * 6 qdiscs = 48 tests, by 10 minute tests = 480 minutes = 8 hours )

Roughly the plan is:
1. Retest all combinations. This is to confirm the starting position. <--- running now
2. Add netem latency 20 and 40ms, and retest all combinations. I'm hoping Pi4 cake performance will be closer to > 900 Mb/s
3. Apply some tuning options, and retest all combinations

Kind regards,
Dave Seddon

On Sun, Sep 17, 2023 at 6:05 PM Dave Taht wrote:

> A huge thanks to dave seddon for buckling down and doing some comprehensive testing of a variety of arm64 gear!
>
> https://docs.google.com/document/d/1HxIU_TEBI6xG9jRHlr8rzyyxFEN43zMcJXUFlRuhiUI/edit#heading=h.bpvv3vr500nw
>
> --
> Oct 30: https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html
> Dave Täht CSO, LibreQos

--
Regards,
Dave Seddon
+1 415 857 5102
___
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake
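Added example, not part of the original message or of the poster's test framework: a small Python check for the situation described above, where every eth0 interrupt lands on CPU0, that reads /proc/interrupts text and derives an RPS CPU bitmap leaving the interrupt-handling core out. The function names, the 0.9 threshold and the mmc0 and ERR rows of the sample are assumptions made for this example.

```python
# Added example: per-CPU IRQ share for one NIC from /proc/interrupts text,
# plus an rps_cpus bitmap that leaves the interrupt-handling core out.

# Constructed sample: the two eth0 rows carry the counters quoted in the
# message above; the mmc0 row and the ERR row are made up for contrast.
SAMPLE = """\
           CPU0       CPU1       CPU2       CPU3
 30:   38651749          0          0          0     GICv2 189 Level     eth0
 31:   20418643          0          0          0     GICv2 190 Level     eth0
 35:       1200       5100       4800       5300     GICv2 158 Level     mmc0
ERR:          0
"""


def irq_counts(text, device):
    """Sum the per-CPU counters of every IRQ row whose last field is device."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    ncpu = sum(1 for tok in lines[0].split() if tok.startswith("CPU"))
    totals = [0] * ncpu
    for line in lines[1:]:
        _, _, rest = line.partition(":")
        fields = rest.split()
        counts, desc = fields[:ncpu], fields[ncpu:]
        # Summary rows such as ERR/MIS carry a single counter and no name.
        if len(counts) < ncpu or not desc:
            continue
        if not all(c.isdigit() for c in counts):
            continue
        if desc[-1] == device:
            totals = [t + int(c) for t, c in zip(totals, counts)]
    return totals


def busiest_cpu(counts):
    """Return (cpu index, share of all interrupts) for the most loaded CPU."""
    total = sum(counts)
    if total == 0:
        return None, 0.0
    cpu = max(range(len(counts)), key=counts.__getitem__)
    return cpu, counts[cpu] / total


def rps_mask(ncpu, exclude):
    """Hex CPU bitmap, written as comma-separated 32-bit groups."""
    mask = sum(1 << cpu for cpu in range(ncpu) if cpu not in exclude)
    digits = format(mask, "x")
    groups = []
    while digits:
        groups.insert(0, digits[-8:])
        digits = digits[:-8]
    return ",".join(groups)


def suggest_rps(text, device, threshold=0.9):
    """Suggest an RPS mask when one CPU takes >= threshold of the device IRQs."""
    counts = irq_counts(text, device)
    cpu, share = busiest_cpu(counts)
    if cpu is None or share < threshold or len(counts) < 2:
        return None
    return {
        "device": device,
        "irq_cpu": cpu,
        "share": share,
        "rps_cpus": rps_mask(len(counts), {cpu}),
    }


if __name__ == "__main__":
    for dev in ("eth0", "mmc0"):
        print(dev, irq_counts(SAMPLE, dev), suggest_rps(SAMPLE, dev))
```

The kernel scaling document linked in the message describes writing such a bitmap to /sys/class/net/<dev>/queues/rx-<n>/rps_cpus and notes that at high interrupt rates it can be wise to leave the interrupting CPU out of the map.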
[go-nuts] icmpengine - a small golang ping library
G'day, I hope this is an appropriate place to post about a new little library. Recently I was looking for a basic ping library but didn't have much luck, so I hope the community will find this helpful: https://github.com/EdgeCast/icmpengine Feedback welcome. Kind regards, Dave Seddon
Re: [dpdk-users] Peformance troubleshouting of TCP/IP stack over DPDK.
> > > better performance than the standard Linux kernel one but so far we can't get this performance.
> > > 2. Do you think the difference comes because of the time spending handling packets and handling epoll in both of the tests? What do I mean. For the standard Linux tests the interrupts handling has higher priority than the epoll handling and thus the application can spend much more time handling packets and processing them in the kernel than handling epoll events in the user space. For the DPDK+FreeBSD case the time for handling packets and the time for processing epolls is kind of equal. I think, that this was the reason why we were able to get more performance increasing the number of read packets at one go and decreasing the epoll events. However, we couldn't increase the throughput enough with these tweaks.
> > > 3. Can you suggest something else that we can test/measure/profile to get better idea what exactly is happening here and to improve the performance more?
> > >
> > > Any help is appreciated!
> > >
> > > Thanks in advance,
> > > Pavel.
> >
> > First off, if you are testing on KVM, are you using PCI pass thru or SR-IOV to make the device available to the guest directly. The default mode uses a Linux bridge, and this results in multiple copies and context switches. You end up testing Linux bridge and virtio performance, not TCP.
> >
> > To get full speed with TCP and most software stacks you need TCP segmentation offload.
> >
> > Also software queue discipline, kernel version, and TCP congestion control can have a big role in your result.
>
> Hi,
>
> Thanks for the response.
>
> We did the tests on Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64).
> The NIC was given to the guest using SR-IOV.
> The TCP segmentation offload was enabled for both tests (standard Linux and DPDK+FreeBSD).
> The congestion control algorithm for both tests was 'cubic'.
>
> What do you mean by 'software queue discipline'?
>
> Regards,
> Pavel.

--
Regards,
Dave Seddon
+1 415 857 5102
Re: [dpdk-users] [dpdk-dev] KNI Module (multiple) to handle IGMP requests
*I am relying on KNI TCP/IP stack to handle the igmp - Membership Query to send the igmp - Membership Report, port-1 never send the report and hence switch drops the multicast data within few minutes.*

Are you saying that traffic does arrive on both ports briefly, and then stops on port1? This would imply that an IGMP join did initially go out both ports.

On Tue, Aug 6, 2019 at 5:21 AM Vikash Kumar wrote:

> Hello Everyone,
>
> Currently I am working on a project in which I need to capture the ipv4 multicast data from a managed (igmp enabled) switch.
>
> In order to achieve this, I am currently using below configuration:
>
> dpdk-18.05.1.
>
> *Hardware Description:*
>
> Operating System: CentOS Linux 7 (Core)
> CPE OS Name: cpe:/o:centos:centos:7
> Kernel: Linux 3.10.0-957.12.1.el7.x86_64
> Architecture: x86-64
> NIC: Ethernet 10G 2P X520 Adapter 154d (ixgbe)
>
> IG Huge Page available.
>
> Changes made in grub: isolcpus=0-1 default_hugepagesz=1G hugepagesz=1G transparent_hugepage=never"
>
> KNI Module successfully loaded as : sudo /sbin/insmod $RTE_SDK/$RTE_TARGET/kmod/rte_kni.ko kthread_mode=multiple
>
> Successfully created 16 hugepages.
>
> Successfully created hugepage filesystem. (using 'sudo mount -t hugetlbfs nodev /mnt/huge')
>
> Static IPs given to both ports of NIC.
>
> Successfully binded both the ports with igb_uio driver.
>
> Referring to KNI sample application, allocated 1 KNI module for each port. Used same MAC address, IP address, ifname same as the original NIC.
>
> Able to join multicast feeds using these kni interfaces ( setsockopt IP_ADD_SOURCE_MEMBERSHIP )
>
> Using 1 lcore for each port. lcore 0 to capture the data over port 0 and lcore 1 to capture the data over port 1.
>
> Each of these 2 eal thread running on lcore does the below operations:
>
> rte_eth_rx_burst() -> keep copy of required multicast data and free the mbuff if copied. Else all other packets passed to kni tx (including igmp packets)
> rte_kni_tx_burst()
> rte_kni_handle_request()
> rte_kni_rx_burst()
> rte_eth_tx_burst()
>
> *_Problem Statement:_*
>
> Everything works fine with port 0. But for Port 1, I observe that there is no output from rte_kni_rx_burst, which in turn leads to multicast drop by switch.
>
> I am relying on KNI TCP/IP stack to handle the igmp - Membership Query to send the igmp - Membership Report, port-1 never send the report and hence switch drops the multicast data within few minutes.
>
> I have seen this behaviour on 2-3 machines of almost similar configuration. However, strangely on one another similar machine, the behaviour was totally opposite. There Port1 was working fine and port0 was dropping the multicast.
>
> *Please advise, what I am missing here and what can I do to debug this issue further.*
>
> Thanks & Regards,
> Vix

--
Regards,
Dave Seddon
+1 415 310 4086
Re: BGP Connection reset on fast timers
Packet 35 shows .13, which is the Bird running on Vmware (sorry about that), and clearly thinks the hold time expired:

Major error Code: Hold Timer Expired (4)
Minor error Code (Hold Timer Expired): 0

Might be worth trying to run bird debugging to see what else it says. Have you considered BFD? Maybe try running different virtualization (e.g. KVM), or no virtualization.

On Tue, Jun 12, 2018 at 3:42 AM, Olivier Benghozi <olivier.bengh...@wifirst.fr> wrote:

> Just a comment:
>
> here we use 5/15 on some 10GE links between Redback/Ericsson/SmartEdge and Cisco routers (so, unrelated to BIRD and Linux) with success (never flaps if the link is OK). These links are used to receive/transmit L2TP tunnels traffic.
>
> The usecase was:
> 1) there are some intermediate switches on the links (so a cut cannot always be quickly detected)
> 2) L2TP timers are aggressive and it's relevant to switch to another path quickly enough in order to avoid some L2TP tunnels disconnections, which in turn would disconnect several tens of thousands PPP sessions and users
> 3) BFD wasn't an option (between two different operators)
>
> Olivier
>
> On 12 June 2018 at 11:09, Maria Jan Matějka wrote:
>
> If I remember it correctly, there was somebody who used a 5/15 setup and still had to take a lot of care to keep the links up.
>
> By the way, is there any good reason to have so short timeouts?

--
Regards,
Dave Seddon
+1 415 310 4086
Re: BGP AS Path Filter
BGP loop prevention works by never accepting a route with your own AS in the path. Therefore if you prepend your route with the AS numbers of the upstream networks, those networks won't accept the route. However, maybe your ISP will not accept the route either if they have strict filters (they probably will accept it), but keep in mind reachability might not work, so tread carefully.

On Nov 16, 2017 3:44 AM, "Shurshuka" wrote:

> Hello,
>
> I am newbie in Bird & BGP so pardon my question:
>
> I have server and my own AS/IP's (/24).
> I get default from my provider.
> My provider has a lot of upstreams (different IP transit providers with their own AS).
> I want my AS/routes to be announce only from some providers upstreams.
> My provider doesn't provide any self-service BGP communities for that.
> As I understood, I can do this thing with BGP AS Path Filter (Default is OK for this? Or Full View required?).
> What filter I need to use (import/export)?
> I tried to use this filter, but it failed:
>
> import filter {
>     if (bgp_path ~ [= * IP_TRANSIT_PROVIDER_AS_1 PROVIDER_AS MY_AS =]) || (bgp_path ~ [= * IP_TRANSIT_PROVIDER_AS_2 PROVIDER_AS MY_AS =]) then {
>         accept;
>     } else reject;
> };
>
> Could you please to answer my questions and to tell in what direction to move on?
>
> Thanks.
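Added example, not part of the thread: a small Python model of the behaviour described in the reply above, covering the AS_PATH loop check, an upstream dropping a route that already carries its own AS number, and a provider with a strict customer filter dropping the announcement for everyone. The AS numbers come from the documentation range (64496 to 64511), and the topology, function names and the shape of the announced path are assumptions made for this example.

```python
# Added example: AS_PATH loop prevention on a constructed topology.
# customer (MY_AS) -> provider (PROVIDER_AS) -> three transit upstreams.
MY_AS = 64496
PROVIDER_AS = 64500
UPSTREAMS = (64501, 64502, 64503)


def passes_loop_check(local_as, as_path):
    """A BGP speaker drops any route whose AS_PATH already has its own AS."""
    return local_as not in as_path


def path_avoiding(origin_as, avoid):
    """AS_PATH announced by the origin so that the ASes in avoid drop it.

    Assumption of this example: the avoided ASes sit between two copies of
    the origin AS, so the first and the last AS in the path stay our own.
    """
    return [origin_as, *avoid, origin_as] if avoid else [origin_as]


def strict_customer_filter(customer_as, as_path):
    """A strict provider accepts only paths made of the customer's own AS."""
    return all(asn == customer_as for asn in as_path)


def propagate(announced, strict_provider=False):
    """Return {upstream AS: AS_PATH as received, or None when dropped}."""
    rejected = {asn: None for asn in UPSTREAMS}
    if not passes_loop_check(PROVIDER_AS, announced):
        return rejected
    if strict_provider and not strict_customer_filter(MY_AS, announced):
        return rejected
    exported = [PROVIDER_AS, *announced]  # provider prepends itself on export
    return {
        asn: exported if passes_loop_check(asn, exported) else None
        for asn in UPSTREAMS
    }


def reachable_via(result):
    """Upstreams that accepted the route, in ascending order."""
    return sorted(asn for asn, path in result.items() if path is not None)


if __name__ == "__main__":
    plain = propagate(path_avoiding(MY_AS, []))
    shaped = propagate(path_avoiding(MY_AS, [64502]))
    strict = propagate(path_avoiding(MY_AS, [64502]), strict_provider=True)
    print("plain  :", reachable_via(plain))
    print("shaped :", reachable_via(shaped))
    print("strict :", reachable_via(strict))
```

With the strict filter the route reaches no upstream at all, which is the reachability risk the reply warns about.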
Re: Hold time expired error
Perhaps you can get a pcap of what's happening? Capturing just the bgp should be pretty small pcap. On Aug 5, 2017 7:37 PM, "Ajai Kumar"wrote: > Dear All, > Looking forward for your support on issue reported in appended mail. > Regards, > Ajai Kumar > > On 4 August 2017 at 10:50, Ajai Kumar wrote: > >> Dear All, >> >> >> I am suspecting issue on bird,pls refer response are >> >> Question: you cannot ping across your IX, you need to look lower than >> BIRD to figure out the problem. >> >> >> Ans: Yes I can ping the IP from switch connected to bird server. However >> not able to ping from bird server. >> >> >> >> Question: I would try to answer questions like: Is ARP resolving IPs to >> MACs? >> >> Ans: Yes ARP is resolving IPs to MACS >> >> >> >> Question: Is the problem isolated to a single BIRD server only? >> >> Yes the problem occurs now on new one I am installing, the other BIRD >> installed later are working properly >> >> Question: We are using BIRD 1.3.9. Can you confirm which version of >> bird does not have this issues. >> >> >> Question Is it only IPv4 problem only, >> >> Yes it is an IPv4 problem, >> >> >> or IPv6 as well? >> >> Looking forward for your help pls. >> >> Regards, >> Ajai Kumar >> >> On 3 August 2017 at 21:02, Janvier Rwakagabo >> wrote: >> >>> Find my comments in red. >>> >>> >>> >>> Thanks >>> >>> >>> >>> Regards, >>> >>> >>> >>> Janvier R. >>> >>> >>> >>> *From:* Bird-users [mailto:bird-users-boun...@network.cz] *On Behalf Of >>> *Jonathan Stewart >>> *Sent:* Thursday, August 3, 2017 4:06 PM >>> *To:* Ajai Kumar >>> *Cc:* bird >>> *Subject:* Re: Hold time expired error >>> >>> >>> >>> If you cannot ping across your IX, you need to look lower than BIRD to >>> figure out the problem. >>> >>> I can ping the IP through IX >>> >>> >>> >>> >>> >>> I would try to answer questions like: Is ARP resolving IPs to MACs? >>> >>> Yes ARP is resolving IPs to MACS >>> >>> >>> >>> Is the problem isolated to a single BIRD server only? 
>>> >>> Yes the problem occurs now on new one I am installing, the other BIRD >>> installed later are working properly >>> >>> >>> >>> Is it only IPv4 problem only, >>> >>> Yes it is an IPv4 problem, >>> >>> >>> >>> or IPv6 as well? >>> >>> >>> >>> If you can answer some of these questions, you'll get closer to finding >>> the root cause, I expect. >>> >>> >>> >>> Cheers, >>> >>> Jonathan >>> >>> >>> >>> >>> >>> >>> >>> On Thu, Aug 3, 2017 at 2:25 AM, Ajai Kumar wrote: >>> >>> Dear All, >>> >>> We are facing problem with few peers in our IX. Frequently they get >>> Hold Timer Expired Error and they are not able to ping our route server IP. >>> After shut no shut this problem resolves for sometime. One log message >>> appended >>> >>> >>> bgp_hold_timeout:4690: NOTIFICATION sent to X.X.X.X (External AS >>> 132953): code 4 (Hold Timer Expired Error), Reason: holdtime expired for >>> X.X.X.X (External AS 132953), socket buffer sndcc: 57 rcvcc: 0 TCP state: >>> 4, snd_una: 728368567 snd_nxt: 728368624 snd_wnd: 15744 rcv_nxt: 429172199 >>> rcv_adv: 429188583, hold timer out 90s, hold timer remain 0s >>> >>> Requesting for help pls. >>> >>> Regards, >>> >>> Ajai Kumar >>> >>> -- >>> >>> >>> (M) +91-9868477444 <+91%2098684%2077444> >>> Skype ID:erajay >>> P-mail: joinajay1 at gmail.com >>> . >>> Please don't print this email unless you really need to. This will >>> preserve trees on our planet. >>> >>> >>> >>> >>> >>> -- >>> >>> Jonathan >>> >> >> >> >> -- >> >> (M) +91-9868477444 <098684%2077444> >> Skype ID:erajay >> P-mail: joinajay1 at gmail.com >> . >> Please don't print this email unless you really need to. This will >> preserve trees on our planet. >> > > > > -- > > (M) +91-9868477444 <+91%2098684%2077444> > Skype ID:erajay > P-mail: joinajay1 at gmail.com > . > Please don't print this email unless you really need to. This will > preserve trees on our planet. >
Re: [dpdk-users] what is the average latency you get for io forwarding from dpdk?
There's an interesting video about speed: https://youtu.be/ne3svryuthI On Jan 17, 2017 12:28 AM, "Marco Kwok"wrote: > Hello all, > > I wonder if anyone could get a relative low latency from dpdk on 1gb link. > > When using testpmd, an packet of 150 bytes is sent, packet is received by > the port and loopback to the sender. > I usually could get 50us for io forward. Sometime it can be as fast as 3us. > However it is too slow to be used for switching application. > > My test platform is on a intel NUC NUC5I5RYH, which has i5 5250U 1.6GHz, > 16GB DDR3 and i218-V network chip. dpdk 16.07.2 > > > I have done the following things try to get a better latency with no luck: > -setup 1G hugepages > -disable cpu frequency scaling to make sure cpu runs at max speed of 2.7GHz > -isolate a cpu core from kernel task scheduler by isolcpus > -setting the burst size of testpmd to 1 > > Guys, I really want your input. I don't need high throughput but low > latency. Does anyone of you have been able to achieve a lower latency with > dpdk? I don't see the advantage I have taken from dpdk now. > > Best, > Mark >
Re: OSPF socket error on "bge0" invalid argument
Just a guess "pointopoint" -> "pointtopoint" On Dec 30, 2016 5:04 PM, "David S."wrote: > Dear All, > > I have trouble to establish ospf on BIRD 1.6.3 using FreeBSD 11 amd64, > here is my topology and BIRD configuration: > > router-a -- router-b (directly connected use cat6) > > router-a: 10.22.40.17/30 > router-b: 10.22.40.18/30 > > bird.conf in router-a > > router id 10.5.16.1; > debug all; > import filter ospf_in_routerb; > export filter ospf_out_routerb; > tick 2; > area 0 { >interface "bge0" { > stub; > cost 5; > hello 10; retransmit 2; wait 10; dead 40; > type pointopoint; > }; >networks { > 103.22.40.16/30; > }; >interface "*" { > cost 1000; > stub; > }; > }; > } > > bird.conf in routerb > > router id 10.5.16.2; > debug all; > import filter ospf_in_routera; > export filter ospf_out_routera; > tick 2; > area 0 { >interface "bge0" { > stub; > cost 5; > hello 10; retransmit 2; wait 10; dead 40; > type pointopoint; > }; >networks { > 103.22.40.16/30; > }; >interface "*" { > cost 1000; > stub; > }; > }; > } > > I found the following error message from bird.log: > > 2016-12-31 07:52:38 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:52:43 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:52:48 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:52:53 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:52:57 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:53:03 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:53:07 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:53:13 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:53:18 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:53:22 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:53:27 ospf1: Socket error on bge0: Invalid argument > 2016-12-31 07:53:28 ospf1: Socket error on bge0: Invalid argument > > Show ospf: > > bird> show ospf > ospf1: > RFC1583 compatibility: disabled > Stub router: No > RT 
scheduler tick: 2 > Number of areas: 1 > Number of LSAs in DB: 260 > Area: 0.0.0.0 (0) [BACKBONE] > Stub: No > NSSA: No > Transit:No > Number of interfaces: 25 > Number of neighbors:0 > Number of adjacent neighbors: 0 > Area networks: > 10.22.40.16/30 Advertise > > bird> show protocols all ospf1 > name prototablestate since info > ospf1OSPF master up 07:53:28Alone > Router ID: 10.8.60.1 > Preference: 150 > Input filter: ospf_in_routerb > Output filter: ospf_out_routerb > Routes: 25 imported, 259 exported, 0 preferred > Route change stats: received rejected filteredignored > accepted > Import updates: 25 0 0 0 > 25 > Import withdraws:0 0--- 0 >0 > Export updates: 630587 0 630328--- > 259 > Export withdraws: 22--------- >0 > > Why ospf neighbor can't established? > I'm new to ospf and really need help. > > Thank you > > Best regards, > David S. > > e. da...@zeromail.us > w. pnyet.web.id >
[dpdk-users] Question regarding packet availability
G'day, BGP peers can advertise routes with a next-hop of a 3rd party neighbor. This is often used at IX peering points across an Ethernet switch with a route-reflector (RR). The peers all advertise routes to the RR, and then the RR sends the routes to all the other peers with the next hop not of the RR, but of the 3rd party neighbor. Using this, you should be able to use a different NIC on your host machine, or different machine altogether, to run Bird/Quagga BGP to advertise multiple routes with the next hop IP of our DPDK process(es) using different NICs. This way you won't need to (re)implement a BGP solution in DPDK. Info about 3rd party neighbors here with pictures, and it's obviously also covered in detail within the BGP RFCs: http://blog.ine.com/2010/09/02/understanding-third-party-next-hop/ You should think carefully about the health checking, and could also consider that your BGP process could adjust the bandwidth to the different next hop IPs taking advantage of Link Bandwidth Extended communities which you can advertise with Bird and both Juniper and Cisco support from an ECMP perspective: http://bird.network.cz/pipermail/bird-users/2014-December/009456.html Hope this helps, as your project sounds interesting. Kind regards, Dave On Thu, Jul 28, 2016 at 3:00 AM, yingzhi wrote: > Hi All, > > > I'm new to DPDK and would like to ask some quick questions. > We are trying to develop a Load Balance solution that take advantage of > ECMP with BGP, so there is a BGP process running on our LB node, and we'd > like to use DPDK to improve packet processing performance. > The questions is, if DPDK bind to a interface, can it still > sending/receiving BGP packets or I need a separate interface dedicated for > BGP? In the later case, can the BGP process still aware of the DPDK bond > port's network and announce that network to uplink router? > > > Any comment/advice is appreciated. > > > Thanks in advance. -- Regards, Dave Seddon +1 415 857 5102
Re: Enhanced Route Refresh Capability (rfc7313)
Greetings, If this is truly a bug in Juniper, I'd be happy to log the bug with them. We'd just need to supply them the tcpdump and reference the RFC where it says this isn't mandatory. Kind regards, Dave Seddon On Tue, Jun 23, 2015 at 5:37 AM, Raphael Mazelier r...@futomaki.net wrote: On 23/06/15 15:29, Ondrej Zajicek wrote: I considered such option for 1.5.0 but thought it would be unnecessary. I will probably reconsider that. It seems that the Juniper router misbehaves on this. So it could be a good one. -- Raphael Mazelier
Re: Inject BGP routes with non directly-connected next-hop
That's the difference between iBGP and eBGP: https://tools.ietf.org/html/rfc4271#section-5.1.3 On Tue, Apr 7, 2015 at 5:39 AM, Jan Huňka jan.hu...@gmail.com wrote: Hello, I'm currently trying to configure BIRD for BGP injection. Routes which are added on BIRD should be distributed to specified neighbor router (in this case Cisco) and added to its routing table. I also need to specify next-hop IP address of these routes, because injected routes should divert the matching traffic through another way until BIRD stops distributing these routes. I was able to configure BIRD to inject these routes with specified next-hop using internal BGP. But I also need it to work with external BGP. The problem is that the next-hop IP of injected routes is a directly connected network of the Cisco router and not BIRD's. BIRD doesn't know anything about this network. So the question is, is it possible to inject routes from BIRD to Cisco router using external BGP with next-hop IP address, which is not directly connected to the BIRD router? I should add that the BGP injection using external BGP works too, but only if the next-hop IP is a directly connected network of the BIRD router. Thank you for any advice. Jan Huňka Configuration of BIRD: protocol device { scan time 10; } protocol static static_10 { route 5.100.100.0/24 reject; } # filters section (DO NOT REMOVE!) filter filter_10 { if ( proto = static_10 ) then { bgp_community.add((25511,444)); bgp_next_hop=3.100.100.1; accept; } else { reject; } } protocol bgp bgp_10 { local as 25511; neighbor Y.Y.Y.Y as 25512; import all; export filter filter_10; } Configuration of the bgp process on the CISCO router: router bgp 25512 neighbor X.X.X.X remote-as 25511 ! address-family ipv4 neighbor X.X.X.X activate no auto-summary !
Re: BGP multipath support
Thanks. You mean: https://tools.ietf.org/html/rfc6774 ? On Tue, Dec 23, 2014 at 1:12 AM, Raphael Mazelier r...@futomaki.net wrote: I completely agree, lack of multipath could be a show stopper. To Dave: for installing multiple path in the routing table of the server (analogy to juniper = fib), bird has to accept multiple path in his own routing tables (rib). On 23/12/14 10:02, David Barroso wrote: Add-path and multipath are two completely different things. Does someone know if there are plans around it? I was evaluating running bird on the DC but without multipath support that will be impossible. I prefer bird 100 times over quagga but I might not have any option as I need BGP multipath support. On Mon, Dec 22, 2014 at 12:21 AM, dave seddon dave.seddon...@gmail.com wrote: Greetings, Bird will just carry the routes, and distribute this information to your routers. Your routers will install the routes, and then depending on the router and configuration, the router could install multiple routes via multiple paths. However, if you are using the Linux machine itself as a router, then I think the options for multi path aren't like a router. e.g. Not per flow ECMP. Just per packet. Kind regards, Dave On Sun, Dec 21, 2014 at 9:39 AM, Raphael Mazelier r...@futomaki.net wrote: On 19/12/2014 09:55, David Barroso wrote: Hello, I was planning to use bird within my DC as my routing protocol but apparently BGP multipath is not supported. Is that correct? Do you know if there are any plans to support it? Thanks! David As far as I know bgp multipath is not implemented in bird. Someone to confirm ? However bgp add path is now implemented, which could be used as an alternative. Regards, -- Raphael Mazelier
Re: BGP multipath support
Greetings, Bird will just carry the routes, and distribute this information to your routers. Your routers will install the routes, and then depending on the router and configuration, the router could install multiple routes via multiple paths. However, if you are using the Linux machine itself as a router, then I think the options for multi path aren't like a router. e.g. Not per flow ECMP. Just per packet. Kind regards, Dave On Sun, Dec 21, 2014 at 9:39 AM, Raphael Mazelier r...@futomaki.net wrote: On 19/12/2014 09:55, David Barroso wrote: Hello, I was planning to use bird within my DC as my routing protocol but apparently BGP multipath is not supported. Is that correct? Do you know if there are any plans to support it? Thanks! David As far as I know bgp multipath is not implemented in bird. Someone to confirm ? However bgp add path is now implemented, which could be used as an alternative. Regards, -- Raphael Mazelier
[Qemu-devel] qemu - SCSI disk Device Model, Serial Number, and Firmware Version?
Greetings, Just wondering if it would be difficult to add the ability to define the SCSI disk Device Model, Serial Number, and Firmware Version. I've been using the '-device lsi' successfully to emulate the LSI controller, but now I want to emulate certain disks too. e.g. I've been using this: --- ... -drive if=none,id=disk00,file=/home/das/documents/qemu/disk00.img.qcow,media=disk,cache=writeback \ -device lsi \ -device scsi-disk,drive=disk00,bus=scsi.0 \ ... --- The reason this would be really cool is that tools like smartmontools seem to match on the Device Model, and the device-model QEMU hasn't made it into the list yet. I found hunting around the net that somebody has tried to make this work. I'm not sure if it works. '-drive ...,serial=xyz' This is how the QEMU disks are currently seen in dmesg: --- scsi 0:0:0:0: Direct-Access QEMU QEMU HARDDISK0.12 PQ: 0 ANSI: 3 target0:0:0: tagged command queuing enabled, command queue depth 16. target0:0:0: Beginning Domain Validation target0:0:0: Domain Validation skipping write tests target0:0:0: Ending Domain Validation --- This is an example of a real disk, that I would like to 'fake': --- scsi 2:0:0:0: Direct-Access ATA ST3500320NS SN06 PQ: 0 ANSI: 5 sd 2:0:0:0: [sda] 976773168 512-byte hardware sectors (500108 MB) sd 2:0:0:0: [sda] Write Protect is off sd 2:0:0:0: [sda] Mode Sense: 73 00 00 08 sd 2:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA sd 2:0:0:0: [sda] 976773168 512-byte hardware sectors (500108 MB) sd 2:0:0:0: [sda] Write Protect is off sd 2:0:0:0: [sda] Mode Sense: 73 00 00 08 sd 2:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA --- Here's an example of the nasty/QEMU output of smartmontools: --- # smartctl -d sat --all /dev/sg0 smartctl version 5.38 [i686-spcdn-linux-gnu] Copyright (C) 2002-8 Bruce Allen Home page is http://smartmontools.sourceforge.net/ === START OF INFORMATION SECTION === Device Model: [No Information Found] Serial 
Number:[No Information Found] Firmware Version: � Device is:Not in smartctl database [for details use: -P showall] ATA Version is: 1 ATA Standard is: Exact ATA specification draft version not indicated Local Time is:Tue Jun 7 16:57:08 2011 UTC SMART is only available in ATA Version 3 Revision 3 or greater. We will try to proceed in spite of this. SMART support is: Ambiguous - ATA IDENTIFY DEVICE words 82-83 don't show if SMART supported. Checking for SMART support by trying SMART ENABLE command. SMART ENABLE appeared to work! Continuing. SMART support is: Ambiguous - ATA IDENTIFY DEVICE words 85-87 don't show if SMART is enabled. A mandatory SMART command failed: exiting. To continue, add one or more '-T permissive' options --- Here's an example of the output of smartmontools from a real disk: --- # smartctl -d sat --all /dev/sg1 smartctl version 5.38 [i686-spcdn-linux-gnu] Copyright (C) 2002-8 Bruce Allen Home page is http://smartmontools.sourceforge.net/ === START OF INFORMATION SECTION === Device Model: ST3500320NS --- CAN WE SIMULATE THIS? Serial Number:9QMCAMS6--- AND THIS? Firmware Version: SN06--- AND THIS? User Capacity:500,107,862,016 bytes Device is:Not in smartctl database [for details use: -P showall] ATA Version is: 8 ATA Standard is: ATA-8-ACS revision 4 Local Time is:Tue Jun 7 06:01:29 2011 UTC SMART support is: Available - device has SMART capability. SMART support is: Enabled --- Looking in the source, I can see that the QEMU HARDDISK for example is statically defined. Would this be difficult to make an option for the '-drive '? --- [root@tester hw]# grep -R 'QEMU' scsi-disk.c QEMUIOVector qiov; QEMUBH *bh; memcpy(outbuf[16], QEMU CD-ROM , 16); memcpy(outbuf[16], QEMU HARDDISK , 16); memcpy(outbuf[8], QEMU, 8); s-version = qemu_strdup(QEMU_VERSION); --- Kind regards, Dave Seddon d...@seddon.ca
Re: [Qemu-devel] qemu - SCSI disk Device Model, Serial Number, and Firmware Version?
Greetings, Thanks for all the responses. Overall it sounds like supporting this capability would be fairly easy. However, sadly for me it sounds like this won't be useful to people generally unless they are trying to virtualize something that relies on these codes. Answers to: Paulo: Statement: Here we should perhaps try to improve the ATA emulation. Response: It would probably be helpful to improve both SCSI and ATA emulation. Markus: Question: That's not what I see. What version of QEMU are you using? Answer: Using current package for Ubuntu 0.12.5 (that's probably a bad word, given all the @redhat emails. sorry :) ) What do you see? I did download the source and check, hence the grep snippet. Statement: No. Hardcoded to QEMU HARDDISK . Response: Why couldn't this be a configuration item? Thanks for your reference to: docs/qdev-device-use.txt And also for the 'scsi-hd' example. I can't see why, if the serial=S,ver=V options are supported, that model= couldn't also be added. - I will try this. Statement: Doubt it would be difficult. But would it be useful? Agree with what you're saying about specific calls, however, in my case I'm trying to run a vendor supplied image which only supports certain disks. It is currently borking because it doesn't like the disks. I strongly doubt it does any disk specific calls. They are doing this to stop us installing disks bigger than 500GB, for example. I'm trying to make appliance software run virtually. Kevin: Q: But this is scsi-disk - what does smartctl even try here? A: True. SMART only applied to ATA. I should not have included this smartctl example, however the 'dmesg' output is still relevant. Kind regards, Dave Seddon On Tue, 2011-06-07 at 17:04 +1000, Dave Seddon wrote: Greetings, Just wondering if it would be difficult to add the ability to define the SCSI disk Device Model, Serial Number, and Firmware Version. 
I've been using the '-device lsi' successfully to emulate the LSI controller, but now I want to emulate certain disks too. e.g. I've been using this: --- ... -drive if=none,id=disk00,file=/home/das/documents/qemu/disk00.img.qcow,media=disk,cache=writeback \ -device lsi \ -device scsi-disk,drive=disk00,bus=scsi.0 \ ... --- The reason this would be really cool is that tools like smartmontools seem to match on the Device Model, and the device-model QEMU hasn't made it into the list yet. I found hunting around the net that somebody has tried to make this work. I'm not sure if it works. '-drive ...,serial=xyz' This is how the QEMU disks are currently seen in dmesg: --- scsi 0:0:0:0: Direct-Access QEMU QEMU HARDDISK0.12 PQ: 0 ANSI: 3 target0:0:0: tagged command queuing enabled, command queue depth 16. target0:0:0: Beginning Domain Validation target0:0:0: Domain Validation skipping write tests target0:0:0: Ending Domain Validation --- This is an example of a real disk, that I would like to 'fake': --- scsi 2:0:0:0: Direct-Access ATA ST3500320NS SN06 PQ: 0 ANSI: 5 sd 2:0:0:0: [sda] 976773168 512-byte hardware sectors (500108 MB) sd 2:0:0:0: [sda] Write Protect is off sd 2:0:0:0: [sda] Mode Sense: 73 00 00 08 sd 2:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA sd 2:0:0:0: [sda] 976773168 512-byte hardware sectors (500108 MB) sd 2:0:0:0: [sda] Write Protect is off sd 2:0:0:0: [sda] Mode Sense: 73 00 00 08 sd 2:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA --- Here's an example of the nasty/QEMU output of smartmontools: --- # smartctl -d sat --all /dev/sg0 smartctl version 5.38 [i686-spcdn-linux-gnu] Copyright (C) 2002-8 Bruce Allen Home page is http://smartmontools.sourceforge.net/ === START OF INFORMATION SECTION === Device Model: [No Information Found] Serial Number:[No Information Found] Firmware Version: � Device is:Not in smartctl database [for details use: -P showall] ATA Version is: 1 ATA 
Standard is: Exact ATA specification draft version not indicated Local Time is:Tue Jun 7 16:57:08 2011 UTC SMART is only available in ATA Version 3 Revision 3 or greater. We will try to proceed in spite of this. SMART support is: Ambiguous - ATA IDENTIFY DEVICE words 82-83 don't show if SMART supported. Checking for SMART support by trying SMART ENABLE command. SMART
Re: FreeBSD route tables limited 16?
Greetings, Thanks for the quick response. It sounds like dedicating some space for this in the mbuf would be the best way forward, but the question is how much. I'm worried that most freebsd users won't go for lots of route tables, which is why you went for 4 bits originally. Within the network service provider space there is frequently a requirement for lots of virtual-routing with MPLS. I imagine there are others in my situation, including vendors and people working on equipment like Cisco/Juniper/Lucatel. Regarding the size to dedicate, the best number might be 12 bits or 4096. This would allow a route table per VLAN on a 802.1q interface. (Actually I'm lying a little because the first and last vlan IDs aren't usable :) ). Perhaps a separate option for non-common users who want many route tables would be best. e.g. GIANT_ROUTETABLES=12 Seems like there would need to be changes in multiple places although perhaps this list isn't exhaustive. So far the files to edit are: /usr/src/sys/net/route.h /sys/sys/mbuf.h Regarding firewalls and these multiple route tables, have you considered having a separate firewall rule table per route table? I haven't looked at the vnet jails, yet. Will do. Thanks. Kind regards, Dave -Original Message- From: Julian Elischer jul...@elischer.org To: d...@seddon.ca Cc: Andrew Hannam andr...@itsallaboutbiz.com, FreeBSD Net n...@freebsd.org, Robert Watson rwat...@freebsd.org Subject: Re: FreeBSD route tables limited 16? Date: Mon, 13 Sep 2010 17:56:37 -0700 Mailer: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.2.9) Gecko/20100825 Thunderbird/3.1.3 On 9/13/10 5:18 PM, Dave Seddon wrote: Greetings Julian, I've been wondering if it's possible to increase the number of FreeBSD route tables to a larger number. It seems this is currently 4 bits, however I was wondering about perhaps 16 bits? Yes the code is designed to handle many more and if you do create more then everything SHOULD handle it. 
The bottleneck is that we need to store an associated fib with each outgoing (or for that matter incoming) packet, but we do not at this time want to dedicate a whole word in the mbuf to the task. My hack for 8.x (before it was done) was to hide the information in the flags word of the mbuf. I only took 4 bits to make sure I didn't trample on other people's use of bits there. The plan is/was to make a separate entry in the mbuf some time after 7.x branched (say, now for example :-) ) you could just steal more bits for now, but if you take 8 bits there will only be one spare. (see /sys/sys/mbuf.h) It may just be time to bite the bullet and steal the entry. Out of curiosity, why do you need 16 fibs? have you considered using vnet jails as well?

/* MRT compile-time constants */
#ifdef _KERNEL
#ifndef ROUTETABLES
#define RT_NUMFIBS 1
#define RT_MAXFIBS 1
#else
/* while we use 4 bits in the mbuf flags, we are limited to 16 */
#define RT_MAXFIBS 16
#if ROUTETABLES > RT_MAXFIBS
#define RT_NUMFIBS RT_MAXFIBS
#error ROUTETABLES defined too big
#else
#if ROUTETABLES == 0
#define RT_NUMFIBS 1
#else
#define RT_NUMFIBS ROUTETABLES
#endif
#endif
#endif
#endif

Really liked your announcement years ago: http://lists.freebsd.org/pipermail/freebsd-arch/2007-December/007331.html Kind regards, Dave Seddon +61 447 SEDDON d...@seddon.ca -Original Message- From: Andrew Hannam andr...@itsallaboutbiz.com To: d...@seddon.ca Subject: RE: FreeBSD route tables - limited to 16 :( Date: Mon, 13 Sep 2010 15:55:47 +1000 Mailer: Microsoft Office Outlook 12.0 I think the gentleman is confusing route-tables with routes. 150K routes is easily possible but it is obvious there is currently only support for up to 16 route tables. I think that you are right and the number of bits will need to be updated. I don't know the answer to the 'route leaking' question and it has been a long time since I looked at this code. You really need to speak to the specialist responsible for the multiple route table code. 
This person should be clearly marked in the code headers. I'm guessing that no-one has thought about using it the way you are planning to use it. If I get some time I will have a look - but don't hold your breath. Regards, Andrew. -Original Message- From: Dave Seddon [mailto:d...@seddon.ca] Sent: Saturday, 11 September 2010 12:52 AM To: Aldous, Matthew D Cc: d...@seddon.ca; Andrew Hannam; Truman Boyes Subject: RE: FreeBSD route tables - limited to 16 :( Greetings, I'm guessing we need to adjust the number of bits defined for the route table in the mbufs structure definition (wherever that is), then we can update the route.h to match. I guess really we should make the mbufs codes _and_ route.h code pickup the KERNCONF definition of the variable ROUTETABLES. Andrew - thoughts on this? I'm not sure if the firewall rules allow you
ipf ttl question
Greetings, I'm running ipf+ipnat and proftp. I'm encountering a problem where the data connection is working fine, however because there's a large transfer no data is transferred on port 21, so the port 21 session dies (ttl expires). The transfer is running now. How can I change the ttl on the port 21 session, without dropping the session? Or can I change the ruleset to allow everything without dropping the session? Regards, Dave ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: dummynet, em driver, device polling issues :-((
Greetings, The default values are based on 100 MB/s fxp driver. Luigi did heaps of work a few years ago on this, and arrived at these values after lots of testing (I think). (I also remember reading some interesting stuff where he had fxp and a 3com card and was testing to see how many frames he could push out of each different card - fxp won!). Given we're now running 1000MB/s em cards, it might be safe to say you can increase the defaults by 10. You have to edit the source to change some of the defaults: /usr/src/sys/kern/kern_poll.c #define MIN_POLL_BURST_MAX 100 #define MAX_POLL_BURST_MAX 1 I tried doing this, but encountered the problems with the throughput somehow related to the em cards and gave up. Maybe your results will be better. Regards, Dave Seddon Ferdinand Goldmann writes: Kevin Day wrote: In one case, we had a system acting as a router. It was a Dell PowerEdge 2650, with two dual server adapters. each were on separate PCI busses. 3 were lan links, and one was a wan link. The lan links were receiving about 300mbps each, all going out the wan link at near 900mbps at peak. We were never able to get above 944mbps, but I never cared enough to figure out where the bottleneck was there. 944mbps is a very good value, anyway. What we see in our setup are throughput rates around 300mbps or below. When testing with tcpspray, throughput hardly exceeded 13MB/s. Are you running vlans on your interface? Our em0-card connects several sites together, which are all sitting on separate vlan interfaces for which the em0 acts as parent interface. This was with PCI-X, and a pretty stripped config on the server side. Maybe this makes a difference, too. We only have a quite old xSeries 330 with PCI and a 1.2GHz CPU. Nothing fancy on polling, i think we set HZ to 1 Ten-thousand? Or is this a typo, and did you mean thousand? This is weird. :-( Please, is there any good documentation on tuning device polling? 
The man page does not give any useful pointers about values to use for Gbit cards. I have already read things about people using 2000, 4000HZ ... Gaaah! I tried with 1000 and 2000 so far, without good results. It seems like everybody makes wild assumptions on what values to use for polling. , turned on idle_poll, and set user_frac to 10 because we had some cpu hungry tasks that were not a high priority. I think I read somewhere about problems with idle_poll. How high is your burst_max value? Are you seeing a lot of ierrs? *sigh* :-( confusing. -- Ferdinand Goldmann
Re: dummynet, em driver, device polling issues :-((
Jeremie, Sorry for top posting. My time machine is broken :) Kevin, You mention you're running at near line rate. What are you pushing or pulling? What's the rough spec of these machines pushing out this much data? What setting do you have for the polling? I've been trying to do near line rate and can't even get close with new HP-DL380s (Single 3.4 Ghz Xeon). I think the PCI bus might be the problem. The em Intel NICs I found to be very slow and stop after about 3 hours. - The Intel NICs I have are dual port, although they end up on separate IRQs. - cat /var/run/dmesg | grep em em0: Ethernet address: 00:11:0a:57:70:fa em0: Speed:N/A Duplex:N/A em1: Intel(R) PRO/1000 Network Connection, Version - 1.7.35 port 0x5040-0x507f mem 0xfde6-0xfde7 irq 73 at device 1.1 on pci6 em1: Ethernet address: 00:11:0a:57:70:fb em1: Speed:N/A Duplex:N/A em2: Intel(R) PRO/1000 Network Connection, Version - 1.7.35 port 0x6000-0x603f mem 0xfdf8-0xfdfb,0xfdfe-0xfdff irq 97 at device 1.0 on pci10 em2: Ethernet address: 00:11:0a:57:73:6a em2: Speed:N/A Duplex:N/A em3: Intel(R) PRO/1000 Network Connection, Version - 1.7.35 port 0x6040-0x607f mem 0xfdf6-0xfdf7 irq 98 at device 1.1 on pci10 em3: Ethernet address: 00:11:0a:57:73:6b em3: Speed:N/A Duplex:N/A - ps ax | grep em 84 ?? WL 0:00.00 [irq73: em1] 85 ?? WL 0:00.00 [irq74: em0] 108 ?? WL 0:00.00 [irq97: em2] 109 ?? WL 0:00.00 [irq98: em3] -- Ferdinand, After giving up on the Intel cards in the DL380s I started using the onboard broadcom cards (bge). They work great, although I don't seem to be able to get near line rate either. I've been serving up 10 files from MFS via thttpd. I get about 80MB/s only. :( Regards, Dave Jeremie Le Hen writes: Hi Benjamin, Ferdinand, (Please avoid top-posting, this reverts the flow of the conversation and makes the whole thread difficult to follow.) i have been messing with the em driver now for over a month, ive come to the conclusion is a piece of crap. 
if you watch on this list every other day you have someone saying their em driver is causing some sort of error, this should not be on a nic from a company like intel. im sadly contemplating moving over to fedora right now just so i can work until 6.0 comes out (which i doubt will solve the problem anyway since im using the drivers from 6.0 now and they're not helping out either). somebody really needs to look into this and find out what the hell is going on as i consider this a major problem right now. em(4) is known to be full of problems, it would indeed require someone taking the maintainership of the driver and then reworking it a bit. After you experience your problems, can you do sysctl -w hw.em0.stats=1 and sysctl -w hw.em0.debug_info=1 and post what gets dumped to your syslog/dmesg output? em0: Excessive collisions = 0 em0: Symbol errors = 0 em0: Sequence errors = 0 em0: Defer count = 11 em0: Missed Packets = 0 em0: Receive No Buffers = 0 em0: Receive length errors = 0 em0: Receive errors = 0 em0: Crc errors = 0 em0: Alignment errors = 0 em0: Carrier extension errors = 0 em0: XON Rcvd = 11 em0: XON Xmtd = 0 em0: XOFF Rcvd = 11 em0: XOFF Xmtd = 0 em0: Good Packets Rcvd = 283923273 em0: Good Packets Xmtd = 272613648 em0: Adapter hardware address = 0xc12cfb48 em0:CTRL = 0x58f00249 em0:RCTL = 0x8002 PS=(0x8402) em0:tx_int_delay = 66, tx_abs_int_delay = 66 em0:rx_int_delay = 0, rx_abs_int_delay = 66 em0: fifo workaround = 0, fifo_reset = 0 em0: hw tdh = 173, hw tdt = 173 em0: Num Tx descriptors avail = 256 em0: Tx Descriptors not avail1 = 0 em0: Tx Descriptors not avail2 = 0 em0: Std mbuf failed = 0 em0: Std mbuf cluster failed = 0 em0: Driver dropped packets = 0 We're using polling on nearly all the servers, and don't see ierrs at all. Hm. That's strange. The above values were gathered with polling disabled. 
As soon as I enable polling, ierrs on the em0 interface are rising: em0: Excessive collisions = 0 em0: Symbol errors = 0 em0: Sequence errors = 0 em0: Defer count = 11 em0: Missed Packets = 39 em0: Receive No Buffers = 2458 em0: Receive length errors = 0 em0: Receive errors = 0 em0: Crc errors = 0 em0: Alignment errors = 0 em0: Carrier extension errors = 0 em0: XON Rcvd = 11 em0: XON Xmtd = 4 em0: XOFF Rcvd = 11 em0: XOFF Xmtd = 43 em0: Good Packets Rcvd = 315880003 em0: Good Packets Xmtd = 303985941 em0: Adapter hardware address = 0xc12cfb48 em0:CTRL = 0x58f00249 em0:RCTL = 0x8002 PS=(0x8402) em0:tx_int_delay = 66, tx_abs_int_delay = 66 em0:rx_int_delay = 0, rx_abs_int_delay = 66 em0: fifo workaround = 0, fifo_reset = 0 em0: hw tdh = 57, hw tdt = 57 em0: Num Tx descriptors avail = 249 em0: Tx Descriptors not avail1 = 0 em0: Tx Descriptors not avail2 = 0 em0: Std mbuf failed = 0 em0: Std mbuf cluster failed = 0 em0: Driver dropped packets = 0 Can you tell me
Re: Which em(4) chips work/don't work? [Was: RE: dummynet, em driver, device polling issues :-((]
Under 5.4 this revision of the em card doesn't work: 82546EB

[EMAIL PROTECTED]:1:0: class=0x02 card=0x00db0e11 chip=0x10108086 rev=0x01 hdr=0x00
vendor = 'Intel Corporation'
device = '82546EB Dual Port Gigabit Ethernet Controller (Copper)'
class = network
subclass = ethernet

Dave

Darren Pilgrim writes:

[Reflowed]

From: Benjamin Rosenblum

Darren Pilgrim wrote:

I'd be interested in finding out the specific chips with which people are (not) having success. As em(4) supports an entire family of products, rather than a single chip, it may be that some chips have quirks or other gotchas the driver needs to address. It certainly wouldn't be the first occurrence of revision-specific bugs.

my non working card is 82547EI aka 1000CT.

Under which version(s) of FreeBSD is it not working? Would an official person care to chime in about putting together a card/chip vs. em(4) bugs matrix?

___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: problems with em(4)
Greetings,

M The problem is:
M
M After the system run about 3 hours, there will be large Ierrs
M The system is not heavy loaded, incoming rates of em0 is less
M than 150Mbits/s. em1 and em2 are not connected.
M
M After 3 hours, the ierrs raise quickly every 1 minutes!
M
M I think is a problem with em(4) driver.
M
M Anyone meet such condition?

Yes. Lots of people. 3 hours does seem to be the magic number, regardless of the volume of traffic.

I'm interested in what you do sniffing 150MB/s. Normally libpcap can't handle that amount of traffic.

Regards,
Dave Seddon
Re: tcpdump based packet generator
Greetings,

Yes I was wondering about doing that the other day. I'd like to hear how you go if you do get somewhere. Perhaps this is how the load generators work? I've been using one based on SmartBits, which seems to be linux.

Dave

Nickolay Kritsky writes:

combination of tcpdump and nemesis may do the trick

Nick

-Original Message-
From: det_re [mailto:[EMAIL PROTECTED]
Sent: Friday, September 30, 2005 7:53 AM
To: freebsd-net@freebsd.org
Subject: tcpdump based packet generator

has anyone seen or implemented packet generator capable of reading tcpdump trace file and resend the packets back into the wire through bpf in freebsd box?
Re: arplookup problems
There seem to be serious issues around this driver. There have been many posts on this list in the last days particularly, as well as over the last few months. People seem to be looking at it, and I guess once we all rush out and buy other (e.g. broadcom) NICs intel might try to help.

dave

Daemon writes:

I hope this is the correct list to post to, if not, I apologize. I've had an ongoing problem with arplookup for some months now and as of yet, haven't been able to find anything on the web concerning my particular problem. Every 24 hours, almost to the minute, I get the following errors;

*Note This proceeds each arplookup failure
em0: Link is Down
em0: Link is up 100 Mbps Full Duplex

Sep 25 01:32:49 thisbox kernel: arplookup 169.0.0.1 failed: host is not on local network
Sep 25 01:33:05 thisbox kernel: arplookup 10.32.240.171 failed: host is not on local network
Sep 26 01:23:37 thisbox kernel: arplookup 169.0.0.1 failed: host is not on local network
Sep 26 01:23:49 thisbox kernel: arplookup 10.32.240.171 failed: host is not on local network
Sep 27 01:23:35 thisbox kernel: arplookup 169.0.0.1 failed: host is not on local network
Sep 27 01:23:48 thisbox kernel: arplookup 10.32.240.171 failed: host is not on local network

When this happens, one by one, each of my (ssh, gaim, irc, etc.) connections time out until every connection is dead. I'm using RoadRunner Business Class with a static IP on em0 and an internal subnet 172.16.XXX.XXX on em1. I was getting the errors on two older nics I had, so I bought new nics in hopes that would correct the problem. I was running FreeBSD 5.4-Release p7 and switched to FreeBSD 5.4-STABLE about a week ago. I'm running the most current DHCP server, IPFW2, and NATD.

I have the following in /etc/sysctl.conf

kern.polling.enable=1
net.inet.tcp.syncookies=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
# TCP send and receive spaces
net.inet.tcp.sendspace=1048576
net.inet.tcp.recvspace=1048576
# Socket queue defense against SYN attacks
kern.ipc.somaxconn=1024
# Redirects
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
# Subnet
net.link.ether.bridge_cfg=em0,em1
net.link.ether.bridge.enable=0
net.link.ether.bridge.ipfw=0
net.link.ether.ipfw=1
# ARP cleanup
net.link.ether.inet.max_age=1200
# Source routing
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# Broadcast ECHO response
net.inet.icmp.bmcastecho=0
# Other broadcast probes
net.inet.icmp.maskrepl=0
net.inet.ip.fw.dyn_ack_lifetime=3600
net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.one_pass=0

I have the following in my kernel conf;

# Firewall Stuff
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_FORWARD_EXTENDED
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPDIVERT
options DUMMYNET
options BRIDGE
options IPSTEALTH
options HZ=1000
options DEVICE_POLLING

It is probably a bad idea to post my /etc/rc.conf ifconfig info here, but since I'm almost positive that in order for someone to help me track this down, they're going to want/need to know what is in there, I'll wait in hopes of a response first.

Regards,
Mark
Re: em(4) receive part wedging randomly at moderate load
Can we try running the windows drivers? Wasn't that called project evil.

Dave

Scott M. Ferris writes:

On 9/26/05, Petri Helenius [EMAIL PROTECTED] wrote:

Does anyone have the programming data for the chipsets so the driver could be taken further? I've been unable to obtain them from Intel despite of repeated attempts.

Intel released the 8254x Developer Manual in late July, so some information is now available. You can download a PDF from SourceForge: http://www.sourceforge.net/projects/e1000/

Unfortunately that document doesn't appear to have any chip errata in it, so you may have to search the Linux driver for the work-arounds it's using, but it's better than having no documentation at all.

--
Scott M. Ferris
Re: wierd problems with openvpn [update]
So ditch pf and let us know. Or swap to ipf

Z.C.B. writes:

I am positive it is something to do with pf. I copied the exact same config file from the vpn server over to another box and pointed the client at it and it worked perfectly fine. Any one see any thing odd in that pf setup or have any suggestions or the like?

On Thu, 22 Sep 2005 20:55:05 -0500 Vulpes Velox [EMAIL PROTECTED] wrote:

Just been messing around with openvpn and trying to get it up and running using http://openvpn.net/static.html as a guide. It works, but I run into a weird problem with data moving across the vpn. I can send a ping across from the client to the server, but the server never sends any thing back. I used tcpdump to make sure the server is seeing it and it is. I see it going there on both machines, but I never see a reply. I am running pf on the server... but it should not be doing any thing...

server pf.conf...

ext_if=fxp1
int_if=fxp0
internal_net=192.168.0.0/8
dcc = { 6115:6130 }
bittorrent = { 6881:6889 }
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port $dcc -> 192.168.0.2
rdr on $ext_if proto tcp from any to any port $bittorrent -> 192.168.0.2
rdr on $ext_if proto udp from any to any port 27960 -> 192.168.0.2
pass in all
pass out all

server config...

dev tun
secret vulpes-static.key
ifconfig 10.8.0.1 10.8.0.2
comp-lzo

host config...

dev tun
secret vulpes-static.key
ifconfig 10.8.0.2 10.8.0.1
remote inari
comp-lzo
Re: UDP dont fragment bit
Greeting Sten,

I'm a little worried about a couple of the things you've said:

1. It is more common to block icmp messages about reassembly problems than DF problems IF a message is generated in the first place.

I think that's crap. Most firewalls DO correctly and statefully accept the ICMP messages for existing sockets. ipf and pf do, but I'm not sure about IPFW2, but I'd be surprised if it didn't. I'd also be surprised if iptables in linux land didn't track the ICMP. Most commercial firewalls, like Netscreen, Checkpoint, PIX, all do also.

2. Consider a client connected to an isp's network(1). The isp drops all ICMP packets. That network is then connected to a third network(2) which has a data path that has an MTU of 1400 bytes but also mangles tcp mss to 1360, udp packets must get fragmented. On server side the firewall must reassemble all udp fragments before passing them on to server.

If your ISP doesn't understand the importance of ICMP and they just drop it, change ISPs. ICMP is critical to efficient TCP, and your whole thread is about getting that ability for UDP. If your ISP does drop ICMP then the don't defragment option will just result in packets disappearing anyway.

Regards,
Dave Seddon
Re: Problems with SK and EM network cards/drivers on my system
Greetings,

There seems to be heaps of people on the list reporting errors with em cards and FreeBSD 5.4 -stable-ish (as in cvsup-ed within the last couple of months). Are there many people running these ok? Perhaps it's not the network card so much as some other element of the computer?

Regarding the below issue- what about spanning tree? Is portfast enabled?

Regards,
Dave

Maxim Tuliuk writes:

On Sun, Sep 18, 2005 at 14:15 -0400, Benjamin Rosenblum wrote:

... now the EM problem. when i am running a very high network load (streaming video, dumping ALOT of data across the network, etc) the network card disconnects (i lose pings and all my transfers drop) and 15-20 seconds later it pops up on the console with em0: Link is up 1000 Mbps Full Duplex and then it starts working again. again im at a dead wall and really want my network to work properly so i can do what i need to do.

Hello! I've same problems on 5.4-STABLE:

/var/run/dmesg.boot:
FreeBSD 5.4-STABLE #5: Tue Sep 13 16:14:10 EEST 2005
em0: Intel(R) PRO/1000 Network Connection, Version - 1.7.35 port 0xbc00-0xbc1f mem 0xff8e-0xff8f irq 18 at device 1.0 on pci1
em0: Ethernet address: 00:0c:f1:cf:7e:b6
em0: Speed:N/A Duplex:N/A

/etc/rc.conf:
ifconfig_em0=inet ... netmask ... media 100baseTX mediaopt full-duplex

/var/log/messages:
Sep 20 15:51:40 tak kernel: em0: Link is up 100 Mbps Full Duplex
Sep 20 17:01:40 tak kernel: em0: Link is up 100 Mbps Full Duplex
Sep 20 18:48:16 tak kernel: em0: Link is up 100 Mbps Full Duplex

switch: Catalyst 3550

I changed ports: 100M to 1GB and back; changed cables, but... no positive results :(

--
Maxim Tuliuk
WWW: http://primats.org.ua/~mt/
ICQ: 21134222
The bike is absolute freedom of moving
Re: iperf results
Greetings,

We would all be very interested to see the complete report. Particularly if you fix up the results for FreeBSD :)

Chuck's right, we need waaay more info. We don't even know what version of FreeBSD you're running.

There are lots of sysctl variables to adjust. Here's a bunch I played with, importantly, you don't need to recompile the kernel to adjust most of the settings. /etc/sysctl.conf /boot/loader.conf should do it. See defaults in /boot/defaults/loader.conf

- cat /etc/sysctl.conf

#kern.polling.enable=1
kern.polling.enable=1
#kern.polling.user_frac: 50
#kern.polling.reg_frac: 20
##kern.polling.user_frac=70
##kern.polling.reg_frac=40
#kern.polling.burst: 5
#kern.polling.each_burst: 5
#kern.polling.burst_max: 150
#default for 100MB/s
##kern.polling.burst=50
kern.polling.each_burst=50
kern.polling.burst_max=1500
#example I found on the web
#kern.polling.burst: 1000
#kern.polling.each_burst: 80
#kern.polling.burst_max: 1000
#net.inet.tcp.sendspace: 32768
#net.inet.tcp.recvspace: 65536
#net.inet.tcp.sendspace=65536
#net.inet.tcp.recvspace=65536
#DO NOT SET THIS HIGHER THAN 65536 * 2 (FREEBSD BUG)
net.inet.tcp.sendspace=131072
net.inet.tcp.recvspace=131072
#sysctl net.inet.tcp.rfc1323=1 Activate window scaling and timestamp options according to RFC 1323.
#net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=0
net.inet.icmp.icmplim=1000
#kern.ipc.maxsockbuf: 262144
###kern.ipc.maxsockbuf=2048
#The kern.ipc.somaxconn sysctl variable limits the size of the listen queue for accepting new TCP connections. The default value of 128 is typically too low for robust handling of new connections in a heavily loaded web server environment.
#kern.ipc.somaxconn: 128
kern.ipc.somaxconn=1024
#The TCP Bandwidth Delay Product Limiting is similar to TCP/Vegas in NetBSD. It can be enabled by setting net.inet.tcp.inflight.enable sysctl variable to 1. The system will attempt to calculate the bandwidth delay product for each connection and limit the amount of data queued to the network to just the amount required to maintain optimum throughput.
#This feature is useful if you are serving data over modems, Gigabit Ethernet, or even high speed WAN links (or any other link with a high bandwidth delay product), especially if you are also using window scaling or have configured a large send window. If you enable this option, you should also be sure to set net.inet.tcp.inflight.debug to 0 (disable debugging), and for production use setting net.inet.tcp.inflight.min to at least 6144 may be beneficial.
#these are the defaults
#net.inet.tcp.inflight.enable: 1
#net.inet.tcp.inflight.debug: 0
#net.inet.tcp.inflight.min: 6144
#net.inet.tcp.inflight.max: 1073725440
#net.inet.tcp.inflight.stab: 20
#Disable entropy harvesting for ethernet devices and interrupts. There are optimizations present in 6.x that have not yet been backported that improve the overhead of entropy harvesting, but you can get the same benefits by disabling it. In your environment, it's likely not needed. I hope to backport these changes in a couple of weeks to 5-STABLE.
kern.random.sys.harvest.ethernet=0
kern.random.sys.harvest.interrupt=0
#3
#/boot/loader stuff
#kern.ipc.maxsockets: 131072
#sysctl: Tunable values are set in /boot/loader.conf
#sysctl kern.ipc.nmbclusters View maximum number of mbuf clusters. Used for storage of data packets to/from the network interface. Can only be set at boot time - see above.
#kern.ipc.nmbclusters: 25600

-

Regards,
Dave

Chuck Swiger writes:

Matthew Jakeman wrote:

Some colleagues and myself have performed some simple tests on various OS's using iperf to simply fire packets from one pc to another over ethernet to test a few characteristics such as packet loss, jitter etc between IPv4 and IPv6. The configuration for all three OS's were 'out of the box' installs. The results we got back from that are strange for FreeBSD with regards to the packet loss iperf reports and I was wondering if anyone has any ideas why they might be as they are. The image at the link below shows the packet loss results for windows, Linux and FreeBSD for comparison! As you can see the packet loss for v6 is substantially less than v4 on FreeBSD, however this is still substantially larger than for the other two OS's, does anyone have any idea why this might be?

http://www.mjakeman.co.uk/images/4v6tests.jpg

You're probably getting packet loss either because you are filling up the network buffer space without pausing until it drains, or are running into ICMP response limits. If you're going to be testing latency around the millisecond level, you'll need to increase HZ to at least 1000, if not better.

For example, set sysctl net.inet.icmp.icmplim=20 on a machine called shot.

# ping -c 1000 -i 0.01 -s 1280 shot
PING shot
Re: Problems with SK and EM network cards/drivers on my system
It would also be interesting to know if you've got device polling enabled. If so, what sysctl settings do you have.

Regards,
Dave Seddon

Mike Tancsa writes:

On Sun, 18 Sep 2005 14:15:51 -0400, in sentex.lists.freebsd.net you wrote:

Im having an issue with my new linksys eg1032 nic and the onboard intel 82547EI on my new server. ill go over both problems individually and include my dmesg below that.

now the EM problem. when i am running a very high network load (streaming video, dumping ALOT of data across the network, etc) the network card disconnects (i lose pings and all my transfers drop) and 15-20 seconds later it pops up on the console with em0: Link is up 1000 Mbps Full Duplex and then it starts working again. again im at a dead wall and really want my network to work properly so i can do what i need to do.

Not sure about the sk issue, but there have been some changes to the em driver since 5.4. If you can, I would try moving to 6.0R when it comes out. Also, what is the em nic plugged into ? Does the port have any logging facilities to see what might be going on from the switch's perspective ?

---Mike

Mike Tancsa, Sentex communications http://www.sentex.net
Providing Internet Access since 1994
[EMAIL PROTECTED], (http://www.tancsa.com)
Re: Efficient use of Dummynet pipes in IPFW
skipto

man ipfw - e.g.

ipfw add 10 skipto 4000 all from any to any layer2 out

Brett Glass writes:

For years, we've used Dummynet in FreeBSD for bandwidth control. Unfortunately, the semantics of IPFW can, at times, make the use of Dummynet awkward and inefficient.

For example, suppose you want to create a set of rules that does bandwidth limiting first and then blocks certain ports (e.g. TCP ports 137 through 139). You want to throttle first and then block ports, so that (a) blocked packets count against the user's bandwidth limit and (b) a flood of packets will be bandwidth-limited before it runs through the rest of the rules.

If net.ip.fw.one_pass is set to 0, packets emerging from a Dummynet pipe or queue will re-emerge at the next rule. This is good, because the packet can be passed on to the rules that block ports. But there's a problem: you usually do not want to go to the next rule (which is likely to be one that tests the packet to see if it is to go into a different Dummynet pipe). Rather, you want the packet to next be tested against a rule farther down -- after all of the rules involving bandwidth limiting.

Here's an example of what I mean. Suppose you have several groups of users, at IP addresses 0.0.0.1, 0.0.0.2, etc. Each group has a separate pipe regulating its bandwidth consumption. You might have rules like this:

# First group
${fwcmd} pipe 1 config bw 512kbit/s
${fwcmd} pipe 2 config bw 512kbit/s
${fwcmd} add pipe 1 ip from 0.0.0.0/24{55,56,57} to any in via fxp1
${fwcmd} add pipe 2 ip from any to 0.0.0.0/24{55,56,57} out via fxp1
# Second group
${fwcmd} pipe 3 config bw 1024bit/s
${fwcmd} pipe 4 config bw 1024kbit/s
${fwcmd} add pipe 3 ip from 0.0.0.0/24{35-40} to any in via fxp1
${fwcmd} add pipe 4 ip from any to 0.0.0.0/24{35-40} out via fxp1
# Filtering here

What you'd really like is to have any packet that satisfies one of the pipe rules jump down to the filtering rules after being reinjected into IPFW. Unfortunately, because IPFW doesn't have a "not" that can cover the "and" of all the conditions in the rule -- that is, you can't say not (ip from A to any in via fxp1) -- it's very difficult to do this with a single rule containing a skipto action. What's more, there's no "resume at" clause available in IPFW that would change where a packet was reinjected, and no such thing as a "come from" directive (something that's often joked about in programming classes).

So, what's the best way get a packet to skip past the remaining bandwidth limiting rules once it was selected to go into a pipe?

--Brett Glass
Re: Testing Ethernet Ports
Greetings,

You need a separate routing table. Try using Xen (http://www.cl.cam.ac.uk/Research/SRG/netos/xen/), or there's a patch floating around for FreeBSD4.9.

Dave

Barney Wolff writes:

On Thu, Sep 01, 2005 at 09:58:14AM -0500, Will Maier wrote:

On Thu, Sep 01, 2005 at 10:36:04AM -0400, Ames, Jonathan (N-ENSCO) wrote:

Can someone give me a hand with this? Here goes... A PC has two ethernet ports, both directly on the motherboard. Can I connect them externally with an ethernet cable and ping from one port to the other to test them both? How?

Lemme see if I parsed your question correctly:

* box.A.nic.1 --cable-- box.A.nic.2

Is that what you're talking about? Sure. Use a crossover cable, assign each interface a different IP on the same subnet (eg 10.0.0.1 and 10.0.0.2) and ping from one to the other:

I don't believe this will do what's wanted - the packets will not actually go thru the NICs, as the OS is smart enough to realize that the dest is internal. With a crossover cable (not required with gigabit nics) you can't tell, so if you try it use a switch and look at the lights.

--
Barney Wolff http://www.databus.com/bwresume.pdf
I never met a computer I didn't like.
Re: VLANs / Bridging / BPDU
Or just

interface GigabitEthernet0/1
spanning-tree portfast

Or disable spanning tree

no spanning-tree vlan 1-100

You could also do some MAC address filtering as the BPDUs are ethernet multicast, but that smacks of hard work. :)

Peter Wood writes:

Sods law, after working on this for two weeks I ask for help, then 20 minutes later I figure it out. The easiest solution was to disable BPDU on the machines port on the Cisco.

interface GigabitEthernet0/1
switchport mode trunk
spanning-tree bpdufilter enable

Thought I'd post it for reference, so it'll appear somewhere in a archive if others need it.

Pete.

--
Peter Wood BSc (Hons) :: [EMAIL PROTECTED] :: Tel +44 1606 828010
Re: dhclient and ADSL modem trouble...
What ISP is it? You sure the ISP doesn't use PPPoE?

Dave

Digital Brain writes:

Hi Chuck and thanks for your reply -- unfortunately dhclient still fails to get an IP... Here's a copy of my dhclient.conf:

#dhclient config for interface ed0
interface ed0 {
send host-name my.gateway.com;
send dhcp-client-identifier my.client.com;
request subnet-mask, broadcast-address, routers, domain-name-servers, domain-name, time-servers;
require domain-name-servers;
media media autoselect;
}

I've tried a program called dhcping which supposedly tries to ping the dhcp server. All I get is No answer. Any idea why linux's dhcpd and Windows work :-| ? And, any other ideas?

Thanks
Re: Aggregate network interfaces
Greetings,

- Gig cards are cheap.
- PCI bus throughput is really bad (like 32MB/s)
- There is no easy way to bond on FreeBSD, but you can just use multiple IP addresses. It would be cool to have something like Etherchannel, but that doesn't work. Solaris has Etherchannel.

Regards,
Dave

Gary D. Margiotta writes:

Hello,

Probably a stupid question, but I've not had much luck searching for the answers (probably because I'm not using the correct search terminology).

Is there a way to bond multiple network cards together, so as to get a higher aggregate bandwidth? And also, if it is possible, is it recommended to do so, or am I looking at more trouble than its worth?

Thanks to a liquidation of office equipment from a previous employer, I ended up with several Intel series 10/100 switches (530 host and 535 member series), and a whole basket of Intel and 3Com 10/100 network cards. Rather than going out and buying new gigabit hardware, and since I have the spare PCI slots, switch ports and cards lying around, I'm curious to see if this could be a solution.

Please cc: replies directly to me, as I'm not subscribed to this particular list (and if this really should belong on another list, please let me know as well, and I'll repost).

Thanks for any info,
-Gary
Re: Aggregate network interfaces
Greetings,

Oh wow! That's cool. I missed that somehow.

The 'man' page doesn't mention the hash functions options. On the Cat 6500s you can log into the Sup and change the hash function so it's not just IP, but rather IP+Port. I've previously used this to balance the load across multiple gig links with traffic going to a single backup host, for example. (If you want to know how I'll have to look that up)

Regards,
Dave Seddon

Evgueni V. Gavrilov writes:

In article [EMAIL PROTECTED] you wrote:

IP addresses. It would be cool to have something like Etherchannel, but that doesn't work. Solaris has Etherchannel.

you missed ng_fec(4) which runs fine for me with Catalyst 3750 stack (Cisco WS-C3750G-24TS) (gigabit ethernet)

--
http://aquatique.rusunix.org
Re: two dc cards on 5.4
google = freebsd media rc.conf - http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/config-network-setup.html

Section shows:

ifconfig_dc0=inet 192.168.1.3 netmask 255.255.255.0
ifconfig_dc1=inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP

So you want:

ifconfig_dc0=100baseTX mediaopt full-duplex
ifconfig_dc1=100baseTX mediaopt full-duplex

Regards,
Dave Seddon

dave writes:

Hello,

I'm trying to get a pair of netgear cards to work on a 5.4-RELEASE-p6 box. My rc.conf looks as follows:

ifconfig_dc0=DHCP
ifconfig_dc1=inet 192.168.0.200 netmask 255.255.255.255

When i only have one dc card in the box dc0 everything works, the box gets a dhcp ip. Put the second one in regardless whether or not the ifconfig dc1 line is uncommented and two things happen, first i get continuous watchdog timeouts from dc0, second dc0 does not get an IP. As i said the second card doesn't have to be configured, just in the box and it happens, i've checked i/o and irq's neither conflict between the two cards.

One thing, with a single dc card the media is set to ethernet autoselect 100base-TX full-duplex and it's listed as active. Put the second card in and dc0 shows media ethernet autoselect but for media type i have none and status is listed as no carrier, i believe this is the reason for the lack of a dhcp ip, my question is i don't understand why. I've tried:

ifconfig_dc0_mediaopt=100base-TX, full-duplex

but the system didn't like that. I'd like to tell fbsd specifically what mode these cards are to be probed to in, but nothing seems to work, and this only occurs when the second card is in the box. I've tried three separate cards, all give the same behavior.

Some urgency! Any help greatly appreciated.

Dave.
Re: two dc cards on 5.4
google = freebsd media rc.conf - http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/config-network-set up.html Section shows: ifconfig_dc0=inet 192.168.1.3 netmask 255.255.255.0 ifconfig_dc1=inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP So you want: ifconfig_dc0=100baseTX mediaopt full-duplex ifconfig_dc1=100baseTX mediaopt full-duplex Regards, Dave Seddon dave writes: Hello, I'm trying to get a pair of netgear cards to work on a 5.4-RELEASE-p6 box. My rc.conf looks as follows: ifconfig_dc0=DHCP ifconfig_dc1=inet 192.168.0.200 netmask 255.255.255.255 When i only have one dc card in the box dc0 everything works, the box gets a dhcp ip. Put the second one in regardless whether or not the ifconfig dc1 line is uncommented and two things happen, first i get continuous watchdog timeouts from dc0, second dc0 does not get an IP. As i said the second card doesn't have to be configured, just in the box and it happens, i've checked i/o and irq's neither conflict between the two cards. One thing, with a single dc card the media is set to ethernet autoselect 100base-TX full-duplex and it's listed as active. Put the second card in and dc0 shows media ethernet autoselect but for media type i have none and status is listed as no carrier, i believe this is the reason for the lack of a dhcp ip, my question is i don't understand why. I've tried: ifconfig_dc0_mediaopt=100base-TX, full-duplex but the system didn't like that. I'd like to tell fbsd specifically what mode these cards are to be probed to in, but nothing seems to work, and this only occurs when the second card is in the box. I've tried three separate cards, all give the same behavior. Some urgency! Any help greatly appreciated. Dave. 
Re: Why Ierrs is so high?
Greetings,

Yeah I'd say there is something funny also. I've stuffed around with HZ and polling settings heaps and could only manage about 120MB/s-ish of HTTP traffic. I'm running 5.4-stable from about 2-3 weeks ago.

/etc/sysctl.conf

kern.polling.enable=1
kern.polling.each_burst=50
#need to edit /usr/src/sys/kern/kern_poll.c for set this
kern.polling.burst_max=1500
#DO NOT SET THIS HIGHER THAN 65536 * 2 (FREEBSD BUG)
net.inet.tcp.sendspace=131072
net.inet.tcp.recvspace=131072
kern.random.sys.harvest.ethernet=0
kern.random.sys.harvest.interrupt=0
kern.ipc.somaxconn=1024

I still get lots of kern.polling.lost_polls and kern.polling.suspect.

How do you edit the RXD is 256, TXD is 256?
How do you view the errors when you set sysctl hw.em0.stats=1?

Regards,
Dave

Mao Shou Yan writes:

Hi, all, I have a machine with 3 Intel pro1000 cards. em0 is in promisc mode, whose MAC controller is 82543 using fiber line connected. em1, em2 is not connected with cable. Driver configuration is the default, RXD is 256, TXD is 256.

Result of netstat -i:

Name  Mtu   Network  Address            Ipkts       Ierrs      Opkts  Oerrs  Coll
em0   1500  Link#1   00:03:47:de:72:36  1701943600  369823630  1      0      0
em1   1500  Link#2   00:10:dc:56:8b:b5  5561        0          4608   0      0
em2   1500  Link#3   00:03:47:42:6d:17  0           0          0      0      0

Pps of em0 is about 20k/pps, and bandwidth is no more than 150Mbps. When I use sysctl hw.em0.stats=1, I found the number of missed packets is very high, which is about equal Ierrs. And I also found the number of receive with no buffers is raising with about 10 per second. The machine is no extra load, only a raw system with em0 in promisc mode!

I'm looking forward your help!
Re: Why Ierrs is so high?
Greetings,

Also, how were you measuring the packet and data rate? What were you using to generate the traffic? I used /usr/ports/benchmark/siege and /usr/ports/www/thttpd.

Regards,
Dave

Mao Shou Yan writes:

Hi, all, I have a machine with 3 Intel pro1000 cards. em0 is in promisc mode, whose MAC controller is 82543 using fiber line connected. em1, em2 is not connected with cable. Driver configuration is the default, RXD is 256, TXD is 256.

Result of netstat -i:

Name  Mtu   Network  Address            Ipkts       Ierrs      Opkts  Oerrs  Coll
em0   1500  Link#1   00:03:47:de:72:36  1701943600  369823630  1      0      0
em1   1500  Link#2   00:10:dc:56:8b:b5  5561        0          4608   0      0
em2   1500  Link#3   00:03:47:42:6d:17  0           0          0      0      0

Pps of em0 is about 20k/pps, and bandwidth is no more than 150Mbps. When I use sysctl hw.em0.stats=1, I found the number of missed packets is very high, which is about equal Ierrs. And I also found the number of receive with no buffers is raising with about 10 per second. The machine is no extra load, only a raw system with em0 in promisc mode!

I'm looking forward your help!
Re: running out of mbufs?
% 0.10% httpd
4906 www 200 5040K 3256K lockf 1 0:36 0.10% 0.10% httpd
4542 www 200 5040K 3256K lockf 1 0:36 0.10% 0.10% httpd
607 www40 5040K 3252K sbwait 1 0:35 0.10% 0.10% httpd
4510 www40 5040K 3272K sbwait 1 0:35 0.10% 0.10% httpd

On both system the kern.polling.lost_polls is still increasing rapidly. I'm not sure what to do about this. ??

kern.polling.lost_polls: 9605569

Also the kern.polling.suspect is increasing similarly. I'm not sure what to do about this either. ??

--
kern.polling.suspect: 608527
--

Also thanks for the info on the VLAN searching. I think the adjustment you suggested sounds good, but a bit out of my league. It seems there are plenty of things to tweak in the kernel still.

BTW, I'd be interested to know people's thoughts on multiple IP stacks on FreeBSD. It would be really cool to be able to give a jail its own IP stack bound to a VLAN interface. It could then be like a VRF on Cisco.

Regards,
Dave Seddon
Re: running out of mbufs?
Perhaps a quick fix to the bug would be to output a message to the console when somebody tried to set the tcp.sendspace or tcp.recvspace space 65535 * 2.

Regards,
Dave Seddon

Pieter de Boer writes:

Mike Silbersack wrote:

net.inet.tcp.sendspace=1024000
net.inet.tcp.recvspace=1024000
kern.ipc.maxsockbuf=2048

I don't think large socket buffers have been tested well, it's possible that you're exhausting almost all of your mbufs with just a few connections - if you're really stuffing that much data in. I'd go back to the default settings for the above and try again.

With the added note that the send/recv spaces should be 65535 * 2^x (which 1024000 isn't). I might add that there's still a bug in the calculation of the TCP window scale option with regards to the set window size, leading to a FreeBSD system advertising a too large recvspace, which makes setting this option right even more necessary. (http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/82470)

-- Pieter
running out of mbufs?
#net.inet.tcp.inflight.min: 6144
#net.inet.tcp.inflight.max: 1073725440
#net.inet.tcp.inflight.stab: 20

#Disable entropy harvesting for ethernet devices and interrupts. There are optimizations present in 6.x that have not yet been backported that improve the overhead of entropy harvesting, but you can get the same benefits by disabling it. In your environment, it's likely not needed. I hope to backport these changes in a couple of weeks to 5-STABLE.
kern.random.sys.harvest.ethernet=0
kern.random.sys.harvest.interrupt=0

--
host228# sysctl -a | grep ipc | grep nm
kern.ipc.nmbclusters: 25600
host228# sysctl kern.ipc.nmbclusters=50
kern.ipc.nmbclusters: 25600 -> 2147483647
host228# sysctl -a | grep ipc | grep nm
kern.ipc.nmbclusters: 2147483647
-
host228# sysctl -a | grep hz
kern.clockrate: { hz = 15000, tick = 66, profhz = 1024, stathz = 128 }
debug.psmhz: 20
--

THE PHYSICAL INTERFACES ONLY (I'm only using 1 interface per 2 port card, and only running performance tests on the em cards)

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 192.168.1.228 netmask 0xff00 broadcast 192.168.1.255
        ether 00:12:79:cf:d0:bf
        media: Ethernet autoselect (1000baseTX full-duplex)
        status: active
bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        ether 00:12:79:cf:d0:be
        media: Ethernet autoselect (none)
        status: no carrier
em0: flags=18843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,POLLING> mtu 1500
        options=4b<RXCSUM,TXCSUM,VLAN_MTU,POLLING>
        ether 00:11:0a:56:ab:3a
        media: Ethernet autoselect (1000baseTX full-duplex)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=4b<RXCSUM,TXCSUM,VLAN_MTU,POLLING>
        ether 00:11:0a:56:ab:3b
        media: Ethernet autoselect
        status: no carrier
em2: flags=18843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,POLLING> mtu 1500
        options=4b<RXCSUM,TXCSUM,VLAN_MTU,POLLING>
        ether 00:11:0a:56:b2:4c
        media: Ethernet autoselect (1000baseTX full-duplex)
        status: active
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=4b<RXCSUM,TXCSUM,VLAN_MTU,POLLING>
        ether 00:11:0a:56:b2:4d
        media: Ethernet autoselect
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff00
---

Regards,
Dave Seddon [EMAIL PROTECTED]
Re: running out of mbufs?
So as for the system losing all network connectivity, do you have any suggestions?

regards,
Dave

Kris Kennaway writes:

On Wed, Aug 03, 2005 at 01:49:32PM +1000, Dave+Seddon wrote:

Greetings, I'm trying to do some performance testing of a content filtering system, so I'm trying to get very high HTTP throughput. I've got 4 * HP DL380s with 3.4G Xeon processors (hyper threading) and 1 G RAM, 2 onboard BGEs, and 2 * 2 port EM. Using FreeBSD5.4-stable (as of 2005/08/02) and device polling, I've configured a large number (246) VLAN interfaces on two machines, and have apache on one box and siege on the other. Using 'siege -f /home/my_big_list_of_urls -c 50 --internet' one host does a large number of request from the other machine.

I've been trying to tune for maximum performance and have been using lots of examples for /etc/sysctl.conf and so on from the web. Adjusting these settings and running the siege, I've found the apache server completely loses network connectivity when device polling is enabled. I've adjusted the HZ lots and found the system survives the longest set at 15000 (yes it seems very large doesn't it). The problem now seems to be that I'm running out of mbufs:

--
4294264419 mbufs in use
4294866740/2147483647 mbuf clusters in use (current/max)

This is a FAQ..see the release errata. The short answer is that it's not a real leak, only a leak in the stats. This is fixed in 7.0 and might be fixed in 6.0-RELEASE.

Kris
Re: pfil 2.1.1 and Solaris Express: no IPv6
Greetings,

I thought that Sun were actually releasing ipfilter along with all the other GNU packages with version 10. Maybe you should try to use the Sun version of ipfilter?

Dave

Laurent Blume writes:

Hello all, I've noticed that when I replace Sun's older pfil (part of SUNWipfu package) in Solaris 10 beta 2 (and also the previous, 2/04 build), IPv6 just stops working: no IPv6 packet gets out of the box at all. IPv4 continue to work (though there are other, unrelated, IP Filter problems that have already been reported).

Anybody notice the same behaviour? For me, almost as annoying as the NAT problems, since I spent some time installing an IPv6 network at home (for fun :-), and it breaks it completely :-(

Laurent
-- A hundred thousand lemmings can't be wrong!
Re: IP Filter rdr problem on Solaris 9
Greetings,

I'm not sure the rdr rule is correct. The 192.168.131.125/32 should be the destination address, usually people use something like:

--
From: http://www.unixcircle.com/ipf/ipf-howto.html#TOC_35

rdr xl0 0.0.0.0/0 port 21 -> 127.0.0.1 port 21

This statement says that any packet coming in on the xl0 interface destined for any address (0.0.0.0/0) on the ftp port should be rewritten to connect it with a proxy that is running on the NAT system on port 21.
--

So maybe you want something similar to:

--
rdr bge2 x.y.128.2/32 port 2 -> 1.2.3.4 port 2000 tcp
--

Regards,
Dave Seddon

KOVACS Krisztian writes:

Hi, Some updates: I've tried a more conventional network setup:

+--------+      bge0 +-------+ bge2      +--------+
| server |-----------| proxy |-----------| client |
+--------+           +-------+           +--------+
  .128.2          .128.1   .131.90         .131.49

The client has proxy set up as gateway. Proxy is a SUN Fire V210, with four bge interfaces (only two of them used), running IP Filter 4.1.1 and pfil 2.1 on Solaris 9. Connections are redirected to 1.2.3.4:2000 on the proxy:

rdr bge2 192.168.131.125/32 port 2 -> 1.2.3.4 port 2000 tcp

Unfortunately, almost the same problem occurs, it works for a while, but after some time (5 short-lived TCP sessions), all RDR NAT sessions are screwed, all of them look like this:

RDR 1.2.3.4 2000 <- -> 192.168.131.90 2 [192.168.131.49 51609]

while the correct entry would be:

RDR 1.2.3.4 2000 <- -> 192.168.131.125 2 [192.168.131.49 51609]

I wasn't able to reproduce the problem using the ARP-entry deletion trick, however... Really strange. The strangest aspect of the whole problem is that when things get stuck, _all_ of the NAT sessions get their IP changed from 192.168.131.125 (correct) to (192.168.131.90), even though all entries were correct before the problem occurs.

--
Regards,
Krisztian KOVACS
Re: no cheap routing?
Greetings,

If you use FreeBSD you'll be able to route based on packet matching rules, using IPFW/IPFW2 (you'll also be able to use DUMMYNET that will allow clever rate limiting). FreeBSD will work fine on your Sun box (use the latest version).

Hint: Once you've got the routing sorted, if you NAT inbound traffic, such that traffic on one link is NATed to a different address to the other link, then you'll be able to make sure traffic coming in on each link leaves on the same link.

Regards,
Dave Seddon

[EMAIL PROTECTED] writes:

I think this question has been asked before, and answered in the negative, but I thought I'd check before setting up two separate firewalls:

I have two external connections, a slow static expensive 384kb SDSL and now a fast dynamic cheap 3mb cable. I have two internal subnets, a DMZ and one for individual hosts. Incoming requests on the static DSL go to the DMZ for resolution (dns, smtp, http). ipnat on the firewall has rdr rules to get those services from the static DSL to the DMZ server. Outgoing requests from the internal individual hosts have been going to the static DSL line via ipnat map rules on the firewall. I would like to send them to the fast cable interface instead.

The problem is routing. Solaris allows multiple default routes but not in a way useful with firewalls. I don't really want general internet routing with redundancy, even if it were possible with the cable and DSL routers. I just want stuff coming in on DSL to go out that way, and stuff intended for cable to get there. I can certainly do that with two routers, and that's plan B.

I think every time variants of this question have come up before, the answer has been no, you can't do this with one router. But I thought I'd check one more time in case something new has been added lately, or I didn't understand the previous answers (quite possible).

The firewall environment is a Sun Netra server running Solaris 9 12/03 and ipfilter 3.4.33

Thanks for any light you can shed.
Re: ipnat - local redirection - ANSWER
Greetings,

A friend, more observant than I, noticed the destination address should not have /32. The following works fine:

rdr dmfe0 161.117.169.92/32 port 4888 -> 161.117.169.92 port 4889

Regards,
Dave

Dave+Seddon writes:

Greetings, I'd like to do a local redirection, to redirect from TCP port 4888 to 4889 (This is for Oracle Management Agent 10g). Here's what I've tried:

# cat /etc/ipnat.rules
rdr dmfe0 161.117.169.92/32 port 4888 -> 127.0.0.1 port 4889
# ipnat -CF -f /etc/ipnat.rules
0 entries flushed from NAT table
0 entries flushed from NAT list
localhost as destination not supported
4: syntax error in rdr
/etc/ipnat.rules: parse error (-1), quitting

I also tried using the non-lo interface address, even though the how-to says the packets must be redirect to a different interface than the one they come in on (ref. http://www.unixcircle.com/ipf/ipf-howto.html).

# cat /etc/ipnat.rules
rdr dmfe0 161.117.169.92/32 port 4888 -> 161.117.169.92/32 port 4889
# ipnat -CF -f /etc/ipnat.rules
0 entries flushed from NAT table
0 entries flushed from NAT list
5: can't resolve hostname: 161.117.169.92/32
5: syntax error in rdr
/etc/ipnat.rules: parse error (-1), quitting

Any ideas?

Regards,
Dave Seddon
Re: IPFilter and P3Scan
Greetings,

ooops. sorry the 'rdr' must be to a different interface.

rdr fxp1 0.0.0.0/0 port 110 -> 127.0.0.1 port 8110

Regards,
Dave

Paul Armstrong writes:

On Tue, Apr 27, 2004 at 08:34:36AM +0200, Fabrice wrote:
To: [EMAIL PROTECTED]

The example is :

ipfw add fwd 192.168.0.254,8110 tcp from 192.168.0.0/24 to any pop3

rdr fxp0 192.168.0.0/24 port 110 -> 192.168.0.254 port 8110 tcp
ipnat - local redirection
Greetings,

I'd like to do a local redirection, to redirect from TCP port 4888 to 4889 (This is for Oracle Management Agent 10g). Here's what I've tried:

# cat /etc/ipnat.rules
rdr dmfe0 161.117.169.92/32 port 4888 -> 127.0.0.1 port 4889
# ipnat -CF -f /etc/ipnat.rules
0 entries flushed from NAT table
0 entries flushed from NAT list
localhost as destination not supported
4: syntax error in rdr
/etc/ipnat.rules: parse error (-1), quitting

I also tried using the non-lo interface address, even though the how-to says the packets must be redirect to a different interface than the one they come in on (ref. http://www.unixcircle.com/ipf/ipf-howto.html).

# cat /etc/ipnat.rules
rdr dmfe0 161.117.169.92/32 port 4888 -> 161.117.169.92/32 port 4889
# ipnat -CF -f /etc/ipnat.rules
0 entries flushed from NAT table
0 entries flushed from NAT list
5: can't resolve hostname: 161.117.169.92/32
5: syntax error in rdr
/etc/ipnat.rules: parse error (-1), quitting

Any ideas?

Regards,
Dave Seddon
Re: error with ipf..help!
Greetings,

I recommend downloading the package from: http://www1.maraudingpirates.org:8080/ipfilter/

If you install this it works straight away, without reboot. Sadly, the default rule is allow, not block like you can have on BSD, but this is kind of good if you don't have serial access. :)

I'm not sure how to check if it's using 64bits or not, but I think it is.

Regards,
Dave Seddon

Tirunagaram, Kiran Maye (Kiran Maye) writes:

One has to install the pfil package first...

I have the following rule that has syntax errors.

pass in log quick from a.b.c.d/32 to w.x.y.z/32 port 7000

can some one help???

Hi, I use solaris 9, I have built the ipfilters as a package and installed it and rebooted the machine manually created the device files /dev/ipnat .etc when I try a rule ipf -fa -f /etc/ipf.rules, I get the following error

open device:No such file or directory
User /Kernel version check failed

Any suggestions?

thanks in Advance,
Kiran
RE: [vqadmin] Unable to add domain in vqadmin
Greetings,

I doubt it's a permission issue with the web pages. There's likely to be a permission issue in the /path/to/your/vpopmail/domains/directory. Maybe it's /home/vpopmail/domains, like mine:

--
qmail# pwd
/usr/home/vpopmail
qmail# ll
total 4
drwx------ 3 vpopmail vchkpw 4096 Jul 7 12:02 domains
--

Dave Seddon
Smarter Networks

#-Original Message-
#From: Kris Northern [mailto:[EMAIL PROTECTED]
#Sent: Tuesday, 30 December 2003 10:25 AM
#To: [EMAIL PROTECTED]
#Subject: [vqadmin] Unable to add domain in vqadmin
#
#Hello,
#In vqadmin I am unable to add a domain. The error message i receive is
#Can not make domains directory
#
#I checked the directory that i specified in the configure line and I
#chowned it to www-data.www-data
#Im not sure where its trying to write this directory or where i could view
#an errorlog to figure it out.
#thanks in advance.
#
#--
#Kris Northern
#graphic design / sound design
#www.phidelity.com
#
RE: [vqadmin] problems when assigning quotas
Greetings,

When you say I set an OS disk usage limit on a user, then create the domain under that user, do you mean create a directory in the users home with a name like vpopmail, then link it to /home/vpopmail/domains/new_user? E.g.

ln -s /home/new_user/vpopmail /home/vpopmail/domains/new_user

Thanks,
Dave Seddon

#-Original Message-
#From: Ken Jones [mailto:[EMAIL PROTECTED]
#Sent: Wednesday, 17 December 2003 5:17 AM
#To: Payal Rathod; [EMAIL PROTECTED]
#Subject: Re: [vqadmin] problems when assigning quotas
#
#On Monday 15 December 2003 3:19 am, Payal Rathod wrote:
# Hi,
# When I use vqadmin I find that all users are housed in
# /home/vpopmail/domains. Can't it work for system users?
#
#No, it only talks to vpopmail type domains/users.
#
# The reason is
# that I can assign a single system quota for each users and they can
# manage their mail, ftp, http sizes by themselves.
# Is it possible?
#
#It is possible per domain. I set an OS disk usage limit on a
#user, then create the domain under that user. Also put their
#web site, logs, etc under the users home directory. Then I
#give them qmailadmin to admin email accounts and ftp access
#(chrooted to their docroot directory). Then the OS disk limit
#will be enforced on email, web, logs or whatever else goes
#in their home directory.
#
#Ken Jones
#
RE: [vqadmin] Load Balancing
Greetings,

Put a big NFS server at the back end and just mount vpopmail user dirs across the NFS. I strongly suggest a very good quality NFS server, eg. Network Appliance Filer. GigE is good too so you can do jumbo frames, and therefore transfer a whole NFS chunk in one frame. This works very well since qmail uses Maildir.

Thanks,
Dave Seddon
Systems Architect
Smarter Networks

#-Original Message-
#From: Giuseppe Meniconi [mailto:[EMAIL PROTECTED]
#Sent: Thursday, 20 November 2003 1:35 AM
#To: [EMAIL PROTECTED]
#Subject: [vqadmin] Load Balancing
#
#Hi.
#
#I made a complete qmail installation (qmail, qmailadmin, vqadmin,
#vpopmail etc.) on two boxes and I want to put them in load balancing.
#The problem is that when I create a domain with the vqadmin web
#interface of the first server, I don't find it on the web interface of
#the second server even if they share the MySql database, installed on a
#third machine on the back-end. When I use command-line commands to
#manage the domain, I find it on both servers. Any suggestion?
#
#Thank you in advance
#--
#Giuseppe Meniconi - YH reply srl
#Viale Regina Margherita 8, 00198 Roma
#e-mail: [EMAIL PROTECTED]
#Tel. 0684434207
#Fax 0684434200
#
#
Doco update, FAQ 4.14 - mysql_rlm error.
Greetings,

It might be nice to update the FAQ, part 4.14 (It says "Could not link...file not found", what do I do?), to suggest that perhaps the reason the rlm_sql module doesn't work is because it wasn't actually compiled. I recently had a very late night rebuilding a box, and in my delirium in the morning, had forgotten to do the make properly. It would have been good if the FAQ had suggested this.

In FreeBSD, using the ports, the correct line was "cd /usr/ports/net/freeradius; make WITH_MYSQL_VER=3 all install". Other mysql versions are WITH_MYSQL_VER=40, and WITH_MYSQL_VER=41. This was for version freeradius 0.8.1.

thanks,
Dave Seddon
/usr/ports/mail/courier-imap/ authvchkpw?
Greetings,

I can't get VPOPMAIL authentication to build with the latest port of /usr/ports/mail/courier-imap/. Several weeks ago I could with an older version, but I can't reproduce this. I've tried modifying the configure arguments in the Makefile, and everything else I can think of. Maybe somebody has some ideas. -- Should I email the ports list?

I do this:

---
cd /usr/ports/mail/courier-imap
make clean
make WITH_VPOPMAIL=yes all install
---

And off it goes...during the build process I see this flash up, which indicates to that the configure arguments are ok. Looks like --with-authvchkpw is working.

---
configure: running /bin/sh './configure' --prefix=/usr/local '--without-authshadow' '--sysconfdir=/usr/local/etc/courier-imap' '--with-userdb=/usr/local/etc/userdb' '--datadir=/usr/local/share/courier-imap' '--libexecdir=/usr/local/libexec/courier-imap' '--enable-workarounds-for-imap-client-bugs' '--enable-unicode' '--disable-root-check' '--with-authvchkpw' '--without-authldap' '--without-authmysql' '--without-authpgsql' '--with-authpam' '--without-authcram' '--prefix=/usr/local' '--build=i386-portbld-freebsd4.8' 'LDFLAGS=-I/usr/local/lib/mysql' 'CFLAGS=-O -pipe -march=pentiumpro' 'CPPFLAGS=-I/usr/local/include/mysql' 'build_alias=i386-portbld-freebsd4.8' 'CC=cc' --with-authchangepwdir=/usr/local/libexec/courier-imap/authlib --with-db=db --with-makedatprog='/usr/local/libexec/courier-imap/makedatprog' --with-mailuser=root --without-socks --with-authchangepwdir=/var/tmp/dev/null --with-package=courier-imap --with-version=2.0.0 --cache-file=/dev/null --srcdir=.
---

However, when it finishes without complaint there is no authvchkpw authentication program.

---
qmail# ls /usr/local/libexec/courier-imap/authlib/
authdaemon authdaemond authdaemond.plain authuserdb
---

Several weeks ago with version 1.7.0 I did manage to get it to work, but I can't reproduce it. I did save my original Makefile, and tried rolling the port back to 1.7 but it still won't build.

Here's the authentication daemons I got to build last time. These are what I want.

---
qmail# pwd
/usr/home/das/qmail_backup/courier-imap
qmail# ll
total 544
-rwxr-xr-x 1 root wheel  85093 Jun 24 17:45 authcustom
-r-xr-xr-x 1 root wheel  15672 Jun 19 11:06 authdaemon
-rwxr-xr-x 1 root wheel    408 Jun 19 11:06 authdaemond
-r-xr-xr-x 1 root wheel  68572 Jun 19 11:06 authdaemond.plain
-rwxr-xr-x 1 root wheel  59973 Jun 24 17:45 authpam
-rwxr-xr-x 1 root wheel 116737 Jun 24 17:45 authuserdb
-rwxr-xr-x 1 root wheel 181293 Jun 24 17:45 authvchkpw
---

thanks,
Dave
[vqadmin] Create Domain: open .qmailadmin-limits failed?
Greetings,

I posted a question the other day and haven't had any response at all. Error relates to creating domains, and getting error Create Domain: open .qmailadmin-limits failed.

I've since started trying to understand the source. I'm not much of a C person, but it looks to me like the domain gets created before the error, so maybe I could just comment out the section that's giving me the error?

This is part of /usr/ports/mail/vqadmin/work/vqadmin-2.3.5/domain.c

This little section precedes the section with the error.

---
/* add the domain with defaults */
ret = vadddomain(domain, VPOPMAILDIR, VPOPMAILUID, VPOPMAILGID );
if (ret != VA_SUCCESS) {
    global_warning(verror(ret));
    t_open(T_MAIN, 1);
} else {
    global_warning("Created Domain");
}
---

So it looks like the domain has been added ok. Then this bit follows, with the error.

---
/* setup the .qmailadmin-limits file */
vget_assign(domain,dir,156,&uid,&gid);
strncat(dir,"/.qmailadmin-limits", 156);
if ( (fs = fopen(dir,"w+")) == NULL ) {
    global_warning("Create Domain: open .qmailadmin-limits failed");
    t_open(T_MAIN, 1);
}
---

Looks like it's just trying to open a file, in append mode if it's already there. So I'm not sure why it would fail this. The /usr/local/vpopmail/domains dir permissions look ok.

---
qmail# cd /home/vpopmail/domains/
qmail# ll
total 12
-rw------- 1 vpopmail vchkpw   34 Jun 19 16:00 .dir-control
drwx------ 2 vpopmail vchkpw 4096 Jun 23 16:23 test.com.au
---

I discovered that perhaps the vqadmin.cgi is the wrong user.

---
qmail# pwd
/usr/local/www/cgi-bin.default/vqadmin
qmail# ll
total 82
-rw-r--r-- 1 nobody   vchkpw   113 May 28 16:49 .htaccess
-rw-r--r-- 1 root     vchkpw   113 May 28 16:49 .htaccess.backup
drwxr-xr-x 2 vpopmail vchkpw  1024 Jun 23 16:23 html
-rw-r--r-- 1 vpopmail vchkpw   882 May 28 16:49 vqadmin.acl
-rw-r--r-- 1 vpopmail vchkpw   882 May 28 14:56 vqadmin.acl.backup
-rwsr-sr-x 1 root     wheel  73220 Jun 23 16:23 vqadmin.cgi
---

so I changed that...

---
qmail# chown vpopmail:vchkpw vqadmin.cgi
qmail# ll
total 82
-rw-r--r-- 1 nobody   vchkpw   113 May 28 16:49 .htaccess
-rw-r--r-- 1 root     vchkpw   113 May 28 16:49 .htaccess.backup
drwxr-xr-x 2 vpopmail vchkpw  1024 Jun 23 16:23 html
-rw-r--r-- 1 vpopmail vchkpw   882 May 28 16:49 vqadmin.acl
-rw-r--r-- 1 vpopmail vchkpw   882 May 28 14:56 vqadmin.acl.backup
-rwsr-sr-x 1 vpopmail vchkpw 73220 Jun 23 16:23 vqadmin.cgi
---

And now things are even worse. Still getting the same error, plus a bunch more errors.

---
could not open lock file /var/qmail/users/assign.lock
could not open lock file /var/qmail/control/rcpthosts.lock
could not open lock file /var/qmail/control/virtualdomains.lock
could not open lock file /var/qmail/control/locals.lock
Created Domain
Create Domain: open .qmailadmin-limits failed
---

Clearly the CGI needs to run as root to get permissions to play with /var/qmail stuff. So what should I do? Should I try commenting out the whole section that creates this file?

/* setup the .qmailadmin-limits file */
vget_assign(domain,dir,156,&uid,&gid);
strncat(dir,"/.qmailadmin-limits", 156);
if ( (fs = fopen(dir,"w+")) == NULL ) {
    global_warning("Create Domain: open .qmailadmin-limits failed");
    t_open(T_MAIN, 1);
}
if (lusers!=NULL && strlen(lusers)>0) fprintf(fs, "maxpopaccounts: %s\n", lusers);
if (lalias!=NULL && strlen(lalias)>0) fprintf(fs, "maxaliases: %s\n", lalias);
if (lfor!=NULL && strlen(lfor)>0) fprintf(fs, "maxforwards: %s\n", lfor);
if (lresponder!=NULL && strlen(lresponder)>0) fprintf(fs, "maxautoresponders: %s\n", lresponder);
if (llists!=NULL && strlen(llists)>0) fprintf(fs, "maxmailinglists: %s\n", llists);
if (quota!=NULL && strlen(quota)>0) fprintf(fs,"default_quota: %s\n",quota);
if (upop!=NULL) fprintf(fs, "disable_pop\n");
if (uimap!=NULL) fprintf(fs, "disable_imap\n");
if (udialup!=NULL) fprintf(fs, "disable_dialup\n");
if (upassc!=NULL) fprintf(fs, "disable_password_changing\n");
if (uweb!=NULL) fprintf(fs, "disable_webmail\n");
if (urelay!=NULL) fprintf(fs, "disable_external_relay\n");
fclose(fs);
--

thanks,
Dave
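The .qmailadmin-limits step quoted in the message above, rewritten as an added example (not vqadmin's code and not the poster's): the path is built with an explicit bound instead of strncat(dir, ..., 156), whose third argument limits the bytes appended rather than the size of dir, and a failed open returns the errno reason along with the effective uid. The names build_limits_path, write_limits and struct limits and the sample values are hypothetical; the 156-byte buffer is assumed from the vget_assign call.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed size of the path buffer, taken from vget_assign(domain,dir,156,...). */
#define DIR_BUF 156

/* Hypothetical holder for the limits the create-domain form supplies. */
struct limits {
    const char *maxpopaccounts;
    const char *maxaliases;
    const char *default_quota;
    int disable_pop;
};

/*
 * Build "<domain_dir>/.qmailadmin-limits" in out. snprintf is given the size
 * of the whole buffer, so a long domain directory is reported (-1) instead of
 * being written past the end of the buffer.
 */
int build_limits_path(char *out, size_t outlen, const char *domain_dir)
{
    int n = snprintf(out, outlen, "%s/.qmailadmin-limits", domain_dir);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

static int has_value(const char *s)
{
    return s != NULL && s[0] != '\0';
}

/*
 * Write the limits file. Returns 0 on success or an errno value, with a
 * message in err naming the path, the reason and the effective uid.
 */
int write_limits(const char *domain_dir, const struct limits *lim,
                 char *err, size_t errlen)
{
    char path[DIR_BUF];
    FILE *fs;
    int e;

    if (build_limits_path(path, sizeof path, domain_dir) != 0) {
        snprintf(err, errlen, "limits path does not fit in %d bytes", DIR_BUF);
        return ENAMETOOLONG;
    }

    fs = fopen(path, "w");
    if (fs == NULL) {
        e = errno; /* save before another call can change it */
        snprintf(err, errlen, "open %s failed: %s (euid %ld)",
                 path, strerror(e), (long)geteuid());
        return e; /* return here so a NULL fs never reaches fprintf() */
    }

    if (has_value(lim->maxpopaccounts))
        fprintf(fs, "maxpopaccounts: %s\n", lim->maxpopaccounts);
    if (has_value(lim->maxaliases))
        fprintf(fs, "maxaliases: %s\n", lim->maxaliases);
    if (has_value(lim->default_quota))
        fprintf(fs, "default_quota: %s\n", lim->default_quota);
    if (lim->disable_pop)
        fprintf(fs, "disable_pop\n");

    if (fclose(fs) != 0) { /* buffered write errors surface at close */
        e = errno;
        snprintf(err, errlen, "write %s failed: %s", path, strerror(e));
        return e;
    }
    if (errlen > 0)
        err[0] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample values; pass a domain directory as argv[1]. */
    struct limits lim = { "50", "", "10485760", 1 };
    char err[512];
    int rc = write_limits(argc > 1 ? argv[1] : ".", &lim, err, sizeof err);

    if (rc != 0) {
        fprintf(stderr, "Create Domain: %s\n", err);
        return 1;
    }
    puts("limits file written");
    return 0;
}
```

The errno text separates a permission failure (EACCES) from a missing directory (ENOENT), which the single warning string in the post cannot do.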
[vqadmin] vpopmail and vqadmin
Greetings,

I'm trying to setup vpopmail & vqadmin using MySQL authentication on FreeBSD 4.8. Seems to build ok from the ports, but when I try to add domains with vqadmin I get this error:

Create Domain: open .qmailadmin-limits failed

I've found reference to this error in the mailing list, however I still can't solve the problem. The directory at /usr/local/vpopmail/domains/new_domain_name.example get created, and /var/qmail/users/assign gets updated, but the MySQL database does not get any entries in the vpopmail table (two tables are created, vpopmail & dir_control).

The database server is a separate box running mysql 3.23.56. I also tried using a Solaris 9 box with MySQL 4.0, which didn't work either, but I wasn't sure about the MySQL version compatibility. -- does it matter if the DB is 4.0?

I've tried defining and un-defining:

# WITH_MYSQL_LIMITS - enables the MySQL mailbox limit code
WITH_MYSQL_LIMITS=yes

in the vpopmail Makefile, but I still get the same error either way.

The /usr/local/vpopmail/domains is mounted via NFS.

thanks,
Dave
Cisco AvPairs and MySQL (and VRF)
Greetings,

Thanks to those who responded to my questions about DSL billing. I'll get back to you on that. However I have another issue.

We're trying to configure PPP sessions to authenticate within VRFs. We want to do something like this, this is the non-MySQL version:

-
DEFAULT Suffix = @test1.vpdn, Strip-User-Name = No
    Hint = PPP,
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = lcp:interface-config=ip vrf forwarding vrf1\\n ip unnumbered loopback1\\n peer default ip address pool vpn1
-

I don't know what the \ns are supposed do, perhaps these get interpreted by freeradius or the cisco as new line or the enter key, like in c. -- not sure at all

So we've got this in the mysql:

-
+-----+------------------+-------------------+-----------------------------------------------------------------------------+----+
| id  | UserName         | Attribute         | Value                                                                       | op |
+-----+------------------+-------------------+-----------------------------------------------------------------------------+----+
| 4   | shdslTST@SMARTER | Framed-IP-Address | xxx.x.xxx.x                                                                 | == |
| 5   | shdslTST@SMARTER | Framed-IP-Netmask | 255.255.255.255                                                             | == |
| 6   | shdslTST@SMARTER | Framed-Route      | xxx..xxx.xx/29 xxx.x.xxx.x 1                                                | == |
| 209 | shdslTST@SMARTER | Cisco-AVPair      | lcp:interface-config=ip vrf forwarding hocking\n ip unnumbered Loopback 3\n | == |
+-----+------------------+-------------------+-----------------------------------------------------------------------------+----+

When the authentication happens we don't see any mention in the cisco debug of ppp. Should the lcp bit be there? I would have lcp was over before any interface commands.

thanks,
Dave Seddon

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: DSL Accounting?
Greetings,

Yeah, IP accounting is how I do it now. I use a FreeBSD bridge box, so nobody can even see it. Works well, however it makes billing on-net traffic difficult if you aren't billing the PPP sessions.

thanks,
Dave

- Original Message -
From: Simon White [EMAIL PROTECTED]
Date: Tuesday, January 28, 2003 7:55 pm
Subject: Re: DSL Accounting?

28-Jan-03 at 12:20, Dave Seddon ([EMAIL PROTECTED]) wrote :

Thanks for your response.

If your DSL box produces RADIUS accounting packets, then I don't see why this would be necessary.

Most ISP billing packages are designed to bill standard dialup, where there is a start and a stop. DSL ppp sessions stay up for ages, so a session might go for more than a month. Also, billing packages usually show pretty graphs of usage, based on starts and stops. Therefore, it would make billing really easy if for each 'Alive' received, a start and a stop was sent to the Billing system. It would appear as if each DSL customer connected and disconnected every ten minutes. Maybe you have an idea of an easier way?

The way I have heard of is to use Linux traffic shaping on a 2.4.x kernel, where iptables will keep track of how much bandwidth each IP has used as long as you get the rules right. However that's not trivial either if DHCP allocates a different IP each time there is an on/off, but then that can be tracked in liaison with Radius logs.

Good luck.

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: DSL Accounting?
Thanks for your response.

If your DSL box produces RADIUS accounting packets, then I don't see why this would be necessary.

Most ISP billing packages are designed to bill standard dialup, where there is a start and a stop. DSL ppp sessions stay up for ages, so a session might go for more than a month. Also, billing packages usually show pretty graphs of usage, based on starts and stops. Therefore, it would make billing really easy if for each 'Alive' received, a start and a stop was sent to the Billing system. It would appear as if each DSL customer connected and disconnected every ten minutes. Maybe you have an idea of an easier way?

Generating new packets is always problematic. I would suggest avoiding it if you can.

Why is generating new packets problematic? Surely proxying generates packets reliably? The billing system we use backends to oracle, so I guess I could do inserts directly into that, however I thought the community would be better served by a module like I'm suggesting, that could input standard dial-up radius into any billing system. This would be better don't you think?

Why would it be necessary to create a new start/stop packet?

Any thoughts on whether it should be a separate module or a modification to the proxy code?

A module.

Cool. It looks like I can just copy the rlm_detail module.

Alan DeKok.

thanks,
Dave Seddon
Re: DSL Accounting?
Greetings,

OK. I have a Cisco Terminating PPPoX and it also sends accounting updates. I found I had to modify the update sql statements for them to do anything. Normal sql accounting is one record per call. I haven't checked the detail files.

What modifications did you make? Could you send me the sql.conf file?

How did you cope with counter roll? If you keep doing UPDATE and the counter rolls, at 32bits, then you'll get an update of a low number and miss out on one metric s#it load of data. The boss wouldn't be very happy.

If you have any method of graphing resulting data, I would appreciate a holler

There are lots of billing systems and other programs to graph standard dialup radius accounting. I'm currently thinking a module could receive an 'alive' and generate a start and a stop, with the difference between two 'alives' calculated.

thanks,
Dave Seddon
Re: DSL Accounting?
Greetings,

What exactly is it that you want to do? Make Extent work better, or switch to freeradius.

I want to make it easy for small dialup based ISPs to bill DSL customers. Most small ISPs use billing systems based on stop starts, so it would be good for DSL wholesalers to be able to generate simple radius packets for smaller ISPs.

It sounds like freeradius is doing exactly what it is configured to do by default, and that is to UPDATE an existing session record when it receives an ALIVE packet, NOT add a new record. I suggest you have a good read of sql.conf (or mysql.conf or whatever) and understand the queries that are being executed at different stages. I myself am using Freeradius with a large VoIP setup, and I found that the default queries were useless to me as they would kill the database. I switched all queries to INSERTS, set different types of records to go to different tables, and threw away most of the default fields that were being stored and replaced them with Cisco VoIP specific attributes (VSAs). You should not have to use a cron script to parse your detail files. Just modify the freeradius queries so it stores the information that you want.

Different tables for different types of session? or was that for load reasons? Perhaps different tables for different realms?

I also found that MySQL simply could not handle the load I was throwing at it, so I switched to Postgres and have been happy ever since. The fact that postgres can do sub selects and views, makes it much more useful if you have split your radacct table up into multiple tables too. Not to mention that I use the start and stop times as reported by the ciscos instead of having freeradius timestamp the records, which is much more accurate, and postgres supports cisco timestamp format while mysql does not.

Very interesting. Thanks. Also thanks to Kostas Kalevras for his comment on MySQL. Looks like Postgres could be the go for lots of reasons. Which part of freeradius creates the timestamps?

thanks,
Dave

On Sun, 26 Jan 2003 04:16 am, Dave Seddon wrote:

Greetings,

Still wondering how to convert DSL interim updates to standard dial-up type radius accounting. I've done some digging through the source code, and have decided that perhaps I need to create a module, perhaps rlm_alive_to_dialup. If the new module was based on rlm_detail, it would just be a matter of linking to a mysql database to see the last update, calculate the difference, then generate the new radius packets, for start and stop.

I'm also wondering if this should be part of the proxy (which seems to be in the realm code) functionality, eg. Make the proxy feature break RFC and allow it to modify the 'alive' and create a 'start' and a 'stop'.

Any thoughts on whether it should be a separate module or a modification to the proxy code?

thanks,
Dave Seddon

- Original Message -
From: Dave Seddon [EMAIL PROTECTED]
Date: Saturday, January 25, 2003 4:20 pm
Subject: DSL Accounting?

Greetings,

I'm new to the list. I have two issues:
- Problem logging accounting
- Alive packet processing and integration with dial-up billing

I use Freeradius(7.0) with MySQL(3.23.54) on FreeBSD(4.7) to authenticate lots of xDSL PPP sessions via an L2TP tunnel terminated on a big Cisco box. It works very well, however for some reason accounting records do not get put in the 'radacct' mysql table. There are some records in the table, but nowhere near as many as there should be since Interim updates or Alive packets get sent by the Cisco every 10 minutes. However I do get all the accounting records in /var/log/radacct/ip_address/detail.

Here is some of the /usr/local/etc/raddb/radius.conf. The accounting section seems correct. The sql.conf is untouched from the example (except for the password and username).

    authorize {
        preprocess
        suffix
        sql
        files
    }
    authenticate {
    }
    preacct {
        preprocess
        suffix
        files
    }
    accounting {
        detail
        # unix
        sql
        radutmp
    }

So what could be wrong?

To see what data I was getting in the detail log, I wrote a little perl script to parse the detail log and stick the data in MySQL so I could easily do select statements. I discovered that the records I created were structured differently, so perhaps that's why it's not going to the Freeradius radacct table? Essentially, the difference is the Tunnel attributes. The database structure I created is:

    drop database radiusaccounting;
    create database radiusaccounting;
    use radiusaccounting;
    CREATE TABLE radacct
Re: DSL Accounting?
How did you cope with counter roll? If you keep doing UPDATE and the counter rolls, at 32bits, then you'll get an update of a low number and miss out on one metric s#it load of data. The boss wouldn't be very happy.

Sorry, I just checked and it seems that the counter roll is at 31 bits (on a cisco).

dave
Re: DSL Accounting?
Greetings,

Still wondering how to convert DSL interim updates to standard dial-up type radius accounting. I've done some digging through the source code, and have decided that perhaps I need to create a module, perhaps rlm_alive_to_dialup. If the new module was based on rlm_detail, it would just be a matter of linking to a mysql database to see the last update, calculate the difference, then generate the new radius packets, for start and stop.

I'm also wondering if this should be part of the proxy (which seems to be in the realm code) functionality, eg. Make the proxy feature break RFC and allow it to modify the 'alive' and create a 'start' and a 'stop'.

Any thoughts on whether it should be a separate module or a modification to the proxy code?

thanks,
Dave Seddon

- Original Message -
From: Dave Seddon [EMAIL PROTECTED]
Date: Saturday, January 25, 2003 4:20 pm
Subject: DSL Accounting?

Greetings,

I'm new to the list. I have two issues:
- Problem logging accounting
- Alive packet processing and integration with dial-up billing

I use Freeradius(7.0) with MySQL(3.23.54) on FreeBSD(4.7) to authenticate lots of xDSL PPP sessions via an L2TP tunnel terminated on a big Cisco box. It works very well, however for some reason accounting records do not get put in the 'radacct' mysql table. There are some records in the table, but nowhere near as many as there should be since Interim updates or Alive packets get sent by the Cisco every 10 minutes. However I do get all the accounting records in /var/log/radacct/ip_address/detail.

Here is some of the /usr/local/etc/raddb/radius.conf. The accounting section seems correct. The sql.conf is untouched from the example (except for the password and username).

    authorize {
        preprocess
        suffix
        sql
        files
    }
    authenticate {
    }
    preacct {
        preprocess
        suffix
        files
    }
    accounting {
        detail
        # unix
        sql
        radutmp
    }

So what could be wrong?

To see what data I was getting in the detail log, I wrote a little perl script to parse the detail log and stick the data in MySQL so I could easily do select statements. I discovered that the records I created were structured differently, so perhaps that's why it's not going to the Freeradius radacct table? Essentially, the difference is the Tunnel attributes. The database structure I created is:

    drop database radiusaccounting;
    create database radiusaccounting;
    use radiusaccounting;
    CREATE TABLE radacct (
        RadAcctId int unsigned NOT NULL auto_increment,
        NASIPAddress varchar(15) NOT NULL default '',
        NASPortId tinyint unsigned default NULL,
        NASPortType varchar(32) default NULL,
        UserName varchar(64) NOT NULL default '',
        AcctStatusType varchar(20) NOT NULL default '',
        AcctAuthentic varchar(20) NOT NULL default '',
        ServiceType varchar(32) default NULL,
        AcctSessionID varchar(12) NOT NULL default '',
        FramedProtocol varchar(6) default NULL,
        TunnelServerEndpoint varchar(15) NOT NULL default '',
        TunnelClientEndpoint varchar(15) NOT NULL default '',
        TunnelType varchar(10) NOT NULL default '',
        TunnelClientAuthID varchar(25) NOT NULL default '',
        TunnelServerAuthID varchar(25) NOT NULL default '',
        AcctTunnelConnection int unsigned default NULL,
        FramedIPAddress varchar(15) NOT NULL default '',
        AcctInputOctets int unsigned default NULL,
        AcctOutputOctets int unsigned default NULL,
        AcctInputPackets int unsigned default NULL,
        AcctOutputPackets int unsigned default NULL,
        AcctSessionTime int unsigned default NULL,
        AcctDelayTime int unsigned default NULL,
        ClientIPAddress varchar(15) NOT NULL,
        TimeStamp bigint unsigned default NULL,
        HumanTime varchar(10) default NULL,
        PRIMARY KEY (RadAcctId),
        KEY UserName (UserName)
    );

So I've kind of solved the problem of getting the accounting data into the MySQL database, however it's a bit crap cos I need to process the logs with a cron job, instead of automatically inserting from FreeRadius.

My company has lots of dialup also, and an ISP billing system called Extent (with built in radius) that works fine for these dialup customers, however is unaware of 'Alive' packets. I'd really like to feed the accounting data from Freeradius to the Extent billing package.

I'm thinking that for every Alive packet received from the RAS box perhaps I could calculate the difference in Octets between now and the last 'Alive', and then send a fake radius start and stop record to Extent, such that Extent would think the DSL user had dialed up for 10 minutes, used X amount of data, and hung up. This way the standard way of calculating usage would occur, and usage graphs, etc, would all work fine. It would be very nice to build
DSL Accounting?
Greetings,

I'm new to the list. I have two issues:
- Problem logging accounting
- Alive packet processing and integration with dial-up billing

I use Freeradius(7.0) with MySQL(3.23.54) on FreeBSD(4.7) to authenticate lots of xDSL PPP sessions via an L2TP tunnel terminated on a big Cisco box. It works very well, however for some reason accounting records do not get put in the 'radacct' mysql table. There are some records in the table, but nowhere near as many as there should be since Interim updates or Alive packets get sent by the Cisco every 10 minutes. However I do get all the accounting records in /var/log/radacct/ip_address/detail.

Here is some of the /usr/local/etc/raddb/radius.conf. The accounting section seems correct. The sql.conf is untouched from the example (except for the password and username).

    authorize {
        preprocess
        suffix
        sql
        files
    }
    authenticate {
    }
    preacct {
        preprocess
        suffix
        files
    }
    accounting {
        detail
        # unix
        sql
        radutmp
    }

So what could be wrong?

To see what data I was getting in the detail log, I wrote a little perl script to parse the detail log and stick the data in MySQL so I could easily do select statements. I discovered that the records I created were structured differently, so perhaps that's why it's not going to the Freeradius radacct table? Essentially, the difference is the Tunnel attributes.

The database structure I created is:

    drop database radiusaccounting;
    create database radiusaccounting;
    use radiusaccounting;
    CREATE TABLE radacct (
        RadAcctId int unsigned NOT NULL auto_increment,
        NASIPAddress varchar(15) NOT NULL default '',
        NASPortId tinyint unsigned default NULL,
        NASPortType varchar(32) default NULL,
        UserName varchar(64) NOT NULL default '',
        AcctStatusType varchar(20) NOT NULL default '',
        AcctAuthentic varchar(20) NOT NULL default '',
        ServiceType varchar(32) default NULL,
        AcctSessionID varchar(12) NOT NULL default '',
        FramedProtocol varchar(6) default NULL,
        TunnelServerEndpoint varchar(15) NOT NULL default '',
        TunnelClientEndpoint varchar(15) NOT NULL default '',
        TunnelType varchar(10) NOT NULL default '',
        TunnelClientAuthID varchar(25) NOT NULL default '',
        TunnelServerAuthID varchar(25) NOT NULL default '',
        AcctTunnelConnection int unsigned default NULL,
        FramedIPAddress varchar(15) NOT NULL default '',
        AcctInputOctets int unsigned default NULL,
        AcctOutputOctets int unsigned default NULL,
        AcctInputPackets int unsigned default NULL,
        AcctOutputPackets int unsigned default NULL,
        AcctSessionTime int unsigned default NULL,
        AcctDelayTime int unsigned default NULL,
        ClientIPAddress varchar(15) NOT NULL,
        TimeStamp bigint unsigned default NULL,
        HumanTime varchar(10) default NULL,
        PRIMARY KEY (RadAcctId),
        KEY UserName (UserName)
    );

So I've kind of solved the problem of getting the accounting data into the MySQL database, however it's a bit crap cos I need to process the logs with a cron job, instead of automatically inserting from FreeRadius.

My company has lots of dialup also, and an ISP billing system called Extent (with built in radius) that works fine for these dialup customers, however is unaware of 'Alive' packets. I'd really like to feed the accounting data from Freeradius to the Extent billing package.

I'm thinking that for every Alive packet received from the RAS box perhaps I could calculate the difference in Octets between now and the last 'Alive', and then send a fake radius start and stop record to Extent, such that Extent would think the DSL user had dialed up for 10 minutes, used X amount of data, and hung up. This way the standard way of calculating usage would occur, and usage graphs, etc, would all work fine. It would be very nice to build this functionality into Freeradius. -- Perhaps I should email the developers list about how to do this?

thanks,
Dave Seddon
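
The conversion proposed in the post above, with the counter roll raised later in the thread, written out as an added example; it is not code from the thread or from FreeRADIUS. The Alive record type, the "-n" session id suffix and the bits parameter (32, or 31 for the roll reported on the Cisco) are assumptions made for the example.

```python
# Added example (not FreeRADIUS code): convert interim "Alive" updates into
# one synthetic Start/Stop pair per interval, as proposed in the thread.
from dataclasses import dataclass


@dataclass(frozen=True)
class Alive:
    """The fields of one interim update that the conversion needs."""
    user: str          # User-Name
    session_id: str    # Acct-Session-Id
    session_time: int  # Acct-Session-Time, seconds since the session began
    in_octets: int     # Acct-Input-Octets (cumulative)
    out_octets: int    # Acct-Output-Octets (cumulative)


def counter_delta(prev: int, cur: int, bits: int = 32) -> int:
    """Octets counted between two readings of a counter that rolls at 2**bits.

    Assumes at most one roll between readings; more than that is undetectable.
    """
    modulus = 1 << bits
    if not (0 <= prev < modulus and 0 <= cur < modulus):
        raise ValueError("reading outside counter range")
    return (cur - prev) % modulus


def to_dialup_records(updates, bits: int = 32):
    """Return a list of (start, stop) dict pairs, one per interval."""
    last = {}   # (user, session_id) -> previous Alive
    seq = {}    # (user, session_id) -> number of pairs emitted so far
    pairs = []
    for upd in updates:
        key = (upd.user, upd.session_id)
        prev = last.get(key)
        if prev is not None and upd.session_time == prev.session_time:
            continue  # retransmitted update: this interval is already billed
        if prev is None or upd.session_time < prev.session_time:
            # First update seen, or the session clock went backwards
            # (treated here as a counter reset): measure from zero.
            prev = Alive(upd.user, upd.session_id, 0, 0, 0)
        n = seq[key] = seq.get(key, 0) + 1
        common = {"User-Name": upd.user,
                  "Acct-Session-Id": f"{upd.session_id}-{n}"}  # hypothetical id scheme
        start = {**common, "Acct-Status-Type": "Start"}
        stop = {
            **common,
            "Acct-Status-Type": "Stop",
            "Acct-Session-Time": upd.session_time - prev.session_time,
            "Acct-Input-Octets": counter_delta(prev.in_octets, upd.in_octets, bits),
            "Acct-Output-Octets": counter_delta(prev.out_octets, upd.out_octets, bits),
        }
        pairs.append((start, stop))
        last[key] = upd
    return pairs


# Constructed sample: updates 10 minutes apart, the second one retransmitted,
# and the output counter rolling past 2**32 before the last one.
SAMPLE = [
    Alive("dsl-user@example", "0000A1", 600, 1_000, 4_000_000_000),
    Alive("dsl-user@example", "0000A1", 1200, 2_500, 4_200_000_000),
    Alive("dsl-user@example", "0000A1", 1200, 2_500, 4_200_000_000),
    Alive("dsl-user@example", "0000A1", 1800, 9_000, 5_032_704),
]
```

Storing the per-interval deltas rather than overwriting one cumulative value is what keeps a rolled counter from showing up as a small number in the billing data.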