hi there,
all day today, my openbsd box (3.9 release) was dog slow
to respond. after looking a bit, it seems that bittorrent
(BitTorrent-4.2.2) is slowing it down, making pf choke.
i don't do much torrenting and upload is limited to 30K.
the moment i start any torrent that is also seeding, response
time drops dramatically, even if only uploading 5-10K. when
i kill bittorrent, response time gets back to normal.
i don't think i am hitting some bandwidth limit because
i started some big downloads via apache/http and it's
doing 130K/s. response time stays nice too.
here follows a simple ping session from an external linux box:
--> starting bittorrent
64 bytes from 195.168.x.y: icmp_seq=6294 ttl=253 time=47.2 ms
64 bytes from 195.168.x.y: icmp_seq=6295 ttl=253 time=19.6 ms
64 bytes from 195.168.x.y: icmp_seq=6296 ttl=253 time=23.4 ms
64 bytes from 195.168.x.y: icmp_seq=6297 ttl=253 time=635 ms
64 bytes from 195.168.x.y: icmp_seq=6298 ttl=253 time=681 ms
64 bytes from 195.168.x.y: icmp_seq=6299 ttl=253 time=225 ms
64 bytes from 195.168.x.y: icmp_seq=6300 ttl=253 time=100 ms
64 bytes from 195.168.x.y: icmp_seq=6301 ttl=253 time=24.0 ms
64 bytes from 195.168.x.y: icmp_seq=6302 ttl=253 time=15.9 ms
64 bytes from 195.168.x.y: icmp_seq=6303 ttl=253 time=14.2 ms
64 bytes from 195.168.x.y: icmp_seq=6304 ttl=253 time=19.7 ms
64 bytes from 195.168.x.y: icmp_seq=6305 ttl=253 time=20.1 ms
64 bytes from 195.168.x.y: icmp_seq=6306 ttl=253 time=15.9 ms
64 bytes from 195.168.x.y: icmp_seq=6307 ttl=253 time=16.6 ms
64 bytes from 195.168.x.y: icmp_seq=6308 ttl=253 time=18.2 ms
64 bytes from 195.168.x.y: icmp_seq=6309 ttl=253 time=16.2 ms
64 bytes from 195.168.x.y: icmp_seq=6310 ttl=253 time=22.8 ms
64 bytes from 195.168.x.y: icmp_seq=6311 ttl=253 time=40.4 ms
64 bytes from 195.168.x.y: icmp_seq=6312 ttl=253 time=14.6 ms
64 bytes from 195.168.x.y: icmp_seq=6313 ttl=253 time=12.5 ms
64 bytes from 195.168.x.y: icmp_seq=6314 ttl=253 time=15.0 ms
64 bytes from 195.168.x.y: icmp_seq=6315 ttl=253 time=16.9 ms
64 bytes from 195.168.x.y: icmp_seq=6316 ttl=253 time=17.2 ms
64 bytes from 195.168.x.y: icmp_seq=6317 ttl=253 time=21.3 ms
64 bytes from 195.168.x.y: icmp_seq=6318 ttl=253 time=17.2 ms
64 bytes from 195.168.x.y: icmp_seq=6319 ttl=253 time=17.2 ms
64 bytes from 195.168.x.y: icmp_seq=6320 ttl=253 time=23.5 ms
64 bytes from 195.168.x.y: icmp_seq=6321 ttl=253 time=13.1 ms
64 bytes from 195.168.x.y: icmp_seq=6322 ttl=253 time=21.7 ms
64 bytes from 195.168.x.y: icmp_seq=6323 ttl=253 time=599 ms
64 bytes from 195.168.x.y: icmp_seq=6324 ttl=253 time=29.8 ms
64 bytes from 195.168.x.y: icmp_seq=6325 ttl=253 time=511 ms
64 bytes from 195.168.x.y: icmp_seq=6326 ttl=253 time=1874 ms
64 bytes from 195.168.x.y: icmp_seq=6327 ttl=253 time=1654 ms
64 bytes from 195.168.x.y: icmp_seq=6328 ttl=253 time=1200 ms
64 bytes from 195.168.x.y: icmp_seq=6329 ttl=253 time=1112 ms
64 bytes from 195.168.x.y: icmp_seq=6330 ttl=253 time=990 ms
64 bytes from 195.168.x.y: icmp_seq=6331 ttl=253 time=599 ms
64 bytes from 195.168.x.y: icmp_seq=6332 ttl=253 time=1724 ms
64 bytes from 195.168.x.y: icmp_seq=6333 ttl=253 time=1146 ms
64 bytes from 195.168.x.y: icmp_seq=6334 ttl=253 time=352 ms
64 bytes from 195.168.x.y: icmp_seq=6335 ttl=253 time=560 ms
64 bytes from 195.168.x.y: icmp_seq=6336 ttl=253 time=18.6 ms
64 bytes from 195.168.x.y: icmp_seq=6337 ttl=253 time=10.7 ms
64 bytes from 195.168.x.y: icmp_seq=6338 ttl=253 time=39.0 ms
64 bytes from 195.168.x.y: icmp_seq=6339 ttl=253 time=218 ms
64 bytes from 195.168.x.y: icmp_seq=6340 ttl=253 time=791 ms
64 bytes from 195.168.x.y: icmp_seq=6341 ttl=253 time=1788 ms
64 bytes from 195.168.x.y: icmp_seq=6342 ttl=253 time=1185 ms
64 bytes from 195.168.x.y: icmp_seq=6343 ttl=253 time=1273 ms
64 bytes from 195.168.x.y: icmp_seq=6344 ttl=253 time=1023 ms
64 bytes from 195.168.x.y: icmp_seq=6345 ttl=253 time=1661 ms
--> killing bittorrent, going back to normal
64 bytes from 195.168.x.y: icmp_seq=6346 ttl=253 time=1391 ms
64 bytes from 195.168.x.y: icmp_seq=6347 ttl=253 time=655 ms
64 bytes from 195.168.x.y: icmp_seq=6348 ttl=253 time=13.4 ms
64 bytes from 195.168.x.y: icmp_seq=6349 ttl=253 time=15.6 ms
64 bytes from 195.168.x.y: icmp_seq=6350 ttl=253 time=23.6 ms
64 bytes from 195.168.x.y: icmp_seq=6351 ttl=253 time=11.9 ms
64 bytes from 195.168.x.y: icmp_seq=6352 ttl=253 time=16.0 ms
64 bytes from 195.168.x.y: icmp_seq=6353 ttl=253 time=20.0 ms
64 bytes from 195.168.x.y: icmp_seq=6354 ttl=253 time=14.3 ms
64 bytes from 195.168.x.y: icmp_seq=6355 ttl=253 time=16.4 ms
64 bytes from 195.168.x.y: icmp_seq=6356 ttl=253 time=20.0 ms
64 bytes from 195.168.x.y: icmp_seq=6357 ttl=253 time=12.6 ms
64 bytes from 195.168.x.y: icmp_seq=6358 ttl=253 time=16.5 ms
64 bytes from 195.168.x.y: icmp_seq=6359 ttl=253 time=24.7 ms
i can reproduce this anytime (it seems).
here's my pf.conf:
# $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if="rl0"
# 135 = msrpc
# 137 = netbios-ns
# 139 = netbios-ssn
# 445 = Microsoft print and file sharing, Samba
# 1025 = messenger, icq (thru 1030)
# 1080 = socks proxy server, wingate proxy server
# 1433 = Microsoft SQL Server
TCP_NOISE = "{ 135 137 139 445 1080 1433 3128 mysql }"
UDP_NOISE = "{ 137 1025:1030 }"
torrent = "{ 6881:6999 }"
SSH_LIMIT="(max-src-conn-rate 5/30, overload <bad_ssh> flush global)"
table <bad_ssh> persist
table <spamd_my> persist file "/etc/spamd_whitelist"
table <spamd> persist
table <spamd-white> persist
set skip on lo
set loginterface $ext_if
scrub in
no rdr on $ext_if proto tcp from <spamd_my> to port smtp
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
-> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
-> 127.0.0.1 port spamd
block in
block in log inet to $ext_if
block in inet proto tcp to $ext_if port $TCP_NOISE
block in inet proto udp to $ext_if port $UDP_NOISE
block return-rst log quick inet proto tcp from <bad_ssh> label "ssh-pirate"
pass out on $ext_if inet proto tcp all modulate state flags S/SA
pass out on $ext_if inet proto { udp, icmp } all keep state
pass in inet proto icmp all icmp-type { 8, 11 } keep state
pass in on $ext_if inet proto tcp to $ext_if port { ssh, 443 } \
flags S/SA keep state $SSH_LIMIT label "ssh"
pass in on $ext_if inet proto tcp to $ext_if port www \
flags S/SA keep state
pass in on $ext_if inet proto { tcp udp } to $ext_if port domain \
flags S/SA keep state
pass in on $ext_if inet proto { tcp udp } to $ext_if port $torrent \
flags S/SA keep state label "torrent"
pass in log on $ext_if inet proto tcp to $ext_if port smtp \
keep state
pass out log on $ext_if inet proto tcp from $ext_if to port smtp \
keep state
-f
--
many would be cowards if they had enough courage.
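The ping session above is read by eye; the script below, added here as an example and not part of the original post, reduces a log in that format to per-segment numbers so the before/during/after effect of starting a process can be compared on one line each. It assumes Linux ping output (a `time=<ms> ms` field per reply) and that `--> ...` marker lines, as in the post, begin a new segment; the sample log embedded in it is constructed, not taken from the post, and the 100 ms threshold is an arbitrary choice that should be set relative to the measured baseline.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a ping log segment by
# segment so a latency hit can be quantified rather than eyeballed.
# Assumptions: Linux ping output with "time=<ms> ms" fields, and optional
# "--> <label>" marker lines (as in the post) that start a new segment.

# rtt_summary THRESHOLD_MS < pinglog
# Prints one line per segment:
#   <label>: n=<replies> max=<ms> mean=<ms> over=<replies above threshold>
rtt_summary() {
    awk -v thr="$1" '
    function flush() {
        if (n > 0)
            printf "%s: n=%d max=%.1f mean=%.1f over=%d\n", seg, n, max, sum / n, over
        n = 0; max = 0; sum = 0; over = 0
    }
    BEGIN { seg = "baseline" }
    # A marker line closes the current segment and names the next one.
    /^--> / { flush(); seg = substr($0, 5); next }
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^time=/) {
                t = substr($i, 6) + 0     # strip "time=", force numeric
                n++; sum += t
                if (t > max) max = t
                if (t > thr) over++
            }
        }
    }
    END { flush() }'
}

# Constructed sample log (not the post'"'"'s data) with the same shape as the
# session in the post: quiet, a spike after the first marker, quiet again.
SAMPLE='64 bytes from 10.0.0.1: icmp_seq=1 ttl=253 time=20.0 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=253 time=15.0 ms
--> starting bittorrent
64 bytes from 10.0.0.1: icmp_seq=3 ttl=253 time=600 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=253 time=1800 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=253 time=30.0 ms
--> killing bittorrent
64 bytes from 10.0.0.1: icmp_seq=6 ttl=253 time=12.0 ms
64 bytes from 10.0.0.1: icmp_seq=7 ttl=253 time=18.0 ms'

# Usage: any replies above 100 ms are counted as "over".
printf '%s\n' "$SAMPLE" | rtt_summary 100
```

On a real run, feed it the saved ping output (`ping host | tee ping.log`, then `rtt_summary 100 < ping.log`) and add marker lines by hand where each event happened. A large `over` count with a small `mean` in the quiet segments is the signature of an upstream queue being filled by bulk upload rather than of a busy host; the PF FAQ's answer to that is ALTQ priority queueing on the external interface so ACKs and ICMP are not stuck behind the seeding traffic.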