Slashdot Mirror
How To Get The Most Out Of Dummynet
An anonymous reader writes "BSDVault has published a tutorial on using dummynet to weight and queue traffic based on classes and type of service. The tutorial is called 'IPFW NAT firewall with WF2Q+ (Worst-case Fair Weighted Fair Queuing) Policy' and details how to add queuing and priority to the traffic flowing in and out of your network. There is also an example script to get you started in writing your own rules with plenty of self explanatory configurations that you should find very useful for getting a similar config up and working. If you are into this kind of thing a worthy read ... "
fp niggaroos
Too bad it's dead. Here's hoping it has a good life in hell with Stephen King.
I am a Computer Information Systems Professional at a major Fortune 500 corporation. Very recently the head of our IT department decided that we were going to switch every one of our networks over to Windows XP Professional. We had previously been running OpenBSD on all our quad processor Xeons. Some of them had had uptimes approaching a year! My personal favourite, Gerbil, had been running without a reboot for three years.
One day one of those Microsoft shills that you often read about on The Register came by for a visit. I grew very suspicious about what was going on when my boss and the Microsoft representative walked by my desk, and entered the server room. I could hear muffled voices through the closed door. The Microsoft representative was asking what we were running on our servers! My worst fears had come true. I sat at my desk for the rest of the day, silently awaiting the bad news. The news did not come until the next day. It was worse than I had feared. We were to be a Microsoft only shop from that day on! I could not believe it. The Microsoft representative had told my boss that the operating and support costs would actually go down. And my boss had fully bought into it, hook, line, and sinker.
Tough times hit our company in the last month, and we were forced to lay off a few of the less experienced IS/IT workers. One of them took this rather hard. As a last minute attempt at corporate sabotage, he decided to change all of the Computer Administrator passwords on a few of the XP Professional boxes sitting around in the server room. This caused absolute havoc, as Dell had failed to send along administrator passwords for the new boxes. Our company could not make use of these computers for three days. It took Dell that long to get us the administrator passwords. It is strictly because of Microsoft's poor implementation of a multi-user computing environment that our company lost three days of productivity.
Needless to say, I had our quad Xeons back running OpenBSD by the end of the week. Gerbil is back on its way to another glorious 3 years of uptime.
I was looking at options for managing bandwidth at work. We already do priority queuing but this could give a more fine grain control over who gets the bandwidth and when.
I was going to do some testing at home. My wife just browses the internet and chats while I have some higher priority realtime traffic (Counterstrike, MOHAA, UT2003, etc). I was thinking about giving her 1/4-1/3 of the bandwidth so it didn't affect my ping as much. Her traffic is fairly light and she goes to bed early so it hasn't really been a big deal. Most of what I do at home isn't necessary but it's a good place to tinker and learn.
There are a lot of good tidbits in this article. Very good timing for me.
I was looking at options for managing bandwidth at work. We already do priority queuing but this could give a more fine grain control over who gets the bandwidth and when.
I was going to do some testing at home. My wife just browses the internet and chats while I have some higher priority realtime traffic (Counterstrike, MOHAA, UT2003, etc). I was thinking about giving her 1/4-1/3 of the bandwidth so it didn't affect my ping as much. Her traffic is fairly light and she goes to bed early so it hasn't really been a big deal. Most of what I do at home isn't necessary but it's a good place to tinker and learn.
There are a lot of good tidbits in this article. Very good timing for me.
I'm sure they have something to say.
I am experimenting with IPFW/DUMMYNET for bandwidth shaping, but using ipfilter for the firewall. A little more complicated, but I think it gives me the best of everything (I really like ipfilter, but it lacks bandwidth shaping features). This is for an ISP, so it will handle workstations and a variety of different servers. We use a PCI T1 card from Sangoma, and multiple port ethernet cards. This allows me to create a DMZ (or several) quite easily. The config, overall, looks confusing at first but really isn't.
Once it is fully implemented, I plan to publish the details (network diagram and config files). FreeBSD is perfect for this task.
BTW- for the curious, what I describe is a poor man's Juniper switch.
[note, in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]
When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.
Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few new faces and many of the old going over the same tired arguments and suggesting variations on the same worthless schemes. Frankly I'm sick of it.
FreeBSD used to be fun. It used to be about doing things the right way. It used to be something that you could sink your teeth into when the mundane chores of programming for a living got you down. It was something cool and exciting; a way to spend your spare time on an endeavour you loved that was at the same time wholesome and worthwhile.
It's not anymore. It's about bylaws and committees and reports and milestones, telling others what to do and doing what you're told. It's about who can rant the longest or shout the loudest or mislead the most people into a bloc in order to legitimise doing what they think is best. Individuals notwithstanding, the project as a whole has lost track of where it's going, and has instead become obsessed with process and mechanics.
So I'm leaving core. I don't want to feel like I should be "doing something" about a project that has lost interest in having something done for it. I don't have the energy to fight what has clearly become a losing battle; I have a life to live and a job to keep, and I won't achieve any of the goals I personally consider worthwhile if I remain obligated to care for the project.
Discussion
I'm sure that I've offended some people already; I'm sure that by the time I'm done here, I'll have offended more. If you feel a need to play to the crowd in your replies rather than make a sincere effort to address the problems I'm discussing here, please do us the courtesy of playing your politics openly.
From a technical perspective, the project faces a set of challenges that significantly outstrips our ability to deliver. Some of the resources that we need to address these challenges are tied up in the fruitless metadiscussions that have raged since we made the mistake of electing officers. Others have left in disgust, or been driven out by the culture of abuse and distraction that has grown up since then. More may well remain available to recruitment, but while the project is busy infighting our chances for successful outreach are sorely diminished.
There's no simple solution to this. For the project to move forward, one or the other of the warring philosophies must win out; either the project returns to its laid-back roots and gets on with the work, or it transforms into a super-organised engineering project and executes a brilliant plan to deliver what, ultimately, we all know we want.
Whatever path is chosen, whatever balance is struck, the choosing and the striking are the important parts. The current indecision and endless conflict are incompatible with any sort of progress.
Trying to dissect the above is far beyond the scope of any parting shot, no matter how distended. All I can really ask of you all is to let go of the minutiae for a moment and take a look at the big picture. What is the ultimate goal here? How can we get there with as little overhead as possible? How would you like to be treated by your fellow travellers?
Shouts
To the Slashdot "BSD is dying" crowd - big deal. Death is part of the cycle; take a look at your soft, pallid bodies and consider that right this very moment, parts of you are dying. See? It's not so bad.
To the bulk of the FreeBSD committerbase and the developer community at large - keep your eyes on the real goals. It's when you get distracted by the politickers that they sideline you. The tireless work that you perform keeping the system clean and building is what provides the platform for the obsessives and the prima donnas to have their moments in the sun. In the end, we need you all; in order to go forwards we must first avoid going backwards.
To the paranoid conspiracy theorists - yes, I work for Apple too. No, my resignation wasn't on Steve's direct orders, or in any way related to work I'm doing, may do, may not do, or indeed what was in the tea I had at lunchtime today. It's about real problems that the project faces, real problems that the project has brought upon itself. You can't escape them by inventing excuses about outside influence, the problem stems from within.
To the politically obsessed - give it a break, if you can. No, the project isn't a lemonade stand anymore, but it's not a world-spanning corporate juggernaut either and some of the more grandiose visions going around are in need of a solid dose of reality. Keep it simple, stupid.
To the grandstanders, the prima donnas, and anyone that thinks that they can hold the project to ransom for their own agenda - give it a break, if you can. When the current core were elected, we took a conscious stand against vigorous sanctions, and some of you have exploited that. A new core is going to have to decide whether to repeat this mistake or get tough. I hope they learn from our errors.
Future
I started work on FreeBSD because it was fun. If I'm going to continue, it has to be fun again. There are things I still feel obligated to do, and with any luck I'll find the time to meet those obligations.
However I don't feel an obligation to get involved in the political mess the project is in right now. I tried, I burnt out. I don't feel that my efforts were worthwhile. So I won't be standing for election, I won't be shouting from the sidelines, and I probably won't vote in the next round of ballots.
You could say I'm packing up my toys. I'm not going home just yet, but I'm not going to play unless you can work out how to make the project somewhere fun to be again.
= Mike
--
I am experimenting with IPFW/DUMMYNET for bandwidth shaping, but using ipfilter for the firewall. A little more complicated, but I think it gives me the best of everything (I really like ipfilter, but it lacks bandwidth shaping features). This is for an ISP, so it will handle workstations and a variety of different servers. We use a PCI T1 card from Sangoma, and multiple port ethernet cards. This allows me to create a DMZ (or several) quite easily. The config, overall, looks confusing at first but really isn't.
Once it is fully implemented, I plan to publish the details (network diagram and config files). FreeBSD is perfect for this task.
BTW- for the curious, what I describe is a poor man's Juniper switch.
I only started doing it as a way to learn how to do it.
I began with a working ipfw/natd firewall script and added in the dummynet stuff... Funny how if the wife is holding out, I can restrict her bandwidth with a few clicks. Netsurfing at 14400bps is the pits... but it worked... that's another story.
Then I saw queues... and what kind of power they had. I realize I'm only scratching the surface of using queues with DUMMYNET, but I wanted some flexibility of which ports I could prioritize and I didn't want to rewrite a fixed script every time.
The result is at http://bsdvault.net. The beauty of my script is that it doesn't limit the user to a fixed number of queues. Luigi Rizzo seems to think thousands of queues are possible with a very minimal performance hit.
potentially I could modify the script to limit certain ports at certain bandwidths... I am only scratching the surface.
Enjoy!
smn
GPG Key 0xD869AB48
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
It was at 4:25am on the morning of September 15th 2002 that, after many failed attempts to resuscitate the dying OS, *BSD finally passed away. While *BSD has been in its death throes for many months now and it's death has been foreseen for many years, this is still a very sad moment; a great loss for OS dilettante dabblers and *BSD lovers the world over. Though *BSD has passed away, it will surely be fondly remembered for years to come by users, developers, and trolls alike. Even if you didn't enjoy using *BSD, there's no denying it's contributions to popular OS culture. Truly a Berkeley icon. It will be missed :(
only started doing it as a way to learn how to do it.
I began with a working ipfw/natd firewall script and added in the dummynet stuff... Funny how if the wife is holding out, I can restrict her bandwidth with a few clicks. Netsurfing at 14400bps is the pits... but it worked... that's another story.
Then I saw queues... and what kind of power they had. I realize I'm only scratching the surface of using queues with DUMMYNET, but I wanted some flexibility of which ports I could prioritize and I didn't want to rewrite a fixed script every time.
The result is at http://bsdvault.net. The beauty of my script is that it doesn't limit the user to a fixed number of queues. Luigi Rizzo seems to think thousands of queues are possible with a very minimal performance hit.
potentially I could modify the script to limit certain ports at certain bandwidths... I am only scratching the surface.
Enjoy!
smn
GPG Key 0xD869AB48
I've been toying with dummynet on my FreeBSD router on my home network, I especially wanted to improve the effectiveness of the Internet connection under higher loads, and looking at the documentation reveals dummynet has huge possibilities with it's level of flexibility and configuration options, and how it integrates with IPFW. However, the documentation lacks real world examples of how dummynet could be used in a practical situation.
I found this article is somewhat helpful to me.
--jquirke
I've been toying with dummynet on my FreeBSD router on my home network, I especially wanted to improve the effectiveness of the Internet connection under higher loads, and looking at the documentation reveals dummynet has huge possibilities with it's level of flexibility and configuration options, and how it integrates with IPFW. However, the documentation lacks real world examples of how dummynet could be used in a practical situation.
I found this article is somewhat helpful to me.
--jquirke
W2FQ has nice delay guarantees when composed on an end2end basis with routers employing FQ. The reality is that having RSVP signaling and FQ deployed on an end2end basis will never happen, so you're better off using diff-serv and priority queuing instead.
It is official; Netcraft now confirms: *BSD is dying
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
take a look at the howto on http://www.ezunix.org 's freebsd section - it contains a slightly more understandable example
For doing more sophisticated work look into altq.
r e. html#ALTQ
http://www.csl.sony.co.jp/person/kjc/kjc/softwa
Ezunix has an article on this same subject.
Net: Dummynet Traffic Shaping with WF2Q
W2FQ has nice delay guarantees when composed on an end2end basis with routers employing FQ. The reality is that having RSVP signaling and FQ deployed on an end2end basis will never happen, so you're better off using diff-serv and priority queuing instead.
take a look at the howto on http://www.ezunix.org 's freebsd section - it contains a slightly more understandable example
For doing more sophisticated work look into altq.
r e. html#ALTQ
http://www.csl.sony.co.jp/person/kjc/kjc/softwa
Ezunix has an article on this same subject.
Net: Dummynet Traffic Shaping with WF2Q
I've been doing some speed tests. The box is a 1Ghz Celeron and builtin SIS ethernet card going off to a cable modem and a second realtek card which my home network is on.
/24 and passing through one /28 of real internet space. I expect to have at least 5 rules per ip address. I haven't looked into using the skipto rules yet. I want to make sure some stuff has priority and has priority over the junk but I don't want to have to get draconian if I can help it.
With about 25000 rules (that all get checked), the ping times go from 7.479ms (12 rules) to 61ms. 14k rules is about 37ms.
What I'm looking at is a bandwidth controller for a wireless isp like application. I'm figuring on NAT directly dealing with 3 seperate
What I want to do is count all port 25 traffic so I can find virused pc's with ease. I would also like to count all the web traffic per IP address. I also want to be able to track down those funky spikes when they show up but I think other tools will be better for that.
I like IPFW's ability to change rules by rule number and get a count per rule number. This allows me to have a script so I can "lart 192.1.100.23". I want to pull useage stats off to mrtg.
One problem I haven't solved is how do I count web traffic? For example:
00015 74 20143 count tcp from 10.219.144.247 to any 3128 keep-state
00015 39 6917 count tcp from 10.219.144.247 to any 3128
it appears that keep-state keeps track of both sides
I'm not sure if thats counting both inbound or outbound or both.
The IPFW system seems very powerful and I'm just getting into some of its cool features (like divert). About the only thing I can't find out how to do is specifc a inverted port range. They syntax allows you to say anything that isn't 1.2.3.4 port 45 but you can't say "anything that is 1.2.3.4 but not port 45"
It would be cool if there as a way to rewrite addresses on the divert. Right now you can divert to an interface but it would be cool to be able to say divert any port 80 stuff to the squid proxy. I'm getting what I think is strange behavior. If I divert to a port that apache is looking at, it can't id the port but for some reason inetd can tell.
I've been doing some speed tests. The box is a 1Ghz Celeron and builtin SIS ethernet card going off to a cable modem and a second realtek card which my home network is on.
/24 and passing through one /28 of real internet space. I expect to have at least 5 rules per ip address. I haven't looked into using the skipto rules yet. I want to make sure some stuff has priority and has priority over the junk but I don't want to have to get draconian if I can help it.
With about 25000 rules (that all get checked), the ping times go from 7.479ms (12 rules) to 61ms. 14k rules is about 37ms.
What I'm looking at is a bandwidth controller for a wireless isp like application. I'm figuring on NAT directly dealing with 3 seperate
What I want to do is count all port 25 traffic so I can find virused pc's with ease. I would also like to count all the web traffic per IP address. I also want to be able to track down those funky spikes when they show up but I think other tools will be better for that.
I like IPFW's ability to change rules by rule number and get a count per rule number. This allows me to have a script so I can "lart 192.1.100.23". I want to pull useage stats off to mrtg.
One problem I haven't solved is how do I count web traffic? For example:
00015 74 20143 count tcp from 10.219.144.247 to any 3128 keep-state
00015 39 6917 count tcp from 10.219.144.247 to any 3128
it appears that keep-state keeps track of both sides
I'm not sure if thats counting both inbound or outbound or both.
The IPFW system seems very powerful and I'm just getting into some of its cool features (like divert). About the only thing I can't find out how to do is specifc a inverted port range. They syntax allows you to say anything that isn't 1.2.3.4 port 45 but you can't say "anything that is 1.2.3.4 but not port 45"
It would be cool if there as a way to rewrite addresses on the divert. Right now you can divert to an interface but it would be cool to be able to say divert any port 80 stuff to the squid proxy. I'm getting what I think is strange behavior. If I divert to a port that apache is looking at, it can't id the port but for some reason inetd can tell.
Repeat: BSD is dying.
That is all.
...is a simple-to-use (read: GUI) interface on either AltQ or Dummynet so that I can dynamically adjust the rate of different traffic classes. That is, I'd like to be able to manually lower the bandwidth allowed for some traffic that is going through my firewall.
As an example; sometimes I've already started up a huge download (4.6.2-disc1.iso, for instance). But, now I want to play UT and so I want to make sure that as the download runs, but doesn't eat up all of the DSL line. Since most user apps don't have rate limiting built in, I just want to tweak the firewall so that all non-UT traffic to use only 50% of the DSL bandwidth.
I want to just pull up a control panel and click.
3 years ago at a previous employer, I helped build something just like this. For various reasons it sucked (not the least being that it was encumbered and unavailable). I had hoped that Altq or Dummynet would get something like this since then.
...is a simple-to-use (read: GUI) interface on either AltQ or Dummynet so that I can dynamically adjust the rate of different traffic classes. That is, I'd like to be able to manually lower the bandwidth allowed for some traffic that is going through my firewall.
As an example; sometimes I've already started up a huge download (4.6.2-disc1.iso, for instance). But, now I want to play UT and so I want to make sure that as the download runs, but doesn't eat up all of the DSL line. Since most user apps don't have rate limiting built in, I just want to tweak the firewall so that all non-UT traffic to use only 50% of the DSL bandwidth.
I want to just pull up a control panel and click.
3 years ago at a previous employer, I helped build something just like this. For various reasons it sucked (not the least being that it was encumbered and unavailable). I had hoped that Altq or Dummynet would get something like this since then.
You bunch of naysayers, doomsday prophets.
Don't you see than now, BSD has the largest desktop marketshare of any *nix?
OSX or Darwin on PPC, and Darwin on Intel.
Why doesn't someone port Dummynet to OSX?
The Xserve is quite a nice server... don't you believe there would be a potential for a traffic shaper (Dummynet or ALTQ based, with modern queuing algs) as an add-on to it?
Get to work, people!