Better Bandwidth Utilization 196
jtorin writes "Daniel Hartmeier (of OpenBSD fame) has written a short but interesting article which explains how to better utilize available bandwidth. In short it gives priority to TCP ACKs over other types of traffic, thereby making it possible to max both upload and download bandwidth simultaenously. Be sure to check ot the nice graphs! Also note the article on OpenBSD Journal. OpenBSD 3.3 beta is now stable enough for daily use, so why not download a snapshot from one of the mirrors and try it out?"
How ironic (Score:4, Funny)
Re:How ironic (Score:5, Funny)
Re:How ironic (Score:3, Funny)
Re:How ironic (Score:2)
Re:How ironic (Score:2)
I know that, and you know that... those that have written me, thinking I was in Niue, obviously don't.
How to better utilize bandwidth (Score:4, Funny)
Slashdotting and DOS (Score:2, Insightful)
rule 2: Have a backup plan in case someone sends you a bunch of ACK ACK ACK ACK ACK ACK to cause a denial of service.
Re:Slashdotting and DOS (Score:2)
Oh, that's where OpenBSD is... (Score:4, Funny)
Now if only I could find that Linux thing...
Re:Oh, that's where OpenBSD is... (Score:2, Funny)
This [mslinux.org] is where you need to go to get your Linux Desktop Replacement!
Regards,
Joel
--
Boys, Keep It Wrinkled...
Re:Oh, that's where OpenBSD is... (Score:2)
Re:Oh, that's where OpenBSD is... (Score:2)
Luckily, there's more than enough karma on my profile for me to be able to make light-hearted jokes about Linux and Microsoft and still withstand the hyper-militant types who happen to have some mod points at the time.
like wondershaper does for months now? (Score:5, Informative)
Re:like wondershaper does for months now? (Score:5, Informative)
Re:like wondershaper does for months now? (Score:5, Informative)
Re:like wondershaper does for months now? (Score:5, Interesting)
# To speed up downloads while an upload is going on, put ACK packets in
# the interactive class:
tc filter add dev $DEV parent 1: protocol ip prio 12 u32 \
match ip protocol 6 0xff \
match u8 0x05 0x0f at 0 \
match u16 0x0000 0xffc0 at 2 \
match u8 0x10 0xff at 33 \
flowid 1:10
Re:like wondershaper does for months now? (Score:4, Informative)
"To make sure that uploads don't hurt downloads,
we also move ACK packets to the front of the queue."
It's pretty cool, it throttles your speeds to just under what the maximum should be, so that queueing will only happen on your linux box, and then you can prioritize what you want.
To quote Fry on Futurama (Score:2)
Re:like wondershaper does for months now? (Score:1)
not tested, but should work (I think)
Re:like wondershaper does for months now? (Score:4, Informative)
Would this be useful to a WISP like myself? (Score:2)
This will be of most use to ... (Score:4, Insightful)
Corporate networks are already optimized under 100 or gigabit ethernet with Cisco routers which automatically handle collisions and error corrections.
Re:This will be of most use to ... (Score:5, Informative)
Uh, no, I don't think so (Score:5, Informative)
Someone far more knowledgable than myself will get to correct me, but I seem to recall there was a process of-
Send some stuff-wait for ACK.
When you get the ACK, send some more.
By turbocharging the ACKs, you are reducing that lag time
Re:Uh, no, I don't think so (Score:2)
pre-emptive ACKs before you get the data, right
about when they would be expected.
What, you lost a packet? Go back and fetch it
later using the application-layer protocol.
Voila, hyper-http.
Re:Uh, no, I don't think so (Score:2)
Re:Uh, no, I don't think so (Score:2)
(OK, newer HTTP versions can fetch multiple pages while keeping the connection open - but still it seems that UDP would be a better fit. Except, perhaps, for POST requests, since those are not usually idempotent.)
Re:Uh, no, I don't think so (Score:3, Interesting)
Why design a stateless protocol and then put it on top of TCP, requiring a connection to be set up and torn down for each HTTP request?
Because you want reliability. Unfortunately, reliable UDP (or transactional TCP) is not widely supported.
Also, because many HTTP responses don't fit in a single UDP packet.
Re:Uh, no, I don't think so (Score:2)
Good point about the response not fitting in a UDP packet: does NFS avoid this problem by always requesting small enough chunks of data to fit in a single packet?
Once you start having to do both rerequesting dropped packets and reordering those that arrive out of sequence it does start to look as though TCP is a better bet, since it does these things for you. Nonetheless, since dropped UDP packets are fairly uncommon in practice it might be quicker most of the time to save on the overhead of setting up a TCP connection and just send a single UDP packet instead.
Re:Uh, no, I don't think so (Score:2)
If UDP is reliable enough for NFS, it should be reliable enough for web pages, right?
NFS is designed for local area networks, which drop packets much more rarely.
Once you start having to do both rerequesting dropped packets and reordering those that arrive out of sequence it does start to look as though TCP is a better bet, since it does these things for you. Nonetheless, since dropped UDP packets are fairly uncommon in practice it might be quicker most of the time to save on the overhead of setting up a TCP connection and just send a single UDP packet instead.
Dropped UDP packets are not uncommon at all when sending files over the internet. There is a certain optimal bandwidth available between the webserver and the client. Send too fast, and you'll start losing packets. Send too slowly, and you're not utilizing your bandwidth. TCP does a (fairly) good job discovering that optimal bandwidth. One problem occurs when the link is asynchronous. Acknowledgement packets get dropped, and bandwidth is underutilized. Prioritizing ACKs largely solves that problem.
Re:Uh, no, I don't think so (Score:2, Insightful)
If you're only sending a single UDP packet, sure. But if you're exceeding the end to end bandwidth of the network, then clearly packets need to either be queued or dropped. If you're exceeding the maximum bandwidth by more than just a little, then you're going to fill up the buffers, and packets will get dropped.
Without seeing the quote I'd only be speculating on what the textbook was talking about. Could be LANs, but it could be that they were talking about single UDP packets, rather than pounding a few megs of HTML and images all at once. Or maybe the quote was that UDP packets rarely get dropped for reasons other than congestion. Perhaps they could have been talking about packets that are mangled en route? That is something which could happen in theory but in reality rarely (if ever) happens.
Of course, maybe I'm just wrong. It does happen from time to time :).
Re: Kinda been done with TFTP (Score:3, Informative)
Take FTP and strip the overhead error checking and if something doesn't come out right, refresh and download it again.
For streaming, you get more throughput, and every now and them you might miss a frame in exchange for the higher quality you can obtain with the lower overhead
TCP Daytona (Score:4, Informative)
The technique you suggest is one of several proposed by Stefan Savage in TCP Congestion Control with a Misbehaving Receiver [washington.edu]. He called it TCP Daytona. :)
Re:Uh, no, I don't think so (Score:5, Informative)
When you get the ACK, send some more.
By turbocharging the ACKs, you are reducing that lag time
Not quite. TCP streams use pipelining: you send N packets (N is the "window size"), and each time you get an ACK you send one more. So in the ideal case there's no lag, because the ACK for packet 3 lets you go ahead and send packet 10 (if N=7).
When a packet (or its ACK) gets dropped, TCP assumes the network is congested, and cuts N in half, and very slowly increases it back to where it was. So after each dropped packet or ACK you have a while during which you're not using the full link. Several drops in a row can reduce your throughput by a factor of 100 or more.
Prioritizing ACKs doesn't reduce the lag time. It reduces the likelihood that TCP will overreact and reduce its sending rate due to perceived congestion.
Re:Uh, no, I don't think so (Score:2)
Prioritizing ACKs may prevent drops but the main feature is essentially reducing lag time. TCP is self clocking, in that the sender can't send any more packets until it sees an ACK. If you get the ACKs out faster you'll get the replies faster. Thus prioritizing ACKs will make your downloads go faster. Since they are small packets this probably won't too adversely affect your upload bandwidth (may increase latency slightly).
This won't incorrectly set TCP's RTT timer because if anything you've shaved a few ms off your RTT. The new RTT may be less but it's not a lie.
Re:Uh, no, I don't think so (Score:2)
No, no, no. The article showed a 10:1 drop in average throughput, and extreme variability in instantaneous throughput. That cannot be explained away as just a matter of latency.
You can increase the latency of a link, and it will still run at full speed, once TCP's estimate of RTT is properly updated. Except in extreme cases (a T3 to Mars, say), a TCP pipe will be full regardless of its latency, as long as the drop rate is low and the latency is roughly constant.
So what's happening here is that the ACKs are either getting dropped (falling off the end of a queue) or are getting delayed so far past the average RTT that TCP thinks they've been dropped. When an ACK is dropped (or presumed dropped), the sender halves its outgoing bandwidth. Each additional drop, the bandwidth gets halved again.
Prioritizing ACKs here is about keeping them at the head of the queue so that they don't get dropped. It has almost nothing to do with latency.
Re:Uh, no, I don't think so (Score:2)
Correct, mostly. The congestion window is measured in bytes, but it is incremented by one full packet (by SMSS bytes) whenever a new ACK is received. So the self-clocking behavior I described (get an ACK, send one new packet) and the multiplicative decrease (lose a packet, cut your window in half) are both true. Referring to N=7 packets instead of the equivalent number of bytes was an oversimplification to make the Van Jacobsen paper and RFC-2581 fit in a Slashdot comment. :)
The fact that the congestion window is measured in bytes, but incrementing it is measured in full segments leads to interesting vulnerabilities [washington.edu].
same bandwidth in relation to what ? (Score:1, Flamebait)
if your route is long then the chances are that along the way you will have a bottleneck and when you go across water it gets worse as all the repeaters get in on the act
saying things like " internet comes through at the same bandwidth" is plain silly
regards
John Jones
Re:same bandwidth in relation to what ? (Score:2)
A T1 to T1 connection usually gets me no better gameplay or internet page render speed than a cable modem connection or DSL connection or WiFi connection.
Re:This will be of most use to ... (Score:2)
Optimized ACKs (Score:1)
It appears that server ACKs have been optimized as well.
SERVER-ACK*wheez*ouch*ACK*sizzle*Damnit*
I am sure, however, that the bandwidth is being optimized as it came back almost immediately unreachable
Joking aside, this is the ultimate hack if it works as breezed through in the summary-just tweaking the priorities, more bandwidth!
We figured this before (Score:5, Interesting)
The problem is (Score:2, Interesting)
Re:The problem is (Score:5, Informative)
Interesting (Score:3, Interesting)
Very nice solution! (Score:1, Insightful)
Still, a very simple and effective solution to an age-old problem. I like.
Re:Very nice solution! (Score:1)
Linux solution (Score:3, Informative)
The Linux Advanced Routing & Traffic Control HOWTO [lartc.org] discuss how to achieve the same thing on linux using QoS. See section 9.2.2.2 [lartc.org](Sample configuration)
Re:Linux solution (Score:5, Informative)
It is a differend solution to a different problem caused by the same thing....
The cause is the big cache in the modem, it results in a delay on outgoing traffic.
One problem is that interactive traffic gets, well, less interactive (e.g. the echo characters in a remote shell have a delay). This is solved in the HOWTO you refered to.
Another problem is that the downstream acks get delayed resulting in less downstream data. This is solved in the mentioned article.
A combination of the two would be really great and could probably be done in both linux and openbsd.
Jeroen
Re:Linux solution (Score:1)
Yes it dows. It's not a different problem. I can only read the description; "how to better utilize available bandwidth", which is exactly what the FAQ describes how to do (that is, making sure the ACKs get through so that uploading doesn't kill your downloads, which gives better utilization).
If the article _IS NOT_ about "how to better utilize available bandwidth" then I guess you have a point, but then I can only suggest you address the submitter and ask him to properly describe his submissions in the future.
Re:Linux solution (Score:2, Insightful)
Who needs BSD?
People that love UNIX. The Finnish hack is for people that hate Microsoft.
My solution: (Score:5, Funny)
Put lower priorities on p0rn, MP3s, Windows viruses, and Slashdot referrals. That should speed everything else up by about two orders of magnitude.
Re:My solution: (Score:1, Funny)
Re:My solution: (Score:5, Funny)
Note the article is all about low bandwidth setups (Score:5, Insightful)
A little off topic but I always find it interesting that people with hicap gear (Foundry, Cisco, etc.) are always talking about QOS when it really only makes sense most times on low bandwidth lines. So his work is really important when you look at where it is in scheme of things - out at the end users line.
Re:Note the article is all about low bandwidth set (Score:1)
Not just low bandwidth (Score:5, Interesting)
A fair number of protocols do transmit windows of a certain size. They'll send a certain amount of data, and not send more data until the oldest packest in the window gets an ACK back. You therefore only have so much data "in-flight" at any one time. Strongly asynchronous link (like aDSL and cablemodems) can require strikingly different window sizes than synchronous links.
The right amount of in-flight data is dependent on the speed of your pipe, obviously, but a lot of applications still use defaults set for low-bandwidth pipes. You can argue that the proper solution for this is to change the defaults, but if you just give ACKs priority, you don't need to worry about it, and the less you force users to change, the better. (The transmit window size has to be a user setting, directly or indirectly, either by asking a window size, or by asking "what kind of pipe do you have?" and guessing a window size from that.)
This is dependent on the protocol, true, but giving ACKs priority is actually a decent generic solution to what many consider an application-specific problem.
QOS is also often about bandwidth guarantees, not necessarily throughput. You have a 155mbit link shared among several applications, and an application that *requires* 45mbit. So you use QOS to guarantee that application gets 45mbit if it wants it, and everything else shares the remainder. If the app isn't going, then that 45mbit it requires can be made available to other apps until it is required.
Re:Note the article is all about low bandwidth set (Score:2, Informative)
For example, I have the equivilent of a T1 (1.544mb CIR Frame) going to Qwest. From Qwest, I have a 256k CIR Frame link going to a remote office.
When the office sends data to me, it's fine. When I send back, there are massive amounts of Red Frames. Dropped packets means re-transmits which means delay. Delay is bad when you are running an interactive application over these links. Think of a garden hose connected to a fire hydrant. The garden hose could dump water into the fire hydrant fine (assuming the water for the hydrant is turned off elsewhere...). When the fire hydrant turns on, however...
Now I have QoS maps based off of the DLCI for each office, so it throttles back our link to Qwest to match the remote connection, so everyone talks happily, instead of blasting the little link into oblivion. Now, Red Frames aren't seen very often, unless the Qwest circuit is saturated, and we get chopped back to our base CIR. It makes a difference. Not a huge one, but a noticeable difference.
Traffic Shaping is your friend. It's all about making the mose efficient use of what you have. (Or making sure that you still have bandwidth when your roommate is leeching gigs of pr0n...) M
Very Usefull (Score:2, Interesting)
Re:Very Usefull (Score:2)
Is this related to another article? (Score:3, Funny)
Ask Slashdot: What percentage of internet traffic is pr0n? [slashdot.org]
erm... (Score:1, Offtopic)
so exactly how many people is this comment directed to? I mean, might we get as much as 1% of the readership checking out the graphs before certain unfortunate server suffers a horrible death / temporary trauma?
Daniels original email (Score:5, Informative)
http://marc.theaimsgroup.com/?l=openbsd-pf&m
It contains a little more of the pf rules than the article does, and has all the relevant information you need except for the nice
Working Link (Score:3, Insightful)
link [theaimsgroup.com]
./ed (Score:1)
Article title should read: reduce latency (Score:1, Informative)
Title is correct! (Score:5, Interesting)
The article is
The bandwidth is there, it;s just under utilised. By prioritisng the ACK's, so that they get boosted through, it becomes possible to saturate both upstream and downstream pipes at once, at peak efficency, rather than one of the coasting along, waithing for the other.
Note that this only applies for TCP/IP and similar, reliable, protocols. If you had a UDP app (e.g. media streaming done properly), then this trick won't affect it at all, as it doesn't wait for an ACK.
Trip down memory lane... (Score:3, Interesting)
Re:Trip down memory lane... (Score:1)
Re:Trip down memory lane... (Score:4, Informative)
A) Zmodem is still around, at least in the *nix world. You can get lrzsz from here [www.ohse.de].
Some telnet clients still support Zmodem, and you can use lrzsz to transfer files via telnet. Personally, I'd rather use ssh as it's a lot more secure, but in cases where either you can only use telnet or when you are on network you can trust (i.e., not the Internet), you can still use Zmodem.
b) Zmodem is not, nor has it ever been a bidirectional protocol -- you can't upload and download at the same time unless you have two different connections. There *were* protocols that would let you do this (Puma comes to mind), but you most decidedly could NOT do this with Zmodem.
Re:Trip down memory lane... (Score:2)
it had chat too which was extra cool during big downloads or when trading files with friend..
(and it was simple to use and needed no by hand synchronising if you had setup the terminal program ok, if my memory serves me well you could initiate the uploads during downloads too, though i barely dialed up to any bbs's after we got isdn circa summer of '96..)
Re:Trip down memory lane... (Score:2)
Maybe had something to do with T.A.G. or Telegard (one of the two) having a default config for Puma, I think.
Re:Trip down memory lane... (Score:1)
Re:Trip down memory lane... (Score:1)
Re:Trip down memory lane... (Score:1)
It was released on December 7, 1988.
Here's a link to textfiles.com timeline [textfiles.com]
Re:Trip down memory lane... (Score:2, Informative)
Maybe puma or one of those oddball protocols are bidirectional, but that was pretty useless to warez runners back in the day, because everybody knows that real k-k00l warez runners use USRobotics Courier HST 9600 high-speed modems, and they were only fast in one direction. Real warez runners spit on v.32 modems...Ahhh the good old days
Re:Trip down memory lane... (Score:2)
Poorly written BBS software would only remember the last block downloaded as an indicator of how much you downloaded.
Re:Trip down memory lane... (Score:2)
.CX Domain (Score:4, Funny)
Security hole (Score:3, Funny)
Or maybe it was flooded with SYN's? Damn. I can't remember.
Re:Security hole (Score:5, Interesting)
For each SYN packet you send, you eat up a little bit more memory and CPU time on the victim. Do it enough times, and the system runs out of memory or processor time, and the system becomes unable to perform its regular operations. Effectively causing a Denial of Service.
If you're smart, you'll form the SYN packets to have source addresses that differ from your real IP, otherwise a) you're traceable; and b) your machine will be flooded with SYN/ACKS. If you are even smarter, you'll use an IP that, while valid and routable, belongs to a host that either doesn't exist, or is currently off. Otherwise the 2nd level victim recieving the SYN/ACKs from your initial target will send RSETs for every SYN/ACK, since it never requested to initial the connection. When your target gets the RSET for the SYN/ACK, it will close the session, freeing up the memory and CPU time that you are desparately trying to fill. Essentially, a non-existant host will never respond to a SYN/ACK, so the target system has to wait for a timeout duration before closing the session, which makes it easier for you to eat up CPU and memory. Unfortunately though, the fake spirce IP on your SYN packets will likely have to be within your ISP's network range, as all smart ISP network administrators perform egress packet filtering to prevent such attacks from originating within their network.
Better tactics include sending the SYNs from multiple machines that have different providers. Thus preventing load from the SYN/ACKs from filling your ISPs pipe. This effectively makes the attack a DDoS, rather than a DoS.
Either way, you can't really perform these attacks in much safety, as competent network administrators will have sniffers in place to detect these attacks as they cross their network. So #1) if your ISP admin is smart, you're busted by them regardless; and #2) if the chain of smart admins follows you all the way back to your sources, you're busted by the authorities (which if you cross state lines means the Feds, which will suck quite adamently).
So, that is how it works, but I wouldn't recommend trying it.
You're not fooling me (Score:1, Offtopic)
It looks like..... (Score:1)
Trace Routing to the author's link
<a href ="http://www.benzedrine.cx">Insomnia Site</a> yields the following path:
....
6 pop1-hou-P7-2.atdn.net [66.185.136.77]
7 bb2-hou-P0-2.atdn.net [66.185.150.146]
8 bb2-tby-P7-0.atdn.net [66.185.152.247]
9 bb1-tby-P1-0.atdn.net [66.185.152.242]
10 bb2-atm-P7-0.atdn.net [66.185.152.245]
11 bb2-cha-P6-0.atdn.net [66.185.152.31]
12 bb2-ash-P13-0.atdn.net [66.185.152.50]
13 pop1-ash-P1-0.atdn.net [66.185.139.195]
14 BritishTelecom.atdn.net [66.185.151.110]
15 t2c1-ge6-2.us-ash.concert.net [166.49.208.221]
16 t2c1-p8-0.nl-ams2.concert.net [166.49.208.133]
17 t2c1-p8-0.uk-lon2.concert.net [166.49.208.90]
18 t2c1-p2-1.ch-zur.concert.net [166.49.164.46]
19 t2a1-ge5-0-0.ch-zur.concert.net [166.49.186.17]
20 ixp1-p0-0-0.ch-zur.concert.net [166.49.223.10]
21 gw.dl.zhl-zhh-00.netstream.ch [62.65.130.1]
22 gw.fiber.dd-zh-00.netstream.ch [62.65.128.133]
23 gw.fiber.dd-dd-01.netstream.ch [62.65.128.146]
24
.................
I think he was expecting 'nightmares' anywayz,that'z why he chose to name his machine INSOMNIA:-)
Slashdotted - Mirror (Score:5, Informative)
Better Bandwidth Utilization... (Score:1, Insightful)
Try it (Score:5, Funny)
"OpenBSD 3.3 beta is now stable enough for daily use, so why not download a snapshot [openbsd.org] from one of the mirrors [openbsd.org]and try it out?"
Windows XP is now stable enough for daily use, so why not download a snapshot [kazaalite.tk] from one of the mirrors [sharereactor.com] and try it out?"
(intended as a joke)
Broadband implications (Score:3, Insightful)
Then again, since when have most broadband providers really ever cared about supplying good speeds when the user maxes out the outrageously capped upstream...
this may break TCP flow control! (Score:5, Interesting)
So if the network is congested and an ACK SHOULD time out but doesn't, TCP will keep on flooding the network, ruining the pool for everyone.(see: Tragedy of the commons [dieoff.com])
Yes, I agree that this is a big-O style worse case scenario, but its something to consider.
Re:this may break TCP flow control! (Score:5, Informative)
So if the network is congested and an ACK SHOULD time out but doesn't, TCP will keep on flooding the network, ruining the pool for everyone.
No. If the downstream is flooded, the packets won't be received, and no ACK will be sent. ACKs have higher priority, but even that can't make them appear out of thin air.
W. Richard Stevens TCP/IP Illustrated, Volume 1 (Score:5, Informative)
It seems to me that a great many
Reading that book will give you a foundation to understanding how a single endpoint behaves in an IP network. If you want some understanding of the guts of a large scale internetwork I'd suggest the Cisco Press IP Quality of Service book.
There are a great many things near and dear to
If you're impatient you can look at my journal - I've covered some of the issues there.
OpenBSD and why I don't use it... (Score:1)
I won't use OpenBSD until SMP gets in. Until then, I'll stick with FreeBSD.
are there any floppy based routers that do this? (Score:2, Interesting)
Server got /.'ed before 0 comments... (Score:4, Informative)
http://www.benzedrine.cx/ackpri-norm.jpg
http://www.benzedrine.cx/ackpri-priq.jpg
benzedrine.cx - Prioritizing empty TCP ACKs with pf and ALTQ Prioritizing empty TCP ACKs with pf and ALTQ
Introduction ALTQ is a framework to manage queueing disciplines on network interfaces. It manipulates output queues to enforce bandwidth limits and priorize traffic based on classification.
While ALTQ was part of OpenBSD and has been enabled by default since several releases, the next release will merge the ALTQ and pf configuration into a single file and let pf assign packets to queues. This both simplifies the configuration and greatly reduces the cost of queue assignment.
This article presents a simple yet effective example of what the pf/ALTQ combination can be used for. It's meant to illustrate the new configuration syntax and queue assignment. The code used in this example is already available in the -current OpenBSD source branch.
Problem I'm using an asymmetric DSL with 512 kbps downstream and 128 kbps upstream capacity (minus PPPoE overhead). When I download, I get transfer rates of about 50 kB/s. But as soon as I start a concurrent upload, the download rate drops significantly, to about 7 kB/s.
Explanation Even when a TCP connection is used to send data only in one direction (like when downloading a file through ftp), TCP acknowledgements (ACKs) must be sent in the opposite direction, or the peer will assume that its packets got lost and retransmit them. To keep the peer sending data at the maximum rate, it's important to promptly send the ACKs back.
When the uplink is saturated by other connections (like a concurrent upload), all outgoing packets get delayed equally by default. Hence, a concurrent upload saturating the uplink causes the outgoing ACKs for the download to get delayed, which causes the drop in the download throughput.
Solution The outgoing ACKs related to the download are small, as they don't contain any data payload. Even a fast download saturating the 512 kbps downstream does not require more than a fraction of upstream bandwidth for the related outgoing ACKS.
Hence, the idea is to priorize TCP ACKs that have no payload. The following pf.conf fragment illustrates how to set up the queue definitions and assign packets to the defined queues:
ext_if="kue0"
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
keep state queue (q_def, q_pri)
First, a macro is defined for the external interface. This makes it easier to adjust the ruleset when the interface changes.
Next, altq is enabled on the interface using the priq scheduler, and the upstream bandwidth is specified.
I'm using 100 kbps instead of 128 kbps as this is the real maximum I can reach (due to PPPoE encapsulation overhead). Some experimentation might be needed to find the best value. If it's set too high, the priority queue is not effective, and if it's set too low, the available bandwidth is not fully used.
Then, two queues are defined with (arbitrary) names q_pri and q_def. The queue with the lower priority is made the default.
Finally, the rules passing the relevant connections (statefully) are extended to specify what queues to assign the matching packets to. The first queue specified in the parentheses is used for all packets by default, while the second (and optional) queue is used for packets with ToS (type of service) 'lowdelay' (for instance interactive ssh sessions) and TCP ACKs without payload.
Both incoming and outgoing TCP connections will pass by those two rules, create state, and all packets related to the connections will be assigned to either the q_def or q_pri queues. Packets assigned to the q_pri queue will have priority and will get sent before any pending packets in the q_def queue.
Result The following test was performed first without and then with the ALTQ rules explained above:
The first graphs shows the results of the test without ALTQ, and the second one with ALTQ:
Image 1, ACK PRI Normal [benzedrine.cx]
Image 2, ACK PRI PRIq [benzedrine.cx]
The improvement is quite significant, the saturated uplink no longer delays the outgoing empty ACKs, and the download rate doesn't drop anymore.
This effect is not limited to asymmetric links, it occurs whenever one direction of the link is saturated. With an asymmetric link this occurs more often, obviously.
Related links
How does this compare to a DDR Fairness? (Score:4, Informative)
See "QoS for Modems and Remote Access" at this KB article [microsoft.com].
Same concept for WANs (Score:2, Informative)
ACK Shaping (Score:4, Informative)
Unlike most conventional traffic shapers which queue and control the data rate on the outgoing channel, PacketShaper controls the rate of acknowledgements on the reverse channel.
This is usually used to *slow* traffic. I.e., instead of having the router drop packets (thereby wasting resources until the source TCP understands that the net is congested and reduces load) it just slows the ACKs and the sender automatically reduces its sending rate.
Anyway, the real nice thing about the OpenBSD implementation is that they merge their packet filter (pf) with the ALTQ queuing code. Now this is really powerful.
Sounds like a good time for all BSDs to adopt this new combination instead of relying on less-capable mechanisms. E.g. FreeBSD has ipfw for filtering and dummynet for queue management. I don't know how pf compares with ipfw but ALTQ is definitely better than dummynet.
Nimrod.
throttled (Score:3, Informative)
Re:From one of the links - Script for linux (Score:1)
Re:So, how to do this on freebsd (Score:2, Informative)
I just need to find out how to do this with ipf [freebsd.org] instead of ipfw [freebsd.org].
Re:Yeah well... (Score:2)
Do some moderators actually believe that someone would seriously make this statement? If so, then I suppose the real joke is on the moderators themselves - probably the same folks with a basement full of duct tape and plastic.