Hi, I''ve just realized that something seems to be wrong with traffic shaping on two systems which were running RHEL4 and are now running RHEL6. While trying to find what is wrong I even simplified the config but it just doesn''t seem to work as it has with EL4. The test config looks like this (eth2 is the "internet" interface): in shorewall.conf I have: TC_ENABLED=Internal tcdevices: #NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED #INTERFACE INTERFACES eth2 20000kbit 2000kbit tcclasses: #INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS # DMAX:UMAX eth2 1 full/4 full 1 tcp-ack,tos-minimize-delay eth2 2 full/4 full 2 default eth2 3 full/8 full*8/10 2 Now, on the completely idle link I can do what I want, downloading http or doing rsync via ssh, I get download speeds of 200-500 kB/s. Setting TC_ENABLED=No immediately increases the downstream to its full speed. Looks like I''m missing the obvious, but what is it? The output of "shorewall show tc eth2" is attached. Thanks for any ideas! Regards, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Tue, 2011-10-11 at 10:31 +0200, Simon Matter wrote:> > > Now, on the completely idle link I can do what I want, downloading http or > doing rsync via ssh, I get download speeds of 200-500 kB/s. Setting > TC_ENABLED=No immediately increases the downstream to its full speed. > > Looks like I''m missing the obvious, but what is it? > The output of "shorewall show tc eth2" is attached. >Hi Simon, Have you checked FAQ 97? -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Tue, 2011-10-11 at 10:31 +0200, Simon Matter wrote:> eth2 3 full/8 full*8/10 2 > > > Now, on the completely idle link I can do what I want, downloading http or > doing rsync via ssh, I get download speeds of 200-500 kB/s. Setting > TC_ENABLED=No immediately increases the downstream to its full speed. > > Looks like I''m missing the obvious, but what is it? > The output of "shorewall show tc eth2" is attached. > > Thanks for any ideas!Please disregard my earlier post -- Your problem is download speed where FAQ 97 addresses upload speed. I''ll take a look. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Tue, 2011-10-11 at 10:31 +0200, Simon Matter wrote:> Hi, > > I''ve just realized that something seems to be wrong with traffic shaping > on two systems which were running RHEL4 and are now running RHEL6. While > trying to find what is wrong I even simplified the config but it just > doesn''t seem to work as it has with EL4. The test config looks like this > (eth2 is the "internet" interface): > > in shorewall.conf I have: > TC_ENABLED=Internal > > tcdevices: > #NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED > #INTERFACE INTERFACES > eth2 20000kbit 2000kbit > > tcclasses: > #INTERFACE:CLASS MARK RATE: CEIL PRIORITY > OPTIONS > # DMAX:UMAX > eth2 1 full/4 full 1 > tcp-ack,tos-minimize-delay > eth2 2 full/4 full 2 default > eth2 3 full/8 full*8/10 2 > > > Now, on the completely idle link I can do what I want, downloading http or > doing rsync via ssh, I get download speeds of 200-500 kB/s. Setting > TC_ENABLED=No immediately increases the downstream to its full speed. > > Looks like I''m missing the obvious, but what is it? > The output of "shorewall show tc eth2" is attached.You might try this suggestion from the Shorewall TC HOWTO: Note For fast lines, the actually download speed may be well below what you specify here. If you have this problem, then follow the bandwidth with a ":" and a burst size. The default burst is 10kb, but on my 50mbit line, I specify 200kb. (50mbit:200kb). -tOM -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote:> > You might try this suggestion from the Shorewall TC HOWTO: > > Note > > For fast lines, the actually download speed may be well below > what you specify here. If you have this problem, then follow the > bandwidth with a ":" and a burst size. The default burst is > 10kb, but on my 50mbit line, I specify 200kb. (50mbit:200kb).I shouldn''t email before I have my morning coffee. This suggestion only works with simple TC. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Tue, 2011-10-11 at 06:50 -0700, Tom Eastep wrote:> On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote: > > > > > You might try this suggestion from the Shorewall TC HOWTO: > > > > Note > > > > For fast lines, the actually download speed may be well below > > what you specify here. If you have this problem, then follow the > > bandwidth with a ":" and a burst size. The default burst is > > 10kb, but on my 50mbit line, I specify 200kb. (50mbit:200kb). > > I shouldn''t email before I have my morning coffee. This suggestion only > works with simple TC. >Okay -- one more time, now that I have had my coffee. Specifying a burst on your IN-BANDWIDTH should definitely help your problem. I would start at 100kb. I seem to recall a user on IRC, however, that was experiencing a similar problem. In that case, adding a burst did not solve the issue. Don''t recall which distro and version that user was running. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> On Tue, 2011-10-11 at 06:50 -0700, Tom Eastep wrote: >> On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote: >> >> > >> > You might try this suggestion from the Shorewall TC HOWTO: >> > >> > Note >> > >> > For fast lines, the actually download speed may be well below >> > what you specify here. If you have this problem, then follow >> the >> > bandwidth with a ":" and a burst size. The default burst is >> > 10kb, but on my 50mbit line, I specify 200kb. (50mbit:200kb). >> >> I shouldn''t email before I have my morning coffee. This suggestion only >> works with simple TC. >> > > Okay -- one more time, now that I have had my coffee. > > Specifying a burst on your IN-BANDWIDTH should definitely help your > problem. I would start at 100kb. I seem to recall a user on IRC, > however, that was experiencing a similar problem. In that case, > adding a burst did not solve the issue. Don''t recall which distro and > version that user was running.Hi Tom, Thanks for your effort in the early morning :) I''ll try what you suggested. The funny thing is that the RHEL4 boxes with ancient 2.6.9 kernel have always worked exactly as expected. Now on RHEL6 with kernel 2.6.32 it just doesn''t do what I expect. I''ll give feedback soon. Thanks, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Tue, 2011-10-11 at 19:33 +0200, Simon Matter wrote:> Thanks for your effort in the early morning :) > I''ll try what you suggested. The funny thing is that the RHEL4 boxes with > ancient 2.6.9 kernel have always worked exactly as expected. Now on RHEL6 > with kernel 2.6.32 it just doesn''t do what I expect. I''ll give feedback > soon. >There is a bad defect in complex TC that was introduced in 4.4.23. The net effect is that output shaping is completely broken. I''ll be releasing 4.4.24.1 today. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Tue, 2011-10-11 at 10:55 -0700, Tom Eastep wrote:> On Tue, 2011-10-11 at 19:33 +0200, Simon Matter wrote: > > > Thanks for your effort in the early morning :) > > I''ll try what you suggested. The funny thing is that the RHEL4 boxes with > > ancient 2.6.9 kernel have always worked exactly as expected. Now on RHEL6 > > with kernel 2.6.32 it just doesn''t do what I expect. I''ll give feedback > > soon. > > > > There is a bad defect in complex TC that was introduced in 4.4.23. The > net effect is that output shaping is completely broken. > > I''ll be releasing 4.4.24.1 today.The problem is not so severe as I originally thought. It only occurs when a logical device name is used on an interface that is named in tcdevices. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> On Tue, 2011-10-11 at 10:55 -0700, Tom Eastep wrote: >> On Tue, 2011-10-11 at 19:33 +0200, Simon Matter wrote: >> >> > Thanks for your effort in the early morning :) >> > I''ll try what you suggested. The funny thing is that the RHEL4 boxes >> with >> > ancient 2.6.9 kernel have always worked exactly as expected. Now on >> RHEL6 >> > with kernel 2.6.32 it just doesn''t do what I expect. I''ll give >> feedback >> > soon. >> > >> >> There is a bad defect in complex TC that was introduced in 4.4.23. The >> net effect is that output shaping is completely broken. >> >> I''ll be releasing 4.4.24.1 today. > > The problem is not so severe as I originally thought. It only occurs > when a logical device name is used on an interface that is named in > tcdevices.OK, IIRC when I made some tests I was using 4.4.23.X on all systems and only the RHEL6 based ones had the problem. I''ll redo all tests tomorrow maybe after you released 4.4.24.1. Thanks, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Tue, 2011-10-11 at 21:58 +0200, Simon Matter wrote:> > On Tue, 2011-10-11 at 10:55 -0700, Tom Eastep wrote: > >> On Tue, 2011-10-11 at 19:33 +0200, Simon Matter wrote: > >> > >> > Thanks for your effort in the early morning :) > >> > I''ll try what you suggested. The funny thing is that the RHEL4 boxes > >> with > >> > ancient 2.6.9 kernel have always worked exactly as expected. Now on > >> RHEL6 > >> > with kernel 2.6.32 it just doesn''t do what I expect. I''ll give > >> feedback > >> > soon. > >> > > >> > >> There is a bad defect in complex TC that was introduced in 4.4.23. The > >> net effect is that output shaping is completely broken. > >> > >> I''ll be releasing 4.4.24.1 today. > > > > The problem is not so severe as I originally thought. It only occurs > > when a logical device name is used on an interface that is named in > > tcdevices. > > OK, IIRC when I made some tests I was using 4.4.23.X on all systems and > only the RHEL6 based ones had the problem. I''ll redo all tests tomorrow > maybe after you released 4.4.24.1.Given that the problem only affects users that have different logical and physical names for their interfaces, I''m inclined to wait a few days and see if another defect shows up. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> On Tue, 2011-10-11 at 06:50 -0700, Tom Eastep wrote: >> On Tue, 2011-10-11 at 06:37 -0700, Tom Eastep wrote: >> >> > >> > You might try this suggestion from the Shorewall TC HOWTO: >> > >> > Note >> > >> > For fast lines, the actually download speed may be well below >> > what you specify here. If you have this problem, then follow >> the >> > bandwidth with a ":" and a burst size. The default burst is >> > 10kb, but on my 50mbit line, I specify 200kb. (50mbit:200kb). >> >> I shouldn''t email before I have my morning coffee. This suggestion only >> works with simple TC. >> > > Okay -- one more time, now that I have had my coffee. > > Specifying a burst on your IN-BANDWIDTH should definitely help your > problem. I would start at 100kb. I seem to recall a user on IRC, > however, that was experiencing a similar problem. In that case, > adding a burst did not solve the issue. Don''t recall which distro and > version that user was running.Tom, I tried this but it doesn''t seem to help. I''m not sure about the syntax of the burst parameter, the unit "kb" is not mentioned in tcdevices manpage, but I tried "kb" and "kbit". If I set it to "10kbit" then the connection stalls, if I set "100kb" oder "500kb" it doesn''t change anything, I get about 1/20 of the full downstream speed. The only thing which helps is to set IN-BANDWIDTH to 0 which immediately makes it jump to full speed. To test I''m running a big wget job on the firewall itself over the otherwise unused link and it shows something like "96.3K/s" while any IN-BANDWIDTH is defined, and it jumps to "2.32M/s" if IN-BANDWIDTH is set to 0. The full mandwith is very constant while the limited bandwith is not, it stays between ~70K/s and ~200K/s. The same also happened on a faster link with 100Mbps symmetric line. Update: I''ve just tried on a RHEL4 system with 50Mbps link. Without burst defined, the wget shows about 2.4M/s, after adding "100kb" burst, it shows 4.93M/s, so the effect is visible. All systems are running the same shorewall 4.4.24 with almost identical configurations. The main difference is RHEL4<>RHEL6. Any more ideas? Thanks, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Tue, 11 Oct 2011 10:31:19 +0200 "Simon Matter" <simon.matter@invoca.ch> wrote:> Hi, > > I''ve just realized that something seems to be wrong with traffic > shaping on two systems which were running RHEL4 and are now running > RHEL6. While trying to find what is wrong I even simplified the > config but it just doesn''t seem to work as it has with EL4. The test > config looks like this (eth2 is the "internet" interface): > > in shorewall.conf I have: > TC_ENABLED=Internal > > tcdevices: > #NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS > REDIRECTED > #INTERFACE > INTERFACES eth2 20000kbit 2000kbit > > tcclasses: > #INTERFACE:CLASS MARK RATE: CEIL > PRIORITY OPTIONS > # DMAX:UMAX > eth2 1 full/4 full 1 > tcp-ack,tos-minimize-delay > eth2 2 full/4 full 2 default > eth2 3 full/8 full*8/10 2Your config is wrong: RATE - rate[:dmax[:umax]] The minimum bandwidth this class should get, when the traffic load rises. If the sum of the rates in this column exceeds the INTERFACE''s OUT-BANDWIDTH, then the OUT-BANDWIDTH limit may not be honored. Similarly, if the sum of the rates of sub-classes of a class exceed the CEIL of the parent class, things don''t work well. I use this which works fine with kernel 2.6.32-131.17.1.el6: eth2 1 5*full/10 full 1 tcp-ack,tos-minimize-delay eth2 2 3*full/10 9*full/10 2 default eth2 3 2*full/10 8*full/10 2 -- Tuomo Soini <tis@foobar.fi> Foobar Linux services +358 40 5240030 Foobar Oy <http://foobar.fi/> ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Wed, 2011-10-12 at 13:32 +0300, Tuomo Soini wrote:> Your config is wrong: > > RATE - rate[:dmax[:umax]] > The minimum bandwidth this class should get, when the > traffic load rises. If the sum of the rates in this column > exceeds the INTERFACE''s OUT-BANDWIDTH, then the OUT-BANDWIDTH > limit may not be honored. Similarly, if the sum of the rates of > sub-classes of a class exceed the CEIL of the parent class, > things don''t work well. > > I use this which works fine with kernel 2.6.32-131.17.1.el6: > > eth2 1 5*full/10 full 1 tcp-ack,tos-minimize-delay > eth2 2 3*full/10 9*full/10 2 default > eth2 3 2*full/10 8*full/10 2 >Simon''s problem is with download, not upload. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Wed, 2011-10-12 at 09:49 +0200, Simon Matter wrote:> Tom, I tried this but it doesn''t seem to help. I''m not sure about the > syntax of the burst parameter, the unit "kb" is not mentioned in tcdevices > manpage, but I tried "kb" and "kbit". If I set it to "10kbit" then the > connection stalls, if I set "100kb" oder "500kb" it doesn''t change > anything, I get about 1/20 of the full downstream speed. The only thing > which helps is to set IN-BANDWIDTH to 0 which immediately makes it jump to > full speed. > > To test I''m running a big wget job on the firewall itself over the > otherwise unused link and it shows something like "96.3K/s" while any > IN-BANDWIDTH is defined, and it jumps to "2.32M/s" if IN-BANDWIDTH is set > to 0. The full mandwith is very constant while the limited bandwith is > not, it stays between ~70K/s and ~200K/s. > > The same also happened on a faster link with 100Mbps symmetric line. > > Update: > I''ve just tried on a RHEL4 system with 50Mbps link. Without burst defined, > the wget shows about 2.4M/s, after adding "100kb" burst, it shows 4.93M/s, > so the effect is visible. > > All systems are running the same shorewall 4.4.24 with almost identical > configurations. The main difference is RHEL4<>RHEL6. Any more ideas?No, sorry - I''ve tried to reproduce this problem on Foobar6.1 which is RHEL6-based and I''m seeing no problem. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote:> No, sorry - I''ve tried to reproduce this problem on Foobar6.1 which is > RHEL6-based and I''m seeing no problem.I''ve done a bit more testing. Foobar6.1 is running kernel 2.6.32-131.17.1 whereas my Centos6 installation is running 2.6.32-71.29.1. Foobar6.1 works as expected while Centos6 shows download speeds significantly below IN-BANDWIDTH. I''m seeing 22-23Mbit when I set the IN-BANDWIDTH to 30mbit. While that is not as bad as you are seeing, it shows that there are significant differences between RHEL6 kernel versions. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote: > >> No, sorry - I''ve tried to reproduce this problem on Foobar6.1 which is >> RHEL6-based and I''m seeing no problem. > > I''ve done a bit more testing. Foobar6.1 is running kernel > 2.6.32-131.17.1 whereas my Centos6 installation is running > 2.6.32-71.29.1. Foobar6.1 works as expected while Centos6 shows download > speeds significantly below IN-BANDWIDTH. I''m seeing 22-23Mbit when I set > the IN-BANDWIDTH to 30mbit. While that is not as bad as you are seeing, > it shows that there are significant differences between RHEL6 kernel > versions.Hm, I have to redo my tests then. My initial testing was with CentOS 6 on box A. Box B also and still runs CentOS 6 while box A now runs stock RHEL6.1 kernel. So, it may be that only the testbox running CentOS is affected, I''ll test it later today. Thanks, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote:> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote: > > > >> No, sorry - I''ve tried to reproduce this problem on Foobar6.1 which is > >> RHEL6-based and I''m seeing no problem. > > > > I''ve done a bit more testing. Foobar6.1 is running kernel > > 2.6.32-131.17.1 whereas my Centos6 installation is running > > 2.6.32-71.29.1. Foobar6.1 works as expected while Centos6 shows download > > speeds significantly below IN-BANDWIDTH. I''m seeing 22-23Mbit when I set > > the IN-BANDWIDTH to 30mbit. While that is not as bad as you are seeing, > > it shows that there are significant differences between RHEL6 kernel > > versions. > > Hm, I have to redo my tests then. My initial testing was with CentOS 6 on > box A. Box B also and still runs CentOS 6 while box A now runs stock > RHEL6.1 kernel. So, it may be that only the testbox running CentOS is > affected, I''ll test it later today.I added the centos-cr repo and updated my CentOS 6 VM. It now runs at full speed. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote: >> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote: >> > >> >> No, sorry - I''ve tried to reproduce this problem on Foobar6.1 which >> is >> >> RHEL6-based and I''m seeing no problem. >> > >> > I''ve done a bit more testing. Foobar6.1 is running kernel >> > 2.6.32-131.17.1 whereas my Centos6 installation is running >> > 2.6.32-71.29.1. Foobar6.1 works as expected while Centos6 shows >> download >> > speeds significantly below IN-BANDWIDTH. I''m seeing 22-23Mbit when I >> set >> > the IN-BANDWIDTH to 30mbit. While that is not as bad as you are >> seeing, >> > it shows that there are significant differences between RHEL6 kernel >> > versions. >> >> Hm, I have to redo my tests then. My initial testing was with CentOS 6 >> on >> box A. Box B also and still runs CentOS 6 while box A now runs stock >> RHEL6.1 kernel. So, it may be that only the testbox running CentOS is >> affected, I''ll test it later today. > > I added the centos-cr repo and updated my CentOS 6 VM. It now runs at > full speed.The testbox I''m using is CentOS6 with CR enabled. Now, I also updated the kernel to 2.6.32-131.17.1.el6.x86_64 from RedHat, and it doesn''t change anything. Download with wget shows something between 30 and 200K/s, while after disabling TC it gets 2.2M/s. The only solution I found is TC_ENABLED=Internal -> TC_ENABLED=No :( Regards, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote: >> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote: >> > >> >> No, sorry - I''ve tried to reproduce this problem on Foobar6.1 which >> is >> >> RHEL6-based and I''m seeing no problem. >> > >> > I''ve done a bit more testing. Foobar6.1 is running kernel >> > 2.6.32-131.17.1 whereas my Centos6 installation is running >> > 2.6.32-71.29.1. Foobar6.1 works as expected while Centos6 shows >> download >> > speeds significantly below IN-BANDWIDTH. I''m seeing 22-23Mbit when I >> set >> > the IN-BANDWIDTH to 30mbit. While that is not as bad as you are >> seeing, >> > it shows that there are significant differences between RHEL6 kernel >> > versions. >> >> Hm, I have to redo my tests then. My initial testing was with CentOS 6 >> on >> box A. Box B also and still runs CentOS 6 while box A now runs stock >> RHEL6.1 kernel. So, it may be that only the testbox running CentOS is >> affected, I''ll test it later today. > > I added the centos-cr repo and updated my CentOS 6 VM. It now runs at > full speed.Tom, did you test with complex TC or simple TC? I''ve just tested adding burst on one of the existing EL4 systems and it indeed increases the download speed to almost full speed. However, the same config on the EL6 box just doesn''t work at all even with the latest official RHEL6.1 kernel. Thanks, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Oct 13, 2011, at 1:22 PM, Simon Matter wrote:> > Tom, did you test with complex TC or simple TC? > I''ve just tested adding burst on one of the existing EL4 systems and it > indeed increases the download speed to almost full speed. However, the > same config on the EL6 box just doesn''t work at all even with the latest > official RHEL6.1 kernel.Simon, I tested using Simple TC. -Tom Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote:> > On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: >> >> Tom, did you test with complex TC or simple TC? >> I''ve just tested adding burst on one of the existing EL4 systems and it >> indeed increases the download speed to almost full speed. However, the >> same config on the EL6 box just doesn''t work at all even with the latest >> official RHEL6.1 kernel. > > > Simon, > > I tested using Simple TC. >As far as I know, IN-BANDWIDTH handling is identical in Internal and Simple. -Tom Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote:> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: > >> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: >>> >>> Tom, did you test with complex TC or simple TC? >>> I''ve just tested adding burst on one of the existing EL4 systems and it >>> indeed increases the download speed to almost full speed. However, the >>> same config on the EL6 box just doesn''t work at all even with the latest >>> official RHEL6.1 kernel. >> >> >> Simon, >> >> I tested using Simple TC. >> > > As far as I know, IN-BANDWIDTH handling is identical in Internal and Simple. >I just configured my Centos6 box with complex TC and it worked just the same. -Tom Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote:> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote: > > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: > >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: > >>> > >>> Tom, did you test with complex TC or simple TC? > >>> I''ve just tested adding burst on one of the existing EL4 systems and it > >>> indeed increases the download speed to almost full speed. However, the > >>> same config on the EL6 box just doesn''t work at all even with the latest > >>> official RHEL6.1 kernel. > >> > >> I tested using Simple TC. > >> > > As far as I know, IN-BANDWIDTH handling is identical in Internal and Simple. > > > I just configured my Centos6 box with complex TC and it worked just the same. >Grasping at straws, here is the Tc.pm that I''m releasing in 4.4.25 Beta 2. While my testing shows that it makes IN-BANDWIDTH enforcement more accurate, I am not hopeful that it will help your issue. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote: >> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote: >> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: >> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: >> >>> >> >>> Tom, did you test with complex TC or simple TC? >> >>> I''ve just tested adding burst on one of the existing EL4 systems and >> it >> >>> indeed increases the download speed to almost full speed. However, >> the >> >>> same config on the EL6 box just doesn''t work at all even with the >> latest >> >>> official RHEL6.1 kernel. >> >> >> >> I tested using Simple TC. >> >> >> > As far as I know, IN-BANDWIDTH handling is identical in Internal and >> Simple. >> > >> I just configured my Centos6 box with complex TC and it worked just the >> same. >> > > Grasping at straws, here is the Tc.pm that I''m releasing in 4.4.25 Beta > 2. While my testing shows that it makes IN-BANDWIDTH enforcement more > accurate, I am not hopeful that it will help your issue.Thanks Tom, I appreciate your help! I have tried the whole thing as you did with KVM - and of course it worked as it did for you. Finally, before giving up, I went to the box, put in a simple USB ethenet adapter, and voilà - it works perfec :) That means to me it must be some of the offloading stuff. I tried the settings from the shorewall FAQ but without success, so I have to check again, I either did something wrong in the tests or my adapter needs other settings. I''ll come back with more infos. Regards, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Fri, 2011-10-14 at 16:40 +0200, Simon Matter wrote:> Thanks Tom, I appreciate your help! > I have tried the whole thing as you did with KVM - and of course it worked > as it did for you.> Finally, before giving up, I went to the box, put in a simple USB ethenet > adapter, and voilà - it works perfec :)> That means to me it must be some of the offloading stuff. I tried the > settings from the shorewall FAQ but without success, so I have to check > again, I either did something wrong in the tests or my adapter needs other > settings. I''ll come back with more infos.Simon, Interesting - so far, the offloading problems have only produced slow upload and not slow download. I''ll look forward to hearing what you find out. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
>> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote: >>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote: >>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: >>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: >>> >>> >>> >>> Tom, did you test with complex TC or simple TC? >>> >>> I''ve just tested adding burst on one of the existing EL4 systems >>> and >>> it >>> >>> indeed increases the download speed to almost full speed. However, >>> the >>> >>> same config on the EL6 box just doesn''t work at all even with the >>> latest >>> >>> official RHEL6.1 kernel. >>> >> >>> >> I tested using Simple TC. >>> >> >>> > As far as I know, IN-BANDWIDTH handling is identical in Internal and >>> Simple. >>> > >>> I just configured my Centos6 box with complex TC and it worked just the >>> same. >>> >> >> Grasping at straws, here is the Tc.pm that I''m releasing in 4.4.25 Beta >> 2. While my testing shows that it makes IN-BANDWIDTH enforcement more >> accurate, I am not hopeful that it will help your issue. > > Thanks Tom, I appreciate your help! > I have tried the whole thing as you did with KVM - and of course it worked > as it did for you. > Finally, before giving up, I went to the box, put in a simple USB ethenet > adapter, and voilà - it works perfec :) > That means to me it must be some of the offloading stuff. I tried the > settings from the shorewall FAQ but without success, so I have to check > again, I either did something wrong in the tests or my adapter needs other > settings. I''ll come back with more infos.Finally, disabling generic-receive-offload fixes the whole mess :) Tom, maybe you could update the FAQ like this: - ethtool -k ethN tso off gso off + ethtool -K ethN tso off gso off gro off (Note the -K instead -k as well) Of maybe even like this to be sure: ethtool -K ethN tso off ufo off gso off gro off I''m wondering if it would make sense to integrate some means into shorewall to handle offloading on all devices where tc rules apply? Thanks for you patience! Regards, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
>>> On Thu, 2011-10-13 at 19:57 -0700, Tom Eastep wrote: >>>> On Oct 13, 2011, at 7:27 PM, Tom Eastep wrote: >>>> > On Oct 13, 2011, at 7:18 PM, Tom Eastep wrote: >>>> >> On Oct 13, 2011, at 1:22 PM, Simon Matter wrote: >>>> >>> >>>> >>> Tom, did you test with complex TC or simple TC? >>>> >>> I''ve just tested adding burst on one of the existing EL4 systems >>>> and >>>> it >>>> >>> indeed increases the download speed to almost full speed. However, >>>> the >>>> >>> same config on the EL6 box just doesn''t work at all even with the >>>> latest >>>> >>> official RHEL6.1 kernel. >>>> >> >>>> >> I tested using Simple TC. >>>> >> >>>> > As far as I know, IN-BANDWIDTH handling is identical in Internal and >>>> Simple. >>>> > >>>> I just configured my Centos6 box with complex TC and it worked just >>>> the >>>> same. >>>> >>> >>> Grasping at straws, here is the Tc.pm that I''m releasing in 4.4.25 Beta >>> 2. While my testing shows that it makes IN-BANDWIDTH enforcement more >>> accurate, I am not hopeful that it will help your issue. >> >> Thanks Tom, I appreciate your help! >> I have tried the whole thing as you did with KVM - and of course it >> worked >> as it did for you. >> Finally, before giving up, I went to the box, put in a simple USB >> ethenet >> adapter, and voilà - it works perfec :) >> That means to me it must be some of the offloading stuff. I tried the >> settings from the shorewall FAQ but without success, so I have to check >> again, I either did something wrong in the tests or my adapter needs >> other >> settings. I''ll come back with more infos. > > Finally, disabling generic-receive-offload fixes the whole mess :) > > Tom, maybe you could update the FAQ like this: > > - ethtool -k ethN tso off gso off > + ethtool -K ethN tso off gso off gro off > > (Note the -K instead -k as well) > > Of maybe even like this to be sure: > > ethtool -K ethN tso off ufo off gso off gro offPlease forget this one ^^^^^^^^^, udp-fragmentation-offload can not be disabled at least on my systems, is is off by default for me. Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Fri, 2011-10-14 at 17:45 +0200, Simon Matter wrote:> > > > Finally, disabling generic-receive-offload fixes the whole mess :) > > > > Tom, maybe you could update the FAQ like this: > > > > - ethtool -k ethN tso off gso off > > + ethtool -K ethN tso off gso off gro off > > > > (Note the -K instead -k as well) > > > > Of maybe even like this to be sure: > > > > ethtool -K ethN tso off ufo off gso off gro off > > Please forget this one ^^^^^^^^^, udp-fragmentation-offload can not be > disabled at least on my systems, is is off by default for me.Thanks, Simon I''ve added FAQ 97a which deals with slow download. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Oct 14, 2011, at 8:45 AM, Simon Matter wrote:>> >> Finally, disabling generic-receive-offload fixes the whole mess :) >>For future reference, what type of NIC do you have that shows this behavior? Thanks, -Tom Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Oct 15, 2011, at 1:17 PM, Tom Eastep wrote:> > On Oct 14, 2011, at 8:45 AM, Simon Matter wrote: >>> >>> Finally, disabling generic-receive-offload fixes the whole mess :) >>> > > For future reference, what type of NIC do you have that shows this behavior? >Two bits of good news: 1) I''ve been able to reproduce this with a common Realtek Gigabit card: 02:03.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10) Subsystem: Netgear GA311 Flags: bus master, 66MHz, medium devsel, latency 64, IRQ 23 I/O ports at b400 [size=256] Memory at ff5ff400 (32-bit, non-prefetchable) [size=256] Expansion ROM at ff5c0000 [disabled] [size=128K] Capabilities: [dc] Power Management version 2 Kernel driver in use: r8169 2) I have been able to modify Shorewall IN-BANDWIDTH handling to avoid the problem. Up to this time, Shorewall has generated a rate/burst policing filter. This type of filter seems particularly incompatible with GRO. The attached Tc.pm allows you to configure a rate estimated policing filter. To do that, precede the bandwidth with ''~''. Example: ~40mbit There are two optional parameters that can be added - interval and decay interval. Example: ~40mbit:1sec:8sec If not specified, the defaults for these two parameters are 250ms and 4sec. For an excellent explanation of the parameters, see http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt -Tom Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> > On Oct 14, 2011, at 8:45 AM, Simon Matter wrote: >>> >>> Finally, disabling generic-receive-offload fixes the whole mess :) >>> > > For future reference, what type of NIC do you have that shows this > behavior?It''s an intel adapter as shown below. Regards, Simon 02:00.1 Ethernet controller: Intel Corporation 82575EB Gigabit Network Connection (rev 02) Subsystem: Super Micro Computer Inc Device 10a7 Flags: bus master, fast devsel, latency 0, IRQ 19 Memory at fe8a0000 (32-bit, non-prefetchable) [size=128K] Memory at fe200000 (32-bit, non-prefetchable) [size=2M] I/O ports at e400 [size=32] Memory at fe8d8000 (32-bit, non-prefetchable) [size=16K] Expansion ROM at fe000000 [disabled] [size=2M] Capabilities: [40] Power Management version 2 Capabilities: [50] MSI: Enable- Count=1/1 Maskable- 64bit+ Capabilities: [60] MSI-X: Enable+ Count=10 Masked- Capabilities: [a0] Express Endpoint, MSI 00 Capabilities: [100] Advanced Error Reporting Capabilities: [140] Device Serial Number 00-25-90-ff-ff-35-ad-ac Kernel driver in use: igb Kernel modules: igb ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> > On Oct 15, 2011, at 1:17 PM, Tom Eastep wrote: > >> >> On Oct 14, 2011, at 8:45 AM, Simon Matter wrote: >>>> >>>> Finally, disabling generic-receive-offload fixes the whole mess :) >>>> >> >> For future reference, what type of NIC do you have that shows this >> behavior? >> > > Two bits of good news: > > 1) I''ve been able to reproduce this with a common Realtek Gigabit card: > > 02:03.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169 > Gigabit Ethernet (rev 10) > Subsystem: Netgear GA311 > Flags: bus master, 66MHz, medium devsel, latency 64, IRQ 23 > I/O ports at b400 [size=256] > Memory at ff5ff400 (32-bit, non-prefetchable) [size=256] > Expansion ROM at ff5c0000 [disabled] [size=128K] > Capabilities: [dc] Power Management version 2 > Kernel driver in use: r8169Thanks Tom, I guess then it''s quite common with many systems now. I''ve checked different cards now. A Intel 82574L and a Broadcom BCM5723 have GRO disabled while on a Intel 82575EB it''s enabled, all on RHEL6.> > 2) I have been able to modify Shorewall IN-BANDWIDTH handling to avoid the > problem. > > Up to this time, Shorewall has generated a rate/burst policing filter. > This type of filter seems particularly incompatible with GRO. > > The attached Tc.pm allows you to configure a rate estimated policing > filter. To do that, precede the bandwidth with ''~''. > > Example: ~40mbit > > There are two optional parameters that can be added - interval and > decay interval. > > Example: ~40mbit:1sec:8sec > > If not specified, the defaults for these two parameters are 250ms and > 4sec. For an excellent explanation of the parameters, see > http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txtThanks, I quickly tested it on one of the existing systems with 4.4.24 but it fails to compile - I guess I need 4.4.25beta for it. How about the upload issue in FAQ97, I guess it doesn''t change even with the new code? I think I may still switch off the offloading on all adapters where shaping is used just to be sure. Thanks, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Mon, 2011-10-17 at 13:14 +0200, Simon Matter wrote:> > Thanks, I quickly tested it on one of the existing systems with 4.4.24 but > it fails to compile - I guess I need 4.4.25beta for it.Just tested the attached version on 4.4.24.1.> How about the upload issue in FAQ97, I guess it doesn''t change even with > the new code?No - the new code strictly deals with IN-BANDWIDTH while FAQ97 deals with OUT-BANDWIDTH.> I think I may still switch off the offloading on all > adapters where shaping is used just to be sure.Hopefully, you can use the new estimator-based policing and can avoid having to switch it off. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> On Mon, 2011-10-17 at 13:14 +0200, Simon Matter wrote: > >> >> Thanks, I quickly tested it on one of the existing systems with 4.4.24 >> but >> it fails to compile - I guess I need 4.4.25beta for it. > > Just tested the attached version on 4.4.24.1.That''s what I get: # shorewall check Checking... Global symbol "$rate" requires explicit package name at /usr/libexec/shorewall/Shorewall/Tc.pm line 583. BEGIN not safe after errors--compilation aborted at /usr/libexec/shorewall/Shorewall/Tc.pm line 831. Compilation failed in require at /usr/libexec/shorewall/Shorewall/Compiler.pm line 31. BEGIN failed--compilation aborted at /usr/libexec/shorewall/Shorewall/Compiler.pm line 31. Compilation failed in require at /usr/libexec/shorewall/compiler.pl line 44. BEGIN failed--compilation aborted at /usr/libexec/shorewall/compiler.pl line 44. What am I missing? Thanks, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Tue, 2011-10-18 at 07:25 +0200, Simon Matter wrote:> That''s what I get: > > # shorewall check > Checking... > Global symbol "$rate" requires explicit package name at > /usr/libexec/shorewall/Shorewall/Tc.pm line 583. > BEGIN not safe after errors--compilation aborted at > /usr/libexec/shorewall/Shorewall/Tc.pm line 831. > Compilation failed in require at > /usr/libexec/shorewall/Shorewall/Compiler.pm line 31. > BEGIN failed--compilation aborted at > /usr/libexec/shorewall/Shorewall/Compiler.pm line 31. > Compilation failed in require at /usr/libexec/shorewall/compiler.pl line 44. > BEGIN failed--compilation aborted at /usr/libexec/shorewall/compiler.pl > line 44. > > What am I missing?Looks like you still have the first version installed. The second version has $rate replaced by $in_rate at line 583. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
> On Tue, 2011-10-18 at 07:25 +0200, Simon Matter wrote: > >> That''s what I get: >> >> # shorewall check >> Checking... >> Global symbol "$rate" requires explicit package name at >> /usr/libexec/shorewall/Shorewall/Tc.pm line 583. >> BEGIN not safe after errors--compilation aborted at >> /usr/libexec/shorewall/Shorewall/Tc.pm line 831. >> Compilation failed in require at >> /usr/libexec/shorewall/Shorewall/Compiler.pm line 31. >> BEGIN failed--compilation aborted at >> /usr/libexec/shorewall/Shorewall/Compiler.pm line 31. >> Compilation failed in require at /usr/libexec/shorewall/compiler.pl line >> 44. >> BEGIN failed--compilation aborted at /usr/libexec/shorewall/compiler.pl >> line 44. >> >> What am I missing? > > Looks like you still have the first version installed. The second > version has $rate replaced by $in_rate at line 583.You''re right, I tested the wrong one. Now it works and I can confirm that it also works with GRO enabled. Thanks, Simon ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct
On Oct 18, 2011, at 9:24 AM, Simon Matter wrote:> You''re right, I tested the wrong one. > Now it works and I can confirm that it also works with GRO enabled.Excellent! Thanks, Simon -Tom Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct