DNCTL(8) | System Manager's Manual | DNCTL(8) |
dnctl
— Traffic
shaper control program
dnctl |
[-anqs ] {list |
show } |
dnctl |
[-f | -q ]
flush |
dnctl |
[-q ] {delete }
[number ...] |
dnctl |
{pipe | queue }
number config
config-options |
dnctl |
[-s [field]]
{pipe | queue }
{delete | list |
show } [number ...] |
dnctl |
[-nq ] [-p
preproc [preproc-flags]]
pathname |
The dnctl
utility is the user interface
for controlling the dummynet(4) traffic shaper.
dummynet
operates by first
using a packet filter to classify packets and divide them into
flows, using any
match pattern that can be used in dnctl
rules.
Depending on local policies, a flow can contain packets for a single TCP
connection, or from/to a given host, or entire subnet, or a protocol type,
etc.
Packets belonging to the same flow are then passed to either of two different objects, which implement the traffic regulation:
In practice, pipes can be used to set hard limits to the bandwidth that a flow can use, whereas queues can be used to determine how different flow share the available bandwidth.
The pipe and queue configuration commands are the following:
pipe
number config
pipe-configuration
queue
number
config
queue-configuration
The following parameters can be configured for a pipe:
bw
bandwidth | deviceK
|M
]{bit/s
|Byte/s
}.
A value of 0 (default) means unlimited bandwidth. The unit must immediately follow the number, as in
dnctl pipe 1 config bw
300Kbit/s
If a device name is specified instead of a numeric value, as in
dnctl pipe 1 config bw
tun0
then the transmit clock is supplied by the specified device. At the moment no device supports this functionality.
delay
ms-delayThe following parameters can be configured for a queue:
pipe
pipe_nrweight
weightFinally, the following parameters can be configured for both pipes and queues:
buckets
hash-table-sizemask
mask-specifierdnctl
rule can be further classified into multiple flows, each of which is then
sent to a different dynamic pipe or queue. A flow
identifier is constructed by masking the IP addresses, ports and protocol
types as specified with the mask
options in the
configuration of the pipe or queue. For each different flow identifier, a
new pipe or queue is created with the same parameters as the original
object, and matching packets are sent to it.
Thus, when dynamic pipes are used, each flow
will get the same bandwidth as defined by the pipe, whereas when
dynamic queues are used, each flow will share the
parent's pipe bandwidth evenly with other flows generated by the same
queue (note that other queues with different weights might be connected
to the same pipe).
Available mask specifiers are a combination of one or more of the
following:
dst-ip
mask,
dst-ip6
mask,
src-ip
mask,
src-ip6
mask,
dst-port
mask,
src-port
mask,
proto
mask or
all
,
where the latter means all bits in all fields are significant.
noerror
plr
packet-loss-ratequeue
{slots |
sizeKbytes
}KBytes
. Default value is 50 slots, which is the
typical queue size for Ethernet devices. Note that for slow speed links
you should keep the queue size short or your traffic might be affected by
a significant queueing delay. E.g., 50 max-sized ethernet packets (1500
bytes) mean 600Kbit or 20s of queue on a 30Kbit/s pipe. Even worse effect
can result if you get packets from an interface with a much larger MTU,
e.g. the loopback interface with its 16KB packets.
red
|
gred
w_q/min_th/max_th/max_pThree sysctl(8) variables can be used to control the RED behaviour:
The following options are available:
-a
show
command just implies this option.-f
flush
. If
there is no tty associated with the process, this is implied.-h
-n
-q
add
ing, zero
ing,
resetlog
ging or flush
ing,
be quiet about actions (implies -f
). This is
useful for adjusting rules by executing multiple
dnctl
commands in a script or by processing a file
of many dnctl
rules across a remote login session.
If a flush
is performed in normal (verbose) mode
(with the default kernel configuration), it prints a message. Because all
rules are flushed, the message might not be delivered to the login
session, causing the remote login session to be closed and the remainder
of the ruleset to not be processed. Access to the console would then be
required to recover.-s
[field]-v
To ease configuration, rules can be put into a file which is
processed using dnctl
as shown in the last synopsis
line. An absolute pathname must be used. The file will
be read line by line and applied as arguments to the
dnctl
utility.
Optionally, a preprocessor can be specified using
-p
preproc where
pathname is to be piped through. Useful preprocessors
include cpp(1) and m4(1). If
preproc doesn't start with a slash
(‘/
’) as its first character, the
usual PATH
name search is performed. Care should be
taken with this in environments where not all file systems are mounted (yet)
by the time dnctl
is being run (e.g. when they are
mounted over NFS). Once -p
has been specified, any
additional arguments as passed on to the preprocessor for interpretation.
This allows for flexible configuration files (like conditionalizing them on
the local hostname) and the use of macros to centralize frequently required
arguments like IP addresses.
Here are some important points to consider when designing your rules:
in
and
out
. Most connections need packets going in both
directions.A set of sysctl(8) variables controls the
behaviour of the dummynet
module. These are shown
below together with their default value (but always check with the
sysctl(8) command what value is actually in use) and
meaning:
buckets
option is specified when
configuring a pipe/queue.max_chain_len*hash_size
is used to
determine the threshold over which empty pipes/queues will be expired even
when net.inet.ip.dummynet.expire=0
.The following rules show some of the applications of for simulations and the like by using dummynet rules in pf.conf(8) configuration files.
To drop random incoming IPv4 and IPv6 ICMP packets with a probability of 5%, create a pipe:
dnctl pipe 10 config plr
0.05
and add these rules in your pf.conf file:
dummynet in inet proto icmp all pipe
10
dummynet in inet6 proto ipv6-icmp all
pipe 10
Should we want to simulate a bidirectional link with bandwidth limitations, the correct way is to create a pipe for each direction:
dnctl pipe 1 config bw 14Kbit/s queue
10Kbytes
dnctl pipe 2 config bw 1Kbit/s queue
10Kbytes
and add these rules in your pf.conf file:
dummynet in all pipe 1
dummynet out all pipe 2
The above can be very useful, e.g. if you want to see how your fancy Web page will look for a residential user who is connected only through a slow link. You should not use only one pipe for both directions, unless you want to simulate a half-duplex medium (e.g. AppleTalk, Ethernet, IRDA).
Note that with the above rules the pipes receive traffic for both the IPv4 and IPv6 protocols.
Should we want to verify network performance with the RED queue management algorithm, create this pipe:
dnctl pipe 1 config bw 500Kbit/s
queue 100 red 0.002/30/80/0.1
and then add these rules to you pf.conf file:
dummynet all pipe 1
Another typical application of the traffic shaper is to introduce some delay in the communication. This can significantly affect applications which do a lot of Remote Procedure Calls, and where the round-trip-time of the connection often becomes a limiting factor much more than bandwidth:
dnctl pipe 1 config delay 250ms bw
1Mbit/s
dnctl pipe 2 config delay 250ms bw
1Mbit/s
and add these rules in your pf.conf file:
dummynet in all pipe 1
dummynet out all pipe 2
Per-flow queueing can be useful for a variety of purposes. A very simple one is counting traffic:
dnctl pipe 1 config mask
all
and add these statements in your pf.conf file:
dummynet in quick proto tcp all pipe
1
dummynet out quick proto tcp all pipe
1
dummynet in quick proto udp all pipe
1
dummynet out quick proto udp all pipe
1
dummynet in quick all pipe
1
dummynet out quick all pipe
1
The above set of rules will create queues (and collect statistics)
for all traffic. Because the pipes have no limitations, the only effect is
collecting statistics. Note that we need six rules, not just the last two
one, because when dnctl
tries to match IP packets it
will not consider ports, so we would not see connections on separate ports
as different ones.
cpp(1), dummynet(4), m4(1), ip(4), pfctl(8), pf.conf(5), protocols(5), services(5), sysctl(8)
Ugen J. S. Antsilevich,
Poul-Henning Kamp,
Alex Nash,
Archie Cobbs,
Luigi Rizzo.
API based upon code written by Daniel Boulet for BSDI.
Work on dummynet(4) traffic shaper supported by Akamba Corp.
The dnctl
utility first appeared in
FreeBSD 2.0. dummynet(4) was
introduced in FreeBSD 2.2.8. Stateful extensions
were introduced in FreeBSD 4.0.
August 13, 2002 | Darwin |