From adrian at ucc.gu.uwa.edu.au Sun May 6 20:22:15 2007
From: adrian at ucc.gu.uwa.edu.au (Adrian Chadd)
Date: Sun, 6 May 2007 20:22:15 +0800
Subject: [tech] madako and ipsets
Message-ID: <20070506122215.GB3518@ucc.gu.uwa.edu.au>

I'm doing some uh, 'throughput testing' from an UCC-hosted machine to a WAIX
connected host and I'm not able to push above 30mbit/sec.

It turns out madako's FREENETSIN and FREENETSOUT rulesets are.. well, linearly
evaluated, and this puts a clamp on the throughput. I max out madako's CPU at
~30mbit/sec with a single stream from 203.56.168.1 with whatever it was in the
freenets list.

I placed a specific rule for my /24 at the top of FREENETSIN and FREENETSOUT
and madako can now pass 50mbit/sec without using up all the CPU.

There's two things to do:

* do proper connection marking, so we can pass established flows
  without having to re-evaluate every rule again, and
* use something like ip sets in iptables to store the set of
  freenets ips, not linearly evaluated firewall rulesets.

I'd like to recompile the kernel to include ipset support so I can see what
benefit it has. I'll probably do that in a couple of weeks when I've got my
spare time. Do people mind?

Adrian

From zanchey at ucc.gu.uwa.edu.au Sun May 6 20:25:47 2007
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Sun, 6 May 2007 20:25:47 +0800 (WST)
Subject: [tech] madako and ipsets
In-Reply-To: <20070506122215.GB3518@ucc.gu.uwa.edu.au>
References: <20070506122215.GB3518@ucc.gu.uwa.edu.au>
Message-ID:

On Sun, 6 May 2007, Adrian Chadd wrote:
> There's two things to do:
>
> * do proper connection marking, so we can pass established flows
>   without having to re-evaluate every rule again, and
> * use something like ip sets in iptables to store the set of
>   freenets ips, not linearly evaluated firewall rulesets.

I think you mean three!
* Throw more hardware at the problem

David Adam
zanchey@

From adrian at ucc.gu.uwa.edu.au Sun May 6 20:28:30 2007
From: adrian at ucc.gu.uwa.edu.au (Adrian Chadd)
Date: Sun, 6 May 2007 20:28:30 +0800
Subject: [tech] madako and ipsets
In-Reply-To:
References: <20070506122215.GB3518@ucc.gu.uwa.edu.au>
Message-ID: <20070506122829.GC3518@ucc.gu.uwa.edu.au>

On Sun, May 06, 2007, David Adam wrote:
> On Sun, 6 May 2007, Adrian Chadd wrote:
> > There's two things to do:
> >
> > * do proper connection marking, so we can pass established flows
> >   without having to re-evaluate every rule again, and
> > * use something like ip sets in iptables to store the set of
> >   freenets ips, not linearly evaluated firewall rulesets.
>
> I think you mean three!
>
> * Throw more hardware at the problem

You are a candidate for my O(wtf) T-shirt.

Adrian

From cameron at ucc.asn.au Sun May 6 20:44:40 2007
From: cameron at ucc.asn.au (Cameron Patrick)
Date: Sun, 6 May 2007 20:44:40 +0800
Subject: [tech] madako and ipsets
In-Reply-To:
References: <20070506122215.GB3518@ucc.gu.uwa.edu.au>
Message-ID: <20070506124440.GA7893@mersenne.largestprime.net>

David Adam wrote:
> On Sun, 6 May 2007, Adrian Chadd wrote:
> > There's two things to do:
> >
> > * do proper connection marking, so we can pass established flows
> >   without having to re-evaluate every rule again, and
> > * use something like ip sets in iptables to store the set of
> >   freenets ips, not linearly evaluated firewall rulesets.
>
> I think you mean three!
>
> * Throw more hardware at the problem

I hear Mac Minis are popular for routers.
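The ipset proposal from the first message in this thread, as an added example that is not part of the archived mail and not madako's configuration: a script that reads a linearly evaluated per-prefix chain in iptables-save form and emits the input for `ipset restore` plus the single set-match rule that replaces the list. The chain names come from the thread; the prefixes, the ACCEPT target, the set names and the assumption that each rule has the plain form `-A CHAIN -s|-d PREFIX -j TARGET` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Chain names come from the thread; the
# prefixes (RFC 5737 documentation ranges), the ACCEPT target and the set
# names are constructed.

# Constructed iptables-save excerpt standing in for the real ruleset.
sample_rules() {
cat <<'EOF'
-A FREENETSIN -s 192.0.2.0/24 -j ACCEPT
-A FREENETSIN -s 198.51.100.0/24 -j ACCEPT
-A FREENETSIN -s 203.0.113.0/24 -j ACCEPT
-A FREENETSIN -s 192.0.2.0/24 -j ACCEPT
-A FREENETSIN -p tcp -m tcp --dport 22 -j ACCEPT
-A FREENETSOUT -d 198.51.100.0/24 -j ACCEPT
-A FREENETSOUT -d 203.0.113.0/24 -j ACCEPT
EOF
}

# convertible_rules CHAIN: print "direction prefix target" for rules of the
# exact form "-A CHAIN -s|-d PREFIX -j TARGET"; other rules are skipped.
convertible_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && NF == 6 && $5 == "-j" &&
        ($3 == "-s" || $3 == "-d") {
            dir = ($3 == "-s") ? "src" : "dst"
            print dir, $4, $6
        }'
}

# ipset_restore_input CHAIN SET: text to feed to `ipset restore`, with
# duplicate prefixes dropped.
ipset_restore_input() {
    echo "create $2 hash:net family inet"
    convertible_rules "$1" |
        awk -v set="$2" '!seen[$2]++ { print "add", set, $2 }'
}

# replacement_rule CHAIN SET: the one rule that replaces the list. Fails
# (status 1) when the old rules mix directions or targets, because a single
# set match cannot express that.
replacement_rule() {
    convertible_rules "$1" | awk -v chain="$1" -v set="$2" '
        !(($1 " " $3) in seen) { seen[$1 " " $3] = 1; n++; dir = $1; tgt = $3 }
        END {
            if (n != 1) exit 1
            print "-A", chain, "-m set --match-set", set, dir, "-j", tgt
        }'
}
```

Run as `sample_rules | ipset_restore_input FREENETSIN freenets_in`; rules that do not fit the plain form (the port rule in the sample) are skipped and have to be carried over by hand.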
From adrian at ucc.gu.uwa.edu.au Sun May 6 20:49:30 2007
From: adrian at ucc.gu.uwa.edu.au (Adrian Chadd)
Date: Sun, 6 May 2007 20:49:30 +0800
Subject: [tech] madako and ipsets
In-Reply-To: <20070506124440.GA7893@mersenne.largestprime.net>
References: <20070506122215.GB3518@ucc.gu.uwa.edu.au> <20070506124440.GA7893@mersenne.largestprime.net>
Message-ID: <20070506124930.GD3518@ucc.gu.uwa.edu.au>

On Sun, May 06, 2007, Cameron Patrick wrote:
> > * Throw more hardware at the problem
>
> I hear Mac Minis are popular for routers.

Lol. I'd support a Mac Mini to replace Madako. It'd take
less space, less power, and free up that shiny 2ru case for
another server. Say, a Xen server.

Adrian

From cameron at ucc.asn.au Sun May 6 20:50:57 2007
From: cameron at ucc.asn.au (Cameron Patrick)
Date: Sun, 6 May 2007 20:50:57 +0800
Subject: [tech] madako and ipsets
In-Reply-To: <20070506124930.GD3518@ucc.gu.uwa.edu.au>
References: <20070506122215.GB3518@ucc.gu.uwa.edu.au> <20070506124440.GA7893@mersenne.largestprime.net> <20070506124930.GD3518@ucc.gu.uwa.edu.au>
Message-ID: <20070506125057.GA10793@mersenne.largestprime.net>

Adrian Chadd wrote:
> On Sun, May 06, 2007, Cameron Patrick wrote:
> > > * Throw more hardware at the problem
> >
> > I hear Mac Minis are popular for routers.
>
> Lol. I'd support a Mac Mini to replace Madako. It'd take
> less space, less power, and free up that shiny 2ru case for
> another server. Say, a Xen server.

I'd argue that that's one of the worst possible uses I've heard for a
mac mini in UCC ;-)

Cameron (who wants more non-Windows machines in the clubroom...)

From coxymla at gmail.com Mon May 7 09:51:35 2007
From: coxymla at gmail.com (James Cox)
Date: Mon, 7 May 2007 09:51:35 +0800
Subject: [tech] SNAP -> mussel routing broken in upgrade/fiddle?
Message-ID:

I know there's been some fiddling with madako and various managed switches
lately, and suddenly the 10.11.0.13 SNAP address normally routed to mussel
no longer works.
Coincidence?

Anyway, if this could be reapplied then I'd be very grateful.

[RME] ~Coxy

From splintax at ucc.asn.au Mon May 7 10:00:34 2007
From: splintax at ucc.asn.au (Scott Young)
Date: Mon, 7 May 2007 10:00:34 +0800
Subject: [tech] SNAP -> mussel routing broken in upgrade/fiddle?
In-Reply-To:
References:
Message-ID: <2bc799480705061900o18155381kab129435ea482b98@mail.gmail.com>

Confirming that this happened to me too; I had to disconnect from SNAP on
Saturday afternoon in order to SSH into mussel. IIRC it happened around 5pm?

-- Scott

On 5/7/07, James Cox wrote:
>
> I know there's been some fiddling with madako and various managed switches
> lately, and suddenly the 10.11.0.13 SNAP address normally routed to mussel
> no longer works.
> Coincidence?
>
> Anyway, if this could be reapplied then I'd be very grateful.
>
> [RME] ~Coxy
>

From adrian at ucc.gu.uwa.edu.au Mon May 7 11:13:40 2007
From: adrian at ucc.gu.uwa.edu.au (Adrian Chadd)
Date: Mon, 7 May 2007 11:13:40 +0800
Subject: [tech] SNAP -> mussel routing broken in upgrade/fiddle?
In-Reply-To: <2bc799480705061900o18155381kab129435ea482b98@mail.gmail.com>
References: <2bc799480705061900o18155381kab129435ea482b98@mail.gmail.com>
Message-ID: <20070507031340.GA2132@ucc.gu.uwa.edu.au>

On Mon, May 07, 2007, Scott Young wrote:
> Confirming that this happened to me too; I had to disconnect from SNAP on
> Saturday afternoon in order to SSH into mussel. IIRC it happened around 5pm?

The SNAP VLAN (11) disappeared from Olive's VLAN database and thus the switch
wouldn't carry any traffic for it. I've added the VLAN back.

Adrian

From trs80 at ucc.gu.uwa.edu.au Mon May 7 22:39:13 2007
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Mon, 7 May 2007 22:39:13 +0800 (WST)
Subject: [tech] actinic (the plotter)
Message-ID:

I installed the new (well, mfd 2004) PSU, and it seems happy. I also upgraded
the ram with two 32MB sticks. The print heads are a bit gummed up, but using
them a lot improves the print quality.

--
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /