From owner-freebsd-net@FreeBSD.ORG Sun Oct 31 08:27:05 2004
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 313AF16A4CE; Sun, 31 Oct 2004 08:27:05 +0000 (GMT)
Received: from web13009.mail.yahoo.com (web13009.mail.yahoo.com [216.136.172.90]) by mx1.FreeBSD.org (Postfix) with SMTP id E4D5D43D2D; Sun, 31 Oct 2004 08:27:04 +0000 (GMT) (envelope-from rosey_kc@yahoo.com)
Received: from [202.70.91.5] by web13009.mail.yahoo.com via HTTP; Sun, 31 Oct 2004 01:27:04 PDT
Message-ID: <20041031082704.30632.qmail@web13009.mail.yahoo.com>
Date: Sun, 31 Oct 2004 01:27:04 -0700 (PDT)
From: kamal kc
To: freebsd-net@freebsd.org
Subject: Bridge--using Packet Capture Library(libpcap.a) -- efficiency ?????

I have made a bridge using the Packet Capture Library. I set the two NICs to promiscuous mode and transfer packets between the two packet capture handles.

A piece of the code I use for initializing the packet capture device descriptor:

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/ioctl.h>
    #include <net/bpf.h>
    #include <pcap.h>
    .....
    pcap_t *pd;
    int v;

    /* pcap_open_live() allocates the handle itself; a separate malloc()
       of a pcap_t would only be overwritten and leaked. */
    if ((pd = pcap_open_live(device, BUFFSIZE, 1, 0, errbuf)) == NULL) {
        fprintf(stderr, "pcap_open_live: %s\n", errbuf);
        exit(1);
    }
    /* pd->fd is libpcap-private; pcap_fileno() returns the BPF descriptor. */
    v = 1;
    if (ioctl(pcap_fileno(pd), BIOCIMMEDIATE, &v) < 0) {
        perror("can't set BIOCIMMEDIATE");
        exit(1);
    }
    ..................

Now the problem is efficiency!!!

The RTT for a ping packet to traverse the bridge is at best about 3ms when run as a normal process and about 2ms when run as a daemon. But when setting gateway_enable="YES" in rc.conf the RTT is less than 1 ms (i.e. the FreeBSD box acting as a bridge).

I have a FreeBSD 5.1 box.

I used the Packet Capture Library (libpcap.a) because I could find no other libraries for capturing packets that return the ethernet header as well. Further, I could not find a good usage manual on BPF.

In the above code, setting the TIMEOUT value to 0 also didn't improve the time taken to capture and transmit the packets across the network.

Each packet is processed by a separate thread that is invoked by the main thread listening on the packet capture handle.

++++++++++++++++
So finally: could anyone suggest a way of improving the time delay and making the bridge process packets faster, with improved response time?
Solutions using the Packet Capture Library would be great!!

Thanks in advance,
Kamal
++++++++++++++++++++

From owner-freebsd-net@FreeBSD.ORG Sun Oct 31 09:44:59 2004
Date: Sun, 31 Oct 2004 09:44:17 +0000 (GMT)
From: Robert Watson
To: kamal kc
cc: freebsd-net@freebsd.org
In-Reply-To: <20041031082704.30632.qmail@web13009.mail.yahoo.com>
Subject: Re: Bridge--using Packet Capture Library(libpcap.a) -- efficiency ?????

On Sun, 31 Oct 2004, kamal kc wrote:

> I have made a bridge using the Packet Capture Library. I set the two NICs
> to promiscuous mode and transfer packets between the two packet capture
> handles. A piece of the code I use for initializing the packet capture

Copying every packet into and out of user space, along with the at least two system calls to do each packet, will necessarily be expensive. However, 3ms sounds far too high to me; do you have other processes running (such as tcpdump) that might result in additional context switches?

I have used BPF to do bridging previously with a lot of success; I have some sample code bridging over a tap interface and a TCP socket -- the source (functional but not pretty) is at:

  http://www.watson.org/~robert/freebsd/netbridge/

The only complicated bit is walking through the BPF buffer, where sample code is invaluable. Everything else is very straightforward. If you're doing a bridge, you probably want to set the BPF flag so you don't loop any packets.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research
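Robert's reply above says the only complicated bit is walking the BPF buffer, and that a bridge wants the BPF flag that keeps it from looping packets (presumably BIOCSSEESENT, which controls whether BPF hands you frames the host itself sent; that identification is my assumption, he does not name the flag). libpcap does the buffer walk inside pcap_dispatch(), but code that reads the BPF device directly, as the netbridge sources he links do, has to do it itself. The following C is an added example, not code from the thread or from netbridge: a walker that advances by bh_hdrlen and refuses a record whose caplen would run past the buffer, and the forwarding decision of a small learning bridge that treats a frame whose source MAC lives on the other side as an echo of its own injection. The struct bpf_hdr and BPF_WORDALIGN copies, the BPF_HDR_MIN macro, the MAC addresses, the 64-entry table and the record contents are all constructed for the demonstration; on FreeBSD you would include <net/bpf.h> instead of redefining the header.

```c
/* Added example, not code from the thread or the linked netbridge sources: walking a BPF
 * read buffer, and the forwarding decision of a small learning bridge. struct bpf_hdr and
 * BPF_WORDALIGN copy FreeBSD's <net/bpf.h> layout (assumption) so the file builds anywhere. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/time.h>
/* bh_hdrlen, not sizeof(struct bpf_hdr), says where the captured frame starts. */
struct bpf_hdr { struct timeval bh_tstamp; uint32_t bh_caplen, bh_datalen; uint16_t bh_hdrlen; };
#define BPF_WORDALIGN(x) (((x) + (sizeof(long) - 1)) & ~(sizeof(long) - 1))
#define BPF_HDR_MIN      (offsetof(struct bpf_hdr, bh_hdrlen) + sizeof(uint16_t))
typedef void (*bpf_frame_fn)(const unsigned char *, uint32_t, uint32_t, void *);

/* Walk one read(2) result; returns the records handed to fn. A record whose header or
 * caplen would run past the buffer ends the walk instead of being read out of bounds. */
size_t bpf_walk(const unsigned char *buf, size_t len, bpf_frame_fn fn, void *arg)
{
    size_t off = 0, n = 0;
    while (off < len && len - off >= BPF_HDR_MIN) {
        struct bpf_hdr h = {{0, 0}, 0, 0, 0};
        memcpy(&h, buf + off, BPF_HDR_MIN);   /* fields are in order: a prefix copy is enough */
        if (h.bh_hdrlen < BPF_HDR_MIN || h.bh_hdrlen > len - off ||
            h.bh_caplen > len - off - h.bh_hdrlen)
            break;
        fn(buf + off + h.bh_hdrlen, h.bh_caplen, h.bh_datalen, arg);
        n++;
        off += BPF_WORDALIGN((size_t)h.bh_hdrlen + h.bh_caplen);
    }
    return n;
}

/* Append one record in the kernel's layout (constructed test input); returns 0 if no room. */
size_t bpf_append(unsigned char *buf, size_t cap, size_t len, const unsigned char *frame, uint32_t caplen)
{
    struct bpf_hdr h = {{1099211224, 0}, caplen, caplen, 0};   /* constructed timestamp */
    size_t hdrlen = BPF_WORDALIGN(sizeof h), reclen = BPF_WORDALIGN(hdrlen + caplen);
    if (len > cap || reclen > cap - len) return 0;
    h.bh_hdrlen = (uint16_t)hdrlen;
    memset(buf + len, 0, reclen);
    memcpy(buf + len, &h, sizeof h);
    memcpy(buf + len + hdrlen, frame, caplen);
    return len + reclen;
}
/* Learning bridge. A frame whose source MAC was learned on the other side is our own
 * injection seen again through BPF on that interface (BPF reports locally sent frames
 * unless told not to), so it is dropped rather than looped. No aging is done here. */
#define BR_MAX_MACS 64
struct bridge {
    struct { unsigned char mac[6]; int side; } tab[BR_MAX_MACS];
    size_t n; unsigned forwarded, echoed, local, runt;
};
static int br_lookup(const struct bridge *b, const unsigned char *mac)
{
    for (size_t i = 0; i < b->n; i++)
        if (memcmp(b->tab[i].mac, mac, 6) == 0) return b->tab[i].side;
    return -1;
}
int bridge_decide(struct bridge *b, int side, const unsigned char *f, uint32_t caplen)
{                                                             /* 1 = inject on the other side */
    int where;
    if (caplen < 14) { b->runt++; return 0; }                 /* not even a full Ethernet header */
    where = br_lookup(b, f + 6);                              /* source MAC */
    if (where >= 0 && where != side) { b->echoed++; return 0; }
    if (where < 0 && b->n < BR_MAX_MACS) {                    /* learn the source on this side */
        memcpy(b->tab[b->n].mac, f + 6, 6); b->tab[b->n++].side = side;
    }
    if (br_lookup(b, f) == side) { b->local++; return 0; }    /* destination is already here */
    b->forwarded++;
    return 1;
}

/* Glue and a constructed scenario: h1 and h3 on side 0, h2 on side 1. */
struct walk_ctx { struct bridge *b; int side; size_t inject; };
static void on_frame(const unsigned char *f, uint32_t caplen, uint32_t dlen, void *arg)
{ struct walk_ctx *c = arg; (void)dlen; if (bridge_decide(c->b, c->side, f, caplen)) c->inject++; }
static void mk(unsigned char *f, const unsigned char *dst, const unsigned char *src)
{ memset(f, 0, 60); memcpy(f, dst, 6); memcpy(f + 6, src, 6); f[12] = 0x08; }
struct bridge demo_state;                                     /* filled by demo_bridge() */

int demo_bridge(void)   /* frames the bridge would inject; negative if a walk misbehaves */
{
    static const unsigned char h1[6] = {2,0,0,0,0,1}, h2[6] = {2,0,0,0,0,2}, h3[6] = {2,0,0,0,0,3};
    unsigned char f[60], runt[10] = {0}, a[512], b[512];
    size_t la = 0, lb = 0;
    struct walk_ctx c = { &demo_state, 0, 0 };
    struct bpf_hdr h;
    memset(&demo_state, 0, sizeof demo_state);
    mk(f, h2, h1); la = bpf_append(a, sizeof a, la, f, 60);   /* side 0: h1->h2, crosses */
    mk(f, h1, h3); la = bpf_append(a, sizeof a, la, f, 60);   /* side 0: h3->h1, stays local */
    la = bpf_append(a, sizeof a, la, runt, 10);               /* side 0: runt */
    mk(f, h2, h1); lb = bpf_append(b, sizeof b, lb, f, 60);   /* side 1: our injection, echoed */
    mk(f, h1, h2); lb = bpf_append(b, sizeof b, lb, f, 60);   /* side 1: h2's reply, crosses */
    if (bpf_walk(a, la, on_frame, &c) != 3) return -1;
    c.side = 1;
    if (bpf_walk(b, lb, on_frame, &c) != 2) return -1;
    /* Corrupt the first record's caplen: the walk must stop before on_frame ever runs. */
    memcpy(&h, a, sizeof h); h.bh_caplen = 0x7fffffffu; memcpy(a, &h, sizeof h);
    if (bpf_walk(a, la, on_frame, &c) != 0) return -2;
    return (int)c.inject;
}
```

With libpcap the same decision function slots into the pcap_dispatch() callback and only bpf_walk() becomes unnecessary; the learning table is what stops the h1->h2 frame injected on side 1 from being forwarded straight back to side 0 when BPF reports it there.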
From owner-freebsd-net@FreeBSD.ORG Sun Oct 31 09:47:55 2004
From: Sean Chittenden
To: freebsd-net@freebsd.org
Date: Sun, 31 Oct 2004 01:47:51 -0800
Subject: Irritation regarding precision of ping(8)...

This has long bugged me and tonight I finally snapped and had to do something about it. Example output:

  64 bytes from a.b.c.d: icmp_seq=935 ttl=126 time=33.824 ms
  64 bytes from a.b.c.d: icmp_seq=936 ttl=126 time=29.138 ms
  64 bytes from a.b.c.d: icmp_seq=937 ttl=126 time=28.262 ms
  64 bytes from a.b.c.d: icmp_seq=938 ttl=126 time=29.67 ms
  64 bytes from a.b.c.d: icmp_seq=939 ttl=126 time=30.963 ms
  64 bytes from a.b.c.d: icmp_seq=940 ttl=126 time=30.283 ms
  64 bytes from a.b.c.d: icmp_seq=941 ttl=126 time=29.455 ms

The source of irritation being line seq 930. The time should be 29.670 since we are accurately measuring the precision to the thousands place. On a less scientific basis (and the actual reason this bothered me), not having the trailing zero disrupts the continuity of a stream of ping times.

The attached patch simply fixes the various formatting statements introduced in version 1.2(!!!!) to use %.30f instead of %.3f. It's now possible to see '28.200' ms ping times instead of just '28.2 ms'.

Anyone mind if I commit the attached patch? I'm sure I'm not the only one who's wanted to commit the following.
-sc

(attachment: patch.txt)

Index: ping.c
===================================================================
RCS file: /home/ncvs/src/sbin/ping/ping.c,v
retrieving revision 1.106
diff -u -r1.106 ping.c
--- ping.c	30 Sep 2004 07:35:56 -0000	1.106
+++ ping.c	31 Oct 2004 09:40:35 -0000
@@ -998,7 +998,7 @@
 seq);
 (void)printf(" ttl=%d", ip->ip_ttl);
 if (timing)
-(void)printf(" time=%.3f ms", triptime);
+(void)printf(" time=%.30f ms", triptime);
 if (dupflag)
 (void)printf(" (DUP!)");
 if (options & F_AUDIBLE)
@@ -1293,7 +1293,7 @@
 double avg = tsum / n;
 double vari = tsumsq / n - avg * avg;
 (void)printf(
-"round-trip min/avg/max/stddev = %.3f/%.3f/%.3f/%.3f ms\n",
+"round-trip min/avg/max/stddev = %.30f/%.30f/%.30f/%.30f ms\n",
 tmin, avg, tmax, sqrt(vari));
 }

-- 
Sean Chittenden

From owner-freebsd-net@FreeBSD.ORG Sun Oct 31 10:39:46 2004
Message-ID: <4184C0D1.9040707@mac.com>
Date: Sun, 31 Oct 2004 05:39:13 -0500
From: Chuck Swiger
Organization: The Courts of Chaos
To: Sean Chittenden
cc: freebsd-net@freebsd.org
Subject: Re: Irritation regarding precision of ping(8)...

Sean Chittenden wrote:
[ ...cleaning up ping's output... ]
> Anyone mind if I commit the attached patch? I'm sure I'm not the only
> one who's wanted to commit the following. -sc

Yay! By all means, please commit this change.

-- 
-Chuck

From owner-freebsd-net@FreeBSD.ORG Sun Oct 31 11:06:14 2004
Date: Sun, 31 Oct 2004 22:05:56 +1100 (EST)
From: Bruce Evans
To: Sean Chittenden
cc: freebsd-net@FreeBSD.org
Message-ID: <20041031214441.Q15594@delplex.bde.org>
Subject: Re: Irritation regarding precision of ping(8)...

On Sun, 31 Oct 2004, Sean Chittenden wrote:

> This has long bugged me and tonight I finally snapped and had to do
> something about it. Example output:
>
> 64 bytes from a.b.c.d: icmp_seq=935 ttl=126 time=33.824 ms
> 64 bytes from a.b.c.d: icmp_seq=936 ttl=126 time=29.138 ms
> 64 bytes from a.b.c.d: icmp_seq=937 ttl=126 time=28.262 ms
> 64 bytes from a.b.c.d: icmp_seq=938 ttl=126 time=29.67 ms
> 64 bytes from a.b.c.d: icmp_seq=939 ttl=126 time=30.963 ms
> 64 bytes from a.b.c.d: icmp_seq=940 ttl=126 time=30.283 ms
> 64 bytes from a.b.c.d: icmp_seq=941 ttl=126 time=29.455 ms
>
> The source of irritation being line seq 930. The time should be 29.670
> since we are accurately measuring the precision to the thousands place.

I think you mean line seq 938.

This seems to be a local bug in printf. The correct format for printing 3 digits after the decimal point (%.3f) is already used, and printf of 29.67 with format %.3f gives 29.67 here.

% Index: ping.c
% ===================================================================
% RCS file: /home/ncvs/src/sbin/ping/ping.c,v
% retrieving revision 1.106
% diff -u -r1.106 ping.c
% --- ping.c	30 Sep 2004 07:35:56 -0000	1.106
% +++ ping.c	31 Oct 2004 09:40:35 -0000
% @@ -998,7 +998,7 @@
%  seq);
%  (void)printf(" ttl=%d", ip->ip_ttl);
%  if (timing)
% -(void)printf(" time=%.3f ms", triptime);
% +(void)printf(" time=%.30f ms", triptime);
%  if (dupflag)
%  (void)printf(" (DUP!)");
%  if (options & F_AUDIBLE)

%.30f is a horribly wrong format. It gives 30 digits after the decimal point, and inexact representation of 0.001 gives garbage nonzero digits for about half of the extra 27.

%
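Review bot: the "%.30f" in the replaced line "(void)printf(" time=%.30f ms", triptime);" asks for 30 fractional digits of a double, far beyond what the value carries, so every RTT would print as roughly 35 characters of mostly conversion noise; the original "%.3f" is already the right specifier, since a conforming printf renders 29.67 as "29.670" with it, so the missing trailing zero in the sample output comes from the libc that produced it, not from the format string. Suggest dropping this hunk rather than changing the precision.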
% @@ -1293,7 +1293,7 @@
%  double avg = tsum / n;
%  double vari = tsumsq / n - avg * avg;
%  (void)printf(
% -"round-trip min/avg/max/stddev = %.3f/%.3f/%.3f/%.3f ms\n",
% +"round-trip min/avg/max/stddev = %.30f/%.30f/%.30f/%.30f ms\n",
%  tmin, avg, tmax, sqrt(vari));
%  }
%

This part also has some style bugs.

Bruce
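Review bot: same problem as the per-packet line, four times over: with "%.30f/%.30f/%.30f/%.30f" the min/avg/max/stddev summary becomes well over 140 characters of binary-conversion noise and no longer fits an 80-column terminal, and the replacement string is also longer than the line it replaces. Keep "%.3f" in all four conversions; the zero-padding the commit message asks for is already what "%.3f" does.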
From owner-freebsd-net@FreeBSD.ORG Sun Oct 31 11:28:50 2004
Message-Id: <05DE5D1C-2B30-11D9-8420-000A95C705DC@chittenden.org>
In-Reply-To: <20041031214441.Q15594@delplex.bde.org>
From: Sean Chittenden
To: Bruce Evans
cc: freebsd-net@FreeBSD.org
Date: Sun, 31 Oct 2004 03:28:44 -0800
Subject: Re: Irritation regarding precision of ping(8)...

>> This has long bugged me and tonight I finally snapped and had to do
>> something about it. Example output:
>>
>> 64 bytes from a.b.c.d: icmp_seq=935 ttl=126 time=33.824 ms
>> 64 bytes from a.b.c.d: icmp_seq=936 ttl=126 time=29.138 ms
>> 64 bytes from a.b.c.d: icmp_seq=937 ttl=126 time=28.262 ms
>> 64 bytes from a.b.c.d: icmp_seq=938 ttl=126 time=29.67 ms
>> 64 bytes from a.b.c.d: icmp_seq=939 ttl=126 time=30.963 ms
>> 64 bytes from a.b.c.d: icmp_seq=940 ttl=126 time=30.283 ms
>> 64 bytes from a.b.c.d: icmp_seq=941 ttl=126 time=29.455 ms
>>
>> The source of irritation being line seq 930. The time should be 29.670
>> since we are accurately measuring the precision to the thousands place.
>
> I think you mean line seq 938.

Yeah... my eyes are getting blurry... the 8 and 0 look similar at the moment... probably a good sign I should stop and crash for the night.

> This seems to be a local bug in printf. The correct format for printing
> 3 digits after the decimal point (%.3f) is already used, and printf of
> 29.67 with format %.3f gives 29.67 here.

Inclined to agree with you... while poking at this I started to get desperate and something tickled the back of my mind about needing a trailing '0' to cause it to zero-pad data to the right. But it looks like this has long since been fixed (accidentally tested in an old 4.x tree). OS X has the same bug (so I chased it to FreeBSD to fix, hoping Apple picks up the fix), but it looks like 5.3 (maybe 5.2 too) has this fixed. Please disregard.
Must remember to test more before posting, esp. late at night. *blush*

-sc

-- 
Sean Chittenden

From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 00:27:02 2004
Date: Sun, 31 Oct 2004 16:26:48 -0800
From: Bruce M Simpson
To: freebsd-net@FreeBSD.org
Message-ID: <20041101002648.GB715@empiric.icir.org>
Subject: TCP future: SACK plus DCR = better TCP over 802.11?

This looks promising:

  http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcp-dcr-01.txt

Sounds as if it has been prototyped under the Linux stack. I will try to find out more.

Regards,
BMS

From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 02:23:46 2004
To: Bruce M Simpson
From: Mark Allman
Reply-To: mallman@icir.org
cc: freebsd-net@freebsd.org
Organization: ICSI Center for Internet Research (ICIR)
In-Reply-To: <20041101002648.GB715@empiric.icir.org>
Message-Id: <20041101022344.5E9521F5B18@lawyers.icir.org>
Date: Sun, 31 Oct 2004 21:23:44 -0500
Subject: Re: TCP future: SACK plus DCR = better TCP over 802.11?

> This looks promising:
> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcp-dcr-01.txt
>
> Sounds as if it has been prototyped under the Linux stack. I will
> try to find out more.

Ethan Blanton and I have started working with these folks and we are going to soon have a new i-d out. We are renaming it "NCR" for non-congestion response. The basic idea remains as it is now. But, we're planning to specify things a bit more tightly and nail down some of the remaining corners. I'll try to remember to post a link to the i-d when it gets issued. (Hopefully this will happen in a couple weeks -- right after i-d submission opens after the IETF meeting in DC.)
Thanks,
allman

-- 
Mark Allman -- ICIR -- http://www.icir.org/mallman/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQFBhZ4wWyrrWs4yIs4RAjRFAJ92EuADiCP10yU9xzmXEXMFQugGSwCdF9V3
XR7jEOGTOQbe4iYuYRA8aiQ=
=Nn6L
-----END PGP SIGNATURE-----

From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 02:43:44 2004
Message-ID: <429af92e04103118435b35f235@mail.gmail.com>
Date: Sun, 31 Oct 2004 18:43:42 -0800
From: Vincent Poy
To: Ari Suutari, Andre Oppermann, freebsd-net@freebsd.org, freebsd-current@freebsd.org
In-Reply-To: <200410300927.51286.ari@suutari.iki.fi>
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong

I am experiencing the same problem as well when I updated from a March 6, 2004 -CURRENT to the October 19, 2004 -CURRENT. The problem still exists with the October 27, 2004 -CURRENT. I'm using ipfw/dummynet for outgoing queues with the ACK packets having the highest priority in their own queue. However, it seems like while the queues are there, the information in "ipfw queue show" doesn't update at all, as the source and destination IP are still the same as the first packet after bootup while the counters change, but the ACK packets are not sent on their own queue but rather with all other packets. I know it is related to pfil_hook, when ipfw was converted.

Cheers,
Vince

On Sat, 30 Oct 2004 09:27:50 +0300, Ari Suutari wrote:
> Hi,
>
> I noticed that the processing order of ipsec and ipfw (pfil_hook) is not
> correct for outgoing packets. Currently, ipsec processing is done first,
> which makes packets go through without firewall inspection.
> This might be a security problem for someone, but at least it
> breaks stateful rule handling.
>
> My test setup is (all freebsd 5.3-rc1 machines):
>
> freebsd laptop <-> ipsec tunnel <-> freebsd server
>
> When server sends packet to laptop, it now goes like this:
>
> ip_output -> ipsec -> ip_output -> ipfw -> network
>
> It should go like this:
>
> ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network
>
> I think that this could be fixed by just moving pfil_hook
> processing in ip_output before ipsec processing.
>
> Ari S.

From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 07:36:34 2004
Message-ID: <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com>
From: "Ari Suutari"
To: "Vincent Poy", "Andre Oppermann"
References: <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com>
Date: Mon, 1 Nov 2004 09:35:58 +0200
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong

Hi,

> I am experiencing the same problem as well when I updated from a March
> 6, 2004 -CURRENT to the October 19, 2004 -CURRENT. The problem still
> exists with the October 27, 2004 -CURRENT. I'm using ipfw/dummynet
> for outgoing queues with the ACK packets having the highest priority
> in their own queue. However, it seems like while the queues are there,
> the information in "ipfw queue show" doesn't update at all, as the source
> and destination IP are still the same as the first packet after bootup
> while the counters change, but the ACK packets are not sent on their own
> queue but rather with all other packets. I know it is related to
> pfil_hook, when ipfw was converted.

This is not related to the pfil_hook conversion. The problem is also present in FreeBSD 4.x-STABLE (just tested it).

I think that the history of ipfw and ipsec interaction goes like this:

- In the very beginning, a packet that was processed by ipsec didn't hit ipfw at all in unencrypted form, ie. one was able to filter esp and ah protocols only.
- Someone fixed this, apparently for incoming packets only, but some folks were upset by the fact that they would have to add a rule for unencrypted protocols into ipfw. At that time (in ipfw1), there was no possibility to check that an unencrypted packet actually came from ipsec (ie. the ipfw ipsec flag wasn't implemented).

- The IPSEC_FILTERGIF option was added. If set, incoming packets go through ipfw twice (encrypted and unencrypted). If not set, packets go to ipfw only once (encrypted).

Currently outgoing packets are always processed as if IPSEC_FILTERGIF was not set (I like to have it set, because I need quite fine-grained firewalling even inside my ipsec tunnels, which are between different companies).

What I was suggesting (ie. moving pfil_hook processing in ip_output before the ipsec stuff) wasn't really correct: this change should be conditional on the IPSEC_FILTERGIF setting. The change I described should be done only when IPSEC_FILTERGIF is set.

Now, ip_output is quite a central part of the ip stack. I would be happy if someone who knows that part better than me could implement this (I can surely test it easily).

Ari S.

> Cheers,
> Vince
>
> On Sat, 30 Oct 2004 09:27:50 +0300, Ari Suutari wrote:
>> Hi,
>>
>> I noticed that the processing order of ipsec and ipfw (pfil_hook) is not
>> correct for outgoing packets. Currently, ipsec processing is done first,
>> which makes packets go through without firewall inspection.
>> This might be a security problem for someone, but at least it
>> breaks stateful rule handling.
>>
>> My test setup is (all freebsd 5.3-rc1 machines):
>>
>> freebsd laptop <-> ipsec tunnel <-> freebsd server
>>
>> When server sends packet to laptop, it now goes like this:
>>
>> ip_output -> ipsec -> ip_output -> ipfw -> network
>>
>> It should go like this:
>>
>> ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network
>>
>> I think that this could be fixed by just moving pfil_hook
>> processing in ip_output before ipsec processing.
>>
>> Ari S.
From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 07:45:26 2004
Message-ID: <018a01c4bfe6$bea23020$2508473e@sad.syncrontech.com>
From: "Ari Suutari" To: "Joost Bekkers" References: <200410300927.51286.ari@suutari.iki.fi> <20041030214212.GA1737@bps.jodocus.org> Date: Mon, 1 Nov 2004 09:45:18 +0200 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 cc: freebsd-net@freebsd.org Subject: Re: ipfw and ipsec processing order for outgoing packets wrong X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Nov 2004 07:45:26 -0000

Hi,

> I've been pondering the same issue and am currently running 5.3-R modified
> in the way you've described. (diff at http://jodocus.org/ipsec-pfil.diff
> I'm not an experienced kernel-hacker, so use at own risk)

Great, I'll have to try this.

> For IPSEC this also means that the resulting ESP and AH packets don't
> traverse the firewall when leaving the system. (at least if I read the
> code correctly; not tested)

Yes, it looks like that with kame ipsec one should leave the original
pfil_hook code *also* in place. Maybe something like

ip_output()
{
#if defined (IPSEC) || defined(FAST_IPSEC)
    pfil_hooks()
#endif
#ifdef IPSEC
    kame_ipsec_stuff()
#endif
#ifdef FAST_IPSEC
    fast_ipsec_stuff()
#endif
#ifndef FAST_IPSEC
    pfil_hooks()
#endif
}

Ari S.
From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 09:32:43 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 02CD216A4CE for ; Mon, 1 Nov 2004 09:32:43 +0000 (GMT) Received: from amsfep18-int.chello.nl (amsfep18-int.chello.nl [213.46.243.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2075443D2F for ; Mon, 1 Nov 2004 09:32:42 +0000 (GMT) (envelope-from joost@jodocus.org) Received: from bps.jodocus.org ([80.57.157.16]) by amsfep18-int.chello.nl ESMTP <20041101093240.KUSU26310.amsfep18-int.chello.nl@bps.jodocus.org>; Mon, 1 Nov 2004 10:32:40 +0100 Received: from jodocus.org (localhost [127.0.0.1]) by bps.jodocus.org (8.13.1/8.13.1) with ESMTP id iA19Wdj1034711; Mon, 1 Nov 2004 10:32:39 +0100 (CET) (envelope-from joost@jodocus.org) Received: (from joost@localhost) by jodocus.org (8.13.1/8.13.1/Submit) id iA19WdAr034710; Mon, 1 Nov 2004 10:32:39 +0100 (CET) (envelope-from joost) Date: Mon, 1 Nov 2004 10:32:39 +0100 
From: Joost Bekkers To: Ari Suutari Message-ID: <20041101093239.GA34571@bps.jodocus.org> Mail-Followup-To: Joost Bekkers , Ari Suutari , freebsd-net@freebsd.org References: <200410300927.51286.ari@suutari.iki.fi> <20041030214212.GA1737@bps.jodocus.org> <018a01c4bfe6$bea23020$2508473e@sad.syncrontech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <018a01c4bfe6$bea23020$2508473e@sad.syncrontech.com> User-Agent: Mutt/1.4.2.1i cc: freebsd-net@freebsd.org Subject: Re: ipfw and ipsec processing order for outgoing packets wrong X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Nov 2004 09:32:43 -0000

On Mon, Nov 01, 2004 at 09:45:18AM +0200, Ari Suutari wrote:
> Hi,
>
> ip_output()
> {
> #if defined (IPSEC) || defined(FAST_IPSEC)
>     pfil_hooks()
> #endif
> #ifdef IPSEC
>     kame_ipsec_stuff()
> #endif
> #ifdef FAST_IPSEC
>     fast_ipsec_stuff()
> #endif
> #ifndef FAST_IPSEC
>     pfil_hooks()
> #endif
>

But that gives us 2 blocks of identical code to maintain. To me that doesn't
seem The Right Way(tm), but I haven't yet thought of a way that is better.

I also noticed my patch violates pola if you are not using IPSEC_FILTERGIF
because then things should remain as they were.
-- greetz Joost joost@jodocus.org From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 09:42:56 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA87C16A4CE for ; Mon, 1 Nov 2004 09:42:56 +0000 (GMT) Received: from relay03.pair.com (relay03.pair.com [209.68.5.17]) by mx1.FreeBSD.org (Postfix) with SMTP id 1AE6843D49 for ; Mon, 1 Nov 2004 09:42:56 +0000 (GMT) (envelope-from silby@silby.com) Received: (qmail 53596 invoked from network); 1 Nov 2004 09:42:53 -0000 Received: from niwun.pair.com (HELO localhost) (209.68.2.70) by relay03.pair.com with SMTP; 1 Nov 2004 09:42:53 -0000 X-pair-Authenticated: 209.68.2.70 Date: Mon, 1 Nov 2004 03:42:52 -0600 (CST) 
From: Mike Silbersack To: Ollie Cook In-Reply-To: <20041029123506.GG19662@mutare.noc.clara.net> Message-ID: <20041101033406.A37052@odysseus.silby.com> References: <20041029123506.GG19662@mutare.noc.clara.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed cc: freebsd-net@freebsd.org Subject: Re: Efficient copying between sockets X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Nov 2004 09:42:56 -0000

On Fri, 29 Oct 2004, Ollie Cook wrote:

> Good afternoon,
>
> I am currently writing a potentially high bandwidth (think fileserver)
> application which will proxy data from one PF_INET socket to another (no
> reason it has to be PF_INET, but that's how the application stands).

> In actual fact, I know in advance exactly how many bytes need to be copied
> from one socket to the other, so if there was any way of doing something
> like:
>
> socket_redirect(sock_src, sock_dst, bytes_to_copy);
>
> it would be ideal. However I'd be very surprised if such a trivial way to
> do that did actually exist.
>
> If anyone has any advice at all on a more efficient way to copy data
> between sockets I'd be very glad to hear about it. The software is very
> much prototype at the moment, but I'd like to make it as efficient as
> possible from the beginning and this seems like a prime area for
> optimisation.

Splicing bytes from one socket's buffer to another socket's buffer should
be relatively simple to do inside the kernel, but I don't think it's
implemented anywhere at this point in time.

If you really need that functionality, the best place to do it would
probably be in sendfile; you could just extend it so that if two sockets
are passed to it instead of a socket and file, it would do what you've
described above.

Tell us how it works out.
:) Mike "Silby" Silbersack From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 10:05:06 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0576916A4CF for ; Mon, 1 Nov 2004 10:05:06 +0000 (GMT) Received: from poison2.syncrontech.com (adsl-nat.syncrontech.com [213.28.98.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id A91FB43D5D for ; Mon, 1 Nov 2004 10:05:04 +0000 (GMT) (envelope-from ari@suutari.iki.fi) Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.57])iA1A4u0d030251; Mon, 1 Nov 2004 12:05:00 +0200 (EET) (envelope-from ari@suutari.iki.fi) Received: from coffee (coffee.syncrontech.com [62.71.8.37]) iA1A4tc6031082; Mon, 1 Nov 2004 12:04:55 +0200 (EET) (envelope-from ari@suutari.iki.fi) Message-ID: <02a901c4bffa$3c8a91e0$2508473e@sad.syncrontech.com> 
From: "Ari Suutari" To: "Joost Bekkers" References: <200410300927.51286.ari@suutari.iki.fi> <20041030214212.GA1737@bps.jodocus.org> <018a01c4bfe6$bea23020$2508473e@sad.syncrontech.com> <20041101093239.GA34571@bps.jodocus.org> Date: Mon, 1 Nov 2004 12:04:49 +0200 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 cc: freebsd-net@freebsd.org Subject: Re: ipfw and ipsec processing order for outgoing packets wrong X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Nov 2004 10:05:06 -0000 Hi, > But that gives us 2 blocks of identical code to maintain. To me that > doesn't > seem The Right Way(tm), but I haven't yet thought of a way that is better. My pseudo-code was more trying to point out the needed functionality. I wouldn't say either that just copying and pasting the similar block of code to two places is an optimal solution. Ari S. 
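Editor's added example, not from any message in this archive: the user-space baseline for the socket-to-socket proxy Ollie Cook asks about in the "Efficient copying between sockets" thread above, which is exactly what a kernel-side splice (the sendfile(2) extension Mike Silbersack suggests) would replace. It copies the known byte count and no more, so that bytes belonging to the next message stay in the source socket, and it handles short reads, short writes and EINTR, which a naive read/write loop gets wrong. The helper names, the 8 KiB buffer and the sample payload in the self-test are the editor's own choices.

```c
/* Added example (editor's, not from the thread): user-space socket-to-socket
 * copy of exactly `want` bytes. This is the baseline a kernel splice would
 * replace; here every byte crosses a user buffer once. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Write all `len` bytes to fd, retrying after short writes and EINTR.
 * Returns 0 on success, -1 on error (errno left as set by write(2)). */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Copy exactly `want` bytes from src to dst and return how many were copied.
 * Reads are capped at the remaining count so bytes after the message stay in
 * src for whoever parses the next one. A result below `want` means early EOF
 * (errno 0) or a failed read/write (errno set). */
ssize_t copy_n_bytes(int src, int dst, size_t want)
{
    char buf[8192];                 /* assumed chunk size; tune to socket buffers */
    size_t done = 0;

    while (done < want) {
        size_t chunk = want - done;
        if (chunk > sizeof buf)
            chunk = sizeof buf;
        ssize_t n = read(src, buf, chunk);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            break;
        }
        if (n == 0) {               /* peer closed before `want` bytes arrived */
            errno = 0;
            break;
        }
        if (write_all(dst, buf, (size_t)n) < 0)
            break;
        done += (size_t)n;
    }
    return (ssize_t)done;
}

/* Self-check on constructed data: a "client" socketpair feeds a 16-byte
 * message followed by 8 bytes of the next message; the proxy must forward
 * exactly the first 16 and leave the trailer unread. Returns 1 on success. */
int copy_n_bytes_selftest(void)
{
    static const char msg[] = "0123456789abcdef";    /* constructed sample */
    static const char next[] = "LEFTOVER";          /* must stay in src */
    const size_t mlen = sizeof msg - 1, nlen = sizeof next - 1;
    int in[2], out[2];
    char got[64], rest[64];
    int ok = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, in) < 0)
        return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, out) < 0) {
        close(in[0]);
        close(in[1]);
        return 0;
    }
    if (write_all(in[0], msg, mlen) == 0 && write_all(in[0], next, nlen) == 0) {
        ssize_t copied = copy_n_bytes(in[1], out[0], mlen);
        ssize_t ngot = read(out[1], got, sizeof got);
        ssize_t nrest = read(in[1], rest, sizeof rest);
        ok = copied == (ssize_t)mlen &&
             ngot == (ssize_t)mlen && memcmp(got, msg, mlen) == 0 &&
             nrest == (ssize_t)nlen && memcmp(rest, next, nlen) == 0;
    }
    close(in[0]);
    close(in[1]);
    close(out[0]);
    close(out[1]);
    return ok;
}
```

The cap on each read is the part worth copying: a proxy that reads "as much as is available" will swallow the start of the following message when the sender pipelines, and the caller then has to stitch it back. Everything else in the loop is the usual partial-I/O discipline; the kernel splice Mike describes would remove the user buffer and the two copies, not the need for an exact byte count.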
From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 10:06:38 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0242416A4CE for ; Mon, 1 Nov 2004 10:06:38 +0000 (GMT) Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id C621143D31 for ; Mon, 1 Nov 2004 10:06:37 +0000 (GMT) (envelope-from brdavis@odin.ac.hmc.edu) Received: from odin.ac.hmc.edu (localhost.localdomain [127.0.0.1]) by odin.ac.hmc.edu (8.13.0/8.13.0) with ESMTP id iA1A6fWd017464; Mon, 1 Nov 2004 02:06:41 -0800 Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.13.0/8.13.0/Submit) id iA1A6f6V017463; Mon, 1 Nov 2004 02:06:41 -0800 Date: Mon, 1 Nov 2004 02:06:41 -0800 
From: Brooks Davis To: Mike Silbersack Message-ID: <20041101100641.GB13309@odin.ac.hmc.edu> References: <20041029123506.GG19662@mutare.noc.clara.net> <20041101033406.A37052@odysseus.silby.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="2B/JsCI69OhZNC5r" Content-Disposition: inline In-Reply-To: <20041101033406.A37052@odysseus.silby.com> User-Agent: Mutt/1.4.1i X-Virus-Scanned: by amavisd-new X-Spam-Status: No, hits=0.0 required=8.0 tests=none autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on odin.ac.hmc.edu cc: Ollie Cook cc: freebsd-net@freebsd.org Subject: Re: Efficient copying between sockets X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Nov 2004 10:06:38 -0000

--2B/JsCI69OhZNC5r
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Nov 01, 2004 at 03:42:52AM -0600, Mike Silbersack wrote:
>
> On Fri, 29 Oct 2004, Ollie Cook wrote:
>
> >Good afternoon,
> >
> >I am currently writing a potentially high bandwidth (think fileserver)
> >application which will proxy data from one PF_INET socket to another (no
> >reason it has to be PF_INET, but that's how the application stands).
>
> >In actual fact, I know in advance exactly how many bytes need to be copied
> >from one socket to the other, so if there was any way of doing something
> >like:
> >
> > socket_redirect(sock_src, sock_dst, bytes_to_copy);
> >
> >it would be ideal. However I'd be very surprised if such a trivial way to
> >do that did actually exist.
> >
> >If anyone has any advice at all on a more efficient way to copy data
> >between sockets I'd be very glad to hear about it. The software is very
> >much prototype at the moment, but I'd like to make it as efficient as
> >possible from the beginning and this seems like a prime area for
> >optimisation.
>
> Splicing bytes from one socket's buffer to another socket's buffer should
> be relatively simple to do inside the kernel, but I don't think it's
> implemented anywhere at this point in time.
>
> If you really need that functionality, the best place to do it would
> probably be in sendfile; you could just extend it so that if two sockets
> are passed to it instead of a socket and file, it would do what you've
> described above.

I've thought about this on and off and think there's a good case for such
a service, however, the sendfile API is a bit too focused for some of the
things you might want to do. I would encourage any interested person to do
a socket->socket or file->file version[0] with sendfile since it's already
there and both cases would be useful, but I think an API that allows you to
specify multiple pairs is necessary in the general case. Think of netcat
where you want to hook stdin and stdout to a socket.

-- Brooks

[0] think cp(1) in five syscalls (open, open, sendfile, close, close).

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --2B/JsCI69OhZNC5r Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFBhgqwXY6L6fI4GtQRAi5GAJ91L7zIUjTJ5eFeI89inv3PECyQdACfd6C5 3tuIB4/TIdLbpAI2xAJisMc= =sAXS -----END PGP SIGNATURE----- --2B/JsCI69OhZNC5r-- From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 10:11:51 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF2F816A4CE for ; Mon, 1 Nov 2004 10:11:51 +0000 (GMT) Received: from mutare.noc.clara.net (mutare.noc.clara.net [195.8.70.95]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F5A243D46 for ; Mon, 1 Nov 2004 10:11:51 +0000 (GMT) (envelope-from ollie@mutare.noc.clara.net) Received: from ollie by mutare.noc.clara.net with local (Exim 4.43) id 1COZA5-000Hqz-Ds for freebsd-net@freebsd.org; Mon, 01 Nov 2004 10:11:41 +0000 Date: Mon, 1 Nov 2004 10:11:41 +0000 
From: Ollie Cook To: freebsd-net@freebsd.org Message-ID: <20041101101141.GK19662@mutare.noc.clara.net> References: <20041029123506.GG19662@mutare.noc.clara.net> <20041101033406.A37052@odysseus.silby.com> <20041101100641.GB13309@odin.ac.hmc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20041101100641.GB13309@odin.ac.hmc.edu> User-Agent: Mutt/1.4.1i X-Operating-System: FreeBSD 4.10-STABLE i386 X-NCC-RegID: uk.claranet Sender: Ollie Cook Subject: Re: Efficient copying between sockets X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Nov 2004 10:11:52 -0000 Thank you all for your advice. I'll look into netgraph(4) and sendfile(2). If I have anything worth sharing after I've played, I'll follow-up here. Thanks again. Ollie -- Ollie Cook Systems Architect, Claranet UK ollie@uk.clara.net +44 20 7685 8065 From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 10:16:44 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CEBC916A4CF for ; Mon, 1 Nov 2004 10:16:44 +0000 (GMT) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B53D43D76 for ; Mon, 1 Nov 2004 10:16:43 +0000 (GMT) (envelope-from vincepoy@gmail.com) Received: by rproxy.gmail.com with SMTP id 79so122441rnk for ; Mon, 01 Nov 2004 02:16:42 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=OIMXm/F7s+zHqKPDd5T9Ye1gtRbEALIg20gM+JjnGK7hrKcwvx7OULiUFup8IWbN2qZMQSI7cqhv1kBWxFr93LFe2TuVPZSylo6VxcTuqsuqEYyEVcwou8bNbfIRcrym5GQFJiJYU/OtbAu3qt79MnjefmPQGPNOY4RLCjB+Q3U= 
Received: by 10.38.150.78 with SMTP id x78mr646511rnd; Mon, 01 Nov 2004 02:16:42 -0800 (PST) Received: by 10.38.14.49 with HTTP; Mon, 1 Nov 2004 02:16:42 -0800 (PST) Message-ID: <429af92e041101021638e8598e@mail.gmail.com> Date: Mon, 1 Nov 2004 02:16:42 -0800 
From: Vincent Poy To: Ari Suutari In-Reply-To: <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com> <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> cc: freebsd-net@freebsd.org cc: freebsd-current@freebsd.org cc: Andre Oppermann cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw and ipsec processing order for outgoing packets wrong X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Vincent Poy List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Nov 2004 10:16:45 -0000

Hi,

I don't know how to explain my problem but it goes something like this...

root@bigbang [2:05am][/home/vince] >> ipfw show
00049     1557131    244839199 skipto 100 ip from 208.201.244.224/29 to any
00050 12072800468 917651580916 divert 8668 ip from any to any via xl0
00100       69518      8548222 allow ip from any to any via lo0
00200           0            0 deny ip from any to 127.0.0.0/8
00300           0            0 deny ip from 127.0.0.0/8 to any
63000           0            0 allow ip from any to 10.0.0.0/8 out
63001           0            0 allow ip from any to 172.16.0.0/12 out
63002         312        16048 allow ip from any to 192.168.0.0/16 out
63003       24237      2952214 allow ip from any to 208.201.244.224/29 out
63004      667879    129410867 queue 1 tcp from any to any tcpflags ack out
63005           1           40 queue 2 tcp from any to any dst-port 22,23 out
63006       38782      3364689 queue 2 udp from any to any not dst-port 80,443 out
63007       43021      2194871 queue 3 ip from any to any dst-port 80,443 out
63008        5467       405319 queue 4 ip from any to any out
65000     1795325    424479044 allow ip from any to any
65535           0            0 deny ip from any to any

The counters for queue 1 keep increasing when I do a ftp out even for
non-ACK packets but the other counters for queue 2-4 don't move at
all so it seems like everything is going out one queue instead of what
the rules actually say. I have one pipe configured as 480Kbit/sec
which is what rules 63005-63008 do. ipfw pipe show and ipfw queue
show would seem normal except the Source IP and Destination IP are stuck
with the first processed queue's information while only the counters for
queue 1 update.

root@bigbang [2:12am][/home/vince] >> ipfw pipe show
00001: 480.000 Kbit/s    0 ms  50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 100 pipe 1  50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  208.201.244.226/3748  205.188.179.233/5190  673549 137223155  0    0 2303
q00002: weight 66 pipe 1  50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 udp  208.201.244.225/1026  208.201.224.11/53      40022   3470523  0    0    0
q00003: weight 33 pipe 1  50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  208.201.244.226/3750  199.181.132.105/80     43058   2196795  0    0    0
q00004: weight 1 pipe 1  50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  208.201.244.226/3748  205.188.179.233/5190    5492    407173  0    0    0

root@bigbang [2:12am][/home/vince] >> ipfw queue show
q00001: weight 100 pipe 1  50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  208.201.244.226/3748  205.188.179.233/5190  673550 137223195  0    0 2303
q00002: weight 66 pipe 1  50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 udp  208.201.244.225/1026  208.201.224.11/53      40025   3470881  0    0    0
q00003: weight 33 pipe 1  50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  208.201.244.226/3750  199.181.132.105/80     43058   2196795  0    0    0
q00004: weight 1 pipe 1  50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  208.201.244.226/3748  205.188.179.233/5190    5493    407225  0    0    0

I don't know how else I would test this.

Cheers,
Vince

On Mon, 1 Nov 2004 09:35:58 +0200, Ari Suutari wrote: > >I am experiencing the same problem as well when I updated from a March > > 6, 2004 -CURRENT to the October 19, 2004 -CURRENT. The problem still > > exists with the October 27, 2004 -CURRENT. I'm using ipfw/dummynet > > for outgoing queues with the ACK packets having the highest priority > > in it's own queue. However, it seems like while the queues are there, > > the information on ipfw queue show doesn't update at all as the Source > > and Destination IP is still the same as the first packet after bootup > > while the counters change but the ACK packets are not sent on it's own > > queue but rather with all other packets. I know it is related with > > pfil_hook when ipfw was converted. > > This is not related to pfil_hook conversion. The problem is also present > in > FreeBSD 4.x-STABLE (just tested it). I think that history of ipfw and > ipsec > interaction goes like this: > > - in the very beginning, a packet that was processed by ipsec didn't > hit ipfw at all in unencrypted form, ie. one was able to able to > filter esp > and ah protocols only. > > - someone fixed this, apparently for incoming packets only, but this > some folks were upset by the fact that they would have to add a rule > for unencrypted protocols into ipfw. 
At that time (in ipfw1), there > was > possibility to check that unencrypted packet actually came from ipsec > (ie. ipfw ipsec flag wasn't implemented) > > - IPSEC_FILTERGIF option was added. If set, incoming packets go > through ipfw twice (encrypted and unencrypted). If not set, packets > go > to ipfw only once (encrypted). > > Currently outgoing packets are always processed like IPSEC_FILTERGIF was > not set (I like to have it set, because I need quite fine-grained > firewalling > even inside my ipsec tunnels, which are between different companies). > What > I was suggesting (ie. moving pfil_hook processing in ip_output before > ipsec stuff) wasn't really correct: This change should be conditional > based on > IPSEC_FILTERGIF setting: The change I described should be done only > when IPSEC_FILTERGIF is set. > > Now, ip_output is quite central part in ip stack. I would be happy if > someone > who knows that part better than me could implement this (I can sure test > it easily). > > Ari S. > > > > > > > Cheers, > > Vince > > > > On Sat, 30 Oct 2004 09:27:50 +0300, Ari Suutari > > wrote: > >> Hi, > >> > >> I noticed that processing order of ipsec and ipfw (pfil_hook) is not > >> correct for outgoing packets. Currently, ipsec processing is done first, > >> which makes packets to go through without firewall inspection. > >> This might be a security problem for someone, but at least it > >> breaks stateful rule handling. > >> > >> My test setup is (all freebsd 5.3-rc1 machines): > >> > >> freebsd laptop <-> ipsec tunnel <->freebsd server > >> > >> When server sends packet to laptop, it now goes like this: > >> > >> ip_output -> ipsec -> ip_output -> ipfw -> network > >> > >> It should go like this: > >> > >> ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network > >> > >> I think that this could be fixed by just moving pfil_hook > >> processing in ip_output before ipsec processing. > >> > >> Ari S. 
> >> > >> _______________________________________________ > >> freebsd-current@freebsd.org mailing list > >> http://lists.freebsd.org/mailman/listinfo/freebsd-current > >> To unsubscribe, send any mail to > >> "freebsd-current-unsubscribe@freebsd.org" > >> > >> > > > > From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 11:02:08 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 26B8816A4CE for ; Mon, 1 Nov 2004 11:02:08 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1E97143D48 for ; Mon, 1 Nov 2004 11:02:08 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id iA1B28lf094245 for ; Mon, 1 Nov 2004 11:02:08 GMT (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id iA1B27SU094240 for freebsd-net@freebsd.org; Mon, 1 Nov 2004 11:02:07 GMT (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 1 Nov 2004 11:02:07 GMT Message-Id: <200411011102.iA1B27SU094240@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f 
From: FreeBSD bugmaster To: freebsd-net@FreeBSD.org Subject: Current problem reports assigned to you X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Nov 2004 11:02:08 -0000

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/07/26]  kern/41007  net    overfull traffic on third and fourth adap
o [2003/10/14]  kern/57985  net    [patch] Missing splx in ether_output_fram

2 problems total.

Non-critical problems
S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2001/02/08]  kern/24959  net    proper TCP_NOPUSH/TCP_CORK compatibility
o [2003/07/11]  kern/54383  net    [nfs] [patch] NFS root configurations wit

2 problems total.

From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 12:09:03 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E32D416A4CE for ; Mon, 1 Nov 2004 12:09:03 +0000 (GMT) Received: from amsfep13-int.chello.nl (nl-ams-slo-l4-01-pip-6.chellonetwork.com [213.46.243.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id D3A7543D53 for ; Mon, 1 Nov 2004 12:09:02 +0000 (GMT) (envelope-from joost@jodocus.org) Received: from bps.jodocus.org ([80.57.157.16]) by amsfep13-int.chello.nl ESMTP <20041101120901.RZYY16509.amsfep13-int.chello.nl@bps.jodocus.org>; Mon, 1 Nov 2004 13:09:01 +0100 Received: from jodocus.org (localhost [127.0.0.1]) by bps.jodocus.org (8.13.1/8.13.1) with ESMTP id iA1C90Hu037068; Mon, 1 Nov 2004 13:09:00 +0100 (CET) (envelope-from joost@jodocus.org) Received: (from joost@localhost) by jodocus.org (8.13.1/8.13.1/Submit) id iA1C90ch037067; Mon, 1 Nov 2004 13:09:00 +0100 (CET) 
(envelope-from joost) Date: Mon, 1 Nov 2004 13:09:00 +0100 
From: Joost Bekkers To: Vincent Poy Message-ID: <20041101120900.GA36917@bps.jodocus.org> Mail-Followup-To: Joost Bekkers , Vincent Poy , freebsd-net@freebsd.org References: <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com> <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> <429af92e041101021638e8598e@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <429af92e041101021638e8598e@mail.gmail.com> User-Agent: Mutt/1.4.2.1i cc: freebsd-net@freebsd.org Subject: Re: ipfw and ipsec processing order for outgoing packets wrong X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Nov 2004 12:09:04 -0000

On Mon, Nov 01, 2004 at 02:16:42AM -0800, Vincent Poy wrote:
> 63004 667879 129410867 queue 1 tcp from any to any tcpflags ack out
> 63005 1 40 queue 2 tcp from any to any dst-port 22,23 out
> 63006 38782 3364689 queue 2 udp from any to any not dst-port 80,443 out
> 63007 43021 2194871 queue 3 ip from any to any dst-port 80,443 out
> 63008 5467 405319 queue 4 ip from any to any out
>
> The counters for queue 1 keeps increasing when I do a ftp out even for
> non-ACK packets but the other counters for queue 2-4 doesn't move at
> all so it seems like everything is going out one queue instead of what
> the rules actually say. I have one pipe configured as 480Kbit/sec
> which is what rules 63005-63008 does.
>

How do you define 'non-ack' packets in your mind? Your ipfw rule
seems to define it as 'having the ack flag set' which is for all
intents and purposes every tcp packet. Only the very first SYN
packet doesn't have the ack flag set.
-- greetz Joost joost@jodocus.org From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 12:20:14 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CCD9E16A4CE; Mon, 1 Nov 2004 12:20:14 +0000 (GMT) Received: from poison2.syncrontech.com (adsl-nat.syncrontech.com [213.28.98.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5F09943D1F; Mon, 1 Nov 2004 12:20:13 +0000 (GMT) (envelope-from ari@suutari.iki.fi) Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.57])iA1CK8L6030602; Mon, 1 Nov 2004 14:20:09 +0200 (EET) (envelope-from ari@suutari.iki.fi) Received: from coffee (coffee.syncrontech.com [62.71.8.37]) iA1CK7b2043496; Mon, 1 Nov 2004 14:20:07 +0200 (EET) (envelope-from ari@suutari.iki.fi) Message-ID: <02d801c4c00d$24fc2a30$2508473e@sad.syncrontech.com> 
From: "Ari Suutari" To: "Vincent Poy" References: <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com> <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> <429af92e041101021638e8598e@mail.gmail.com> Date: Mon, 1 Nov 2004 14:20:10 +0200 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 cc: freebsd-net@freebsd.org cc: freebsd-current@freebsd.org cc: Andre Oppermann cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw and ipsec processing order for outgoing packets wrong X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Nov 2004 12:20:15 -0000 Hi, > The counters for queue 1 keeps increasing when I do a ftp out even for > non-ACK packets but the other counters for queue 2-4 doesn't move at > all so it seems like everything is going out one queue instead of what > the rules actually say. I have one pipe configured as 480Kbit/sec > which is what rules 63005-63008 does. Are you using IPsec ? Ari S. 
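Editor's added example, not from any message in this thread: what Joost's point about "tcpflags ack" looks like on the wire. The classifier below parses a raw IPv4+TCP header and separates pure acknowledgements (ACK set, no payload), which are what a shaper on an asymmetric link wants to push ahead of bulk data, from data segments that also carry ACK; the flag byte alone cannot make that distinction, the payload length can. A constructed FTP-upload style sequence shows that a flag-only match catches every segment but the initial SYN. The packet builder, the flag constants, the sample addresses and the sample sequence are the editor's, and checksums are left zero because nothing here verifies them.

```c
/* Added example (editor's, not from the thread): tell a pure ACK from a data
 * segment that merely has ACK set. ipfw's "tcpflags ack" sees only the flag
 * byte; the payload length is what separates the two. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10

enum seg_class {
    SEG_INVALID = -1,   /* not IPv4/TCP, truncated, or no ACK after the SYN */
    SEG_SYN = 0,        /* initial SYN: the only normal segment without ACK */
    SEG_PURE_ACK = 1,   /* ACK set, no payload: what the priority queue wants */
    SEG_DATA = 2,       /* ACK set and payload: the bulk upload itself */
    SEG_CONTROL = 3     /* SYN-ACK, FIN, RST: handshake and teardown */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse an IPv4+TCP packet of `len` bytes and return its seg_class. */
int classify_tcp_segment(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return SEG_INVALID;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = be16(pkt + 2);
    if (ihl < 20 || tot > len || tot < ihl + 20 || pkt[9] != 6)
        return SEG_INVALID;
    const uint8_t *th = pkt + ihl;
    size_t doff = (size_t)(th[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot)
        return SEG_INVALID;
    uint8_t flags = th[13];
    size_t payload = tot - ihl - doff;      /* bytes after the TCP header */

    if ((flags & TH_SYN) && !(flags & TH_ACK))
        return SEG_SYN;
    if (flags & (TH_SYN | TH_FIN | TH_RST))
        return SEG_CONTROL;
    if (!(flags & TH_ACK))
        return SEG_INVALID;                 /* every post-SYN segment carries ACK */
    return payload == 0 ? SEG_PURE_ACK : SEG_DATA;
}

/* Build a minimal IPv4+TCP packet (no options, checksums zero) into buf.
 * Addresses and ports are constructed sample values. Returns the total
 * length, or 0 if buf is too small. */
size_t build_tcp_packet(uint8_t *buf, size_t cap, uint8_t flags, size_t payload_len)
{
    size_t tot = 40 + payload_len;
    if (tot > cap || tot > 0xffff)
        return 0;
    memset(buf, 0, tot);
    buf[0] = 0x45;                              /* IPv4, IHL 5 */
    buf[2] = (uint8_t)(tot >> 8);
    buf[3] = (uint8_t)tot;
    buf[8] = 64;                                /* TTL */
    buf[9] = 6;                                 /* protocol TCP */
    buf[12] = 192; buf[13] = 0;  buf[14] = 2;   buf[15] = 1;   /* 192.0.2.1 */
    buf[16] = 198; buf[17] = 51; buf[18] = 100; buf[19] = 1;   /* 198.51.100.1 */
    uint8_t *th = buf + 20;
    th[0] = 0x0f; th[1] = 0xa0;                 /* source port 4000 */
    th[2] = 0x00; th[3] = 0x15;                 /* destination port 21 (ftp) */
    th[12] = 0x50;                              /* data offset 5 words */
    th[13] = flags;
    th[14] = 0xff; th[15] = 0xff;               /* window */
    for (size_t i = 0; i < payload_len; i++)
        th[20 + i] = (uint8_t)('A' + i % 26);
    return tot;
}

/* Constructed upload: handshake, five 1400-byte data segments, three pure
 * ACKs for a download running alongside, then FIN. Returns the number of
 * pure ACKs; *ack_flag_matches receives how many a flag-only rule matches. */
int count_upload_sample(int *ack_flag_matches)
{
    static const struct { uint8_t flags; size_t payload; } seq[] = {
        { TH_SYN, 0 }, { TH_SYN | TH_ACK, 0 }, { TH_ACK, 0 },
        { TH_ACK | TH_PSH, 1400 }, { TH_ACK | TH_PSH, 1400 }, { TH_ACK | TH_PSH, 1400 },
        { TH_ACK, 0 }, { TH_ACK | TH_PSH, 1400 }, { TH_ACK | TH_PSH, 1400 },
        { TH_ACK, 0 }, { TH_FIN | TH_ACK, 0 },
    };
    uint8_t pkt[1500];
    int pure = 0, acks = 0;
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        size_t n = build_tcp_packet(pkt, sizeof pkt, seq[i].flags, seq[i].payload);
        if (seq[i].flags & TH_ACK)
            acks++;
        if (classify_tcp_segment(pkt, n) == SEG_PURE_ACK)
            pure++;
    }
    if (ack_flag_matches)
        *ack_flag_matches = acks;
    return pure;
}
```

Of the eleven segments in the sample, ten have ACK set and would land in Vince's queue 1; only three are pure ACKs. Whatever rule language is used, prioritising acknowledgements on an asymmetric link means matching on "ACK set and zero payload", not on the flag alone.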
From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 13:12:26 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AABB16A4CE for ; Mon, 1 Nov 2004 13:12:26 +0000 (GMT) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.195]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1003043D49 for ; Mon, 1 Nov 2004 13:12:26 +0000 (GMT) (envelope-from vincepoy@gmail.com) Received: by rproxy.gmail.com with SMTP id 79so130249rnk for ; Mon, 01 Nov 2004 05:12:18 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=NrICZV4DmaoczWVh7QCZhV7h+gU71srJ/CM0gue+CZBlqsb1vkOhYU2vI+OyhysplgEFUrdPUdFJr/zO812Z2mFnAUG9JprG87QvbUSPCGCCPCdnQ2M6TJMsRA9GqUTJ+dA3KeSMFVerO8FfUyrlnP/oy0vJievrSOdffcdEFFA= Received: by 10.38.66.4 with SMTP id o4mr711166rna; Mon, 01 Nov 2004 05:12:18 -0800 (PST) Received: by 10.38.14.49 with HTTP; Mon, 1 Nov 2004 05:12:18 -0800 (PST) Message-ID: <429af92e041101051237e534e3@mail.gmail.com> Date: Mon, 1 Nov 2004 05:12:18 -0800 
From: Vincent Poy
To: Joost Bekkers , Vincent Poy , freebsd-net@freebsd.org
In-Reply-To: <20041101120900.GA36917@bps.jodocus.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com> <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> <429af92e041101021638e8598e@mail.gmail.com> <20041101120900.GA36917@bps.jodocus.org>
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Vincent Poy
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Mon, 01 Nov 2004 13:12:26 -0000

On Mon, 1 Nov 2004 13:09:00 +0100, Joost Bekkers wrote:
> On Mon, Nov 01, 2004 at 02:16:42AM -0800, Vincent Poy wrote:
> >
> > 63004 667879 129410867 queue 1 tcp from any to any tcpflags ack out
> > 63005      1        40 queue 2 tcp from any to any dst-port 22,23 out
> > 63006  38782   3364689 queue 2 udp from any to any not dst-port 80,443 out
> > 63007  43021   2194871 queue 3 ip from any to any dst-port 80,443 out
> > 63008   5467    405319 queue 4 ip from any to any out
> >
> > The counters for queue 1 keeps increasing when I do a ftp out even for
> > non-ACK packets but the other counters for queue 2-4 doesn't move at
> > all so it seems like everything is going out one queue instead of what
> > the rules actually say. I have one pipe configured as 480Kbit/sec
> > which is what rules 63005-63008 does.
>
> How do you define 'non-ack' packets in your mind? Your ipfw rule
> seems to define it as 'having the ack flag set' which is for all
> intents and purposes every tcp packet. Only the very first SYN
> packet doesn't have the ack flag set.
>
> --
> greetz Joost
> joost@jodocus.org

Well, how else would one prioritize outgoing acks? That was the way
everyone has it done.
What I want to do is have ACKs have priority going out as with ADSL, the
outgoing pipe is always smaller than the incoming pipe and when you upload
and download at the same time, unless the ACKs go out first, the downloads
will be really slow.

Cheers,
Vince

From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 13:13:22 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 102F116A4CE for ; Mon, 1 Nov 2004 13:13:22 +0000 (GMT) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.197]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C12C43D46 for ; Mon, 1 Nov 2004 13:13:21 +0000 (GMT) (envelope-from vincepoy@gmail.com) Received: by rproxy.gmail.com with SMTP id 79so130315rnk for ; Mon, 01 Nov 2004 05:13:21 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=iXAalXBYT44OWlIM6Pen5lfuSUZcOCt3D8gklVEEiKZ6yfW3hnB3a++BEbNvdIyVVErUzOmhjMOq3bIfp5p3VbpIB5NwaH4UpP2kr4Xjn+H1v2XAwHJwsGybCz3cDvTX1pMae9T6Llb9AWRQdCnUmnDRj4kGQMU62INgc0UWfzM= Received: by 10.38.66.50 with SMTP id o50mr718621rna; Mon, 01 Nov 2004 05:13:21 -0800 (PST) Received: by 10.38.14.49 with HTTP; Mon, 1 Nov 2004 05:13:21 -0800 (PST) Message-ID: <429af92e041101051357fc2384@mail.gmail.com> Date: Mon, 1 Nov 2004 05:13:21 -0800
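As an added illustration of Joost's point (example code written for this archive, not from the thread or from ipfw): the five queue rules quoted above are replayed in ipfw's first-match order against a constructed outgoing packet trace, so the per-rule counters can be compared with the "ipfw show" output Vincent posted. The rule predicates mirror the quoted rules; the trace and its packet sizes are invented.

```python
"""Replay ipfw first-match semantics over rules 63004-63008 from the thread.

Added example, not ipfw code: shows why 'tcpflags ack' captures every TCP
segment after the handshake, so queues 2-4 only ever see the initial SYNs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of an outgoing packet: only the fields the rules test."""
    proto: str                             # 'tcp', 'udp' or 'icmp'
    dport: int = 0                         # destination port (0 for icmp)
    flags: FrozenSet[str] = frozenset()    # TCP flags set, e.g. {'syn', 'ack'}
    length: int = 40                       # IP length, feeds the byte counter


# (rule number, dummynet queue, match predicate) in ipfw search order.
# These mirror the rules quoted in the thread; they are not ipfw's parser.
RULES: List[Tuple[int, int, Callable[[Packet], bool]]] = [
    (63004, 1, lambda p: p.proto == "tcp" and "ack" in p.flags),
    (63005, 2, lambda p: p.proto == "tcp" and p.dport in (22, 23)),
    (63006, 2, lambda p: p.proto == "udp" and p.dport not in (80, 443)),
    (63007, 3, lambda p: p.dport in (80, 443)),
    (63008, 4, lambda p: True),
]


def classify(p: Packet) -> Tuple[int, int]:
    """Return (rule number, queue) of the first matching rule, as ipfw does."""
    for number, queue, matches in RULES:
        if matches(p):
            return number, queue
    raise RuntimeError("unreachable: rule 63008 matches everything")


def count(packets: List[Packet]) -> Dict[int, Tuple[int, int]]:
    """Per-rule (packets, bytes) counters, like the 'ipfw show' columns above."""
    counters = {number: [0, 0] for number, _, _ in RULES}
    for p in packets:
        number, _ = classify(p)
        counters[number][0] += 1
        counters[number][1] += p.length
    return {n: (c[0], c[1]) for n, c in counters.items()}


def queue_totals(packets: List[Packet]) -> Dict[int, int]:
    """Packets per dummynet queue, which is what the poster was watching."""
    totals: Dict[int, int] = {}
    for p in packets:
        _, queue = classify(p)
        totals[queue] = totals.get(queue, 0) + 1
    return totals


ACK = frozenset({"ack"})
SYN = frozenset({"syn"})

# Constructed trace: an outbound FTP upload plus some other traffic.  Only the
# very first SYN of each client connection lacks the ACK flag; every later
# segment, data or pure ACK, carries it.
TRACE: List[Packet] = (
    [Packet("tcp", 21, SYN, 60)]                 # ftp control: SYN   -> 63008
    + [Packet("tcp", 21, ACK, 52)] * 5           # ftp control: ACKs  -> 63004
    + [Packet("tcp", 20, SYN, 60)]               # ftp data: SYN      -> 63008
    + [Packet("tcp", 20, ACK, 1500)] * 200       # ftp data segments  -> 63004
    + [Packet("tcp", 22, SYN, 60)]               # ssh: SYN           -> 63005
    + [Packet("tcp", 22, ACK, 100)] * 30         # ssh keystrokes     -> 63004
    + [Packet("tcp", 80, SYN, 60)]               # http: SYN          -> 63007
    + [Packet("tcp", 80, ACK, 500)] * 10         # http request data  -> 63004
    + [Packet("udp", 53, frozenset(), 70)] * 8   # dns                -> 63006
    + [Packet("icmp", 0, frozenset(), 84)] * 4   # ping               -> 63008
)

if __name__ == "__main__":
    for number, (pkts, octets) in count(TRACE).items():
        print(f"{number} {pkts:6d} {octets:9d}")
    print("per queue:", queue_totals(TRACE))
```

The bulk upload's 200 full-size data segments land in queue 1 alongside the pure ACKs, which is exactly the "everything goes out one queue" symptom described above.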
From: Vincent Poy
To: Ari Suutari
In-Reply-To: <02d801c4c00d$24fc2a30$2508473e@sad.syncrontech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com> <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> <429af92e041101021638e8598e@mail.gmail.com> <02d801c4c00d$24fc2a30$2508473e@sad.syncrontech.com>
cc: freebsd-net@freebsd.org
cc: freebsd-current@freebsd.org
cc: Andre Oppermann
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Vincent Poy
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Mon, 01 Nov 2004 13:13:22 -0000

On Mon, 1 Nov 2004 14:20:10 +0200, Ari Suutari wrote:
> > The counters for queue 1 keeps increasing when I do a ftp out even for
> > non-ACK packets but the other counters for queue 2-4 doesn't move at
> > all so it seems like everything is going out one queue instead of what
> > the rules actually say. I have one pipe configured as 480Kbit/sec
> > which is what rules 63005-63008 does.
>
> Are you using IPsec ?
>
> Ari S.

Nope... As you can see, I'm just using ipfw2 with dummynet for
pipe/queue just for traffic shaping.
Cheers,
Vince

From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 13:24:07 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B59DD16A4CE for ; Mon, 1 Nov 2004 13:24:07 +0000 (GMT) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id 59DC143D5F for ; Mon, 1 Nov 2004 13:24:07 +0000 (GMT) (envelope-from vincepoy@gmail.com) Received: by rproxy.gmail.com with SMTP id 79so92398rnl for ; Mon, 01 Nov 2004 05:24:06 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=M+3ZWmf5M/wVRoYvlnMrJ8G7TheJ1PwV722pcfiZfZEZOs31ZpA1XKHF6WZXCWgApqfHAc87mhZ12RGxg+f7BQcQ2r3sJwH8sspBX/W3YYJVAZKKyD/xXi04NK9O83U0W2KR0Yl5U9OFutnFWxBcq/D10bqwVhcDn4jo5e4z75Y= Received: by 10.38.150.54 with SMTP id x54mr716337rnd; Mon, 01 Nov 2004 05:24:06 -0800 (PST) Received: by 10.38.14.49 with HTTP; Mon, 1 Nov 2004 05:24:06 -0800 (PST) Message-ID: <429af92e041101052447a808e6@mail.gmail.com> Date: Mon, 1 Nov 2004 05:24:06 -0800
From: Vincent Poy
To: Ari Suutari
In-Reply-To: <429af92e041101051357fc2384@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com> <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> <429af92e041101021638e8598e@mail.gmail.com> <02d801c4c00d$24fc2a30$2508473e@sad.syncrontech.com> <429af92e041101051357fc2384@mail.gmail.com>
cc: freebsd-net@freebsd.org
cc: freebsd-current@freebsd.org
cc: Andre Oppermann
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Vincent Poy
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Mon, 01 Nov 2004 13:24:07 -0000

On Mon, 1 Nov 2004 05:13:21 -0800, Vincent Poy wrote:
> On Mon, 1 Nov 2004 14:20:10 +0200, Ari Suutari wrote:
> > > The counters for queue 1 keeps increasing when I do a ftp out even for
> > > non-ACK packets but the other counters for queue 2-4 doesn't move at
> > > all so it seems like everything is going out one queue instead of what
> > > the rules actually say. I have one pipe configured as 480Kbit/sec
> > > which is what rules 63005-63008 does.
> >
> > Are you using IPsec ?
> >
> > Ari S.
>
> Nope... As you can see, I'm just using ipfw2 with dummynet for
> pipe/queue just for traffic shaping.
Maybe this will explain it better, as this is what my rules are based on:

http://www.topfx.com/prioritizingackfreebsd.shtml

From owner-freebsd-net@FreeBSD.ORG Mon Nov 1 13:54:36 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F098416A4D0 for ; Mon, 1 Nov 2004 13:54:35 +0000 (GMT) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 43B9243D46 for ; Mon, 1 Nov 2004 13:54:35 +0000 (GMT) (envelope-from vincepoy@gmail.com) Received: by rproxy.gmail.com with SMTP id 79so132938rnk for ; Mon, 01 Nov 2004 05:54:34 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=ImGbuBSVAzRj+Nvs8MM3E4nwmo74w2VgE2+jT0PmlWciKLaLMe6f8xZOEFi20sqbLu7GZ/3HgDamYzNBRMmmLyvNmIGGo9Wp2DFTfmvsqE5zuDG6NA9xF7AFdzFtvR/RJCL0YGCCLncI8hMzqYGHFA02lmIFZ/ycUTcmFDkL2sI= Received: by 10.38.66.50 with SMTP id o50mr739172rna; Mon, 01 Nov 2004 05:54:34 -0800 (PST) Received: by 10.38.14.49 with HTTP; Mon, 1 Nov 2004 05:54:33 -0800 (PST) Message-ID: <429af92e0411010554456059d9@mail.gmail.com> Date: Mon, 1 Nov 2004 05:54:33 -0800
From: Vincent Poy
To: Ari Suutari
In-Reply-To: <429af92e041101052447a808e6@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com> <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> <429af92e041101021638e8598e@mail.gmail.com> <02d801c4c00d$24fc2a30$2508473e@sad.syncrontech.com> <429af92e041101051357fc2384@mail.gmail.com> <429af92e041101052447a808e6@mail.gmail.com>
cc: freebsd-net@freebsd.org
cc: freebsd-current@freebsd.org
cc: Andre Oppermann
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Vincent Poy
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Mon, 01 Nov 2004 13:54:36 -0000

On Mon, 1 Nov 2004 05:24:06 -0800, Vincent Poy wrote:
> On Mon, 1 Nov 2004 05:13:21 -0800, Vincent Poy wrote:
> > On Mon, 1 Nov 2004 14:20:10 +0200, Ari Suutari wrote:
> > > > The counters for queue 1 keeps increasing when I do a ftp out even for
> > > > non-ACK packets but the other counters for queue 2-4 doesn't move at
> > > > all so it seems like everything is going out one queue instead of what
> > > > the rules actually say. I have one pipe configured as 480Kbit/sec
> > > > which is what rules 63005-63008 does.
> > >
> > > Are you using IPsec ?
> > >
> > > Ari S.
> >
> > Nope... As you can see, I'm just using ipfw2 with dummynet for
> > pipe/queue just for traffic shaping.
>
> Maybe this will explain it better as this was what my rules are based on:
>
> http://www.topfx.com/prioritizingackfreebsd.shtml

Looks like the problem fixed itself for whatever reason.
Now I'm getting the 400KB/s down/52KB/s up when I do file transfers at the
same time instead of 200KB/s down/52KB/s up like when I updated -CURRENT
after 7 months. I guess it must be some coincidence that SBC's ATM network
had problems.

Cheers,
Vince

From owner-freebsd-net@FreeBSD.ORG Tue Nov 2 02:23:03 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0DC0016A4CE for ; Tue, 2 Nov 2004 02:23:03 +0000 (GMT) Received: from imo-d02.mx.aol.com (imo-d02.mx.aol.com [205.188.157.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7656943D48 for ; Tue, 2 Nov 2004 02:23:02 +0000 (GMT) (envelope-from AndygreenNet@netscape.net) Received: from AndygreenNet@netscape.net by imo-d02.mx.aol.com (mail_out_v37_r3.8.) id n.1c.f208b5a (16240) for ; Mon, 1 Nov 2004 21:22:57 -0500 (EST) Received: from netscape.net (mow-d14.webmail.aol.com [205.188.139.130]) by air-in03.mx.aol.com (v103.7) with ESMTP id MAILININ34-3f704186ef8119d; Mon, 01 Nov 2004 21:22:57 -0500 Date: Mon, 01 Nov 2004 21:22:57 -0500
From: AndygreenNet@netscape.net
To: freebsd-net@FreeBSD.org
MIME-Version: 1.0
Message-ID: <7B24A164.35066CB5.0C457E44@netscape.net>
X-Mailer: Atlas Mailer 2.0
X-AOL-IP: 62.33.196.200
X-AOL-Language: english
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Subject: Bridge
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Tue, 02 Nov 2004 02:23:03 -0000

Hi everybody!

I'm trying to configure a bridge on a FreeBSD box.

Box configuration:
%uname -srp
FreeBSD 5.3-RC1 i386
%ifconfig
xl0: flags=8943 mtu 1500
        options=9
        ether 00:04:79:68:02:e6
        media: Ethernet autoselect (none)
        status: no carrier
fxp0: flags=8943 mtu 1500
        options=48
        inet 213.59.235.126 netmask 0xfffffff8 broadcast 213.59.235.127
        ether 00:0e:0c:00:58:60
        media: Ethernet autoselect (100baseTX )
        status: active
fxp1: flags=8943 mtu 1500
        options=48
        ether 00:07:e9:14:01:99
        media: Ethernet autoselect (100baseTX )
        status: active
fxp2: flags=8943 mtu 1500
        options=48
        inet 213.59.128.190 netmask 0xfffffffc broadcast 213.59.128.191
        ether 00:07:e9:14:05:be
        media: Ethernet autoselect (none)
        status: no carrier
plip0: flags=108810 mtu 1500
pflog0: flags=0<> mtu 33208
pfsync0: flags=0<> mtu 2020
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
vlan0: flags=8943 mtu 1500
        ether 00:07:e9:14:05:be
        media: Ethernet autoselect (none)
        status: no carrier
        vlan: 218 parent interface: fxp2
vlan1: flags=8943 mtu 1500
        inet 62.33.196.254 netmask 0xffffff80 broadcast 62.33.196.255
        ether 00:07:e9:14:01:99
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 155 parent interface: fxp1
vlan2: flags=8943 mtu 1500
        ether 00:07:e9:14:01:99
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 156 parent interface: fxp1
vlan3: flags=8943 mtu 1500
        ether 00:07:e9:14:01:99
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 90 parent interface: fxp1
vlan4: flags=8943 mtu 1500
        ether 00:0e:0c:00:58:60
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 156 parent interface: fxp0
vlan5: flags=8943 mtu 1500
        ether 00:04:79:68:02:e6
        media: Ethernet autoselect (none)
        status: no carrier
        vlan: 90 parent interface: xl0
%vi /usr/local/etc/rc.d/bridge.sh
#!/bin/sh
#
#

# Source rc.conf so that ${bridge_enable} is defined below.
if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

case "$1" in
start)
        case "${bridge_enable}" in
        [Yy][Ee][Ss])
                echo -n 'Starting bridge'
                sysctl -w net.link.ether.bridge.enable=1
                sysctl -w net.link.ether.bridge.ipfw=1
                sysctl -w net.link.ether.bridge.config=vlan0:218,vlan1:155,vlan2:156,vlan3:90,vlan4:156,vlan5:90,xl0:218,fxp0:155
                ;;
        esac
        ;;
stop)
        sysctl -w net.link.ether.bridge.enable=0
        ;;
*)
        echo "Usage: `basename $0` {start|stop}" >&2
        ;;
esac

exit
%vi /etc/rc.conf
firewall_enable="YES"               # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
firewall_type="OPEN"                # Firewall type (see /etc/rc.firewall)
firewall_quiet="YES"                # Set to YES to suppress rule display
firewall_logging="YES"              # Set to YES to enable events logging
firewall_flags=""                   # Flags passed to ipfw when type is a file
ip_portrange_first="49190"          # Set first dynamically allocated port
ip_portrange_last="65535"           # Set last dynamically allocated port

The bridge does not work!
What am I doing incorrectly?
From owner-freebsd-net@FreeBSD.ORG Tue Nov 2 12:40:15 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1317316A4CE for ; Tue, 2 Nov 2004 12:40:15 +0000 (GMT) Received: from smtp.cegetel.net (mf01.sitadelle.com [212.94.174.78]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5E1ED43D5F for ; Tue, 2 Nov 2004 12:40:14 +0000 (GMT) (envelope-from tataz@sitadelle.com) Received: from droopy.tech.sitadelle.com (213-223-184-193.dti.cegetel.net [213.223.184.193]) by smtp.cegetel.net (Postfix) with ESMTP id 3415837B0E; Tue, 2 Nov 2004 13:40:12 +0100 (CET) Received: by droopy.tech.sitadelle.com (Postfix, from userid 1000) id EDB20FC00E; Tue, 2 Nov 2004 13:40:27 +0100 (CET) Date: Tue, 2 Nov 2004 13:40:27 +0100
From: Jeremie Le Hen
To: Aaron Nichols
Message-ID: <20041102124027.GH10641@sitadelle.com>
References: <62721446609.20041028214724@star-sw.com> <20041029141411.GE10641@sitadelle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.6+20040907i
cc: freebsd-net@freebsd.org
Subject: Re: Problems with NAT on gif interface for VPN
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Tue, 02 Nov 2004 12:40:15 -0000

> Yep, that seems to be exactly what I need. I don't suppose there are
> any plans to implement something similar in FreeBSD anytime soon?
> Considering I'm so close to getting this to work it's frustrating to
> think that I would need to migrate to OpenBSD to have this
> functionality and uproot everything else this server already does
> (mail, dns, web, etc).

Considering if_enc.c from OpenBSD's HEAD (see URLs at the bottom), it does
not seem to be difficult to port to FreeBSD, but since I'm not a kernel guru
at all, there may be some issues I don't even suspect. I'm conscious that
making it FreeBSD SMP compliant should require a little amount of work, but
it could be done with the IFF_NEEDSGIANT flag for a first step.

Is there any reason why we would not need nor want this in FreeBSD?
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_enc.c?rev=1.41&content-type=text/x-cvsweb-markup
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_enc.h?rev=1.8&content-type=text/x-cvsweb-markup

--
Jeremie Le Hen
jeremie@le-hen.org

From owner-freebsd-net@FreeBSD.ORG Tue Nov 2 16:44:04 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7853816A4CE for ; Tue, 2 Nov 2004 16:44:04 +0000 (GMT) Received: from blake.polstra.com (blake.polstra.com [64.81.189.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 11CD843D2D for ; Tue, 2 Nov 2004 16:44:04 +0000 (GMT) (envelope-from jdp@polstra.com) Received: from strings.polstra.com (dsl081-189-067.sea1.dsl.speakeasy.net [64.81.189.67]) by blake.polstra.com (8.12.11/8.12.11) with ESMTP id iA2Gi2MC082770 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 2 Nov 2004 08:44:02 -0800 (PST) (envelope-from jdp@strings.polstra.com) Received: (from jdp@localhost) by strings.polstra.com (8.12.11/8.12.11/Submit) id iA2Gi1Kd022868; Tue, 2 Nov 2004 08:44:01 -0800 (PST) (envelope-from jdp) Message-ID: X-Mailer: XFMail 1.5.5 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <05DE5D1C-2B30-11D9-8420-000A95C705DC@chittenden.org> Date: Tue, 02 Nov 2004 08:44:01 -0700 (PST)
From: John Polstra
To: Sean Chittenden
X-Bogosity: No, tests=bogofilter, spamicity=0.502249, version=0.14.5
cc: freebsd-net@freebsd.org
Subject: Re: Irritation regarding precision of ping(8)...
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Tue, 02 Nov 2004 16:44:04 -0000

On 31-Oct-2004 Sean Chittenden wrote:
>>> This has long bugged me and tonight I finally snapped and had to do
>>> something about it. Example output:
>>>
>>> 64 bytes from a.b.c.d: icmp_seq=935 ttl=126 time=33.824 ms
>>> 64 bytes from a.b.c.d: icmp_seq=936 ttl=126 time=29.138 ms
>>> 64 bytes from a.b.c.d: icmp_seq=937 ttl=126 time=28.262 ms
>>> 64 bytes from a.b.c.d: icmp_seq=938 ttl=126 time=29.67 ms
>>> 64 bytes from a.b.c.d: icmp_seq=939 ttl=126 time=30.963 ms
>>> 64 bytes from a.b.c.d: icmp_seq=940 ttl=126 time=30.283 ms
>>> 64 bytes from a.b.c.d: icmp_seq=941 ttl=126 time=29.455 ms
>>>
>>> The source of irritation being line seq 930. The time should be
>>> 29.670 since we are accurately measuring the precision to the
>>> thousands place.
>>
>> I think you mean line seq 938.
>
> Yeah... my eyes are getting blurry... the 8 and 0 look similar at the
> moment... probably a good sign I should stop and crash for the night.

You really just meant 9.4e2, right?
:-)

John

From owner-freebsd-net@FreeBSD.ORG Tue Nov 2 17:31:00 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4999816A4CE for ; Tue, 2 Nov 2004 17:31:00 +0000 (GMT) Received: from unsane.co.uk (unsane.co.uk [82.152.23.78]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3695C43D2F for ; Tue, 2 Nov 2004 17:30:59 +0000 (GMT) (envelope-from jhary@unsane.co.uk) Received: from unsane.co.uk (localhost [127.0.0.1]) by unsane.co.uk (8.13.1/8.12.10) with ESMTP id iA2HUvGP087900 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 2 Nov 2004 17:30:57 GMT (envelope-from jhary@unsane.co.uk) Received: from localhost (jhary@localhost) by unsane.co.uk (8.13.1/8.12.10/Submit) with ESMTP id iA2HUukx087897; Tue, 2 Nov 2004 17:30:57 GMT (envelope-from jhary@unsane.co.uk) Date: Tue, 2 Nov 2004 17:30:56 +0000 (GMT)
From: Vince Hoffman
To: AndygreenNet@netscape.net
In-Reply-To: <7B24A164.35066CB5.0C457E44@netscape.net>
Message-ID: <20041102172918.A84007@unsane.co.uk>
References: <7B24A164.35066CB5.0C457E44@netscape.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: freebsd-net@freebsd.org
Subject: Re: Bridge
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Tue, 02 Nov 2004 17:31:00 -0000

On Mon, 1 Nov 2004 AndygreenNet@netscape.net wrote:

> Hi everybody!
>
> I'm trying to configure a bridge on a FreeBSD box.
>
> Box configuration:
> %uname -srp
> FreeBSD 5.3-RC1 i386
> %ifconfig
> xl0: flags=8943 mtu 1500
>         options=9
>         ether 00:04:79:68:02:e6
>         media: Ethernet autoselect (none)
>         status: no carrier
> fxp0: flags=8943 mtu 1500
>         options=48
>         inet 213.59.235.126 netmask 0xfffffff8 broadcast 213.59.235.127
>         ether 00:0e:0c:00:58:60
>         media: Ethernet autoselect (100baseTX )
>         status: active
> fxp1: flags=8943 mtu 1500
>         options=48
>         ether 00:07:e9:14:01:99
>         media: Ethernet autoselect (100baseTX )
>         status: active
> fxp2: flags=8943 mtu 1500
>         options=48
>         inet 213.59.128.190 netmask 0xfffffffc broadcast 213.59.128.191
>         ether 00:07:e9:14:05:be
>         media: Ethernet autoselect (none)
>         status: no carrier
> plip0: flags=108810 mtu 1500
> pflog0: flags=0<> mtu 33208
> pfsync0: flags=0<> mtu 2020
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> vlan0: flags=8943 mtu 1500
>         ether 00:07:e9:14:05:be
>         media: Ethernet autoselect (none)
>         status: no carrier
>         vlan: 218 parent interface: fxp2
> vlan1: flags=8943 mtu 1500
>         inet 62.33.196.254 netmask 0xffffff80 broadcast 62.33.196.255
>         ether 00:07:e9:14:01:99
>         media: Ethernet autoselect (100baseTX )
>         status: active
>         vlan: 155 parent interface: fxp1
> vlan2: flags=8943 mtu 1500
>         ether 00:07:e9:14:01:99
>         media: Ethernet autoselect (100baseTX )
>         status: active
>         vlan: 156 parent interface: fxp1
> vlan3: flags=8943 mtu 1500
>         ether 00:07:e9:14:01:99
>         media: Ethernet autoselect (100baseTX )
>         status: active
>         vlan: 90 parent interface: fxp1
> vlan4: flags=8943 mtu 1500
>         ether 00:0e:0c:00:58:60
>         media: Ethernet autoselect (100baseTX )
>         status: active
>         vlan: 156 parent interface: fxp0
> vlan5: flags=8943 mtu 1500
>         ether 00:04:79:68:02:e6
>         media: Ethernet autoselect (none)
>         status: no carrier
>         vlan: 90 parent interface: xl0
> %vi /usr/local/etc/rc.d/bridge.sh
> #!/bin/sh
> #
> #
>
> if [ -z "${source_rc_confs_defined}" ]; then
>         if [ -r /etc/defaults/rc.conf ]; then
>                 . /etc/defaults/rc.conf
>                 source_rc_confs
>         elif [ -r /etc/rc.conf ]; then
>                 . /etc/rc.conf
>         fi
> fi
>
> case "$1" in
> start)
>         case "${bridge_enable}" in
>         [Yy][Ee][Ss])

This looks to me like you need to add
bridge_enable="YES"
to /etc/rc.conf

>                 echo -n 'Starting bridge'
>                 sysctl -w net.link.ether.bridge.enable=1
>                 sysctl -w net.link.ether.bridge.ipfw=1
>                 sysctl -w net.link.ether.bridge.config=vlan0:218,vlan1:155,vlan2:156,vlan3:90,vlan4:156,vlan5:90,xl0:218,fxp0:155
>                 ;;
>         esac
>         ;;
> stop)
>         sysctl -w net.link.ether.bridge.enable=0
>         ;;
> *)
>         echo "Usage: `basename $0` {start|stop}" >&2
>         ;;
> esac
>
> exit
> %vi /etc/rc.conf
> firewall_enable="YES"               # Set to YES to enable firewall functionality
> firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
> firewall_type="OPEN"                # Firewall type (see /etc/rc.firewall)
> firewall_quiet="YES"                # Set to YES to suppress rule display
> firewall_logging="YES"              # Set to YES to enable events logging
> firewall_flags=""                   # Flags passed to ipfw when type is a file
> ip_portrange_first="49190"          # Set first dynamically allocated port
> ip_portrange_last="65535"           # Set last dynamically allocated port
>
> The bridge does not work!
> What am I doing incorrectly?
>

From owner-freebsd-net@FreeBSD.ORG Wed Nov 3 00:36:06 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C28116A4CE for ; Wed, 3 Nov 2004 00:36:06 +0000 (GMT) Received: from morpheus.mind.net (morpheus.mind.net [69.9.130.12]) by mx1.FreeBSD.org (Postfix) with SMTP id BB3FE43D1D for ; Wed, 3 Nov 2004 00:36:05 +0000 (GMT) (envelope-from readbsd@mind.net) Received: (qmail 52155 invoked by uid 1001); 3 Nov 2004 00:36:30 -0000 Date: Tue, 2 Nov 2004 16:36:30 -0800
From: John Fox
To: freebsd-net@freebsd.org
Message-ID: <20041103003630.GA51913@mind.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Vocabulary-Word: tuberclelike
X-Quip: Fly the white flag of war!
Subject: Simple port forwarding question
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Wed, 03 Nov 2004 00:36:06 -0000

Hi, folks.

I'm experimenting, trying to set up a situation where connections
to port 25 on machine A are forwarded to port 25 on machine B.
I've read the ipfw manpage and it looks as though what I'm doing
is correct.

The IPFW rules on machine A are:
00100 fwd machineB tcp from any to any 25
65535 allow ip from any to any

And there is a sendmail listening on B's port 25.

But when I telnet to machine A's port 25, all I get is
a perpetual "Trying" message that just sits there.

Machine A's kernel has the following IPFW options built-in:
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=30
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_FORWARD

Any clues as to what I'm doing incorrectly would be greatly appreciated!

--
John
-------------------------------------------------------------------------
| Beneath the noble bird, between the proudest words, | jfox @ mind.net |
| Behind the beauty cracks appear                     | Sysadmin,       |
| Once with heads held high they sang out to the sky  | InfoStructure   |
| Why do their shadows bow in fear?                   | Ashland, OR USA |
-------------------------------------------------------------------------

From owner-freebsd-net@FreeBSD.ORG Wed Nov 3 01:16:18 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2469F16A4CF for ; Wed, 3 Nov 2004 01:16:18 +0000 (GMT) Received: from av15-2-sn4.m-sp.skanova.net (av15-2-sn4.m-sp.skanova.net [81.228.10.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B9D343D3F for ; Wed, 3 Nov 2004 01:16:17 +0000 (GMT) (envelope-from ertr1013@student.uu.se) Received: by av15-2-sn4.m-sp.skanova.net (Postfix, from userid 502) id 2798037E44; Wed, 3 Nov 2004 02:16:16 +0100 (CET) Received: from smtp4-2-sn4.m-sp.skanova.net (smtp4-2-sn4.m-sp.skanova.net [81.228.10.180]) by av15-2-sn4.m-sp.skanova.net (Postfix) with ESMTP id 119F237E42 for ; Wed, 3 Nov 2004 02:16:16 +0100 (CET) Received: from falcon.midgard.homeip.net (h201n1fls24o1048.bredband.comhem.se [212.181.162.201]) by smtp4-2-sn4.m-sp.skanova.net (Postfix) with SMTP id DA56F37E44 for ; Wed, 3 Nov 2004 02:16:15 +0100 (CET) Received: (qmail 70971 invoked by uid 1001); 3 Nov 2004 01:16:15 -0000 Date: Wed, 3 Nov 2004 02:16:15 +0100
From: Erik Trulsson
To: John Fox
Message-ID: <20041103011615.GA68454@falcon.midgard.homeip.net>
Mail-Followup-To: John Fox , freebsd-net@freebsd.org
References: <20041103003630.GA51913@mind.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20041103003630.GA51913@mind.net>
User-Agent: Mutt/1.5.6i
cc: freebsd-net@freebsd.org
Subject: Re: Simple port forwarding question
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Wed, 03 Nov 2004 01:16:18 -0000

On Tue, Nov 02, 2004 at 04:36:30PM -0800, John Fox wrote:
> Hi, folks.
>
> I'm experimenting, trying to set up a situation where connections
> to port 25 on machine A are forwarded to port 25 on machine B.
> I've read the ipfw manpage and it looks as though what I'm doing
> is correct.
>
>
> The IPFW rules on machine A are:
> 00100 fwd machineB tcp from any to any 25
> 65535 allow ip from any to any
>
> And there is a sendmail listening on B's port 25.
>
> But when I telnet to machine A's port 25, all I get is
> a perpetual "Trying" message that just sits there.

Don't use "fwd" for this - it doesn't work that way (for one thing B is
unlikely to handle an IP-packet that is still addressed to A.)
Use natd and the '-redirect_port' option to natd instead - that works.
--
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-net@FreeBSD.ORG Wed Nov 3 01:57:16 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9216016A4CE for ; Wed, 3 Nov 2004 01:57:16 +0000 (GMT) Received: from imo-d02.mx.aol.com (imo-d02.mx.aol.com [205.188.157.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 32A4143D46 for ; Wed, 3 Nov 2004 01:57:16 +0000 (GMT) (envelope-from AndygreenNet@netscape.net) Received: from AndygreenNet@netscape.net by imo-d02.mx.aol.com (mail_out_v37_r3.8.) id w.5.eec3e24 (22681); Tue, 2 Nov 2004 20:56:59 -0500 (EST) Received: from netscape.net (mow-d23.webmail.aol.com [205.188.139.164]) by air-in04.mx.aol.com (v103.7) with ESMTP id MAILININ42-589941883aea3e4; Tue, 02 Nov 2004 20:56:59 -0500 Date: Tue, 02 Nov 2004 20:56:58 -0500
From: AndygreenNet@netscape.net
To: jhary@unsane.co.uk (Vince Hoffman)
cc: freebsd-net@freebsd.org
Subject: Re: Bridge
Message-ID: <59B15A3F.497370BD.0C457E44@netscape.net>

Vince Hoffman wrote:
>
> On Mon, 1 Nov 2004 AndygreenNet@netscape.net wrote:
>
>> Hi everybody!
>>
>> I'm trying to configure a bridge on a FreeBSD box.
>>
>> Box configuration:
>> %uname -srp
>> FreeBSD 5.3-RC1 i386
>> %ifconfig
>> xl0: flags=8943 mtu 1500
>>         options=9
>>         ether 00:04:79:68:02:e6
>>         media: Ethernet autoselect (none)
>>         status: no carrier
>> fxp0: flags=8943 mtu 1500
>>         options=48
>>         inet 213.59.235.126 netmask 0xfffffff8 broadcast 213.59.235.127
>>         ether 00:0e:0c:00:58:60
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>> fxp1: flags=8943 mtu 1500
>>         options=48
>>         ether 00:07:e9:14:01:99
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>> fxp2: flags=8943 mtu 1500
>>         options=48
>>         inet 213.59.128.190 netmask 0xfffffffc broadcast 213.59.128.191
>>         ether 00:07:e9:14:05:be
>>         media: Ethernet autoselect (none)
>>         status: no carrier
>> plip0: flags=108810 mtu 1500
>> pflog0: flags=0<> mtu 33208
>> pfsync0: flags=0<> mtu 2020
>> lo0: flags=8049 mtu 16384
>>         inet 127.0.0.1 netmask 0xff000000
>> vlan0: flags=8943 mtu 1500
>>         ether 00:07:e9:14:05:be
>>         media: Ethernet autoselect (none)
>>         status: no carrier
>>         vlan: 218 parent interface: fxp2
>> vlan1: flags=8943 mtu 1500
>>         inet 62.33.196.254 netmask 0xffffff80 broadcast 62.33.196.255
>>         ether 00:07:e9:14:01:99
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>>         vlan: 155 parent interface: fxp1
>> vlan2: flags=8943 mtu 1500
>>         ether 00:07:e9:14:01:99
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>>         vlan: 156 parent interface: fxp1
>> vlan3: flags=8943 mtu 1500
>>         ether 00:07:e9:14:01:99
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>>         vlan: 90 parent interface: fxp1
>> vlan4: flags=8943 mtu 1500
>>         ether 00:0e:0c:00:58:60
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>>         vlan: 156 parent interface: fxp0
>> vlan5: flags=8943 mtu 1500
>>         ether 00:04:79:68:02:e6
>>         media: Ethernet autoselect (none)
>>         status: no carrier
>>         vlan: 90 parent interface: xl0
>> %vi /usr/local/etc/rc.d/bridge.sh
>> #!/bin/sh
>> #
>> #
>>
>> if [ -z "${source_rc_confs_defined}" ]; then
>>         if [ -r /etc/defaults/rc.conf ]; then
>>                 . /etc/defaults/rc.conf
>>                 source_rc_confs
>>         elif [ -r /etc/rc.conf ]; then
>>                 . /etc/rc.conf
>>         fi
>> fi
>>
>> case "$1" in
>> start)
>>         case "${bridge_enable}" in
>>         [Yy][Ee][Ss])
>
> This looks to me like you need to add
> bridge_enable="YES"
> to /etc/rc.conf

Certainly this line is in /etc/rc.conf.

>
>>                 echo -n 'Starting bridge'
>>                 sysctl -w net.link.ether.bridge.enable=1
>>                 sysctl -w net.link.ether.bridge.ipfw=1
>>                 sysctl -w net.link.ether.bridge.config=vlan0:218,vlan1:155,vlan2:156,vlan3:90,vlan4:156,vlan5:90,xl0:218,fxp0:155
>>                 ;;
>>         esac
>>         ;;
>> stop)
>>         sysctl -w net.link.ether.bridge.enable=0
>>         ;;
>> *)
>>         echo "Usage: `basename $0` {start|stop}" >&2
>>         ;;
>> esac
>>
>> exit
>> %vi /etc/rc.conf
>> firewall_enable="YES"               # Set to YES to enable firewall functionality
>> firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
>> firewall_type="OPEN"                # Firewall type (see /etc/rc.firewall)
>> firewall_quiet="YES"                # Set to YES to suppress rule display
>> firewall_logging="YES"              # Set to YES to enable events logging
>> firewall_flags=""                   # Flags passed to ipfw when type is a file
>> ip_portrange_first="49190"          # Set first dynamically allocated port
>> ip_portrange_last="65535"           # Set last dynamically allocated port
>>
>> Bridge does not work!
>> What do I do incorrectly?
>>

I solved this problem with the help of new versions of bridge.c (v. 1.85),
bridge.h (v. 1.13) and if_ethersubr.c (v. 1.179).

Sorry for my poor English.

From owner-freebsd-net@FreeBSD.ORG Wed Nov 3 18:20:09 2004
Date: Wed, 3 Nov 2004 10:20:00 -0800
From: Aaron Nichols
To: freebsd-net@freebsd.org
Subject: Re: Problems with NAT on gif interface for VPN
In-Reply-To: <20041102124027.GH10641@sitadelle.com>
References: <62721446609.20041028214724@star-sw.com> <20041029141411.GE10641@sitadelle.com> <20041102124027.GH10641@sitadelle.com>

All,

Thank you for your help. I managed to get this working. First, I had to
compile the kernel to use the FAST_IPSEC option, which apparently changes
processing so that traffic goes via gif0 (packet captures only see incoming
traffic to gif0 however) - the IPSEC_FILTERGIF option was not sufficient to
allow for divert processing apparently.

I also had to configure the kernel to use ipfw2 instead of ipfw so that I
could use the 'ipsec' option in the filter sets. It seems that the man page
for ipfw is a bit inaccurate in this regard. Under "IPFW2 ENHANCEMENTS" of
ipfw(8) it states the following:

    The following options are not implemented by ipfw1: dst-ip, dst-port,
    layer2, mac, mac-type, src-ip, src-port. Additionally, the RELENG_4
    version of ipfw1 does not implement the following options: ipid, iplen,
    ipprecedence, iptos, ipttl, ipversion, tcpack, tcpseq, tcpwin.

However, the 'ipsec' option is never mentioned - and it does not seem to
work if using ipfw1.

At this point, I have the following ipfw ruleset:

00001        0         0 allow ip from any to any layer2 not mac-type 0x0800
00100    13235   9607548 divert 8669 ip from any to any via gif0
00200    14890  10960619 divert 8668 ip from any to any via xl0 not ipsec
00300     8017   9434062 allow ip from any to any ipsec
00400     8017   9273722 allow ip from any to any via gif0
00500        0         0 check-state
00510    14033  10435476 allow ip from any to any via xl0 out keep-state
00600        0         0 allow esp from any to me
00610        0         0 allow udp from any to me dst-port 500
00700        0         0 allow ip from any to any via lo0
00710    17115  10937956 allow ip from any to any via vr0 keep-state
01000        0         0 allow tcp from any to any dst-port 22 in keep-state
01010        9       498 allow tcp from any to any dst-port 25 in keep-state
01020        0         0 allow tcp from any to any dst-port 80 in keep-state
02000        0         0 allow icmp from any to any
05000       82     22098 deny log ip from any to any
65535       42      7902 deny ip from any to any

I suspect rules 300 & 400 are redundant but I'll work on tuning the filter
set next.

If anyone is interested in the full details of this setup please let me
know and I can provide them. The majority of tweaking had to do with
getting the right kernel setup though - after which things worked mostly
as expected.

Thanks again for everyone's help.
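An added example, not part of Aaron's mail or of FreeBSD: a small auditor for the `ipfw show` listing above. It parses the rule/packets/bytes/action columns and reports rules that have never matched (the kind of check behind Aaron's suspicion about 300 and 400) and `allow` rules with no qualifier after "from any to any", such as rule 02000.

```python
"""Audit an `ipfw show` listing such as Aaron's ruleset above.

Added example, not part of Aaron's mail and not FreeBSD code. It parses the
"rule packets bytes action body" lines that `ipfw show` prints and reports
rules that have never matched and `allow` rules with no qualifier after
"from any to any", which pass everything of that protocol regardless of
interface, direction or state.
"""
import re
from dataclasses import dataclass

# rule number, packet counter, byte counter, action keyword, rest of the rule
RULE_RE = re.compile(r"^\s*(\d{1,5})\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*?)\s*$")


@dataclass(frozen=True)
class Rule:
    number: int
    packets: int
    bytes: int
    action: str
    body: str


def parse_ipfw_show(text):
    """Turn `ipfw show` output into Rule records; lines that do not fit are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], m[5]))
    return rules


def unmatched_rules(rules):
    """Numbers of rules with a zero packet counter, excluding the default rule.
    A zero counter means no traffic reached the rule: either it does not
    occur, or an earlier rule already decided it (counters reset with `ipfw zero`)."""
    return [r.number for r in rules if r.packets == 0 and r.number != 65535]


def unqualified_allows(rules):
    """`allow` rules whose body is exactly '<proto> from any to any'."""
    bare = re.compile(r"^\S+ from any to any$")
    return [r.number for r in rules if r.action == "allow" and bare.match(r.body)]


def default_rule_denies(rules):
    """True when rule 65535 is a deny, i.e. the kernel defaults to deny."""
    return any(r.number == 65535 and r.action == "deny" for r in rules)


def packets_by_action(rules):
    """Packet totals per action keyword, to see how much traffic each verdict saw."""
    totals = {}
    for r in rules:
        totals[r.action] = totals.get(r.action, 0) + r.packets
    return totals


# Aaron's ruleset as posted above, used as the sample input.
SAMPLE = """\
00001        0         0 allow ip from any to any layer2 not mac-type 0x0800
00100    13235   9607548 divert 8669 ip from any to any via gif0
00200    14890  10960619 divert 8668 ip from any to any via xl0 not ipsec
00300     8017   9434062 allow ip from any to any ipsec
00400     8017   9273722 allow ip from any to any via gif0
00500        0         0 check-state
00510    14033  10435476 allow ip from any to any via xl0 out keep-state
00600        0         0 allow esp from any to me
00610        0         0 allow udp from any to me dst-port 500
00700        0         0 allow ip from any to any via lo0
00710    17115  10937956 allow ip from any to any via vr0 keep-state
01000        0         0 allow tcp from any to any dst-port 22 in keep-state
01010        9       498 allow tcp from any to any dst-port 25 in keep-state
01020        0         0 allow tcp from any to any dst-port 80 in keep-state
02000        0         0 allow icmp from any to any
05000       82     22098 deny log ip from any to any
65535       42      7902 deny ip from any to any
"""

if __name__ == "__main__":
    rules = parse_ipfw_show(SAMPLE)
    print("rules parsed:      ", len(rules))
    print("never matched:     ", unmatched_rules(rules))
    print("unqualified allows:", unqualified_allows(rules))
    print("default is deny:   ", default_rule_denies(rules))
    print("packets by action: ", packets_by_action(rules))
```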
Aaron

From owner-freebsd-net@FreeBSD.ORG Wed Nov 3 19:11:48 2004
Date: Wed, 03 Nov 2004 11:11:46 -0800
From: Julian Elischer
To: Erik Trulsson
cc: freebsd-net@freebsd.org
cc: John Fox
Subject: Re: Simple port forwarding question
Message-ID: <41892D72.10203@elischer.org>
In-Reply-To: <20041103011615.GA68454@falcon.midgard.homeip.net>
References: <20041103003630.GA51913@mind.net> <20041103011615.GA68454@falcon.midgard.homeip.net>

Erik Trulsson wrote:
> On Tue, Nov 02, 2004 at 04:36:30PM -0800, John Fox wrote:
>
>> Hi, folks.
>>
>> I'm experimenting, trying to set up a situation where connections
>> to port 25 on machine A are forwarded to port 25 on machine B.
>> I've read the ipfw manpage and it looks as though what I'm doing
>> is correct.
>>
>> The IPFW rules on machine A are:
>> 00100 fwd machineB tcp from any to any 25
>> 65535 allow ip from any to any
>>
>> And there is a sendmail listening on B's port 25.
>>
>> But when I telnet to machine A's port 25, all I get is
>> a perpetual "Trying" message that just sits there.
>
> Don't use "fwd" for this - it doesn't work that way (for one thing B is
> unlikely to handle an IP packet that is still addressed to A.)
>
> Use natd and the '-redirect_port' option to natd instead - that works.
>

You can use ipfw fwd IF you also run it on the target machine to
"capture/accept" the foreign packet. Otherwise the packet will be
forwarded back to its stated destination (or dropped).
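A toy model of the two answers above, added here and not part of Erik's or Julian's mail or of FreeBSD: `ipfw fwd` changes only the next hop and leaves the destination address as A, so B's IP input path has nothing to accept unless B itself runs a fwd rule, whereas `natd -redirect_port` rewrites the destination on the way in and the source on the way back. The addresses and ports are constructed.

```python
"""Why `ipfw fwd` alone leaves telnet in "Trying" while natd -redirect_port
works. Added example modelling the thread above; not FreeBSD code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed addresses: the connection arrives at A, sendmail listens on B.
CLIENT, A, B = "198.51.100.7", "192.0.2.1", "192.0.2.2"


def ipfw_fwd(pkt, next_hop):
    """`fwd` overrides the next hop only; the IP header is not rewritten."""
    return next_hop, pkt


def ip_input(local_addrs, pkt, capture=None, forwarding=False):
    """Verdict of a host's IP input path. `capture` models an ipfw fwd rule
    on the receiving host that steers a foreign-addressed packet to the local
    stack (Julian's variant)."""
    if pkt.dst in local_addrs or (capture is not None and capture(pkt)):
        return "accepted"          # handed to the local TCP stack
    return "forwarded" if forwarding else "dropped"


class Natd:
    """Model of `natd -redirect_port tcp B:25 25` running on A."""

    def __init__(self, alias_ip, alias_port, target_ip, target_port):
        self.alias = (alias_ip, alias_port)
        self.target = (target_ip, target_port)
        self.sessions = set()      # (client ip, client port) seen inbound

    def inbound(self, pkt):
        """Packet arriving on A's public side: rewrite the destination to B:25."""
        if (pkt.dst, pkt.dport) == self.alias:
            self.sessions.add((pkt.src, pkt.sport))
            return replace(pkt, dst=self.target[0], dport=self.target[1])
        return pkt

    def outbound(self, pkt):
        """Reply from B passing back out through A: restore A:25 as the source,
        so the client sees the answer come from the address it connected to."""
        if (pkt.src, pkt.sport) == self.target and (pkt.dst, pkt.dport) in self.sessions:
            return replace(pkt, src=self.alias[0], sport=self.alias[1])
        return pkt


def fwd_only():
    """John's setup: 'fwd machineB tcp from any to any 25' on A, nothing on B."""
    _, pkt = ipfw_fwd(Packet(CLIENT, 40000, A, 25), B)
    return pkt.dst, ip_input({B}, pkt)


def fwd_both_ends():
    """Julian's variant: B also runs 'fwd 127.0.0.1 tcp from any to A 25 in'."""
    _, pkt = ipfw_fwd(Packet(CLIENT, 40000, A, 25), B)
    return ip_input({B}, pkt, capture=lambda p: p.dst == A and p.dport == 25)


def natd_redirect():
    """Erik's suggestion: natd rewrites both directions, so B sees its own
    address on the SYN and the client sees A's on the SYN/ACK."""
    nat = Natd(A, 25, B, 25)
    syn = nat.inbound(Packet(CLIENT, 40000, A, 25))
    verdict = ip_input({B}, syn)
    synack = nat.outbound(Packet(B, 25, CLIENT, 40000))
    return verdict, (syn.dst, syn.dport), (synack.src, synack.sport)


if __name__ == "__main__":
    print("fwd on A only:     ", fwd_only())
    print("fwd on A and B:    ", fwd_both_ends())
    print("natd redirect_port:", natd_redirect())
```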
From owner-freebsd-net@FreeBSD.ORG Wed Nov 3 22:18:29 2004
Date: Wed, 3 Nov 2004 22:18:29 +0000
From: "Christian S.J. Peron"
To: ipfw@freebsd.org
cc: current@freebsd.org
cc: net@freebsd.org
Subject: [PATCH] testers wanted
Message-ID: <20041103221829.GA60132@freefall.freebsd.org>

I have generated a patch which appears to solve the lock ordering issues
associated with ucred based filtering which results in hard locks (while
mpsafenet=1). This patch basically implements a shared locking mechanism.

http://people.freebsd.org/~csjp/ip_fw2.c.1099500281.diff

It would be appreciated if interested parties could download it, load a
large number of rules and try to manipulate (delete/add) rules under high
loads.

Thanks!

--
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 11:53:55 2004
Date: Wed, 03 Nov 2004 18:51:57 +0700
From: Muhammad Reza
To: FreeBSD Questions, freebsd-net@freebsd.org
Subject: Multiple default gateway
Message-ID: <4188C65D.4020005@mra.co.id>

Dear All,

Is there any (future) release of FreeBSD concerned with multiple default
gateways? Suppose I want to have load balancing and round-robin
connections in my FreeBSD firewall without a routing daemon.

regards
reza

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 12:14:36 2004
Date: Thu, 04 Nov 2004 21:14:34 +0900 (JST)
Message-Id: <20041104.211434.74715204.ishizuka@ish.org>
To: freebsd-questions@freebsd.org, freebsd-net@freebsd.org
From: Masachika ISHIZUKA
In-Reply-To: <4188C65D.4020005@mra.co.id>
References: <4188C65D.4020005@mra.co.id>
Subject: Re: Multiple default gateway

> Is there any (future) release of FreeBSD concerned with multiple default
> gateways?
> Suppose I want to have load balancing and round-robin connections in my
> FreeBSD firewall without a routing daemon.

It can be done using ipfw, if you want to use only IPv4. An example is
shown below. (Although it is not round robin connections.)

# route add default GW1
# ipfw add prob 0.5 fwd GW2 ip from any to any out
# ipfw add allow ip from any to any

--
ishizuka@ish.org

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 12:16:03 2004
Date: Thu, 4 Nov 2004 13:16:02 +0100
From: Guido van Rooij
To: freebsd-net@freebsd.org
Subject: dummynet setting ifp pointer in mbuf?
Message-ID: <20041104121602.GA89896@gvr.gvr.org>

I am having problems combining ipf's ipnat rules with dummynet. The
reason is that if I use dummynet queues configured to be used outbound
(queue .... out xmit if), then ipnat starts applying rewriting of RDR
rules on the wrong interface.

e.g.:
firewall has 2 interfaces: if0 and if1
if I say:
    rdr from any to 1.2.3.4 port 22 -> 2.2.3.4 port 2222
then ipfilter should rewrite incoming packets on if0 (and outgoing
packets as well).
With a dummynet rule like
    queue 2 tcp from any 22 to any out xmit if0
ipf starts rewriting on if1, which leads to blocked packets as the
rewritten packet does not match the state entry for the connection.

When looking in the dummynet source I see (rev 1.75, line 1190):
    pkt->ifp = fwa->oif;
So it seems the queued packet's interface is set to the outgoing
interface. But according to me, that is wrong.

Can a dummynet expert verify if my analysis is correct or come up
with a real explanation if not?

-Guido

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 14:01:59 2004
Date: Thu, 4 Nov 2004 15:02:17 +0100
From: Jeremie Le Hen
To: Guido van Rooij
cc: freebsd-net@freebsd.org
Subject: Re: dummynet setting ifp pointer in mbuf?
Message-ID: <20041104140217.GS10641@sitadelle.com>
In-Reply-To: <20041104121602.GA89896@gvr.gvr.org>
References: <20041104121602.GA89896@gvr.gvr.org>

Hi Guido,

this is a known problem on RELENG_4, there is an existing patch [1] for
this in the PR database.

Which version of FreeBSD are you using? I don't know if this problem
has been corrected in RELENG_5.

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/61685

Regards,
Jeremie

On Thu, Nov 04, 2004 at 01:16:02PM +0100, Guido van Rooij wrote:
>
> I am having problems combining ipf's ipnat rules with dummynet. The
> reason is that if I use dummynet queues configured to be used outbound
> (queue .... out xmit if), then ipnat starts applying rewriting of RDR
> rules on the wrong interface.
>
> e.g.:
> firewall has 2 interfaces: if0 and if1
> if I say:
>     rdr from any to 1.2.3.4 port 22 -> 2.2.3.4 port 2222
> then ipfilter should rewrite incoming packets on if0 (and outgoing
> packets as well).
> With a dummynet rule like
>     queue 2 tcp from any 22 to any out xmit if0
> ipf starts rewriting on if1, which leads to blocked packets as the
> rewritten packet does not match the state entry for the connection.
>
> When looking in the dummynet source I see (rev 1.75, line 1190):
>     pkt->ifp = fwa->oif;
> So it seems the queued packet's interface is set to the outgoing
> interface. But according to me, that is wrong.
>
> Can a dummynet expert verify if my analysis is correct or come up
> with a real explanation if not?
>
> -Guido

--
Jeremie Le Hen
jeremie@le-hen.org

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 14:08:24 2004
Date: Thu, 04 Nov 2004 15:08:30 +0100
From: Andre Oppermann
To: Guido van Rooij
cc: freebsd-net@freebsd.org
Subject: Re: dummynet setting ifp pointer in mbuf?
Message-ID: <418A37DE.694C18AA@networx.ch>
References: <20041104121602.GA89896@gvr.gvr.org>

Guido van Rooij wrote:
>
> I am having problems combining ipf's ipnat rules with dummynet. The
> reason is that if I use dummynet queues configured to be used outbound
> (queue .... out xmit if), then ipnat starts applying rewriting of RDR
> rules on the wrong interface.
>
> e.g.:
> firewall has 2 interfaces: if0 and if1
> if I say:
>     rdr from any to 1.2.3.4 port 22 -> 2.2.3.4 port 2222
> then ipfilter should rewrite incoming packets on if0 (and outgoing
> packets as well).
> With a dummynet rule like
>     queue 2 tcp from any 22 to any out xmit if0
> ipf starts rewriting on if1, which leads to blocked packets as the
> rewritten packet does not match the state entry for the connection.
>
> When looking in the dummynet source I see (rev 1.75, line 1190):
>     pkt->ifp = fwa->oif;
> So it seems the queued packet's interface is set to the outgoing
> interface. But according to me, that is wrong.
>
> Can a dummynet expert verify if my analysis is correct or come up
> with a real explanation if not?

Which version of FreeBSD do you run? Rev 1.75 of ip_dummynet.c is
relatively old.

The problem you are having is not that dummynet is saving the ifp (it
needs that for bridged packets) but that it is using it for IP packets.
I've fixed it in 1.83 of ip_dummynet.c together with the pfil_hooks move
of ipfw2.

--
Andre

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 14:12:48 2004
Date: Thu, 04 Nov 2004 15:12:54 +0100
From: Andre Oppermann
To: Jeremie Le Hen
cc: freebsd-net@freebsd.org
Subject: Re: dummynet setting ifp pointer in mbuf?
Message-ID: <418A38E6.9D3DCD7E@networx.ch>
References: <20041104121602.GA89896@gvr.gvr.org> <20041104140217.GS10641@sitadelle.com>

Jeremie Le Hen wrote:
>
> Hi Guido,
>
> this is a known problem on RELENG_4, there is an existing patch [1] for
> this in the PR database.
>
> Which version of FreeBSD are you using? I don't know if this problem
> has been corrected in RELENG_5.

Yes, I have fixed it together with the ipfw to pfil changes in -current
and RELENG_5.

> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/61685

Took it over. However I'm not sure if it is the right fix and whether we
are going to fix it in RELENG_4. You'll get an update through GNATS once
I've made up my mind.

--
Andre

> Regards,
> Jeremie
>
> On Thu, Nov 04, 2004 at 01:16:02PM +0100, Guido van Rooij wrote:
> >
> > I am having problems combining ipf's ipnat rules with dummynet. The
> > reason is that if I use dummynet queues configured to be used outbound
> > (queue .... out xmit if), then ipnat starts applying rewriting of RDR
> > rules on the wrong interface.
> >
> > e.g.:
> > firewall has 2 interfaces: if0 and if1
> > if I say:
> >     rdr from any to 1.2.3.4 port 22 -> 2.2.3.4 port 2222
> > then ipfilter should rewrite incoming packets on if0 (and outgoing
> > packets as well).
> > With a dummynet rule like
> >     queue 2 tcp from any 22 to any out xmit if0
> > ipf starts rewriting on if1, which leads to blocked packets as the
> > rewritten packet does not match the state entry for the connection.
> >
> > When looking in the dummynet source I see (rev 1.75, line 1190):
> >     pkt->ifp = fwa->oif;
> > So it seems the queued packet's interface is set to the outgoing
> > interface. But according to me, that is wrong.
> >
> > Can a dummynet expert verify if my analysis is correct or come up
> > with a real explanation if not?
> >
> > -Guido
> --
> Jeremie Le Hen
> jeremie@le-hen.org

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 15:07:41 2004
Date: Thu, 4 Nov 2004 16:07:40 +0100
From: Guido van Rooij
To: Jeremie Le Hen
cc: freebsd-net@freebsd.org
Subject: Re: dummynet setting ifp pointer in mbuf?
Message-ID: <20041104150740.GA92017@gvr.gvr.org>
In-Reply-To: <20041104140217.GS10641@sitadelle.com>
References: <20041104121602.GA89896@gvr.gvr.org> <20041104140217.GS10641@sitadelle.com>

On Thu, Nov 04, 2004 at 03:02:17PM +0100, Jeremie Le Hen wrote:
> Hi Guido,
>
> this is a known problem on RELENG_4, there is an existing patch [1] for
> this in the PR database.
>
> Which version of FreeBSD are you using? I don't know if this problem
> has been corrected in RELENG_5.

It's 5.2.1-RELEASE-p8

-Guido

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 15:09:30 2004
Date: Thu, 4 Nov 2004 16:09:29 +0100
From: Guido van Rooij
To: Andre Oppermann
cc: freebsd-net@freebsd.org
Subject: Re: dummynet setting ifp pointer in mbuf?
Message-ID: <20041104150929.GB92017@gvr.gvr.org>
In-Reply-To: <418A37DE.694C18AA@networx.ch>
References: <20041104121602.GA89896@gvr.gvr.org> <418A37DE.694C18AA@networx.ch>

On Thu, Nov 04, 2004 at 03:08:30PM +0100, Andre Oppermann wrote:
> Which version of FreeBSD do you run? Rev 1.75 of ip_dummynet.c is
> relatively old.

5.2.1-RELEASE-p8

> The problem you are having is not that dummynet is saving the ifp (it
> needs that for bridged packets) but that it is using it for IP packets.
> I've fixed it in 1.83 of ip_dummynet.c together with pfil_hooks move
> of ipfw2.

Thanks. We'll try it!

-Guido

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 15:10:14 2004
Date: Thu, 04 Nov 2004 16:10:20 +0100
From: Andre Oppermann
To: Guido van Rooij
References: <20041104121602.GA89896@gvr.gvr.org> <20041104150740.GA92017@gvr.gvr.org>
cc: freebsd-net@freebsd.org
cc: Jeremie Le Hen
Subject: Re: dummynet setting ifp pointer in mbuf?

Guido van Rooij wrote:
>
> On Thu, Nov 04, 2004 at 03:02:17PM +0100, Jeremie Le Hen wrote:
> > Hi Guido,
> >
> > this is a known problem on RELENG_4, there is an existing patch [1] for
> > this in the PR database.
> >
> > Which version of FreeBSD are you using ? I don't know if this problem
> > has been corrected in RELENG_5.
>
> It's 5.2.1-RELEASE-p8

You'll have to upgrade to 5.3RC2 or 5.3R once it is out.

--
Andre

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 16:15:23 2004
Date: Thu, 4 Nov 2004 17:15:21 +0100
From: Jeremie Le Hen
To: Aaron Nichols
Message-ID: <20041104161521.GB1485@sitadelle.com>
References: <62721446609.20041028214724@star-sw.com> <20041029141411.GE10641@sitadelle.com> <20041102124027.GH10641@sitadelle.com>
cc: freebsd-net@freebsd.org
Subject: Re: Problems with NAT on gif interface for VPN

> If anyone is interested in the full details of this setup please let
> me know and I can provide them. The majority of tweaking had to do
> with getting the right kernel setup though - after which things worked
> mostly as expected.
>
> Thanks again for everyone's help.

Yes, it would be very interesting for the archives. Would you please
post the configuration steps?

Regards,
--
Jeremie Le Hen
jeremie@le-hen.org

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 17:53:16 2004
Message-ID: <418A6FDC.5010204@xiphos.ca>
Date: Thu, 04 Nov 2004 13:07:24 -0500
From: Karim Fodil-Lemelin
To: mallman@icir.org
References: <20041022182430.31A2B1EF3BF@lawyers.icir.org>
In-Reply-To: <20041022182430.31A2B1EF3BF@lawyers.icir.org>
cc: freebsd-net@freebsd.org
cc: Andre Oppermann
cc: freebsd-arch@freebsd.org
Subject: Re: Removing T/TCP and replacing it with something simpler

Hi,

I am jumping in here, was too busy to read the list for the last 2
weeks, so please excuse my intrusion. We are using T/TCP in our product
line and are very happy with the performance gain. Could you tell me
what is the rationale for removing T/TCP (security/performance/code
complexity, etc.) from FreeBSD?

Again, sorry for being a bit off topic here.

Mark Allman wrote:
>> A T/TCP alternative as you are describing sounds very
>> similar to PR-SCTP (Partial Reliability SCTP). (Don't let the
>> name fool you, please read the internet draft).
>
> Can you sketch this in a bit more detail? I do not follow. PR-SCTP is
> about being allowed to "abandon" data --- i.e., send it and then decide
> that you don't really care if it gets across the network (say, because
> it got lost and has taken too long to retransmit and so the data is out
> of date). Without a Big Hack, I cannot envision TCP doing something
> like this. What am I missing?
>
> Thanks,
> allman
>
> --
> Mark Allman -- ICIR -- http://www.icir.org/mallman/

--
Karim Fodil-Lemelin
Lead Programmer
Xiphos Technologies Inc.
www.xiplink.com

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 18:50:25 2004
Message-ID: <418A79F7.15B7CDB9@freebsd.org>
Date: Thu, 04 Nov 2004 19:50:31 +0100
From: Andre Oppermann
To: Karim Fodil-Lemelin
References: <20041022182430.31A2B1EF3BF@lawyers.icir.org> <418A6FDC.5010204@xiphos.ca>
cc: freebsd-net@freebsd.org
cc: freebsd-arch@freebsd.org
cc: mallman@icir.org
Subject: Re: Removing T/TCP and replacing it with something simpler

Karim Fodil-Lemelin wrote:
>
> Hi,
>
> I am jumping in here, was too busy to read the list for the last 2
> weeks, so please excuse my intrusion. We are using T/TCP in our product
> line and are very happy with the performance gain. Could you tell me
> what is the rationale for removing T/TCP (security/performance/code
> complexity, etc.) from FreeBSD?

Have a look at the rationale here (and the followup discussion):

 http://docs.freebsd.org/cgi/mid.cgi?4177C8AD.6060706

And also note that T/TCP was removed only from FreeBSD 6-current. It is
still in 4.x and 5.x releases and will not be removed from them.

A more secure and much less (code-) intrusive replacement for T/TCP is
in the works by me. I'll have code ready soon and it'll be in FreeBSD
6-current probably before Christmas along with a proper RFC draft
submitted to the IETF TCPM WG.
--
Andre

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 20:43:44 2004
Date: Thu, 4 Nov 2004 12:44:18 -0800
From: Brooks Davis
To: Jeremie Le Hen
Message-ID: <20041104204418.GB28789@odin.ac.hmc.edu>
References: <62721446609.20041028214724@star-sw.com> <20041029141411.GE10641@sitadelle.com> <20041102124027.GH10641@sitadelle.com>
In-Reply-To: <20041102124027.GH10641@sitadelle.com>
cc: freebsd-net@freebsd.org
cc: Aaron Nichols
Subject: Re: Problems with NAT on gif interface for VPN

On Tue, Nov 02, 2004 at 01:40:27PM +0100, Jeremie Le Hen wrote:
> > Yep, that seems to be exactly what I need. I don't suppose there are
> > any plans to implement something similar in FreeBSD anytime soon?
> > Considering I'm so close to getting this to work it's frustrating to
> > think that I would need to migrate to OpenBSD to have this
> > functionality and uproot everything else this server already does
> > (mail, dns, web, etc).
>
> Considering if_enc.c from OpenBSD's HEAD (see URLs at the bottom), it
> does not seem to be difficult to port to FreeBSD, but since I'm not a
> kernel guru at all, there may be some issues I don't even suspect.
>
> I'm conscious that making it compliant with FreeBSD's SMP should require a
> little amount of work, but it could be marked with the IFF_NEEDSGIANT
> flag for a first step.
> Is there any reason why we would not need nor
> want this in FreeBSD ?

I think the KAME people had some sort of objection to one of its
features, but as long as it's not running by default I can't see how it
matters. I don't think we should allow new drivers with IFF_NEEDSGIANT
into the tree.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 20:52:41 2004
Message-ID: <418A9699.6050603@elischer.org>
Date: Thu, 04 Nov 2004 12:52:41 -0800
From: Julian Elischer
To: Karim Fodil-Lemelin
References: <20041022182430.31A2B1EF3BF@lawyers.icir.org> <418A6FDC.5010204@xiphos.ca>
In-Reply-To: <418A6FDC.5010204@xiphos.ca>
cc: freebsd-net@freebsd.org
cc: freebsd-arch@freebsd.org
cc: Andre Oppermann
cc: mallman@icir.org
Subject: Re: Removing T/TCP and replacing it with something simpler

Karim Fodil-Lemelin wrote:
> Hi,
>
> I am jumping in here, was too busy to read the list for the last 2
> weeks, so please excuse my intrusion. We are using T/TCP in our
> product line and are very happy with the performance gain. Could you
> tell me what is the rationale for removing T/TCP
> (security/performance/code complexity, etc.) from FreeBSD?
>
> Again, sorry for being a bit off topic here.

what a pity you didn't notice while it was under discussion: :-(

We couldn't find anyone using it...

what is your product?

From owner-freebsd-net@FreeBSD.ORG Thu Nov 4 20:58:40 2004
From: "Matt Sealey"
To: "Julian Elischer", "Karim Fodil-Lemelin"
Date: Thu, 4 Nov 2004 20:58:19 -0000
Message-ID:
In-Reply-To: <418A9699.6050603@elischer.org>
cc: freebsd-net@freebsd.org
cc: mallman@icir.org
cc: Andre Oppermann
cc: freebsd-arch@freebsd.org
Subject: RE: Removing T/TCP and replacing it with something simpler

His product looks like it's the product mentioned in the original post by
the original poster;

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=284774+0+/usr/local/www/db/text/2004/freebsd-net/20041024.freebsd-net

QUOTE:

However something like T/TCP is certainly useful and I know of one special
purpose application using it (Web Proxy Server/Client for high-delay Satellite
connections).

As long as they can live with FreeBSD 5.3 I don't think it causes a problem
whatsoever does it?

--
Matt Sealey
Genesi, Manager, Developer Relations

> -----Original Message-----
> From: owner-freebsd-net@freebsd.org
> [mailto:owner-freebsd-net@freebsd.org]On Behalf Of Julian Elischer
> Sent: 04 November 2004 20:53
> To: Karim Fodil-Lemelin
> Cc: freebsd-net@freebsd.org; freebsd-arch@freebsd.org; Andre Oppermann;
> mallman@icir.org
> Subject: Re: Removing T/TCP and replacing it with something simpler
>
> Karim Fodil-Lemelin wrote:
>
> > Hi,
> >
> > I am jumping in here, was too busy to read the list for the last 2
> > weeks, so please excuse my intrusion. We are using T/TCP in our
> > product line and are very happy with the performance gain. Could you
> > tell me what is the rationale for removing T/TCP
> > (security/performance/code complexity, etc.) from FreeBSD?
> >
> > Again, sorry for being a bit off topic here.
>
> what a pity you didn't notice while it was under discussion: :-(
>
> We couldn't find anyone using it...
>
> what is your product?

From owner-freebsd-net@FreeBSD.ORG Fri Nov 5 01:08:47 2004
Message-ID: <418AD298.4090401@jaist.ac.jp>
Date: Fri, 05 Nov 2004 10:08:40 +0900
From: Saber Zrelli
Cc: freebsd-net@freebsd.org
References: <20041103003630.GA51913@mind.net> <20041103011615.GA68454@falcon.midgard.homeip.net> <41892D72.10203@elischer.org>
In-Reply-To: <41892D72.10203@elischer.org>
Subject: Re: Simple port forwarding question

Julian Elischer wrote:
>
> Erik Trulsson wrote:
>
>> On Tue, Nov 02, 2004 at 04:36:30PM -0800, John Fox wrote:
>>
>>> Hi, folks.
>>>
>>> I'm experimenting, trying to setup a situation where connections to
>>> port 25 on machine A are forwarded to port 25 on machine B.
>>> I've read the ipfw manpage and it looks as though what I'm doing
>>> is correct.
>>>
>>> The IPFW rules on machine A are:
>>> 00100 fwd machineB tcp from any to any 25
>>> 65535 allow ip from any to any
>>>
>>> And there is a sendmail listening on B's port 25.
>>>
>>> But when I telnet to machine A's port 25, all I get is
>>> a perpetual "Trying" message that just sits there.
>>
>> Don't use "fwd" for this - it doesn't work that way (for one thing B is
>> unlikely to handle an IP-packet that is still addressed to A.)
>>
>> Use natd and the '-redirect_port' option to natd instead - that works.
>
> you can use ipfw fwd IF you also run it on the target machine to
> "capture/accept" the foreign packet.
> Otherwise the packet will be forwarded back to its stated
> destination (or dropped).
You may also try using ssh port forwarding; simple command:

  ssh2 -L 1234:localhost:23 username@host

all traffic coming to port 1234 on the client will be forwarded to port 23
on the server (host). Note that localhost will be resolved by the sshd
server after the connection is established. In this case localhost
therefore refers to the server (host) itself.

From owner-freebsd-net@FreeBSD.ORG Fri Nov 5 13:51:20 2004
From: "Matt Sealey"
To:
Date: Fri, 5 Nov 2004 13:51:23 -0000
Message-ID:
Subject: Resetting thresholds etc. on network interfaces

xl0: transmission error: 90
xl0: tx underrun, increasing tx start threshold to 120 bytes
xl0: watchdog timeout
xl0: transmission error: 90
xl0: tx underrun, increasing tx start threshold to 120 bytes

How do I reset things like this (and the anti-flood protection too)?

--
Matt Sealey
Genesi, Manager, Developer Relations

From owner-freebsd-net@FreeBSD.ORG Fri Nov 5 16:08:43 2004
Message-ID: <418BA8DC.4040101@xiphos.ca>
Date: Fri, 05 Nov 2004 11:22:52 -0500
From: Karim Fodil-Lemelin
To: Julian Elischer
References: <20041022182430.31A2B1EF3BF@lawyers.icir.org> <418A6FDC.5010204@xiphos.ca> <418A9699.6050603@elischer.org>
In-Reply-To: <418A9699.6050603@elischer.org>
cc: freebsd-net@freebsd.org
cc: freebsd-arch@freebsd.org
cc: Andre Oppermann
cc: mallman@icir.org
Subject: Re: Removing T/TCP and replacing it with something simpler

Our product is a TCP/IP accelerator for satellite communications, please
see http://www.xiplink.com/technology/xiplink_technology-datasheet.html.
Also, please see http://www.scps.org/scps/ for an explanation of our
Transport layer implementation.

BTW, the marketing dept. has renamed T/TCP to fast start and we actually
made some modifications to FreeBSD's T/TCP but the RFC 1644 principles
are the same.

Julian Elischer wrote:
>
> Karim Fodil-Lemelin wrote:
>
>> Hi,
>>
>> I am jumping in here, was too busy to read the list for the last 2
>> weeks, so please excuse my intrusion. We are using T/TCP in our
>> product line and are very happy with the performance gain. Could you
>> tell me what is the rationale for removing T/TCP
>> (security/performance/code complexity, etc.) from FreeBSD?
>>
>> Again, sorry for being a bit off topic here.
>
> what a pity you didn't notice while it was under discussion: :-(

Yes, it is, although we are very flexible and so a replacement might be
as good if not better than what we have now. Especially from a code and
security perspective.
We have always appreciated the BSD engineering process and I believe that
until we get to see FreeBSD 6.x STABLE we will be more than ready.

> We couldn't find anyone using it...
>
> what is your product?

--
Karim Fodil-Lemelin
Lead Programmer

Xiphos Technologies Inc.
(514) 848-9640 x223
(514) 848-9644 fax
www.xiplink.com

--------------------------------------------------------------
The information transmitted is intended only for the
person or entity to which it is addressed and may contain
confidential and/or privileged material. If you have
received this in error, please contact the sender and delete
this communication and any copy immediately. Thank you.

From owner-freebsd-net@FreeBSD.ORG Fri Nov 5 16:39:22 2004
Message-ID: <418BB008.6040907@xiphos.ca>
Date: Fri, 05 Nov 2004 11:53:28 -0500
From: Karim Fodil-Lemelin
To: Matt Sealey
References:
In-Reply-To:
cc: freebsd-net@freebsd.org
cc: mallman@icir.org
cc: Andre Oppermann
cc: Julian Elischer
cc: freebsd-arch@freebsd.org
Subject: Re: Removing T/TCP and replacing it with something simpler

Now, I have a question. In our application which can be described as:

Client ----> (Client Gateway) -------> SATLINK ------> (Server Gateway) -----> Internet

We act as the Internet servers (transparent proxies) and therefore T/TCP
traffic is only sent over the SATLINK. In the current T/TCP
implementation the sender has to send a ccnew option to discover that
the server side supports T/TCP. Now we had to modify this so the
gateways use the knowledge that they work together and they don't need
to send a ccnew option every time a client makes a connection to a new
server.

My question is: in the new implementation, will the cookie be
generated per machine or, like the TAO mechanism, will it be based on a
src/dst tuple?

Regards.

Matt Sealey wrote:
> His product looks like it's the product mentioned in the original post by
> the original poster;
>
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=284774+0+/usr/local/www/db/text/2004/freebsd-net/20041024.freebsd-net
>
> QUOTE:
>
> However something like T/TCP is certainly useful and I know of one special
> purpose application using it (Web Proxy Server/Client for high-delay Satellite
> connections).
>
> As long as they can live with FreeBSD 5.3 I don't think it causes a problem
> whatsoever does it?
Right, actually we are based on FBSD 4.9 and we are planning to port to
5.3 as soon as it gets stable, which could be anytime soon ;).

--
Karim Fodil-Lemelin
Lead Programmer

Xiphos Technologies Inc.
(514) 848-9640 x223
(514) 848-9644 fax
www.xiplink.com

From owner-freebsd-net@FreeBSD.ORG Fri Nov 5 16:46:07 2004
Message-ID: <418BAE54.72E4208F@freebsd.org>
Date: Fri, 05 Nov 2004 17:46:12 +0100
From: Andre Oppermann
To: Karim Fodil-Lemelin
References: <418BB008.6040907@xiphos.ca>
cc: freebsd-net@freebsd.org
cc: Matt Sealey
cc: mallman@icir.org
cc: Julian Elischer
cc: freebsd-arch@freebsd.org
Subject: Re: Removing T/TCP and replacing it with something simpler

Karim Fodil-Lemelin wrote:
>
> Now,
>
> I have a question. In our application which can be described as:
>
> Client ----> (Client Gateway) -------> SATLINK ------> (Server Gateway)
> -----> Internet
>
> We act as the Internet servers (transparent proxies) and therefore T/TCP
> traffic is only sent over the SATLINK. In the current T/TCP
> implementation the sender has to send a ccnew option to discover that
> the server side supports T/TCP. Now we had to modify this so the
> gateways use the knowledge that they work together and they don't need
> to send a ccnew option every time a client makes a connection to a new
> server.
>
> My question is: in the new implementation, will the cookie be
> generated per machine or, like the TAO mechanism, will it be based on a
> src/dst tuple?

The new cookie system will use the src-host/dst-host tuple. The first
tcp connection between two hosts (port numbers are irrelevant) is a
normal three-way handshake and the cookie is exchanged. From then on
it skips over 3WHS on the server if the cookie matches.

--
Andre

> Regards.
>
> Matt Sealey wrote:
> > His product looks like it's the product mentioned in the original post by
> > the original poster;
> >
> > http://docs.freebsd.org/cgi/getmsg.cgi?fetch=284774+0+/usr/local/www/db/text/2004/freebsd-net/20041024.freebsd-net
> >
> > QUOTE:
> >
> > However something like T/TCP is certainly useful and I know of one special
> > purpose application using it (Web Proxy Server/Client for high-delay Satellite
> > connections).
> >
> > As long as they can live with FreeBSD 5.3 I don't think it causes a problem
> > whatsoever does it?
>
> Right, actually we are based on FBSD 4.9 and we are planning to port to
> 5.3 as soon as it gets stable, which could be anytime soon ;).
>
> --
> Karim Fodil-Lemelin
> Lead Programmer
>
> Xiphos Technologies Inc.
> (514) 848-9640 x223
> (514) 848-9644 fax
> www.xiplink.com

From owner-freebsd-net@FreeBSD.ORG Fri Nov 5 17:12:17 2004
Message-ID: <418BB7BC.3010305@xiphos.ca>
Date: Fri, 05 Nov 2004 12:26:20 -0500
From: Karim Fodil-Lemelin User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Andre Oppermann References: <418BB008.6040907@xiphos.ca> <418BAE54.72E4208F@freebsd.org> In-Reply-To: <418BAE54.72E4208F@freebsd.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org cc: Matt Sealey cc: mallman@icir.org cc: Julian Elischer cc: freebsd-arch@freebsd.org Subject: Re: Removing T/TCP and replacing it with something simpler X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Nov 2004 17:12:17 -0000

In the case where all connections go through the SATLINK and are
split by proxies, it makes sense to use this knowledge and not
renegotiate cookies for every connection, since we know there is only
one path to the internet and that all SATLINK connections will support
(T/TCP or whatever name it will have). Do you have any plan to include
that knowledge in your design or is it too much of a special case to
really care?

Andre Oppermann wrote:

>Karim Fodil-Lemelin wrote:
>
>>Now,
>>
>> I have a question. In our application which can be described as:
>>
>>Client ----> (Client Gateway) -------> SATLINK ------> (Server Gateway)
>>-----> Internet
>>
>>We act as the Internet servers (transparent proxies) and therefore T/TCP
>>traffic is only sent over the SATLINK. In the current T/TCP
>>implementation the sender has to send a ccnew option to discover that
>>the server side supports T/TCP. Now we had to modify this so the
>>gateways use the knowledge that they work together and they don't need
>>to send a ccnew option every time a client makes a connection to a new
>>server.
>> >>My question is: In the new implementation does the cookie will be >>generated per machine or like the tao mecanism will it be based on a src >>/ dst tuple? >> >> > >The new cookie system will use the src-host/dst-host tuple. The first >tcp connection between two hosts (port numbers are irrelevant) is a >normal three-way handshake and the cookie is exchanged. From then on >it skips over 3WHS on the server if the cookie matches. > > > -- Karim Fodil-Lemelin Lead Programmer Xiphos Technologies Inc. (514) 848-9640 x223 (514) 848-9644 fax www.xiplink.com -------------------------------------------------------------- The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this communication and any copy immediately. Thank you. From owner-freebsd-net@FreeBSD.ORG Fri Nov 5 17:31:47 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D59BF16A4CF for ; Fri, 5 Nov 2004 17:31:47 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 08C4143D58 for ; Fri, 5 Nov 2004 17:31:47 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 8018 invoked from network); 5 Nov 2004 17:27:40 -0000 Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 5 Nov 2004 17:27:40 -0000 Message-ID: <418BB909.501CC9FD@freebsd.org> Date: Fri, 05 Nov 2004 18:31:53 +0100 
From: Andre Oppermann X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Karim Fodil-Lemelin References: <418BB008.6040907@xiphos.ca> <418BAE54.72E4208F@freebsd.org> <418BB7BC.3010305@xiphos.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org cc: Matt Sealey cc: mallman@icir.org cc: Julian Elischer cc: freebsd-arch@freebsd.org Subject: Re: Removing T/TCP and replacing it with something simpler X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Nov 2004 17:31:48 -0000 Karim Fodil-Lemelin wrote: > > In the case where all connections go through the SATLINK and are > splitted by proxies, it make sense to use this knowledge and not > renegotiate cookies for every connections since we know there is only > one path to the internet and that all SATLINK connections will support > (T/TCP or whatever name it will have). Do you have any plan to include > that knowledge in your design or is it too much of a special case to > really care? It does not renegotiate cookies for every connection. Only the first connection will do that. Re-seeding of the cookies will happen trans- parently. You pay the 3WSH tax only once for the first connection, or the first connection after a longer idle time when the cookie expired. -- Andre > Andre Oppermann wrote: > > >Karim Fodil-Lemelin wrote: > > > > > >>Now, > >> > >> I have a question. In our application which can be described as: > >> > >>Client ----> (Client Gateway) -------> SATLINK ------> (Server Gateway) > >>-----> Internet > >> > >>We act as the Internet servers (transparent proxies) and therefore T/TCP > >>traffic is only sent over the SATLINK. 
In the current T/TCP > >>implementation the sender has to send a ccnew option to discover that > >>the server side supports T/TCP. Now we had to modify this so the > >>gateways uses the knowledge that they work together and they don't need > >>to send a ccnew option everytime a client makes a connection to a new > >>server. > >> > >>My question is: In the new implementation does the cookie will be > >>generated per machine or like the tao mecanism will it be based on a src > >>/ dst tuple? > >> > >> > > > >The new cookie system will use the src-host/dst-host tuple. The first > >tcp connection between two hosts (port numbers are irrelevant) is a > >normal three-way handshake and the cookie is exchanged. From then on > >it skips over 3WHS on the server if the cookie matches. > > > > > > > > -- > Karim Fodil-Lemelin > Lead Programmer > > Xiphos Technologies Inc. > (514) 848-9640 x223 > (514) 848-9644 fax > www.xiplink.com > > -------------------------------------------------------------- > The information transmitted is intended only for the > person or entity to which it is addressed and may contain > confidential and/or privileged material. If you have > received this in error, please contact the sender and delete > this communication and any copy immediately. Thank you. From owner-freebsd-net@FreeBSD.ORG Fri Nov 5 21:46:06 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F87916A4CE; Fri, 5 Nov 2004 21:46:06 +0000 (GMT) Received: from mail.net (custpop.ca.mci.com [142.77.1.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id A0FCE43D58; Fri, 5 Nov 2004 21:46:05 +0000 (GMT) (envelope-from kfl@xiphos.ca) Received: from [216.95.199.148] (account kfl@xiphos.ca HELO [192.168.1.7]) by mail.net (CommuniGate Pro SMTP 4.2.5) with ESMTP id 26469084; Fri, 05 Nov 2004 16:46:04 -0500 Message-ID: <418BF7EA.2020404@xiphos.ca> Date: Fri, 05 Nov 2004 17:00:10 -0500 
From: Karim Fodil-Lemelin User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Andre Oppermann References: <418BB008.6040907@xiphos.ca> <418BAE54.72E4208F@freebsd.org> <418BB7BC.3010305@xiphos.ca> <418BB909.501CC9FD@freebsd.org> In-Reply-To: <418BB909.501CC9FD@freebsd.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org cc: Matt Sealey cc: mallman@icir.org cc: Julian Elischer cc: freebsd-arch@freebsd.org Subject: Re: Removing T/TCP and replacing it with something simpler X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Nov 2004 21:46:06 -0000

Ok here is an example, just to make sure I understand:

CLI1 : SERVER1 (first connection, option negotiated, tuple hash created)
CLI1 : SERVER1 (second connection, sending payload in first packet, using previously negotiated cookie)
...
CLI1 : SERVER1 (nth connection, sending payload in first packet, using previously negotiated cookie)

CLI1 : SERVER2 (first connection, option negotiated, tuple created)
CLI1 : SERVER2 (second connection, sending payload in first packet, using previously negotiated cookie)
...
CLI1 : SERVER2 (nth connection, sending payload in first packet, using previously negotiated cookie)
...
CLIX : SERVERY (if first connection create cookie, store tuple. if tuple exists send payload in first packet)

So, each time CL1 goes to a different server it pays the 3WSH tax only
once. This is very much like how T/TCP works right now (besides the cookie
thing).

What I am wondering is how we can avoid as much as possible the
"learning" of the different servers, since I know that CLIs will have to
go through two gateways running transparent proxies that support the
option (T/TCP). But since they are transparent (using forward rules) the
gateways don't talk to each other but to the SERVERs (from an IP standpoint).

For example, if the cookie was per machine and not tuples, you could
have something like this:

step 1:
CLI1 : SERVER1 (first connection, option negotiated, cookie negotiated)
CLI1 : SERVER1 (second connection, sending payload in first packet, using previously negotiated cookie)
...
step 2:
CLI1 : SERVER2 (first connection, option negotiated, get the same machine cookie from "SERVER1" (found a transparent proxy))

(From now on CL1 assumes it's going through a transparent proxy that can
do T/TCP)

CLI1 : SERVER3 (first connection, sending payload in first packet, using previously negotiated machine cookie, validating transparent proxy)

(If the cookie returned by SERVER3 does not match the "machine cookie it
found in SERVER1" then go back to step 1)

This way the protocol would use knowledge that there is a transparent
proxy (found at step 2) that is doing T/TCP on behalf of the SERVERs.

What do you think?

Regards,

Andre Oppermann wrote:

>Karim Fodil-Lemelin wrote:
>
>> In the case where all connections go through the SATLINK and are
>>splitted by proxies, it make sense to use this knowledge and not
>>renegotiate cookies for every connections since we know there is only
>>one path to the internet and that all SATLINK connections will support
>>(T/TCP or whatever name it will have). Do you have any plan to include
>>that knowledge in your design or is it too much of a special case to
>>really care?
>>
>
>It does not renegotiate cookies for every connection. Only the first
>connection will do that. Re-seeding of the cookies will happen trans-
>parently. You pay the 3WSH tax only once for the first connection, or
>the first connection after a longer idle time when the cookie expired.
>

--
Karim Fodil-Lemelin
Lead Programmer

Xiphos Technologies Inc.
(514) 848-9640 x223 (514) 848-9644 fax www.xiplink.com -------------------------------------------------------------- The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this communication and any copy immediately. Thank you. From owner-freebsd-net@FreeBSD.ORG Fri Nov 5 22:17:01 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5C30216A4CE for ; Fri, 5 Nov 2004 22:17:01 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8ABE643D39 for ; Fri, 5 Nov 2004 22:17:00 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 9843 invoked from network); 5 Nov 2004 22:12:51 -0000 Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 5 Nov 2004 22:12:51 -0000 Message-ID: <418BFBDB.827E347B@freebsd.org> Date: Fri, 05 Nov 2004 23:16:59 +0100 
From: Andre Oppermann X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Karim Fodil-Lemelin References: <418BB008.6040907@xiphos.ca> <418BAE54.72E4208F@freebsd.org> <418BB7BC.3010305@xiphos.ca> <418BB909.501CC9FD@freebsd.org> <418BF7EA.2020404@xiphos.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org cc: Matt Sealey cc: mallman@icir.org cc: Julian Elischer cc: freebsd-arch@freebsd.org Subject: Re: Removing T/TCP and replacing it with something simpler X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Nov 2004 22:17:01 -0000 Karim Fodil-Lemelin wrote: > > Ok here is an example, just to make sure I understand: > > CLI1 : SERVER1 (first connection, option negociated, tuple hash > created) > CLI1 : SERVER1 (second connection, sending payload in first packet, > using previously negotiated cookie) > ... > CLI1 : SERVER1 ( nth connection, sending payload in first packet, > using previously negotiated cookie ) > > CLI1 : SERVER2 (first connection, option negociated, tuple created) > CLI1 : SERVER2 (second connection, sending payload in first packet, > using previously negotiated cookie) > ... > CLI1 : SERVER2 ( nth connection, sending payload in first packet, > using previously negotiated cookie ) > ... > CLIX : SERVERY ( if first connection create cookie, store tuple. if > tuple exists send payload in first packet) > > So, each time CL1 goes to a different server it pay the 3WSH tax only > once. This is very alike how T/TCP works right now (beside the cookie > thing). Yes, exactly. Actually the new T/TCP thing works the same as the old one from a functional point of view. What changes is the implementation. 
The original one was quite intrusive to the TCP code and generated many special cases which made it hard to maintain and to put new code in. In addition it CC* stuff is a rather weak and fragile mechanism. That's why we go with cookies this time and there are only a few places where the code has to be aware of it. Much less intrusive and more easy to maintain properly. > What I am wondering is how can we avoid as much as possible the > "learning" of the different servers since I know that CLIs will have to > go through two gateways running transparent proxies that support the > option (T/TCP). But since they are transparent (using forward rules) the > gateway don't talk to each other but to the SERVERs (from an IP standpoint). > > For example, if the cookie was per machine and not tuples, you could > have something like this: > > step 1: > CLI1 : SERVER1 (first connection, option negociated, cookie negotiated) > CLI1 : SERVER1 (second connection, sending payload in first packet, > using previously negotiated cookie) > ... > step2: > CLI1 : SERVER2 (first connection, option negociated, get the same > machine cookie from "SERVER1" (found a transparent proxy)) > > (From now on CL1 assumes its going through a transparent proxy that can > do T/TCP) > > CLI1 : SERVER3 (first connection, sending payload in first packet, > using previously negotiated machine cookie, validating transparent proxy) > > (If the cookie returned by SERVER3 does not match the"machine cookie it > found in SERVER1" then go back to step 1) > > This way the protocol would use knowledge that there is a transparent > proxy (found at step2) that is doing T/TCP on behalf of the SERVERs. > > What do you think? I think that is nice. Sounds like homework for you. 
;-) -- Andre > Regards, > > Andre Oppermann wrote: > > >Karim Fodil-Lemelin wrote: > > > > > >> In the case where all connections go through the SATLINK and are > >>splitted by proxies, it make sense to use this knowledge and not > >>renegotiate cookies for every connections since we know there is only > >>one path to the internet and that all SATLINK connections will support > >>(T/TCP or whatever name it will have). Do you have any plan to include > >>that knowledge in your design or is it too much of a special case to > >>really care? > >> > >> > > > >It does not renegotiate cookies for every connection. Only the first > >connection will do that. Re-seeding of the cookies will happen trans- > >parently. You pay the 3WSH tax only once for the first connection, or > >the first connection after a longer idle time when the cookie expired. > > > > > > > > -- > Karim Fodil-Lemelin > Lead Programmer > > Xiphos Technologies Inc. > (514) 848-9640 x223 > (514) 848-9644 fax > www.xiplink.com > > -------------------------------------------------------------- > The information transmitted is intended only for the > person or entity to which it is addressed and may contain > confidential and/or privileged material. If you have > received this in error, please contact the sender and delete > this communication and any copy immediately. Thank you. 
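The cookie scheme Andre sketches in this thread (keyed on the src-host/dst-host pair, ports irrelevant; one full handshake per pair, then data-in-SYN while the cookie is fresh; re-seeding after a longer idle time), as an added example written for this page, not FreeBSD's implementation or anything from the T/TCP replacement work. The table size, idle limit, the per-host secret and the mixing function are assumptions; the server and client tables live in one program so both ends of the exchange can be walked through.

```c
/*
 * Added example, not FreeBSD code: a toy per-host-pair cookie table in the
 * shape Andre describes.  Key is (src host, dst host); port numbers play no
 * part.  The first connection between two hosts runs the normal 3WHS and is
 * issued a cookie; later SYNs presenting the matching, unexpired cookie are
 * accepted with their data; a cookie unused for COOKIE_IDLE_MAX seconds is
 * re-issued through another handshake.  Table size, idle limit, secret and
 * the mixing function are assumptions made for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define COOKIE_SLOTS    256
#define COOKIE_IDLE_MAX 300u            /* seconds, assumed */

enum syn_verdict {
    SYN_HANDSHAKE,      /* run the full 3WHS; issue (or re-issue) a cookie */
    SYN_ACCEPT_DATA     /* cookie matched: skip the 3WHS, take the SYN's payload */
};

struct cookie_ent {
    bool     valid;
    uint32_t src, dst;      /* host addresses only, no ports */
    uint64_t cookie;
    uint32_t last_used;     /* seconds */
};

static struct cookie_ent server_tab[COOKIE_SLOTS];   /* what the server issued */
static struct cookie_ent client_tab[COOKIE_SLOTS];   /* what the client was handed */
static const uint64_t cookie_secret = 0x9E3779B97F4A7C15ULL;  /* assumed per-host secret */

void cookie_tables_reset(void)
{
    memset(server_tab, 0, sizeof server_tab);
    memset(client_tab, 0, sizeof client_tab);
}

static unsigned cookie_slot(uint32_t src, uint32_t dst)
{
    return ((src * 2654435761u) ^ dst) % COOKIE_SLOTS;
}

/* Mix secret, host pair and issue time into a non-zero 64-bit value
 * (a stand-in mixer, not a claim about what a real implementation uses). */
static uint64_t cookie_make(uint32_t src, uint32_t dst, uint32_t now)
{
    uint64_t x = cookie_secret ^ (((uint64_t)src << 32) | dst) ^ ((uint64_t)now << 17);
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return x ? x : 1;   /* 0 is reserved for "no cookie presented" */
}

/*
 * Server side: a SYN from src to dst presents `presented` (0 if the client
 * has no cookie for this pair).  *issued receives the cookie the server
 * hands back in its SYN-ACK.
 */
enum syn_verdict server_syn(uint32_t src, uint32_t dst, uint64_t presented,
                            uint32_t now, uint64_t *issued)
{
    struct cookie_ent *e = &server_tab[cookie_slot(src, dst)];
    bool known = e->valid && e->src == src && e->dst == dst;
    bool fresh = known && now - e->last_used <= COOKIE_IDLE_MAX;

    if (fresh && presented != 0 && presented == e->cookie) {
        e->last_used = now;
        *issued = e->cookie;
        return SYN_ACCEPT_DATA;
    }
    /* Unknown pair, idle too long, or a cookie that does not match (a guess,
     * a replay after expiry): full handshake, and the entry is (re)seeded. */
    e->valid = true;
    e->src = src;
    e->dst = dst;
    e->cookie = cookie_make(src, dst, now);
    e->last_used = now;
    *issued = e->cookie;
    return SYN_HANDSHAKE;
}

/* Client side: cookie cached for this pair, 0 if none. */
static uint64_t client_lookup(uint32_t src, uint32_t dst)
{
    const struct cookie_ent *e = &client_tab[cookie_slot(src, dst)];
    return (e->valid && e->src == src && e->dst == dst) ? e->cookie : 0;
}

static void client_learn(uint32_t src, uint32_t dst, uint64_t cookie, uint32_t now)
{
    struct cookie_ent *e = &client_tab[cookie_slot(src, dst)];
    e->valid = true;
    e->src = src;
    e->dst = dst;
    e->cookie = cookie;
    e->last_used = now;
}

/* One connection from src to dst at time now, both ends in one call: the
 * client presents what it has cached, the server decides, the client stores
 * whatever cookie comes back. */
enum syn_verdict connect_once(uint32_t src, uint32_t dst, uint32_t now)
{
    uint64_t issued;
    enum syn_verdict v = server_syn(src, dst, client_lookup(src, dst), now, &issued);
    client_learn(src, dst, issued, now);
    return v;
}
```

One property of this toy worth noticing: a SYN that presents a wrong cookie for a known pair causes the entry to be re-seeded, so a spoofed SYN from an attacker using the client's address costs the legitimate client one extra handshake before it is back on the fast path. That is a choice made in the example, not something the thread specifies; an implementation has to decide whether a mismatch re-seeds or merely falls back to the handshake.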
From owner-freebsd-net@FreeBSD.ORG Sat Nov 6 04:31:19 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7CA5F16A4CE for ; Sat, 6 Nov 2004 04:31:19 +0000 (GMT) Received: from hub.org (hub.org [200.46.204.220]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D17843D3F for ; Sat, 6 Nov 2004 04:31:19 +0000 (GMT) (envelope-from scrappy@hub.org) Received: from localhost (unknown [200.46.204.144]) by hub.org (Postfix) with ESMTP id 21D5912AB2B for ; Sat, 6 Nov 2004 00:31:18 -0400 (AST) Received: from hub.org ([200.46.204.220]) by localhost (av.hub.org [200.46.204.144]) (amavisd-new, port 10024) with ESMTP id 65720-03 for ; Sat, 6 Nov 2004 04:31:17 +0000 (GMT) Received: from ganymede.hub.org (blk-222-46-91.eastlink.ca [24.222.46.91]) by hub.org (Postfix) with ESMTP id 9149812A845 for ; Sat, 6 Nov 2004 00:31:17 -0400 (AST) Received: by ganymede.hub.org (Postfix, from userid 1000) id B732D35D98; Sat, 6 Nov 2004 00:31:15 -0400 (AST) Received: from localhost (localhost [127.0.0.1]) by ganymede.hub.org (Postfix) with ESMTP id B638935152 for ; Sat, 6 Nov 2004 00:31:15 -0400 (AST) Date: Sat, 6 Nov 2004 00:31:15 -0400 (AST) 
From: "Marc G. Fournier" To: freebsd-net@freebsd.org Message-ID: <20041106003028.F46679@ganymede.hub.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Virus-Scanned: by amavisd-new at hub.org Subject: "bug" with ifconfig ... ? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Nov 2004 04:31:19 -0000

I just made one of my 4.x remote servers inaccessible and just tested it
on my 5.x laptop, and it does the same thing ... not sure if this is
considered a 'desirable' effect, or a bug ... but ... 'ifconfig -alias'
will wipe out all IPs on the device:

mobile# ifconfig -a
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
rl0: flags=8843 mtu 1500
        options=8
        inet 192.168.0.5 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:0d:88:22:78:e4
        media: Ethernet 10baseT/UTP
        status: active
mobile# ifconfig rl0 -alias
mobile# ifconfig -a
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
rl0: flags=8843 mtu 1500
        options=8
        ether 00:0d:88:22:78:e4
        media: Ethernet 10baseT/UTP
        status: active

I was running a script that happened to pick up a 'zero length' IP (and I
hadn't properly tested for it), so it erased all the IPs configured on that
device, instead of generating an error ...

Checking the man page, if this *is* the desired effect, a bit of a warning
might be in order:

"     -alias  Remove the network address specified.  This would be used if
             you incorrectly specified an alias, or it was no longer
             needed.  If you have incorrectly set an NS address having the
             side effect of specifying the host portion, removing all NS
             addresses will allow you to respecify the host portion."

"Remove the network address specified.", to me, means that if one isn't
specified, nothing should/would happen :(

----
Marc G.
Fournier Hub.Org Networking Services (http://www.hub.org) Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664 From owner-freebsd-net@FreeBSD.ORG Sat Nov 6 10:25:42 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0861216A4CE for ; Sat, 6 Nov 2004 10:25:41 +0000 (GMT) Received: from mx01.bos.ma.towardex.com (mx01.bos.ma.towardex.com [65.124.16.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id C83B643D5F for ; Sat, 6 Nov 2004 10:25:41 +0000 (GMT) (envelope-from haesu@mx01.bos.ma.towardex.com) Received: by mx01.bos.ma.towardex.com (TowardEX ESMTP 3.0p11_DAKN, from userid 1001) id 6BE0B2FA1B; Sat, 6 Nov 2004 05:25:39 -0500 (EST) Date: Sat, 6 Nov 2004 05:25:39 -0500 
From: James To: freebsd-net@freebsd.org Message-ID: <20041106102539.GA30766@scylla.towardex.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i Subject: ip_fastforward() sanity check.. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Nov 2004 10:25:42 -0000

I seem to have a little concern in one specific early-sanity check in the
ip_fastforward() function of the latest 5.3 code base:

        /*
         * Is first mbuf large enough for ip header and is header present?
         */
        if (m->m_len < sizeof (struct ip) &&
            (m = m_pullup(m, sizeof (struct ip))) == 0) {
                ipstat.ips_toosmall++;
                goto drop;
        }

Okay, if m_pullup() returns 0 due to failure, it already called m_freem(m) by
itself. But we have "goto drop;" after that, which is redundant, no?

I don't think this is much of an issue in the IPv4 implementation, but
obviously, in the IPv6 implementation, if calling 'goto drop' or a redundant
m_freem(m) in the case where m_pullup returns NULL/0, it may crash the kernel
rock hard at m_tag_delete_chain in uipc_mbuf.c (even if you are checking
'if (m) m_freem(m)', as remains are left over).

If any one has any comments, please let me know. If this is not a concern
please disregard my rant and excuse me for the waste of time :)

Thanks,
-J

--
James Jun                                       TowardEX Technologies, Inc.
Technical Lead IPv4 and Native IPv6 Colocation, Bandwidth, james@towardex.com and Web Hosting Services in the Metro Boston area cell: 1(978)-394-2867 web: http://www.towardex.com , noc: www.twdx.net From owner-freebsd-net@FreeBSD.ORG Sat Nov 6 10:49:19 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8E69F16A4CE for ; Sat, 6 Nov 2004 10:49:19 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B1E6A43D1F for ; Sat, 6 Nov 2004 10:49:18 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 13698 invoked from network); 6 Nov 2004 10:45:04 -0000 Received: from unknown (HELO freebsd.org) ([62.48.0.54]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 6 Nov 2004 10:45:04 -0000 Message-ID: <418CAC2D.41A7B5DD@freebsd.org> Date: Sat, 06 Nov 2004 11:49:17 +0100 
From: Andre Oppermann X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: James References: <20041106102539.GA30766@scylla.towardex.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: ip_fastforward() sanity check.. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Nov 2004 10:49:19 -0000

James wrote:
>
> I seem to have a little concern in one specific early-sanity check in the
> ip_fastforward() function of the latest 5.3 code base:
>
>         /*
>          * Is first mbuf large enough for ip header and is header present?
>          */
>         if (m->m_len < sizeof (struct ip) &&
>             (m = m_pullup(m, sizeof (struct ip))) == 0) {
>                 ipstat.ips_toosmall++;
>                 goto drop;
>         }
>
> Okay, if m_pullup() returns 0 due to failure, it already called m_freem(m) by
> itself. But we have "goto drop;" after that, which is redundant, no?
>
> I don't think this is much of an issue in the IPv4 implementation, but
> obviously, in the IPv6 implementation, if calling 'goto drop' or a redundant
> m_freem(m) in the case where m_pullup returns NULL/0, it may crash the kernel
> rock hard at m_tag_delete_chain in uipc_mbuf.c (even if you are checking
> 'if (m) m_freem(m)', as remains are left over).
>
> If any one has any comments, please let me know. If this is not a concern
> please disregard my rant and excuse me for the waste of time :)

This is indeed a bug. Fixed in ip_fastfwd.c rev 1.24 a couple of minutes
ago. Thanks for reporting.
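The class of bug James reports, as an added example written for this page (a toy, not FreeBSD's mbuf code and not a description of what rev 1.24 changed): a helper with m_pullup(9)'s contract, which frees the chain and returns NULL on failure, followed by a caller whose cleanup label still operates on the mbuf. The toy mbuf, the counters, the stand-in for a tag-chain walk and the `want_fail` switch that simulates allocation failure are all constructed for the example, so the fault shows up as a counter instead of a kernel panic.

```c
/*
 * Added example, not FreeBSD code: a toy mbuf and a toy pullup that follow
 * m_pullup(9)'s contract (on failure the chain is freed and NULL is returned)
 * so a caller's cleanup path can be exercised without crashing.
 */
#include <stdbool.h>
#include <stddef.h>

#define IPHDR_LEN 20

struct tmbuf {
    size_t m_len;   /* bytes in this buffer */
    bool   freed;   /* set once the buffer has been released */
};

/* Instrumentation (constructed): what the cleanup path did. */
static int n_free;          /* buffers released */
static int n_null_deref;    /* cleanup dereferenced a NULL mbuf */
static int n_double_free;   /* cleanup touched or released a freed mbuf */

void counters_reset(void) { n_free = n_null_deref = n_double_free = 0; }

static void tm_freem(struct tmbuf *m)
{
    if (m == NULL)          /* m_freem(NULL) is harmless */
        return;
    if (m->freed)
        n_double_free++;
    m->freed = true;
    n_free++;
}

/* Stand-in for a cleanup step that dereferences the mbuf the way a walk of
 * its tag chain does; on a real kernel a NULL here is a fault. */
static void tm_tag_delete_chain(struct tmbuf *m)
{
    if (m == NULL) {
        n_null_deref++;
        return;
    }
    if (m->freed)
        n_double_free++;    /* touching memory that was already released */
}

/* Like m_pullup(): returns an mbuf with at least len contiguous bytes, or
 * frees the chain and returns NULL.  want_fail simulates allocation failure. */
static struct tmbuf *tm_pullup(struct tmbuf *m, size_t len, bool want_fail)
{
    if (m->m_len >= len)
        return m;
    if (want_fail) {
        tm_freem(m);
        return NULL;
    }
    m->m_len = len;
    return m;
}

/* Caller in the shape quoted in the thread: after a failed pullup it still
 * jumps to a cleanup label that works on m.  Returns 1 when dropped. */
int forward_goto_drop(struct tmbuf *m, bool pullup_fails)
{
    if (m->m_len < IPHDR_LEN &&
        (m = tm_pullup(m, IPHDR_LEN, pullup_fails)) == NULL)
        goto drop;
    return 0;                       /* forwarded */
drop:
    tm_tag_delete_chain(m);         /* m is NULL here: the fault James describes */
    tm_freem(m);
    return 1;
}

/* Fixed shape: a failed pullup has already released the chain, so return at
 * once; the cleanup label is only for paths that still own an mbuf. */
int forward_fixed(struct tmbuf *m, bool pullup_fails)
{
    if (m->m_len < IPHDR_LEN) {
        m = tm_pullup(m, IPHDR_LEN, pullup_fails);
        if (m == NULL)
            return 1;               /* nothing left to free */
    }
    return 0;
}
```

The rule the example encodes is the one James states: once a pullup-style helper has failed, the caller owns nothing, and any shared `drop:` path that assumes a live mbuf (tag-chain cleanup, statistics that read the packet header, a second free) must not run.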
-- Andre From owner-freebsd-net@FreeBSD.ORG Sat Nov 6 16:13:57 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 63EAB16A4CE for ; Sat, 6 Nov 2004 16:13:57 +0000 (GMT) Received: from mail.netroad.ru (mail.netroad.ru [213.24.172.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD9BE43D49 for ; Sat, 6 Nov 2004 16:13:56 +0000 (GMT) (envelope-from devel@proxy.netroad.ru) Received: from mail.netroad.ru (localhost [127.0.0.1]) by mail.netroad.ru (Postfix) with ESMTP id 7A3701487C8 for ; Sat, 6 Nov 2004 19:12:21 +0300 (MSK) Received: from proxy.netroad.ru (proxy.netroad.ru [213.24.172.2]) by mail.netroad.ru (Postfix) with ESMTP id 5AD131486BF for ; Sat, 6 Nov 2004 19:12:21 +0300 (MSK) Received: by proxy.netroad.ru (Postfix, from userid 999) id AB67C256245; Sat, 6 Nov 2004 19:13:51 +0300 (MSK) Date: Sat, 6 Nov 2004 19:13:51 +0300 
From: "Lenar D. Tukhvatullin" To: freebsd-net@freebsd.org Message-ID: <20041106161351.GA90407@proxy.netroad.ru> Mail-Followup-To: freebsd-net@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.5.1i X-AntiVirus: ClamAV at mail.netroad.ru Subject: bridging & vlan X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Nov 2004 16:13:57 -0000

System: FreeBSD 5.3-STABLE, cvsup'ed today.

I have a bge0 interface and vlan0 configured on it:
-----
bge0: flags=8943 mtu 1500
        options=1a
vlan0: flags=28943 mtu 1500
        vlan: 100 parent interface: bge0
----

I configure a bridge between vlan0 and another physical interface (bge1),
but the bridge does not work properly. I can see incoming packets (packets
from the LAN with the corresponding vlan tag) with tcpdump on bge0, but
can't see these packets on vlan0.

I think it's a bug in sys/net/if_ethersubr.c in function ether_demux:
----
        if (!(BDG_ACTIVE(ifp)) &&
            !(ether_type == ETHERTYPE_VLAN && ifp->if_nvlans > 0)) {
----
This checks only 802.1Q encapsulated ethernet frames, but incoming packets
on bge0 contain normal, decapsulated packets (VLAN_HWTAGGING).

It is necessary to make an additional check on the incoming packet:
----
        if (!(BDG_ACTIVE(ifp)) &&
            !((ether_type == ETHERTYPE_VLAN ||
               m_tag_locate(m, MTAG_VLAN, MTAG_VLAN_TAG, NULL) != NULL) &&
              ifp->if_nvlans > 0)) {
----

I also submitted this problem as PR: kern/72933

--
Lenar D. Tukhvatullin
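The two forms a VLAN frame can take by the time ether_demux() sees it, and the difference between the original test and Lenar's proposed one, as an added example written for this page (not FreeBSD's if_ethersubr.c and not the PR's patch). A frame whose tag the NIC stripped looks untagged to any check that only reads the EtherType in the buffer; the example parses a frame, recovers the tag from either place, and evaluates both tests. The `pkt_meta` struct stands in for the mbuf tag a VLAN_HWTAGGING driver attaches, and the two sample frames are constructed, not captures from the report.

```c
/*
 * Added example, not FreeBSD code: parse an Ethernet frame, recognise an
 * 802.1Q tag delivered either in-band (EtherType 0x8100 in the buffer) or
 * out-of-band by a driver that stripped it in hardware (the VLAN_HWTAGGING
 * case, which the kernel carries as an mbuf tag; here a small struct stands
 * in for that tag), and evaluate the ether_demux() test before and after
 * Lenar's proposed change.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define ETHER_HDR_LEN  14
#define ETHERTYPE_VLAN 0x8100
#define ETHERTYPE_IP   0x0800

/* Stand-in for driver-attached metadata (layout assumed for the example). */
struct pkt_meta {
    bool     hw_tagged;     /* driver stripped the tag: the MTAG_VLAN case */
    uint16_t hw_vid;
};

struct eth_info {
    uint8_t  dst[ETHER_ADDR_LEN];
    uint8_t  src[ETHER_ADDR_LEN];
    uint16_t ether_type;    /* EtherType as present in the buffer */
    bool     tagged;        /* a tag was found, in-band or out-of-band */
    uint16_t vid;           /* 12-bit VLAN id when tagged */
    uint16_t inner_type;    /* EtherType after the tag; == ether_type if untagged */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns the header length consumed (14 or 18), or 0 for a short frame. */
size_t eth_parse(const uint8_t *f, size_t len, const struct pkt_meta *meta,
                 struct eth_info *out)
{
    if (len < ETHER_HDR_LEN)
        return 0;
    memcpy(out->dst, f, ETHER_ADDR_LEN);
    memcpy(out->src, f + ETHER_ADDR_LEN, ETHER_ADDR_LEN);
    out->ether_type = be16(f + 12);
    out->tagged = false;
    out->vid = 0;
    out->inner_type = out->ether_type;

    if (out->ether_type == ETHERTYPE_VLAN) {        /* tag still in the frame */
        if (len < ETHER_HDR_LEN + 4)
            return 0;
        out->tagged = true;
        out->vid = be16(f + 14) & 0x0fff;           /* TCI: PCP(3) CFI(1) VID(12) */
        out->inner_type = be16(f + 16);
        return ETHER_HDR_LEN + 4;
    }
    if (meta != NULL && meta->hw_tagged) {          /* tag stripped by the NIC */
        out->tagged = true;
        out->vid = meta->hw_vid & 0x0fff;
    }
    return ETHER_HDR_LEN;
}

/*
 * Both functions return true exactly when the quoted `if` in ether_demux()
 * is NOT entered, i.e. when the frame is treated as bridge or VLAN traffic.
 */
bool vlan_or_bridge_old(bool bridge_active, const struct eth_info *e,
                        const struct pkt_meta *meta, int nvlans)
{
    (void)meta;     /* the original test never looks at the out-of-band tag */
    return bridge_active || (e->ether_type == ETHERTYPE_VLAN && nvlans > 0);
}

bool vlan_or_bridge_new(bool bridge_active, const struct eth_info *e,
                        const struct pkt_meta *meta, int nvlans)
{
    bool tag_present = e->ether_type == ETHERTYPE_VLAN ||
                       (meta != NULL && meta->hw_tagged);
    return bridge_active || (tag_present && nvlans > 0);
}

/* Constructed sample frames (not captures from the report): the same VLAN 100
 * IPv4 frame as it arrives with its tag in-band, and as a VLAN_HWTAGGING
 * driver hands it up after stripping the tag. */
const uint8_t frame_inband_tag[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00,  0x00,0x64,          /* 802.1Q, PCP 0, CFI 0, VID 100 */
    0x08,0x00,                      /* inner EtherType: IPv4 */
    0x45,0x00,0x00,0x14             /* start of an IPv4 header */
};
const uint8_t frame_stripped[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00,
    0x45,0x00,0x00,0x14
};
```

The point the parser makes explicit is that "is this a VLAN frame" is a property of the frame plus its out-of-band metadata, not of the bytes alone; a classifier, filter or demux rule that keys only on the wire EtherType will misclassify every frame from a hardware-tagging NIC, which is what the report describes seeing on bge0 versus vlan0.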