From: chkno@dork.com
To: freebsd-questions@freebsd.org
Subject: ipfw+natd packet loop
Date: Wed, 19 Dec 2001 11:11:16 +0000

I'm trying to use ipfw pipes to impose bandwidth restrictions in a natd
environment. I'm having an issue with packets getting caught up in some kind
of loop between natd & the pipe.

Note: I'm using natd to nat between two subnets on the same interface. This
has worked beautifully so far, even though I gather that it is not the normal
way of doing things. Hardware restrictions prevent me from adding a second
NIC.

Background info:

# grep natd /etc/rc.conf
natd_enable="YES"
natd_flags="-use_sockets -same_ports -unregistered_only"
natd_interface="ed1"

# ifconfig ed1
ed1: flags=8843 mtu 1500
        inet 12.225.230.182 netmask 0xfffffe00 broadcast 255.255.255.255
        inet 192.168.151.1 netmask 0xffffff00 broadcast 192.168.151.255
        ether 00:80:c8:e2:b0:5a

# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 1

# ipfw pipe show
00010: 120.000 Kbit/s    0 ms    8 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

Demonstration: ( XXX.XXX.XXX.XXX is downloading a file via ftp. )

# echo;ipfw add 10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out; ipfw zero;sleep 1;ipfw show;sleep 19;echo;ipfw show;ipfw delete 10000

10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
Accounting cleared.
00049 39 39604 count ip from any to any
00050 39 39604 divert 8668 ip from any to any via ed1
00051 39 39604 count ip from any to any
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
10000 14 21000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000 25 18604 allow ip from any to any
65535 0 0 deny ip from any to any

00049 492 471097 count ip from any to any
00050 492 471097 divert 8668 ip from any to any via ed1
00051 556400 834347613 count ip from any to any
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
10000 556141 834210534 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000 259 137079 allow ip from any to any
65535 0 0 deny ip from any to any
#

CPU usage jumps to 100%. 233 packets become 556141.

What am I doing wrong?
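A way to automate the counter comparison the poster did by hand, added here as an example and not part of the original message: it parses the two `ipfw show` snapshots quoted above and flags any rule whose packet delta dwarfs the divert rule's delta, which is the signature of the same packets re-traversing the ruleset rather than new traffic arriving. The `ratio` threshold is an assumption chosen for illustration.

```python
import re

# The two `ipfw show` snapshots from the message above (1 s and 20 s after `ipfw zero`).
SNAPSHOT_1 = """\
00049 39 39604 count ip from any to any
00050 39 39604 divert 8668 ip from any to any via ed1
00051 39 39604 count ip from any to any
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
10000 14 21000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000 25 18604 allow ip from any to any
65535 0 0 deny ip from any to any
"""
SNAPSHOT_2 = """\
00049 492 471097 count ip from any to any
00050 492 471097 divert 8668 ip from any to any via ed1
00051 556400 834347613 count ip from any to any
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
10000 556141 834210534 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000 259 137079 allow ip from any to any
65535 0 0 deny ip from any to any
"""

# `ipfw show` prints: <rule> <packets> <bytes> <rule body>
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_ipfw_show(text):
    """Return {rule_number: (packets, bytes, body)} from `ipfw show` output."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, pkts, byts, body = m.groups()
            rules[int(num)] = (int(pkts), int(byts), body)
    return rules

def packet_deltas(before, after):
    """Packets matched per rule between two snapshots (counters only grow)."""
    return {n: after[n][0] - before[n][0] for n in after if n in before}

def find_amplified_rules(before, after, ratio=10):
    """Flag rules whose packet delta is at least `ratio` times the divert rule's.
    Each forwarded packet crosses the divert rule once, so a rule counting far
    more packets than natd diverted is seeing the same packets repeatedly."""
    deltas = packet_deltas(before, after)
    divert = [n for n, (_, _, body) in after.items() if body.startswith("divert")]
    if not divert:
        return {}
    baseline = max(deltas[n] for n in divert)
    if baseline <= 0:
        return {}
    return {n: round(d / baseline, 1) for n, d in deltas.items() if d / baseline >= ratio}
```

On the posted data this flags rules 51 and 10000 at roughly 1200x the divert count, while rule 49 (before the divert) stays at 1x, so the extra traversals begin after natd reinjects the packet.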