Date: Wed, 19 Dec 2001 15:13:21 +0200
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: chkno@dork.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw+natd packet loop
Message-ID: <20011219151321.A37899@sunbay.com>
In-Reply-To: <20011219110956.KPYL6450.rwcrmhc52.attbi.com@chk.phattydomain.com>
References: <20011219110956.KPYL6450.rwcrmhc52.attbi.com@chk.phattydomain.com>
On Wed, Dec 19, 2001 at 11:11:16AM +0000, chkno@dork.com wrote:
> I'm trying to use ipfw pipes to impose bandwidth restrictions in a
> natd environment. I'm having an issue with packets getting caught
> up in some kind of loop between natd & the pipe.
>
> Note: I'm using natd to nat between two subnets on the same interface.
> This has worked beautifully so far, even though I gather that it
> is not the normal way of doing things. Hardware restrictions prevent
> me from adding a second NIC.
>
>
> Background info:
>
> # grep natd /etc/rc.conf
> natd_enable="YES"
> natd_flags="-use_sockets -same_ports -unregistered_only"
> natd_interface="ed1"
> # ifconfig ed1
> ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 12.225.230.182 netmask 0xfffffe00 broadcast 255.255.255.255
> inet 192.168.151.1 netmask 0xffffff00 broadcast 192.168.151.255
> ether 00:80:c8:e2:b0:5a
> # sysctl net.inet.ip.fw.one_pass
> net.inet.ip.fw.one_pass: 1
> # ipfw pipe show
> 00010: 120.000 Kbit/s 0 ms 8 sl. 1 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
>
> Demonstration:
>
> ( XXX.XXX.XXX.XXX is downloading a file via ftp. )
>
> # echo;ipfw add 10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out; ipfw zero;sleep 1;ipfw show;sleep 19;echo;ipfw show;ipfw delete 10000
>
> 10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
> Accounting cleared.
> 00049 39 39604 count ip from any to any
> 00050 39 39604 divert 8668 ip from any to any via ed1
> 00051 39 39604 count ip from any to any
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 10000 14 21000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
> 65000 25 18604 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> 00049 492 471097 count ip from any to any
> 00050 492 471097 divert 8668 ip from any to any via ed1
> 00051 556400 834347613 count ip from any to any
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 10000 556141 834210534 pipe 10 ip from any to XXX.XXX.XXX.XXX out
> 65000 259 137079 allow ip from any to any
> 65535 0 0 deny ip from any to any
> #
>
> CPU usage jumps to 100%. 233 packets become 556141. What am I
> doing wrong?
>
Hmm, I can't reproduce this on a 4.4-STABLE box with the following
ruleset:
# ipfw show; ipfw pipe show
00050 1961 472013 divert 8668 ip from any to any via rl0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
10000 661 382995 pipe 10 ip from any to XXX.XXX.XXX.XXX
65000 1300 89018 allow ip from any to any
65535 0 0 deny ip from any to any
00010: 120.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 192.168.4.115/49202 XXX.XXX.XXX.XXX/22 234 208380 12 16540 0
Cheers,
--
Ruslan Ermilov Oracle Developer/DBA,
ru@sunbay.com Sunbay Software AG,
ru@FreeBSD.org FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
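The diagnostic used in the quoted message (zero the counters, take two `ipfw show` snapshots some seconds apart, compare) can be automated. The script below is an added example and is not code from either poster or from FreeBSD; it is written in Python rather than sh so it runs offline against pasted text. It parses two `ipfw show` snapshots, computes per-rule packet and byte deltas, and flags any non-divert rule whose packet delta is far above the divert (natd) rule's delta, which is the signature of packets being re-injected into the ruleset more than once. The sample snapshots are copied from the two `ipfw show` runs in the quoted message (with the redacted address left as posted); the 10x threshold is an arbitrary assumption for illustration.

```python
"""Compare two `ipfw show` snapshots and flag rules whose packet counters
grow far faster than the divert (natd) rule.

Added example, not code from the thread or from FreeBSD.  The snapshots
below are copied from the two `ipfw show` runs posted in the thread; the
counters were zeroed before the first run and not reset in between, so
the difference between the runs is the traffic seen in the 19 s gap.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# `ipfw show` on FreeBSD 4.x prints: rule number, packet count, byte count,
# then the rule body (action followed by the match expression).
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

# First snapshot (1 s after `ipfw zero`), as posted.
SNAPSHOT_1 = """\
00049 39 39604 count ip from any to any
00050 39 39604 divert 8668 ip from any to any via ed1
00051 39 39604 count ip from any to any
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
10000 14 21000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000 25 18604 allow ip from any to any
65535 0 0 deny ip from any to any
"""

# Second snapshot (19 s later), as posted.
SNAPSHOT_2 = """\
00049 492 471097 count ip from any to any
00050 492 471097 divert 8668 ip from any to any via ed1
00051 556400 834347613 count ip from any to any
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
10000 556141 834210534 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000 259 137079 allow ip from any to any
65535 0 0 deny ip from any to any
"""


@dataclass
class RuleDelta:
    number: int
    action: str   # first word of the rule body: count, divert, pipe, allow, ...
    body: str
    packets: int  # packets matched between the two snapshots
    bytes: int


def parse_show(text: str) -> Dict[int, Tuple[int, int, str]]:
    """Map rule number -> (packets, bytes, body); non-rule lines are skipped."""
    rules = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            num, pkts, byts, body = m.groups()
            rules[int(num)] = (int(pkts), int(byts), body)
    return rules


def counter_deltas(before: Dict[int, Tuple[int, int, str]],
                   after: Dict[int, Tuple[int, int, str]]) -> List[RuleDelta]:
    """Per-rule counter growth from `before` to `after`, in ruleset order."""
    deltas = []
    for num, (p2, b2, body) in after.items():
        p1, b1, _ = before.get(num, (0, 0, body))  # rule added in between: count from 0
        deltas.append(RuleDelta(num, body.split()[0], body, p2 - p1, b2 - b1))
    return deltas


def divert_baseline(deltas: List[RuleDelta]) -> int:
    """Packets that actually crossed the divert rule; every packet should pass it once."""
    divert = [d.packets for d in deltas if d.action == "divert"]
    if not divert:
        raise ValueError("no divert rule in snapshot")
    return max(divert)


def find_loops(deltas: List[RuleDelta], ratio: int = 10) -> List[RuleDelta]:
    """Non-divert rules whose packet delta exceeds `ratio` x the divert delta.

    Such a rule is being hit many times per real packet, i.e. packets are being
    re-injected into the ruleset (pipe or divert reinjection) more than once.
    The threshold is an assumption for illustration, not a documented value.
    """
    baseline = max(divert_baseline(deltas), 1)
    return [d for d in deltas
            if d.action != "divert" and d.packets > ratio * baseline]


def report(snap1: str, snap2: str) -> List[str]:
    """Human-readable lines: amplification factor per flagged rule."""
    deltas = counter_deltas(parse_show(snap1), parse_show(snap2))
    baseline = max(divert_baseline(deltas), 1)
    return ["rule %05d hit %d times for %d diverted packets (%.0fx): %s"
            % (d.number, d.packets, baseline, d.packets / baseline, d.body)
            for d in find_loops(deltas)]


if __name__ == "__main__":
    for line in report(SNAPSHOT_1, SNAPSHOT_2):
        print(line)
```

On the posted snapshots the divert rule sees 453 packets in the 19 s window while the `count` rule right after it and the `pipe 10` rule each see over 556,000, so both are flagged at roughly 1200x. In practice run the two `ipfw show` captures a fixed interval apart without an `ipfw zero` in between, since the delta, not the absolute counter, is what the comparison relies on.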
