From owner-freebsd-net@FreeBSD.ORG Sun Jun 19 08:29:53 2005
From: Gleb Smirnoff
To: Jose M Rodriguez
Cc: freebsd-net@FreeBSD.org, freebsd-stable@FreeBSD.org, Michal Vanco
Date: Sun, 19 Jun 2005 12:29:44 +0400
Subject: Re: Routes not deleted after link down
Message-ID: <20050619082944.GA11972@cell.sick.ru>
In-Reply-To: <200506182214.33279.josemi@redesjm.local>

On Sat, Jun 18, 2005 at 10:14:32PM +0200, Jose M Rodriguez wrote:
J> Second, you may need a route daemon for this. ospf is a well known
J> candidate where convergence in case of lost link is a must.

While an OSPF daemon may stop advertising the affected route to its
neighbors, the kernel will still have the route installed and thus
the box won't be able to contact other hosts on the connected net,
while they are reachable via an alternate path.

I've checked that Cisco routers remove the route from the FIB when the
interface link goes down. I haven't checked Junipers yet.

From my viewpoint, removing the route (or marking it unusable) is correct
behavior for a router. Not sure it is correct for a desktop.

My vote is that we should implement this functionality and make it
switchable via sysctl. I'd leave the default as is.

What is the opinion of other networkers?

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
From owner-freebsd-net@FreeBSD.ORG Sun Jun 19 08:48:57 2005
From: Michal Vanco
Organization: Satro s.r.o.
To: Gleb Smirnoff
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org, Jose M Rodriguez
Date: Sun, 19 Jun 2005 10:48:46 +0200
Subject: Re: Routes not deleted after link down
Message-Id: <200506191048.49883.vanco@satro.sk>
In-Reply-To: <20050619082944.GA11972@cell.sick.ru>

On Sunday 19 June 2005 10:29, Gleb Smirnoff wrote:
> On Sat, Jun 18, 2005 at 10:14:32PM +0200, Jose M Rodriguez wrote:
> J> Second, you may need a route daemon for this. ospf is a well known
> J> candidate where convergence in case of lost link is a must.
>
> While an OSPF daemon may stop advertising the affected route to its
> neighbors, the kernel will still have the route installed and thus
> the box won't be able to contact other hosts on the connected net,
> while they are reachable via an alternate path.

The routing protocol should be responsible for removing affected routes from
the FIB. For example, quagga should remove all routes learned via a particular
OSPF neighbour when that neighbour is no longer reachable because the link
went down. But when no daemons are used (`static' and `connected' are also
`routing protocols'), the kernel should be responsible for doing that.

> I've checked that Cisco routers remove the route from the FIB when the
> interface link goes down. I haven't checked Junipers yet.

Junipers do the same. It is the only feasible behaviour for a router.

> From my viewpoint, removing the route (or marking it unusable) is correct
> behavior for a router. Not sure it is correct for a desktop.

Sure.

> My vote is that we should implement this functionality and make it
> switchable via sysctl. I'd leave the default as is.

Agree.

From owner-freebsd-net@FreeBSD.ORG Sun Jun 19 11:22:13 2005
From: Jose M Rodriguez
To: Michal Vanco
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Date: Sun, 19 Jun 2005 13:22:07 +0200
Subject: Re: Routes not deleted after link down
Message-Id: <200506191322.08287.josemi@redesjm.local>
In-Reply-To: <200506191048.49883.vanco@satro.sk>

On Sunday, 19 June 2005 10:48, Michal Vanco wrote:
> On Sunday 19 June 2005 10:29, Gleb Smirnoff wrote:
> > On Sat, Jun 18, 2005 at 10:14:32PM +0200, Jose M Rodriguez wrote:
> > J> Second, you may need a route daemon for this. ospf is a well
> > J> known candidate where convergence in case of lost link is a
> > J> must.
> >
> > While an OSPF daemon may stop advertising the affected route to its
> > neighbors, the kernel will still have the route installed and thus
> > the box won't be able to contact other hosts on the connected net,
> > while they are reachable via an alternate path.
>
> The routing protocol should be responsible for removing affected routes
> from the FIB. For example, quagga should remove all routes learned via a
> particular OSPF neighbour when that neighbour is no longer reachable
> because the link went down. But when no daemons are used (`static' and
> `connected' are also `routing protocols'), the kernel should be
> responsible for doing that.
>
> > I've checked that Cisco routers remove the route from the FIB when the
> > interface link goes down. I haven't checked Junipers yet.
>
> Junipers do the same. It is the only feasible behaviour for a router.
>
> > From my viewpoint, removing the route (or marking it unusable) is
> > correct behavior for a router. Not sure it is correct for a desktop.
>
> Sure.
>
> > My vote is that we should implement this functionality and make it
> > switchable via sysctl. I'd leave the default as is.

I'm not sure of this. I also think that a devd or monitor daemon will
be enough and easy to implement.

I think NetBSD already has some kind of net monitor daemon for pppoe
support (via sppp). Not sure if route support is included. But it seems
easier and cleaner than a kernel based solution.

--
josemi

> Agree.

From owner-freebsd-net@FreeBSD.ORG Sun Jun 19 12:16:06 2005
From: Gleb Smirnoff
To: net@FreeBSD.org
Date: Sun, 19 Jun 2005 16:16:01 +0400
Subject: bug in libalias?
Message-ID: <20050619121601.GA13370@cell.sick.ru>

While working on ng_nat + libalias in kernel, I've found that sometimes
in very rare conditions libalias produces completely broken packets.
Fortunately they also have an incorrect TCP checksum, and thus are
discarded and retransmitted. Fortunately the retransmits are not broken.

This is not related to any protocol aliasing; it is a bug in alias.c.

I have two cases which are 100% reproducible. The first case is an ssh
session to my mailbox; I can't give a reproduce recipe, sorry :)

The second case is the following: you must be behind a box running
natd(8) and have an MTU of 1500; the router running natd should have a
1500 MTU on both interfaces. Now, you should run

    # tcpdump -w qqq -s 1600 -vvnpi fxp0 host www.rambler.ru &
    # fetch -vvv http://www.rambler.ru
    # fg
    # ^C
    # tcpdump -s 1600 -vXXnpr qqq | less

Look into the incoming TCP segment with offset 2921:4381(1460). The first
packet is the broken one. Search again for 2921:4381(1460). Now I've found
the retransmitted packet.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
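The report above relies on the TCP checksum to tell the mangled segment from its retransmission: the receiver recomputes the checksum over the pseudo-header and the segment, and a mismatch gets the packet silently dropped. The following is an added example (not code from libalias, natd, tcpdump or this thread) that builds a constructed IPv4/TCP packet, verifies its TCP checksum the way a receiving stack does, and shows the effect of a NAT address rewrite that forgets the TCP checksum fixup. All addresses, ports, payload bytes and function names are constructed for the example.

```python
"""Verify the TCP checksum of an IPv4/TCP packet.

Added example, not libalias, natd or tcpdump code. The packet is
constructed inline so the example runs offline; nat_rewrite_src() is a
deliberately simplified stand-in that shows what a forgotten checksum
fixup looks like on the wire.
"""
import struct

TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, TCP, tcp_len)


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header + TCP header (checksum zeroed) + payload."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return checksum(pseudo_header(src, dst, len(segment)) + zeroed)


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_packet(src: str, dst: str, sport: int, dport: int,
                 seq: int, ack: int, payload: bytes) -> bytes:
    """Constructed IPv4+TCP packet (no options) with correct checksums."""
    s, d = ip4(src), ip4(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify_tcp(packet: bytes) -> bool:
    """True if the TCP checksum of an IPv4 packet is intact.

    Summing the pseudo-header and the segment *including* its checksum
    field must give 0xFFFF (x plus ~x); anything else means the packet
    was changed after the checksum was written."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != TCP or total_len > len(packet) or ihl < 20:
        return False
    segment = packet[ihl:total_len]
    if len(segment) < 20:
        return False
    data = pseudo_header(packet[12:16], packet[16:20], len(segment)) + segment
    return ones_complement_sum(data) == 0xFFFF


def nat_rewrite_src(packet: bytes, new_src: str, fix_tcp: bool) -> bytes:
    """Rewrite the source address as a NAT does. The IP header checksum is
    always recomputed; the TCP checksum only when fix_tcp is True, so a
    False call yields the 'broken packet, bad checksum' case from the report."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    s = ip4(new_src)
    ip = packet[:10] + b"\x00\x00" + s + packet[16:ihl]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = packet[ihl:total_len]
    if fix_tcp:
        fixed = tcp_checksum(s, packet[16:20], tcp)
        tcp = tcp[:16] + struct.pack("!H", fixed) + tcp[18:]
    return ip + tcp


if __name__ == "__main__":
    pkt = build_packet("192.0.2.10", "198.51.100.5", 40000, 80, 2921, 1,
                       b"GET / HTTP/1.0\r\n\r\n")
    print("original       ", verify_tcp(pkt))
    print("nat, no fixup  ", verify_tcp(nat_rewrite_src(pkt, "203.0.113.1", False)))
    print("nat, with fixup", verify_tcp(nat_rewrite_src(pkt, "203.0.113.1", True)))
```

verify_tcp() takes raw packet bytes, so the same function can be run over each frame pulled out of the tcpdump -w file with any pcap reader to find the segment whose checksum is bad; here the packet is built inline so the example runs offline.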
From owner-freebsd-net@FreeBSD.ORG Sun Jun 19 19:55:02 2005
From: Sten Daniel Sørsdal
To: Gleb Smirnoff
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org, Michal Vanco
Date: Sun, 19 Jun 2005 21:54:49 +0200
Subject: Re: Routes not deleted after link down
Message-ID: <42B5CD89.6070509@wm-access.no>
In-Reply-To: <20050619082944.GA11972@cell.sick.ru>

Gleb Smirnoff wrote:
> My vote is that we should implement this functionality and make it
> switchable via sysctl. I'd leave the default as is.
>
> What is the opinion of other networkers?

How about also adding a sysctl for setting a delay time between the event
and disabling of the route? Then even people with roaming wlan cards can
benefit.

Also it is my opinion that the route should be disabled (moved to a passive
route table maybe?) and not deleted.

At my old job I came across situations where the lack of this feature
caused headaches and once or twice the loss of a customer.
--
Sten Daniel Sørsdal

From owner-freebsd-net@FreeBSD.ORG Sun Jun 19 20:33:53 2005
From: Mike Tancsa
To: Gleb Smirnoff
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Date: Sun, 19 Jun 2005 16:34:23 -0400
Subject: Re: Routes not deleted after link down
Message-Id: <6.2.1.2.0.20050619161035.03720998@64.7.153.2>
In-Reply-To: <20050619082944.GA11972@cell.sick.ru>

At 04:29 AM 19/06/2005, Gleb Smirnoff wrote:
>On Sat, Jun 18, 2005 at 10:14:32PM +0200, Jose M Rodriguez wrote:
>J> Second, you may need a route daemon for this. ospf is a well known
>J> candidate where convergence in case of lost link is a must.
>
>I've checked that Cisco routers remove the route from the FIB when the
>interface link goes down. I haven't checked Junipers yet.
>
>From my viewpoint, removing the route (or marking it unusable) is correct
>behavior for a router. Not sure it is correct for a desktop.
>
>My vote is that we should implement this functionality and make it
>switchable via sysctl. I'd leave the default as is.

I like this idea as well, but you need to control how the routes would
come back after the interface comes back up? This seems more of the
province of a routing daemon like quagga as opposed to a kernel feature,
no?
---Mike

From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 05:59:00 2005
From: Petri Helenius
To: Mike Tancsa
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Date: Mon, 20 Jun 2005 08:59:54 +0300
Subject: Re: Routes not deleted after link down
Message-ID: <42B65B5A.40005@he.iki.fi>
In-Reply-To: <6.2.1.2.0.20050619161035.03720998@64.7.153.2>

Mike Tancsa wrote:
> I like this idea as well, but you need to control how the routes would
> come back after the interface comes back up? This seems more of the
> province of a routing daemon like quagga as opposed to a kernel
> feature, no?

The connected interface should try to transmit packets according to its
netmask when the interface is operational. So it should come back up
"immediately".
(at least when the mentioned sysctl is enabled)

Pete

From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 07:13:41 2005
From: Michal Vanco
Organization: Satro s.r.o.
To: freebsd-net@freebsd.org
Cc: freebsd-stable@freebsd.org, Sten Daniel Sørsdal
Date: Mon, 20 Jun 2005 11:13:31 +0200
Subject: Re: Routes not deleted after link down
Message-Id: <200506201113.34307.vanco@satro.sk>
In-Reply-To: <42B5CD89.6070509@wm-access.no>

On Sunday 19 June 2005 21:54, Sten Daniel Sørsdal wrote:
> Gleb Smirnoff wrote:
> > My vote is that we should implement this functionality and make it
> > switchable via sysctl. I'd leave the default as is.
> >
> > What is the opinion of other networkers?
>
> How about also adding a sysctl for setting a delay time between the event
> and disabling of the route? Then even people with roaming wlan cards can
> benefit.
> Also it is my opinion that the route should be disabled (moved to a passive
> route table maybe?) and not deleted.

This is what I meant initially. Marking the route passive is better than
just deleting it, and it will also be faster to recall the route in case
of link up.
From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 07:17:10 2005
From: Phil Regnauld
To: Michal Vanco
Cc: freebsd-net@freebsd.org, Sten Daniel Sørsdal
Date: Mon, 20 Jun 2005 09:17:01 +0200
Subject: Re: Routes not deleted after link down
Message-ID: <20050620071701.GE1695@catpipe.net>
In-Reply-To: <200506201113.34307.vanco@satro.sk>
X-Operating-System: FreeBSD 5.3-STABLE i386
Organization: catpipe Systems ApS

Michal Vanco (vanco) writes:
> On Sunday 19 June 2005 21:54, Sten Daniel Sørsdal wrote:
> > Gleb Smirnoff wrote:
> > > My vote is that we should implement this functionality and make it
> > > switchable via sysctl. I'd leave the default as is.
> > >
> > > What is the opinion of other networkers?
> >
> > How about also adding a sysctl for setting a delay time between the event
> > and disabling of the route? Then even people with roaming wlan cards can
> > benefit.
> > Also it is my opinion that the route should be disabled (moved to a passive
> > route table maybe?) and not deleted.
>
> This is what I meant initially. Marking the route passive is better than
> just deleting it, and it will also be faster to recall the route in case
> of link up.

Deleting the route is definitely the most annoying thing you can do --
Linux does that, and that's no network reference (try and find RTF_STATIC
in the Linux routing code). Returning "Network unreachable" is the proper
thing to do, but keep the route in the table...

Effectively removing the route from the forwarding table is a job for a
routing daemon.
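The thread above converges on one behaviour: keep the connected route in the table but mark it passive when the link goes down (optionally after a hold-down delay so a roaming wlan card does not flap), fall back to an alternate path or return "Network unreachable" while it is passive, and put it straight back into use on link up. The following Python model is an added example that is not FreeBSD kernel code and not anything a poster wrote. The knobs hold_routes_on_link_down and link_down_delay are hypothetical stand-ins for the sysctls being proposed; the interface names and prefixes are constructed.

```python
"""Toy forwarding table modelling the link-down behaviour discussed above.

Added example: not FreeBSD kernel code and not anything a poster wrote.
The two knobs on Fib are hypothetical stand-ins for the proposed sysctls.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    ifname: str
    passive: bool = False   # True while the interface has no link


@dataclass
class Fib:
    hold_routes_on_link_down: bool = True   # False = behaviour as of today
    link_down_delay: float = 0.0            # seconds before routes go passive
    routes: List[Route] = field(default_factory=list)
    link_up: Dict[str, bool] = field(default_factory=dict)
    pending: Dict[str, float] = field(default_factory=dict)  # ifname -> deadline

    def add_route(self, prefix: str, ifname: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), ifname))
        self.link_up.setdefault(ifname, True)

    def _set_passive(self, ifname: str, passive: bool) -> None:
        for r in self.routes:
            if r.ifname == ifname:
                r.passive = passive

    def link_event(self, ifname: str, up: bool, at: float) -> None:
        """Link state change reported by the driver at time `at`."""
        self.link_up[ifname] = up
        if up:
            # Link is back: the route is reused immediately, nothing to re-add.
            self.pending.pop(ifname, None)
            self._set_passive(ifname, False)
        elif self.hold_routes_on_link_down:
            # Start the hold-down timer; a zero delay fires right away.
            self.pending[ifname] = at + self.link_down_delay
            self.tick(at)

    def tick(self, now: float) -> None:
        """Expire hold-down timers whose interface is still down."""
        for ifname, deadline in list(self.pending.items()):
            if now >= deadline:
                if not self.link_up[ifname]:
                    self._set_passive(ifname, True)
                del self.pending[ifname]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match skipping passive routes; None = ENETUNREACH."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if r.passive or addr not in r.prefix:
                continue
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
        return best


def scenario(delay: float = 0.0, hold: bool = True) -> list:
    """Connected net on em0, alternate default route via em1 (constructed)."""
    fib = Fib(hold_routes_on_link_down=hold, link_down_delay=delay)
    fib.add_route("192.0.2.0/24", "em0")   # connected network
    fib.add_route("0.0.0.0/0", "em1")      # alternate path
    seen = [fib.lookup("192.0.2.10").ifname]          # before any event
    fib.link_event("em0", up=False, at=1.0)
    seen.append(fib.lookup("192.0.2.10").ifname)      # inside the hold-down window
    fib.tick(1.0 + delay)
    seen.append(fib.lookup("192.0.2.10").ifname)      # after the timer fires
    fib.link_event("em0", up=True, at=5.0)
    seen.append(fib.lookup("192.0.2.10").ifname)      # link restored
    seen.append(len(fib.routes))                      # nothing was ever deleted
    return seen


def unreachable_case() -> Optional[Route]:
    """Only the connected route exists: link down gives ENETUNREACH rather
    than a stale route that silently blackholes traffic."""
    fib = Fib()
    fib.add_route("192.0.2.0/24", "em0")
    fib.link_event("em0", up=False, at=1.0)
    return fib.lookup("192.0.2.10")


def flap_case() -> str:
    """Roaming wlan case: link returns within the delay, so the route never
    goes passive and the cancelled timer does not fire later."""
    fib = Fib(link_down_delay=3.0)
    fib.add_route("192.0.2.0/24", "wlan0")
    fib.add_route("0.0.0.0/0", "em1")
    fib.link_event("wlan0", up=False, at=1.0)
    fib.link_event("wlan0", up=True, at=2.0)
    fib.tick(10.0)
    return fib.lookup("192.0.2.10").ifname


if __name__ == "__main__":
    print("no delay:   ", scenario())
    print("3s delay:   ", scenario(delay=3.0))
    print("today:      ", scenario(hold=False))
    print("flap:       ", flap_case())
    print("unreachable:", unreachable_case())
```

With the default knob off the model reproduces the behaviour the thread complains about (the connected route keeps winning the lookup while the link is dead); with it on, the route count never changes, which is the "mark passive, don't delete" point Michal, Sten and Phil make.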
From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 11:01:54 2005
From: FreeBSD bugmaster
To: freebsd-net@FreeBSD.org
Date: Mon, 20 Jun 2005 11:01:53 GMT
Subject: Current problem reports assigned to you
Message-Id: <200506201101.j5KB1rQM011462@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems
Serious problems
Non-critical problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/07/11]  kern/54383  net   [nfs] [patch] NFS root configurations wit

1 problem total.

From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 15:40:54 2005
From: "Ryan Rathje " Date: Mon, 20 Jun 2005 10:40:50 -0500 (CDT) X-Mailer: Endymion MailMan Professional Edition v3.0.14 ISU Version mp8.13 Message-Id: <50401020510511701@webmail.iastate.edu> Subject: transparent Squid 2.5Stable10 + FreeBSD 5.3 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Jun 2005 15:40:54 -0000 Here's my FreeBSD setup Nic1 -> outside (123.456.789.10) Nic2 -> internal (192.168.1.2) Here's my client Win2k setup IP: 192.168.1.5 MASK: 255.255.255.0 GW: 192.168.1.2 ------------------------------------- I have FreeBSD 5.3 installed with the modified kernel options options IPFILTER options IPFILTER_LOG options NMBCLUSTERS=32768 options IPFIREWALL options IPFIREWALL_FORWARD options IPFIREWALL_DEFAULT_TO_ACCEPT in a machine with 2 NICS ( NIC1 -> outside work; NIC2 -> interal network (192.168.1.2). I configured Squid with the ARG --enable-ipf-transparent, and ths is what my options (/var/db/ports/squid/) file looks like for configuring Squid: # This file is auto-generated by 'make config'. # No user-servicable parts inside! 
# Options for squid-2.5.10_1
_OPTIONS_READ=squid-2.5.10_1
WITHOUT_SQUID_LDAP_AUTH=true
WITHOUT_SQUID_DELAY_POOLS=true
WITHOUT_SQUID_SNMP=true
WITHOUT_SQUID_CARP=true
WITHOUT_SQUID_SSL=true
WITH_SQUID_PINGER=true
WITHOUT_SQUID_DNS_HELPER=true
WITHOUT_SQUID_HTCP=true
WITHOUT_SQUID_VIA_DB=true
WITHOUT_SQUID_CACHE_DIGESTS=true
WITH_SQUID_WCCP=true
WITH_SQUID_UNDERSCORES=true
WITH_SQUID_CHECK_HOSTNAME=true
WITHOUT_SQUID_STRICT_HTTP=true
WITH_SQUID_IDENT=true
WITHOUT_SQUID_USERAGENT_LOG=true
WITHOUT_SQUID_ARP_ACL=true
WITHOUT_SQUID_PF=true
WITH_SQUID_IPFILTER=true
WITH_SQUID_FOLLOW_XFF=true
WITHOUT_SQUID_AUFS=true
WITHOUT_SQUID_COSS=true
WITHOUT_SQUID_LARGEFILE=true
WITHOUT_SQUID_STACKTRACES=true
WITH_SQUID_RCNG=true

In the squid.conf file I've made (what I think) are the appropriate changes:

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

and lastly, this is what my rc.conf looks like:

hostname="Gohan"

squid_enable="YES"

firewall_enable="YES"
firewall_type="open"
firewall_quiet="NO"
firewall_logging="YES"

# IPFILTER enabled
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""

ipfw add allow all from any to 192.168.1.2 80
ipfw add fwd 192.168.1.2 tcp from any to 192.168.1.2 3128
ipfw add fwd 192.168.1.2,3128 tcp from any to any 80,82,3128 out recv 192.168.1.2 xmit 129.186.215.57

---------------------------------------------------------

I ran ethereal on the client machine (192.168.1.5) that is behind Squid, and it appears that the client hits the 192.168.1.2 but doesn't forward it onto the Squid proxy, therefore never reaching the outside world. I get the normal "Page can not be displayed" message on the client. I would have thought that if it was hitting the Squid it would give a Squid error message.

My gut feeling is it has something to do with my ipfw rules, any and ALL help would be GREATLY appreciated.
thanks

From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 15:58:07 2005
Date: Tue, 21 Jun 2005 01:58:03 +1000
From: Edwin Groothuis
To: Ryan Rathje
Cc: freebsd-net@freebsd.org
Message-ID: <20050620155803.GA79461@k7.mavetju>
In-Reply-To: <50401020510511701@webmail.iastate.edu>
Subject: Re: transparent Squid 2.5Stable10 + FreeBSD 5.3

See http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/71910

Don't know why it still plays up after 5.2.1....

Edwin
--
Edwin Groothuis      | Personal website: http://www.mavetju.org
edwin@mavetju.org    | Weblog: http://weblog.barnet.com.au/edwin/

From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 17:32:49 2005
Message-ID: <20050620123248.8ae79mn1vwo4sw4w@mail.bafirst.com>
Date: Mon, 20 Jun 2005 12:32:48 -0500
From: eculp@bafirst.com
To: freebsd-net@freebsd.org
In-Reply-To: <50401020510511701@webmail.iastate.edu>
Subject: Re: transparent Squid 2.5Stable10 + FreeBSD 5.3

Quoting Ryan Rathje :

> Here's my FreeBSD setup
>
> Nic1 -> outside (123.456.789.10)
> Nic2 -> internal (192.168.1.2)
>
> Here's my client Win2k setup
>
> IP: 192.168.1.5
> MASK: 255.255.255.0
> GW: 192.168.1.2
>
> -------------------------------------
>
> I have FreeBSD 5.3 installed with the modified kernel options
>
> options IPFILTER
> options IPFILTER_LOG
> options NMBCLUSTERS=32768
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPFIREWALL_DEFAULT_TO_ACCEPT
>
> in a machine with 2 NICS ( NIC1 -> outside work; NIC2 -> interal network
> (192.168.1.2). I configured Squid with the ARG --enable-ipf-transparent, and
> ths is what my options (/var/db/ports/squid/) file looks like for
> configuring Squid:
>
> # This file is auto-generated by 'make config'.
> # No user-servicable parts inside!
> # Options for squid-2.5.10_1
> _OPTIONS_READ=squid-2.5.10_1
> WITHOUT_SQUID_LDAP_AUTH=true
> WITHOUT_SQUID_DELAY_POOLS=true
> WITHOUT_SQUID_SNMP=true
> WITHOUT_SQUID_CARP=true
> WITHOUT_SQUID_SSL=true
> WITH_SQUID_PINGER=true
> WITHOUT_SQUID_DNS_HELPER=true
> WITHOUT_SQUID_HTCP=true
> WITHOUT_SQUID_VIA_DB=true
> WITHOUT_SQUID_CACHE_DIGESTS=true
> WITH_SQUID_WCCP=true
> WITH_SQUID_UNDERSCORES=true
> WITH_SQUID_CHECK_HOSTNAME=true
> WITHOUT_SQUID_STRICT_HTTP=true
> WITH_SQUID_IDENT=true
> WITHOUT_SQUID_USERAGENT_LOG=true
> WITHOUT_SQUID_ARP_ACL=true
> WITHOUT_SQUID_PF=true
> WITH_SQUID_IPFILTER=true
> WITH_SQUID_FOLLOW_XFF=true
> WITHOUT_SQUID_AUFS=true
> WITHOUT_SQUID_COSS=true
> WITHOUT_SQUID_LARGEFILE=true
> WITHOUT_SQUID_STACKTRACES=true
> WITH_SQUID_RCNG=true
>
> In the squid.conf file I've made (what I think) are the appropriate changes:
>
> http_port 3128
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> and lastly, this is what my rc.conf looks like:
>
> hostname="Gohan"
>
> squid_enable="YES"
>
> firewall_enable="YES"
> firewall_type="open"
> firewall_quiet="NO"
> firewall_logging="YES"
>
> # IPFILTER enabled
> ipfilter_enable="YES"
> ipfilter_program="/sbin/ipf"
> ipfilter_rules="/etc/ipf.rules"
> ipfilter_flags=""
>
> ipfw add allow all from any to 192.168.1.2 80
> ipfw add fwd 192.168.1.2 tcp from any to 192.168.1.2 3128
> ipfw add fwd 192.168.1.2,3128 tcp from any to any 80,82,3128 out recv
> 192.168.1.2 xmit 129.186.215.57
>

At one time I did that with IPFW; I have found pf much easier to set up. Take a look at http://www.benzedrine.cx/transquid.html if you are interested.
ed

From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 20:11:30 2005
Message-ID: <42B722EF.2090203@thedarkside.nl>
Date: Mon, 20 Jun 2005 22:11:27 +0200
From: Pieter de Boer
To: freebsd-net@freebsd.org
Subject: Issues with a Large Fat pipe Network simulation

Hello there,

For a project about TCP (performance) enhancements, we have been trying to simulate a network with a high bandwidth*delay product. Although we haven't started our real tests just yet, we already stumbled upon some issues :). For one (advertising an invalid window scale in some situations), we'll file a PR soon.

We have three systems: 'client', 'network' and 'server'. All three systems have two intel gigabit NICs (em) in them. They run 5.4-RELEASE using the SMP-kernel. 'network' has HZ bumped to 2000 and nmbclusters to 128*1024.

The setup is as follows:

'client' <-----> 'network' <-----> 'server'
   100.2         100.1   200.1         200.2

'network' routes traffic between 192.168.100.0/24 and 192.168.200.0/24 and is equipped with ipfw/dummynet for simulation purposes.

We had the following ipfw pipes on 'network':

pipe 1 ip from client to server via em0
pipe 2 ip from server to client via em1

We're testing using iperf ('client' actually runs the iperf server)

client# iperf -s -l64K -N
server# iperf -c client -i 5 -N -t 900 -l 64k

When testing without any extra delay on 'network' and send/recvspaces of 65535 bytes, we can sustain around 800mbit/s. The interrupts on 'network' may be the limiting factor here. However, when we set the send/recv space to 65535*2, we can only sustain around 200-300mbit/s. It seems the speed isn't as 'stable' either (peaks of more than 300mbit/s, sometimes up to 500mbit/s).
We also used read/write sizes of 128KB using the -l option on iperf, but this didn't seem to have any noticeable effect.

When adding extra latency on 'network' and adjusting the send/recv-spaces to correct for the greater bandwidth*delay product, we weren't able to sustain rates much higher than 200mbit/s either.

Can anyone shed some light on what we're seeing here?

--
With regards,
Pieter de Boer

From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 20:48:18 2005
Date: Mon, 20 Jun 2005 20:48:17 +0000 (UTC)
From: Patrick Domack
To: freebsd-net@freebsd.org
Reply-To: patrickdk@patrickdk.com
Subject: EM Driver problems

I have been using fxp network based cards, without issues. I have recently changed over to em cards, and get kernel panics about once every few days with them (mainly sbdrop panics).

I already have nsfclusters set to 32k, and freebsd vm memory set to 850megs, with 4g memory installed.

After playing with and adjusting things and not making any noticeable improvements, I upgraded the default freebsd em driver from 1.7 to the 2.0 version on Intel's website. This seemed to fix things for a while; it lasted two weeks before any problems happened, at which time the card/driver stopped receiving/sending packets. I am still looking into exactly what happened here.
From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 20:50:47 2005
Date: Mon, 20 Jun 2005 13:50:44 -0700
From: Luigi Rizzo
To: Pieter de Boer
Cc: freebsd-net@freebsd.org
Message-ID: <20050620135044.B35720@xorpc.icir.org>
In-Reply-To: <42B722EF.2090203@thedarkside.nl>
Subject: Re: Issues with a Large Fat pipe Network simulation

On Mon, Jun 20, 2005 at 10:11:27PM +0200, Pieter de Boer wrote:
> Hello there,
...
> When testing without any extra delay on 'network' and send/recvspaces of
> 65535 bytes, we can sustain around 800mbit/s. The interrupts on
> 'network' may be the limiting factor here. However, when we set the
> send/recv space to 65535*2, we can only sustain around 200-300mbit/s. It

have you checked that these two

kern.ipc.maxsockbuf: 262144
kern.ipc.sockbuf_waste_factor: 8

aren't responsible for the trouble ?
I won't enter into details because I am not sure, but upping maxsockbuf might help. Or not.
In any case it would be nice to try and let us know.

cheers
luigi

> seems the speed isn't as 'stable' either (peaks of more than 300mbit/s,
> sometimes up to 500mbit/s). We also used read/write sizes of 128KB using
> the -l option on iperf, but this didn't seem to have any noticeable
> effect.
>
> When adding extra latency on 'network' and adjusting the
> send/recv-spaces to correct for the greater bandwidth*delay product, we
> weren't able to sustain rates much higher than 200mbit/s either.
>
>
> Can anyone shed some light on what we're seeing here?
>
> --
> With regards,
> Pieter de Boer

From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 21:14:55 2005
Message-ID: <42B731CD.1040104@thedarkside.nl>
Date: Mon, 20 Jun 2005 23:14:53 +0200
From: Pieter de Boer
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
In-Reply-To: <20050620135044.B35720@xorpc.icir.org>
Subject: Re: Issues with a Large Fat pipe Network simulation

Luigi Rizzo wrote:
>>When testing without any extra delay on 'network' and send/recvspaces of
>>65535 bytes, we can sustain around 800mbit/s. The interrupts on
>>'network' may be the limiting factor here. However, when we set the
>>send/recv space to 65535*2, we can only sustain around 200-300mbit/s. It
>
>
> have you checked that these two
> kern.ipc.maxsockbuf: 262144
> kern.ipc.sockbuf_waste_factor: 8
>
> aren't responsible for the trouble ?

I've seen 200-300mbit when using a 1MB maxsockbuf. Raising it to 2, 4 or 8MB doesn't seem to have much (if any) effect. Altering sockbuf_waste_factor doesn't seem to do anything, either.

However.. when I deleted the pipe rules on 'network', the speed suddenly went up to around 800mbit/s too! I remade them, and voila, 200mbit/s. So apparently it's an issue in the dummynet configuration I have.

So, to reiterate:

On 'network':
pipe 1 from client to server via em0
pipe 2 from server to client via em1
allow ip from any to any

Will give me 200MBit/s when using 128KB window sizes, but 800MBit/s when using 64KB window sizes.

On 'network':
allow ip from any to any

Will give me 800Mbit/s when using 64KB or 128KB window sizes.

I haven't configured the pipes in any way, though. So it appears it's due to the 'network' box after all..
--
Pieter

From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 06:27:44 2005
Message-ID: <42B7B352.8040806@suutari.iki.fi>
Date: Tue, 21 Jun 2005 09:27:30 +0300
From: Ari Suutari
To: freebsd-net@freebsd.org
Subject: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

Hi,

I sent this to the ipfw mailing list some time ago, but got no response. I would like to adjust ipfw behaviour with fwd rules to make policy routing easier (i.e. make it separate from filtering rules). I would just like some input if this makes any sense (or is possible at all with the current design).

>Currently the ipfw fwd rules work so that the packet
>is accepted when fwd rule matches.
>
>Would it be possible just tag the packet with
>information about next_hop and just continue processing the
>rules ? This would make complex rulesets with policy-based
>routing much simpler, since one could just have relevant
>fwd statements at beginning of rule sets and then
>filter the packets in usual way.

Ari S.
From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 06:32:39 2005
Message-ID: <048601c5762a$fe534060$42764eca@ilo.skyinet.net>
From: "fooler"
To: "Ryan Rathje"
References: <50401020510511701@webmail.iastate.edu>
Date: Tue, 21 Jun 2005 14:32:17 +0800
Subject: Re: transparent Squid 2.5Stable10 + FreeBSD 5.3

----- Original Message -----
From: "Ryan Rathje"
Sent: Monday, June 20, 2005 11:40 PM
Subject: transparent Squid 2.5Stable10 + FreeBSD 5.3

> ipfw add allow all from any to 192.168.1.2 80
> ipfw add fwd 192.168.1.2 tcp from any to 192.168.1.2 3128
> ipfw add fwd 192.168.1.2,3128 tcp from any to any 80,82,3128 out recv
> 192.168.1.2 xmit 129.186.215.57
>
> My gut feeling is it has something to do with my ipfw rules, any and ALL help
> would get GREATLY appreciated. thanks

yup your gut feeling is correct :->

you don't need to enable IPFILTER if you use IPFW... your simple ipfw rule for transparent proxy looks like this:

ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in via

fooler.
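To see why Ryan's rule set and fooler's one-liner treat a client's web connection differently, here is an added example (not code from the thread or from FreeBSD): a small Python model of first-match ipfw evaluation over just the operands these rules use. The interface names fxp0/fxp1, the interface operand of fooler's rule (not legible in the archive) and the external web server address are assumptions.

```python
"""Simplified first-match model of the ipfw operands used in this thread (an added
example, not ipfw's code): allow/fwd, protocol, addresses, destination ports, in/out,
via, recv and xmit. Interface names fxp0/fxp1, the interface operand of fooler's rule
and the web server address 203.0.113.10 (TEST-NET-3) are assumptions."""
import ipaddress
from collections import namedtuple

Interface = namedtuple("Interface", "name addr")  # ipfw accepts an address for via/recv/xmit
# Packet as seen by one firewall pass: direction is "in" (just received on recv_if)
# or "out" (about to leave via xmit_if; recv_if is still known for routed traffic).
Packet = namedtuple("Packet", "proto src dst dport direction recv_if xmit_if", defaults=(None,))

OPTS = ("in", "out", "via", "recv", "xmit")


def parse_ports(spec):
    """'80,82,3128' -> {80, 82, 3128}; 'lo-hi' ranges are expanded."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)


def parse_rule(text):
    """Parse one rule in the ipfw subset the thread uses ('ipfw add' prefix optional)."""
    tok = text.split()
    tok = tok[2:] if tok[:2] == ["ipfw", "add"] else tok
    rule = {"action": tok.pop(0), "fwd_to": None, "direction": None, "via": None, "recv": None, "xmit": None}
    if rule["action"] == "fwd":
        host, _, port = tok.pop(0).partition(",")
        rule["fwd_to"] = (host, int(port) if port else None)
    rule["proto"] = tok.pop(0)
    if tok.pop(0) != "from":
        raise ValueError("expected 'from'")
    rule["src"] = tok.pop(0)
    if tok[0] != "to":
        tok.pop(0)  # source ports: accepted, not modelled
    if tok.pop(0) != "to":
        raise ValueError("expected 'to'")
    rule["dst"] = tok.pop(0)
    rule["dports"] = parse_ports(tok.pop(0)) if tok and tok[0] not in OPTS else frozenset()
    while tok:
        key = tok.pop(0)
        if key in ("in", "out"):
            rule["direction"] = key
        elif key in ("via", "recv", "xmit"):
            rule[key] = tok.pop(0)
        else:
            raise ValueError(f"unsupported option {key!r}")
    return rule


def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def iface_matches(spec, iface):
    return iface is not None and spec in ("any", iface.name, iface.addr)


def matches(rule, pkt):
    if rule["proto"] not in ("ip", "all", pkt.proto):
        return False
    if not (addr_matches(rule["src"], pkt.src) and addr_matches(rule["dst"], pkt.dst)):
        return False
    if rule["dports"] and pkt.dport not in rule["dports"]:
        return False
    if rule["direction"] and rule["direction"] != pkt.direction:
        return False
    if rule["recv"] and not iface_matches(rule["recv"], pkt.recv_if):
        return False  # recv: arrival interface, known on both passes of routed traffic
    if rule["xmit"] and not iface_matches(rule["xmit"], pkt.xmit_if):
        return False  # xmit: outgoing interface, undefined (so never matching) on the in pass
    if rule["via"]:  # via: whichever interface the packet crosses on this pass
        current = pkt.recv_if if pkt.direction == "in" else pkt.xmit_if
        if not iface_matches(rule["via"], current):
            return False
    return True


def decide(rules, pkt, default="allow"):
    """First match wins; the default mirrors IPFIREWALL_DEFAULT_TO_ACCEPT from the thread."""
    for rule in rules:
        if matches(rule, pkt):
            return (rule["action"], rule["fwd_to"])
    return (default, None)


INSIDE = Interface("fxp1", "192.168.1.2")      # names assumed, addresses from the thread
OUTSIDE = Interface("fxp0", "129.186.215.57")
WEB = "203.0.113.10"                            # constructed external web server

RYAN_RULES = [parse_rule(r) for r in (
    "allow all from any to 192.168.1.2 80",
    "fwd 192.168.1.2 tcp from any to 192.168.1.2 3128",
    "fwd 192.168.1.2,3128 tcp from any to any 80,82,3128 out recv 192.168.1.2 xmit 129.186.215.57",
)]
FOOLER_RULES = [parse_rule("fwd 127.0.0.1,3128 tcp from any to any 80 in via fxp1")]


def client_http_passes(rules, outside=OUTSIDE):
    """Decision for a client HTTP SYN on the inbound pass, then on the post-routing outbound pass."""
    inbound = Packet("tcp", "192.168.1.5", WEB, 80, "in", INSIDE)
    outbound = Packet("tcp", "192.168.1.5", WEB, 80, "out", INSIDE, outside)
    return decide(rules, inbound), decide(rules, outbound)


if __name__ == "__main__":
    print(client_http_passes(RYAN_RULES), client_http_passes(FOOLER_RULES))
```

Under this model Ryan's third rule can only fire on the post-routing pass, and only when the egress interface really carries 129.186.215.57, while fooler's rule diverts the connection as it arrives on the inside interface and never matches traffic entering from outside.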
From: "p.r. faasse"
Organization: nlr
To: freebsd-net@freebsd.org
Date: Tue, 21 Jun 2005 09:57:11 +0200
References: <344de287050617043219810b3@mail.gmail.com> <344de28705061706121fcf5040@mail.gmail.com> <344de2870506170641695a9385@mail.gmail.com>
In-Reply-To: <344de2870506170641695a9385@mail.gmail.com>
Message-Id: <200506210957.11858.faasse@nlr.nl>
Subject: Re: FreeBSD 5.4 802.1q and linux stalls

> > > On Fri, Jun 17, 2005 at 12:32:37PM +0100, Meno Abels wrote:
> > > M> i have here a very strange problem which is in real a linux problem
> > > M> but it is triggered by freebsd. I run a lan on which are linux 2.6.8(debian) and
> > > M> freebsd 5.4 systems are connected to a unmanaged gigabit switch. All systems
> > > M> uses this gigabit adapter:
> > > M> Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet
> > > M> Everything works fine until i do on one freebsd box the following:
> > > M> ifconfig vlan0 172.20.21.1 netmask 255.255.255.0 vlan 2 vlandev re0
> > > M> i just do this, there is nowhere any configuration for 802.1q on any other
> > > M> machine on this lan.
> > > M> What is happen now the freebsd continues to run without any problem, but
> > > M> all linuxs are stopping to understand any arp responses from a freebsd
> > > M> nor an other linux.
> > > M> So they stop to work over the time on this lan anymore. If I do
> > > M> "ifconfig vlan0 unplumb"
> > > M> it takes up to 10 minutes and the linux's are return to the working
> > > M> status as before
> > > M> the ifconfig vlan0...
> > > M> I didn't not have any clue which network packet could cause these behavior in
> > > M> a linux but there has to be one. Does anybody as any idea?

I can only speak about a similar problem I once saw on a completely different set-up (a load of WinXP machines..):

We did UDP broadcast at a fixed rate (20 Hz), with > 1 MTU packet size data. One thing that can cause horrible disruption is a switch that 'cuts' these broadcast/multicast packets at a fragment boundary: each Lan card/the TCP stack will receive 'half' UDP packets, buffer them in the hope that the 'rest' of the UDP packet will arrive 'any moment now' and -in the long run- choke on them.

We saw this with a 3Com Gigabit switch. After consulting 3Com we got the response that this was a 'feature' of their switch and 'dumped' the switch.

The 'delayed' re-activation of the Lan's is something we also saw in this situation.

From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 09:17:34 2005
Message-ID: <07c501c57642$1d7d7ed0$6504010a@Jura>
From: "Yuriy N. Shkandybin"
Date: Tue, 21 Jun 2005 13:17:57 +0400
Subject: vlan problems

Hello

I've met the next problem.
There is a router under freebsd with an nge card as parent for several vlans.

vlan102: flags=8843 mtu 1500
        inet 10.0.4.1 netmask 0xfffffe00 broadcast 10.0.5.255
        ether 00:40:f4:47:be:10
        media: Ethernet autoselect (1000baseSX )
        status: active
        vlan: 102 parent interface: nge0

Under 5.4 vlan + nge doesn't work - core dumps, but with 3 diffs from HEAD 1.70-1.72 for if_nge.c all is working.
Under 6 it doesn't work - but I've tried after Brooks Davis's commits.

It looks like this:
1) vlan sends packets, but does not receive
netstat -i shows 0 for the ipackets field
2) tcpdump for the parent interface shows nothing, but the other side sees this arp
tcpdump -n -i nge0 vlan 102 - shows nothing except outgoing "arp who has"
3) I've met the same problem for an lnc card under vmware

I've seen in freebsd-net notes about linux-freebsd connectivity problems for dot1q. It's possibly the same problem here.
Also I've checked the same configuration for rl and em cards - they work well.

My question: How can I debug this situation?
I've looked through if_rl, if_lnc and if_nge diffs both before and after brooks@ patches - nothing special.
Jura

From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 13:06:16 2005
From: "Stephan Weaver"
To: freebsd-net@freebsd.org
Date: Tue, 21 Jun 2005 09:06:15 -0400
Subject: Connecting My ADSL MODEM To My FreeBSD Pc.

Hello Friendly FreeBSD people.

Let me get straight to the point. I am implementing a FreeBSD Based Firewall. I have an ADSL Speedtouch 5200 Modem/Router, currently plugged into my Switch. I want to connect the ADSL modem to my FreeBSD Firewall, so that the FreeBSD Firewall will be creating a PPP connection directly to my ISP. E.g., my vr0 interface will have a PUBLIC Internet Address (IF Possible?).

My ISP uses PPPoA; I used the instructions from the handbook, using 'mpd'. I set the ADSL router in 'bridge' mode and connect the Ethernet cable from the DSL Router/Modem to my FreeBSD Firewall, on the interface vr0. But I have little success getting the results I want. [The Firewall doesn't connect to my ISP]

Anyone willing to give me a clue?

---------------------------------------
Config stuff.
rc.conf -- #FireWall Stuff #--------------- inetd_enable="NO" sendmail_enable="NO" sendmail_submit_enable="NO" sendmail_outbound_enable="NO" sendmail_msp_queue_enable="NO" check_quotas="NO" gateway_enable="YES" ipnat_enable="YES" ipnat_rules="/etc/ipnat.rules" ipfilter_enable="YES" ipfilter_flags="" ipfilter_rules="/etc/ipf.rules" ipmon_enable="YES" ipmon_flags="-Dsn" #vr0 Connects to DSL MODEM ifconfig_vr0="inet 192.168.0.1 netmask 255.255.255.0" #------------------------- mpd.conf default: load adsl adsl: new -i ng0 adsl adsl set bundle authname USER****** set bundle password PASS***[changed] set bundle disable multilink set link no pap acfcomp protocomp set link disable chap set link accept chap set link keep-alive 30 10 set ipcp no vjcomp set ipcp ranges 0.0.0.0/0 0.0.0.0/0 set iface route default set iface disable on-demand set iface enable proxy-arp set iface idle 0 open ----------------- mpd.links -- adsl: set link type pptp set pptp mode active set pptp enable originate outcall set pptp self 192.168.0.1 set pptp peer 192.168.0.254 ---------------- 192.168.0.1 = vr0 interface [ firewall ] 192.168.0.254 = dsl modem/router. Empty /etc/ipnat.rules; empty /etc/ipf.rules ------------------ MPD.LOG --- Multi-link PPP for FreeBSD, by Archie L. Cobbs. Based on iij-ppp, by Toshiharu OHNO. mpd: pid 523, version 3.18 (root@pizzaboys.org 20:57 16-Jun-2005) [adsl] ppp node is "mpd523-adsl" set pptp mode: unknown command. Try "help". [adsl] using interface ng0 [adsl] IPCP: peer address cannot be zero [adsl] IFACE: Open event [adsl] IPCP: Open event [adsl] IPCP: state change Initial --> Starting [adsl] IPCP: LayerStart [adsl:adsl] [adsl] bundle: OPEN event in state CLOSED [adsl] opening link "adsl"... 
[adsl] link: OPEN event [adsl] LCP: Open event [adsl] LCP: state change Initial --> Starting [adsl] LCP: LayerStart [adsl] device: OPEN event in state DOWN pptp0: connecting to 192.168.0.254:1723 [adsl] device is now in state OPENING pptp0: connection to 192.168.0.254:1723 failed pptp0: killing connection with 192.168.0.254:1723 pptp0-0: killing channel [adsl] PPTP call failed [adsl] device: DOWN event in state OPENING [adsl] device is now in state DOWN [adsl] link: DOWN event [adsl] LCP: Down event [adsl] device: OPEN event in state DOWN [adsl] pausing 7 seconds before open [adsl] device is now in state DOWN ----------------------------- pptp.log -=------=-=-=-=-= pizzaboys# 192.168.0.254 adsl anon warn[open_inetsock:pptp_callmgr.c:311]: connect: Connection refused anon fatal[callmgr_main:pptp_callmgr.c:123]: Could not open control connection to 192.168.0.254 ----- pptp / ppp.conf file pizzaboys# less /etc/ppp/ppp.conf adsl: set log phase chat lcp ipcp ccp tun command set timeout 0 enable dns set authname USER(***** set authkey PASSWD**** set ifaddr 0 0 add default HISADDR Regards, Stephan Weaver. PLEASE REPLY to this address as i am not suscribed. stephanweaver@hotmail.com _________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar - get it now! 
From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 13:57:31 2005
From: "Raymond Wagner" <wagnerrp@email.uc.edu>
To: freebsd-net@freebsd.org
Date: Tue, 21 Jun 2005 09:57:25 -0400
Message-Id: <200506211357.CMK21282@mirapoint.uc.edu>
Subject: FreeBSD based firewall on ADSL link with /29 subnet

For a number of years, I have had an ADSL connection using a Cisco 675 modem in NAT mode. My ISP gives me a /29 subnet, which results in 6 available external addresses. Since the modem was running NAT, I could only use the public address attached to the modem. A few weeks ago, I switched over to a FreeBSD based router and decided to make use of those extra addresses. I added another 4 aliases to my external interface and set natd to redirect two of my inside machines onto two of the available addresses. I restarted ipfw and everything works great.

Now the problem. I use www.dyndns.org to keep track of my public IPs and I use ddclient on the firewall to automatically update them if needed. I can only locally see 10.xxx address space internal addresses that my ISP assigns, so I have to use checkip.dyndns.org to figure out what my public IP is. The addresses are randomly dynamically assigned from one of 5 class B subnets, so I can't just count up from the first address. I can run dyndns clients on the two internal machines, but I would rather keep all network related activities contained on the firewall. ddclient still works fine on the firewall, but it can only update the primary address.

How do I get ddclient (or some perl script or other program capable of parsing a website) to access the internet through one of the aliased addresses, rather than through the main address?

Thanks,
Raymond Wagner
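One way to do what the post above asks from a script of your own, as an added example that is not part of the thread and not ddclient's code: bind the client socket to the alias address before connect(), so the address checker sees the alias rather than the interface's primary address. It assumes the alias is already configured on the external interface and that the checker answers with a body containing "Current IP Address: A.B.C.D"; the local stand-in server is constructed so the script runs offline.

```python
"""Make an IP-check request leave the firewall from a chosen alias address.

Added example, not from the thread or from ddclient.  The stand-in server
below is a constructed replacement for checkip.dyndns.org (assumed response
format "Current IP Address: A.B.C.D") so the script can be run offline.
"""
import re
import socket
import threading

CHECKIP_HOST = "checkip.dyndns.org"   # the real service named in the thread
_ADDR_RE = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def connect_from(local_ip, host, port=80, timeout=10.0):
    """Open a TCP connection whose source address is local_ip.

    For an unbound socket the kernel picks the interface's primary address;
    binding to the alias (port 0 = any ephemeral port) before connect() is
    what makes the remote side see the alias instead.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.bind((local_ip, 0))
    sock.connect((host, port))
    return sock


def parse_checkip(body):
    """Extract the dotted quad from a checkip-style response body."""
    match = _ADDR_RE.search(body)
    if match is None:
        raise ValueError("no 'Current IP Address' line in response")
    return match.group(1)


def fetch_public_ip(local_ip, host=CHECKIP_HOST, port=80):
    """Ask the checker which address it sees when we source from local_ip."""
    sock = connect_from(local_ip, host, port)
    try:
        request = ("GET / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
                   % host).encode("ascii")
        sock.sendall(request)
        chunks = []
        while True:                      # HTTP/1.0 + close: read until EOF
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    raw = b"".join(chunks).decode("latin-1")
    body = raw.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in raw else raw
    return parse_checkip(body)


def serve_checkip_once(bind_ip="127.0.0.1"):
    """Constructed stand-in for the checker: answers one request with the
    peer's source address in the same format, then exits.  Returns
    (port, thread) so a caller can connect to it and wait for it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_ip, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, peer = srv.accept()
        with conn:
            conn.recv(4096)   # read the request; only the peer address matters
            body = "<html><body>Current IP Address: %s</body></html>" % peer[0]
            resp = ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                    "Content-Length: %d\r\n\r\n%s" % (len(body), body))
            conn.sendall(resp.encode("ascii"))
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    # Offline demonstration on loopback; on the firewall you would pass the
    # alias address and leave host/port at the real checker's defaults.
    port, thread = serve_checkip_once()
    print(fetch_public_ip("127.0.0.1", "127.0.0.1", port))
    thread.join(5)
```

The same bind-before-connect step is what any client (ddclient included, if it exposes such an option) needs in order to be seen from an alias; each alias then gets its own lookup and its own dyndns hostname to update.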
From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 14:00:03 2005
From: Robert Watson <rwatson@FreeBSD.org>
To: Patrick Domack
Cc: freebsd-net@freebsd.org
Date: Tue, 21 Jun 2005 15:02:57 +0100 (BST)
Message-ID: <20050621145127.L26664@fledge.watson.org>
Subject: Re: EM Driver problems

On Mon, 20 Jun 2005, Patrick Domack wrote:

> I have been using fxp network based cards, without issues. I have
> recently changed over to em cards, and get kernel panics about once
> every few days with them (mainly sbdrop panics). I already have
> nsfclusters set to 32k, and freebsd vm memory set to 850megs, with 4g
> memory installed.
>
> After playing adjusting things and not making any noticeable
> improvements, I upgraded the default freebsd em driver from 1.7 to the
> 2.0 version on intels website. This seemed to fix things for awhile,
> lasted two weeks before any problems happened, at which time the
> card/driver stopped receiving/sending packets. I am still looking into
> exactly what happened here.

I looked in some of the mailing list archives, but didn't see specific reports from you on the panics you are seeing. sbdrop() panics are almost always a sign of a device driver or network stack bug. In as much as possible, a detailed bug report with source code version, stack trace, etc, would be very helpful. Also, could you tell us a little more about the workload? If you've already submitted a PR or posted in detail somewhere, a pointer would be helpful, thanks!

I'm not familiar with the if_em driver source from Intel, but one of the sets of changes that has been made to our driver that might not have been propagated into their driver is support for fine-grained locking, which is required if you're running on FreeBSD 5.3 or higher. Hangs are not unusual failure modes if locking is omitted. As such, I'd suggest we try to move debugging forward on vanilla FreeBSD source rather than the vendor's version of the driver.

Thanks,

Robert N M Watson

From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 14:04:24 2005
Message-ID: <42B81E61.3090809@satro.sk>
Date: Tue, 21 Jun 2005 16:04:17 +0200
From: Michal Vanco <vanco@satro.sk>
To: Phil Regnauld
Cc: freebsd-net@freebsd.org, Sten Daniel Sørsdal
In-Reply-To: <20050620071701.GE1695@catpipe.net>
Subject: Re: Routes not deleted after link down

Phil Regnauld wrote:
> Michal Vanco (vanco) writes:
>> On Sunday 19 June 2005 21:54, Sten Daniel Sørsdal wrote:
>>> Gleb Smirnoff wrote:
>>>> My vote is that we should implement this functionality and make it
>>>> switchable via sysctl. I'd leave the default as is.
>>>>
>>>> What is opinion of other networkers?
>>>
>>> How about also adding a sysctl for setting a delay time between event
>>> and disabling of the route? Then even people with roaming wlan cards can
>>> benefit.
>>> Also it is in my opinion that the route be disabled (moved to a passive
>>> route table maybe?) and not deleted.
>>
>> This is what I meant initially. Marking route passive is better than just
>> deleting it and it'll be also faster to recall the route back in case of link
>> up.
>
> Deleting the route is definitely the most annoying thing you can
> do -- Linux does that, and that's no network reference (try and
> find RTF_STATIC in the Linux routing code). Returning "Network
> unreachable" is the proper thing to do, but keep the route in the
> table... Effectively removing the route from the forwarding
> table is a job for a routing demon.

Yes. Marking route inactive this way is the best solution (and the cheapest one) I think.

michal

From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 14:52:52 2005
Date: Tue, 21 Jun 2005 07:52:47 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Pieter de Boer
Cc: freebsd-net@freebsd.org
Message-ID: <20050621075247.D63359@xorpc.icir.org>
In-Reply-To: <42B731CD.1040104@thedarkside.nl>
Subject: Re: Issues with a Large Fat pipe Network simulation

On Mon, Jun 20, 2005 at 11:14:53PM +0200, Pieter de Boer wrote:
> Luigi Rizzo wrote:
...
> However.. when I deleted the pipe rules on 'network', the speed suddenly
> went up to around 800mbit/s too! I remade them, and voila, 200mbit/s.

network emulation is a tricky job :)

in any case i believe what happens is the following.

The pipe has a default size of 50 slots, which at 1500 bytes is
little above 64k. If the sender is bursting a large number of packets,
it may well overflow the pipe's queue causing a backoff (which
may simply be immediate, or delayed, depending on how you configure
various things).

I believe setting the queue size in the pipe to a value larger than
the window should fix things.

can you confirm that ?

cheers
luigi

> So apparently it's an issue in the dummynet configuration I have. So, to
> reiterate:
>
> On 'network':
> pipe 1 from client to server via em0
> pipe 2 from server to client via em1
> allow ip from any to any
>
> Will give me 200MBit/s when using 128KB window sizes, but 800MBit/s when
> using 64KB window sizes.
>
> On 'network':
> allow ip from any to any
>
> Will give me 800Mbit/s when using 64KB or 128KB window sizes. I haven't
> configured the pipes in any way, though.
>
> So it appears it's due to the 'network' box after all..
>
> --
> Pieter

From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 17:13:46 2005
Message-ID: <42B84AC8.7050802@thedarkside.nl>
Date: Tue, 21 Jun 2005 19:13:44 +0200
From: Pieter de Boer <pieter@thedarkside.nl>
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
In-Reply-To: <20050621075247.D63359@xorpc.icir.org>
Subject: Re: Issues with a Large Fat pipe Network simulation

Luigi Rizzo wrote:
>> However.. when I deleted the pipe rules on 'network', the speed suddenly
>> went up to around 800mbit/s too! I remade them, and voila, 200mbit/s.
> network emulation is a tricky job :)
It sure is, so I'm happy you're trying to help out :)

> in any case i believe what happens is the following.
>
> The pipe has a default size of 50 slots, which at 1500 bytes is
> little above 64k. If the sender is bursting a large number of packets,
> it may well overflow the pipe's queue causing a backoff (which
> may simply be immediate, or delayed, depending on how you configure
> various things).
>
> I believe setting the queue size in the pipe to a value larger than
> the window should fix things.
I had the same thought, so I already fiddled with it a bit. Because you brought it up I tested the following this evening:
send/recv spaces at 128KB

    00001: unlimited 0 ms 50 sl. 1 queues (1 buckets) droptail
    00002: unlimited 0 ms 50 sl. 1 queues (1 buckets) droptail

I'm getting 300-400mbit/s (which is higher than yesterday; it seems the speed creeps up a bit after a while).

    00001: unlimited 0 ms 100 sl. 1 queues (1 buckets) droptail
    00002: unlimited 0 ms 100 sl. 1 queues (1 buckets) droptail

I'm getting 300-400mbit/s.

There doesn't seem to be a direct relation between the pipe's queuing slots and the throughput. Setting the send/recvspaces to 65535 again does give me an immediate throughput of >800mbit/s, though.

Hope you still have some other ideas, since I'm a bit puzzled here..

--
Pieter

From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 17:29:57 2005
Date: Tue, 21 Jun 2005 10:29:54 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Pieter de Boer
Cc: freebsd-net@freebsd.org
Message-ID: <20050621102954.A66904@xorpc.icir.org>
In-Reply-To: <42B84AC8.7050802@thedarkside.nl>
Subject: Re: Issues with a Large Fat pipe Network simulation

oh yes one thing... you are using 'via foo0' in your rule,
which means the packet is intercepted both in the input and
output path, which causes further contention on the queues.
try 'pipe 1 in recv foo0 ...' which should only intercept
traffic in the input path.

also you can set the queue size in kbytes, and can probably go as high
as 1000kb. maybe this helps too.

I am pretty sure there is some issue there, also related to some
timing issues and tcp window opening mode (slow start vs. linear)

cheers
luigi

On Tue, Jun 21, 2005 at 07:13:44PM +0200, Pieter de Boer wrote:
> Luigi Rizzo wrote:
>
> >> However.. when I deleted the pipe rules on 'network', the speed suddenly
> >> went up to around 800mbit/s too! I remade them, and voila, 200mbit/s.
> > network emulation is a tricky job :)
> It sure is, so I'm happy you're trying to help out :)
>
> > in any case i believe what happens is the following.
> >
> > The pipe has a default size of 50 slots, which at 1500 bytes is
> > little above 64k. If the sender is bursting a large number of packets,
> > it may well overflow the pipe's queue causing a backoff (which
> > may simply be immediate, or delayed, depending on how you configure
> > various things).
> >
> > I believe setting the queue size in the pipe to a value larger than
> > the window should fix things.
> I had the same thought, so I already fiddled with it a bit. Because you
> brought it up I tested the following this evening:
> send/recv spaces at 128KB
>
> 00001: unlimited 0 ms 50 sl. 1 queues (1 buckets) droptail
> 00002: unlimited 0 ms 50 sl. 1 queues (1 buckets) droptail
>
> I'm getting 300-400mbit/s (which is higher than yesterday; it seems the
> speed creeps up a bit after a while).
>
> 00001: unlimited 0 ms 100 sl. 1 queues (1 buckets) droptail
> 00002: unlimited 0 ms 100 sl. 1 queues (1 buckets) droptail
>
> I'm getting 300-400mbit/s.
>
> There doesn't seem to be a direct relation between the pipe's queuing
> slots and the throughput. Setting the send/recvspaces to 65535 again
> does give me an immediate throughput of >800mbit/s, though.
>
> Hope you still have some other ideas, since I'm a bit puzzled here..
>
> --
> Pieter

From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 19:12:00 2005
Message-ID: <42B8667D.9020504@thedarkside.nl>
Date: Tue, 21 Jun 2005 21:11:57 +0200
From: Pieter de Boer <pieter@thedarkside.nl>
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
In-Reply-To: <20050621102954.A66904@xorpc.icir.org>
Subject: Re: Issues with a Large Fat pipe Network simulation

Luigi Rizzo wrote:
> oh yes one thing... you are using 'via foo0' in your rule,
> which means the packet is intercepted both in the input and
> output path, which causes further contention on the queues.
Well, when using 'ip from client to server recv em0', packets get matched twice. When I set some latency on that pipe, the packets incur double the latency I set. With 'via em0' this isn't the case. I tried it out, but didn't seem to make much difference.

> also you can set the queue size in kbytes, and can probably go as high
> as 1000kb. maybe this helps too.
Doesn't seem to do much either.

> I am pretty sure there is some issue there, also related to some
> timing issues and tcp window opening mode (slow start vs. linear)
I went to see if there were any sysctls I could tune a bit. I found these:

    net.inet.ip.intr_queue_maxlen: 50
    net.inet.ip.intr_queue_drops: 382136

I don't like drops. So I set intr_queue_maxlen to 400, and -poof-, the speed went up to around 700mbit/s. Still not as fast as it was with 64KB send/recv spaces, but it's a huge improvement nonetheless.

I guess we probably should tune a bit more until we're confident that the middle-box behaves correctly, before adding things like latency and packet-loss :)

Thanks for the advice! If you know other settings to tune on the dummynetting host, I'd very much like to hear them. I'm pondering about polling (which means we can't do SMP on the dummynet system, but it's only pushing packets, so that shouldn't matter too much). At least we have somewhat more info to work with now :)

--
Pieter

From owner-freebsd-net@FreeBSD.ORG Tue Jun 21 19:36:21 2005
Date: Tue, 21 Jun 2005 12:36:18 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Pieter de Boer
Cc: freebsd-net@freebsd.org
Message-ID: <20050621123618.A75484@xorpc.icir.org>
In-Reply-To: <42B8667D.9020504@thedarkside.nl>
Subject: Re: Issues with a Large Fat pipe Network simulation

On Tue, Jun 21, 2005 at 09:11:57PM +0200, Pieter de Boer wrote:
> Luigi Rizzo wrote:
>
> > oh yes one thing... you are using 'via foo0' in your rule,
> > which means the packet is intercepted both in the input and
> > output path, which causes further contention on the queues.
> Well, when using 'ip from client to server recv em0', packets get

i said 'in recv em0' - you missed the 'in' keyword.

> > I am pretty sure there is some issue there, also related to some
> > timing issues and tcp window opening mode (slow start vs. linear)
> I went to see if there were any sysctls I could tune a bit. I found these:
> net.inet.ip.intr_queue_maxlen: 50
> net.inet.ip.intr_queue_drops: 382136
>
> I don't like drops. So I set intr_queue_maxlen to 400, and -poof-, the

whoops... of course, i forgot that one too... which is not much of an issue if you use polling or bridging, that's why i forgot :)

> speed went up to around 700mbit/s. Still not as fast as it was with 64KB
> send/recv spaces, but it's a huge improvement nonetheless.
>
> I guess we probably should tune a bit more until we're confident that
> the middle-box behaves correctly, before adding things like latency and
> packet-loss :)
>
> Thanks for the advice! If you know other settings to tune on the
> dummynetting host, I'd very much like to hear them. I'm pondering about
> polling (which means we can't do SMP on the dummynet system, but it's
> only pushing packets, so that shouldn't matter too much). At least we
> have somewhat more info to work with now :)

yes you should definitely enable polling if you can, and forget about smp - it's a router anyways, and multiple processors won't help.

cheers
luigi
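The three things the dummynet thread above turned up (a 50-slot pipe queue holding less than a 128KB window, 'via' matching a packet on both the input and output pass where 'in recv' matches once, and non-zero net.inet.ip.intr_queue_drops) can be run as a checklist over captured output; the script below is an added example, not code from the thread or from ipfw. The sample lines are constructed from the thread's figures, and the "N KB" pipe display form is an assumption about how ipfw prints a queue sized in kbytes.

```python
"""Checklist for a dummynet middlebox that must carry a large TCP window.

Added example, not from the thread: checks 'ipfw pipe show', 'ipfw show'
and 'sysctl' output for the three problems the discussion identified.
Sample input is constructed; the "N KB" pipe form is an assumption.
"""
import math
import re

MTU = 1500          # bytes per queue slot, as in the thread's "50 slots ~ 64k"
DEFAULT_SLOTS = 50  # dummynet's default pipe queue length

# bandwidth prints as "unlimited" or as "<number> <unit>bit/s"
_PIPE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<bw>unlimited|\S+\s+\S*bit/s)\s+(?P<delay>\d+)\s+ms\s+"
    r"(?P<qlen>\d+)\s+(?P<unit>sl\.|KB)\s")
_SYSCTL_RE = re.compile(r"^(net\.inet\.ip\.intr_queue_\w+):\s+(\d+)$")

# Constructed sample mirroring the thread: 128 KB sockets, default pipes.
SAMPLE_PIPES = [
    "00001: unlimited    0 ms   50 sl. 1 queues (1 buckets) droptail",
    "00002: unlimited    0 ms   50 sl. 1 queues (1 buckets) droptail",
]
SAMPLE_RULES = [
    "00100 pipe 1 ip from 10.0.0.1 to 10.0.1.1 via em0",
    "00200 pipe 2 ip from 10.0.1.1 to 10.0.0.1 via em1",
]
SAMPLE_SYSCTL = [
    "net.inet.ip.intr_queue_maxlen: 50",
    "net.inet.ip.intr_queue_drops: 382136",
]


def pipe_capacity_bytes(qlen, unit="sl."):
    """Bytes a pipe queue can absorb: slots * MTU, or kbytes * 1024."""
    return qlen * MTU if unit == "sl." else qlen * 1024


def parse_pipe_show(line):
    """Parse one 'ipfw pipe show' header line; None if it is not one."""
    m = _PIPE_RE.match(line.strip())
    if m is None:
        return None
    return {"pipe": int(m.group("num")), "bw": m.group("bw"),
            "delay_ms": int(m.group("delay")),
            "capacity_bytes": pipe_capacity_bytes(int(m.group("qlen")),
                                                  m.group("unit"))}


def slots_for_window(window_bytes):
    """Smallest slot count that buffers one full-window burst of MTU packets."""
    return math.ceil(window_bytes / MTU)


def window_fits(capacity_bytes, window_bytes):
    return capacity_bytes >= window_bytes


def rule_direction(rule):
    """How many passes a pipe rule matches: 'via' or a bare 'recv' without
    in/out matches on both the input and output pass, so the packet is
    queued (and delayed) twice; 'in recv' or 'out xmit' match once."""
    tokens = rule.split()
    if "in" in tokens:
        return "input"
    if "out" in tokens:
        return "output"
    if "via" in tokens or "recv" in tokens:
        return "both"
    return "unknown"


def check_sysctls(lines):
    """IP input queue length and whether it has already dropped packets."""
    vals = {}
    for ln in lines:
        m = _SYSCTL_RE.match(ln.strip())
        if m:
            vals[m.group(1)] = int(m.group(2))
    drops = vals.get("net.inet.ip.intr_queue_drops", 0)
    return {"maxlen": vals.get("net.inet.ip.intr_queue_maxlen"),
            "drops": drops, "ok": drops == 0}


def audit(pipe_lines, rules, sysctl_lines, window_bytes):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    for ln in pipe_lines:
        p = parse_pipe_show(ln)
        if p and not window_fits(p["capacity_bytes"], window_bytes):
            findings.append("pipe %d holds %d bytes < window %d; use >= %d slots"
                            % (p["pipe"], p["capacity_bytes"], window_bytes,
                               slots_for_window(window_bytes)))
    for r in rules:
        if rule_direction(r) == "both":
            findings.append("rule matches on both passes, prefer 'in recv': %s" % r)
    sc = check_sysctls(sysctl_lines)
    if not sc["ok"]:
        findings.append("intr_queue_drops=%d at intr_queue_maxlen=%s; raise maxlen"
                        % (sc["drops"], sc["maxlen"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PIPES, SAMPLE_RULES, SAMPLE_SYSCTL, 128 * 1024):
        print(finding)
```

With the thread's numbers a default pipe holds 50 * 1500 = 75000 bytes, which covers a 65535-byte window but not a 131072-byte one, matching the 800 vs. 200 Mbit/s split Pieter saw.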
From: Luigi Rizzo To: Ari Suutari Message-ID: <20050621170649.B82876@xorpc.icir.org> References: <42B7B352.8040806@suutari.iki.fi> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <42B7B352.8040806@suutari.iki.fi>; from ari@suutari.iki.fi on Tue, Jun 21, 2005 at 09:27:30AM +0300 Cc: freebsd-net@freebsd.org Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Jun 2005 00:06:51 -0000 On Tue, Jun 21, 2005 at 09:27:30AM +0300, Ari Suutari wrote: > Hi, > > I sent this to ipfw mailing list some time ago, but > got no response. I would like to adjust ipfw behaviour > with fwd rules to make policy routing easier (ie. make > it separete from filtering rules). I would just like > some input if this makes any sense (or is possible at > all with current design). i suggest to implement a new action 'setnexthop' which stores the next hop as an MTAG with the packet (so it is preserved if the packet gets passed to dummynet). But perhaps, rather than a specific next hop, maybe you want to pass a reference to a different routing table instead ? cheers luigi > >Currently the ipfw fwd rules work so that the packet > >is accepted when fwd rule matches. > > > >Would it be possible just tag the packet with > >information about next_hop and just continue processing the > >rules ? This would make complex rulesets with policy-based > >routing much simpler, since one could just have relevat > >fwd statments at beginning of rule sets and then > >filter the packets in usual way. > > Ari S. 
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 10:40:53 2005
Message-ID: <42B94023.3090202@suutari.iki.fi>
Date: Wed, 22 Jun 2005 13:40:35 +0300
From: Ari Suutari
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
In-Reply-To: <20050621170649.B82876@xorpc.icir.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

Hi,

Luigi Rizzo wrote:
> i suggest to implement a new action 'setnexthop' which stores the
> next hop as an MTAG with the packet (so it is preserved if the
> packet gets passed to dummynet).

I took a quick look at how ipfw forward has been implemented.
It seems to use PACKET_TAG_IPFORWARD to store routing info.
If I would implement "ipfw setnexthop" with a new MTAG it
would duplicate very much code already present for PACKET_TAG_IPFORWARD.
If I could reuse the same MTAG this would be easier to add, all
that would be needed is a new opcode for ipfw (or am I missing
something important ?)

Ari S.
From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 10:53:22 2005
Date: Wed, 22 Jun 2005 12:53:34 +0200
From: Jeremie Le Hen
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
Message-ID: <20050622105334.GP738@obiwan.tataz.chchile.org>
In-Reply-To: <20050621170649.B82876@xorpc.icir.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

Hi Luigi,

> But perhaps, rather than a specific next hop, maybe you want to
> pass a reference to a different routing table instead ?

How do you achieve this ? I've never heard of multiple routing
tables in FreeBSD, except with the vimage patch [1] from Marco Zec.
Regards,

[1] http://www.tel.fer.hr/zec/vimage/

--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 12:33:08 2005
Date: Wed, 22 Jun 2005 05:33:07 -0700
From: Luigi Rizzo
To: Ari Suutari
Cc: freebsd-net@freebsd.org
Message-ID: <20050622053307.B90964@xorpc.icir.org>
In-Reply-To: <42B94023.3090202@suutari.iki.fi>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

On Wed, Jun 22, 2005 at 01:40:35PM +0300, Ari Suutari wrote:
> Hi,
>
> Luigi Rizzo wrote:
> > i suggest to implement a new action 'setnexthop' which stores the
> > next hop as an MTAG with the packet (so it is preserved if the
> > packet gets passed to dummynet).
>
> I took a quick look at how ipfw forward has been implemented.
> It seems to use PACKET_TAG_IPFORWARD to store routing info.
> If I would implement "ipfw setnexthop" with a new MTAG it
> would duplicate very much code already present for PACKET_TAG_IPFORWARD.

yes i think you should reuse the tag, just add a new opcode so that
the action is attach the mtag to the mbuf if not there yet
(maybe override its content if you believe you could match multiple rules of
this type) and then continue processing as in a 'count' action.

cheers
luigi

> If I could reuse the same MTAG this would be easier to add, all
> that would be needed is a new opcode for ipfw (or am I missing
> something important ?)
>
> Ari S.
From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 12:53:46 2005
Message-ID: <42B95F5A.DFF7F3C5@freebsd.org>
Date: Wed, 22 Jun 2005 14:53:46 +0200
From: Andre Oppermann
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
In-Reply-To: <20050621170649.B82876@xorpc.icir.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

Luigi Rizzo wrote:
>
> On Tue, Jun 21, 2005 at 09:27:30AM +0300, Ari Suutari wrote:
> > Hi,
> >
> > I sent this to ipfw mailing list some time ago, but
> > got no response. I would like to adjust ipfw behaviour
> > with fwd rules to make policy routing easier (ie. make
> > it separate from filtering rules). I would just like
> > some input if this makes any sense (or is possible at
> > all with current design).
>
> i suggest to implement a new action 'setnexthop' which stores the
> next hop as an MTAG with the packet (so it is preserved if the
> packet gets passed to dummynet).

Please don't store routing table pointers. All the locking due
to pointers to route entries in random places makes SMP a pain
and slows down routing table lookups.

> But perhaps, rather than a specific next hop, maybe you want to
> pass a reference to a different routing table instead ?

We don't have any at the moment.

--
Andre

> cheers
> luigi
>
> > >Currently the ipfw fwd rules work so that the packet
> > >is accepted when fwd rule matches.
> > >
> > >Would it be possible just tag the packet with
> > >information about next_hop and just continue processing the
> > >rules ? This would make complex rulesets with policy-based
> > >routing much simpler, since one could just have relevant
> > >fwd statements at beginning of rule sets and then
> > >filter the packets in usual way.
> >
> > Ari S.

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 13:33:40 2005
To: freebsd-net@freebsd.org
From: "Ryan Rathje"
Date: Wed, 22 Jun 2005 08:33:39 -0500 (CDT)
Message-Id: <3933822510531721@webmail.iastate.edu>
Subject: Transparent Squid 2.5Stable10 + FreeBSD 5.4

Fooler,

Thanks for the suggestion thus far, it did clear some up. When I use your
suggestion of:

ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in via em0

1 FreeBSD configured as a gateway with 2 nics
sis0 - outside world nic
em0 - internal network nic

it appears to have some communication, but not all. Here's what I mean:

This is the output from ethereal when trying to visit the google website:

192.168.1.5 -> 216.239.39.99 TCP 3694 > http [SYN] seq=0 ack=0 win=16384 Len=0 MSS=1460
216.239.39.99 -> 192.168.1.5 TCP http > 3694 [SYN, ACK] seq=0 ack=1 win=16384 Len=0 MSS=1460
192.168.1.5 -> 216.239.39.99 TCP 3694 > http [ACK] seq=1 ack=1 win=17520 Len=0
192.168.1.5 -> 216.239.39.99 HTTP GET / HTTP/1.1
216.239.39.99 -> 192.168.1.5 TCP http > 3694 [FIN, ACK] seq=1 ack=300 win=65535 Len=0
192.168.1.5 -> 216.239.39.99 TCP 3694 > http [ACK] seq=300 ack=2 win=17520 Len=0
192.168.1.5 -> 216.239.39.99 TCP 3694 > http [FIN, ACK] seq=300 ack=2 win=17520 Len=0
216.239.39.99 -> 192.168.1.5 TCP http > 3694 [ACK] seq=2 ack=301 win=65534 Len=0

As of right now, this is the only line in rc.conf, I know I need more (see
below) but I'm starting to get a little confused about the order in which
it's supposed to be listed.

If it's not clear by now that I'm kind of new to Squid and FreeBSD, I'm
stating it for the record, I'm a newbie.

Thanks all in advance.
> -----Original Message-----
>
> ipfw add allow all from any to 192.168.1.2 80
> ipfw add fwd 192.168.1.2 tcp from any to 192.168.1.2 3128
> ipfw add fwd 192.168.1.2,3128 tcp from any to any 80,82,3128 out recv
> 192.168.1.2 xmit 129.186.215.57
>
> My gut feeling is it has something to do with my ipfw rules, any and ALL help
> would get GREATLY appreciated. thanks

yup your gut feeling is correct :-> you don't need to enable IPFILTER if you
use IPFW... your simple ipfw rule for transparent proxy looks like this:

ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in via

fooler.

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 14:53:01 2005
Date: Wed, 22 Jun 2005 07:53:00 -0700
From: Luigi Rizzo
To: Andre Oppermann
Cc: freebsd-net@freebsd.org
Message-ID: <20050622075300.F92493@xorpc.icir.org>
In-Reply-To: <42B95F5A.DFF7F3C5@freebsd.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

On Wed, Jun 22, 2005 at 02:53:46PM +0200, Andre Oppermann wrote:
...
> > i suggest to implement a new action 'setnexthop' which stores the
> > next hop as an MTAG with the packet (so it is preserved if the
> > packet gets passed to dummynet).
>
> Please don't store routing table pointers. All the locking due

that would be just an IP address, not the table pointer.
cheers
luigi

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 15:01:18 2005
From: "Mrad James Deane"
To: freebsd-net@freebsd.org
Date: Wed, 22 Jun 2005 17:01:17 +0200
Subject: www user than root

hello i want to know how the www user with uid:80 can print on a privileged
port like 80 rather the root user im very in trouble i did not find a
solution yet mac_portacl is one but it is very experimental please help.
thanks

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 15:14:19 2005
Date: Wed, 22 Jun 2005 16:14:06 +0100
From: Bruce M Simpson
To: Mrad James Deane
Cc: freebsd-net@freebsd.org
Message-ID: <20050622151406.GG791@empiric.icir.org>
Subject: Re: www user than root

On Wed, Jun 22, 2005 at 05:01:17PM +0200, Mrad James Deane wrote:
> hello i want to know how the www user with uid:80 can print on a privileged
> port like 80 rather the root user im very in trouble i did not find a
> solution yet mac_portacl is one but it is very experimental please help.
> thanks

I think you may have meant 'bind' rather than 'print' here?

Anyway, the way they used to do this back in the day on Linux at least
was to hack the socket code to allow binds to privileged ports by
certain users/groups rather than relying solely on the super-user check.

You could do something like this in FreeBSD 5-STABLE by hacking the
in_pcbbind_setup() function in src/sys/netinet/in_pcb.c to not just
call suser_cred(), but to instead perform a group check, by calling
groupmember(some_privileged_socket_group, cred).
Regards,
BMS

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 16:09:40 2005
Date: Wed, 22 Jun 2005 18:08:41 +0200
From: Marco Molteni
To: xtremejames183@msn.com, freebsd-net@freebsd.org
Message-Id: <20050622180841.56be8f27.molter@tin.it>
In-Reply-To: <20050622151406.GG791@empiric.icir.org>
Subject: Re: www user than root

On Wed, 22 Jun 2005 16:14:06 +0100 Bruce M Simpson wrote:
> On Wed, Jun 22, 2005 at 05:01:17PM +0200, Mrad James Deane wrote:
> > hello i want to know how the www user with uid:80 can print on a
> > privileged port like 80 rather the root user im very in trouble i
> > did not find a solution yet mac_portacl is one but it is very
> > experimental please help. thanks
>
> I think you may have meant 'bind' rather than 'print' here?
>
> Anyway, the way they used to do this back in the day on Linux at least
> was to hack the socket code to allow binds to privileged ports by
> certain users/groups rather than relying solely on the super-user
> check.
>
> You could do something like this in FreeBSD 5-STABLE by hacking the
> in_pcbbind_setup() function in src/sys/netinet/in_pcb.c to not just
> call suser_cred(), but to instead perform a group check, by calling
> groupmember(some_privileged_socket_group, cred).
I think that the following sysctls do the trick

molter@gattaccio[~]$ sysctl net|grep reserv
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.reservedlow: 0

marco

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 16:19:56 2005
Message-ID: <42B98FA0.3030805@suutari.iki.fi>
Date: Wed, 22 Jun 2005 19:19:44 +0300
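The three answers in the "www user than root" sub-thread above (the net.inet.ip.portrange.reservedlow/reservedhigh sysctls, Bruce's groupmember() idea for in_pcbbind_setup(), and mac_portacl) differ mainly in who else gets the privilege. The following Python model is an added example, not FreeBSD kernel code and not anything posted by the participants. It compares the mechanisms on a constructed set of credentials: Cred, Policy, may_bind, compare_mechanisms, the privileged_gid field and the uids 80/0/1001 are assumptions of this example; the reserved-range sysctl names come from Marco's message, and the "idtype:id:proto:port" rule shape is modelled on the mac_portacl rule syntax, simplified here.

```python
"""Model of the privileged-port bind check discussed in the thread:
reserved range (net.inet.ip.portrange.reservedlow/reservedhigh), the
super-user check, a group grant in the spirit of the groupmember()
suggestion, and mac_portacl-style 'idtype:id:proto:port' rules.
Constructed example, not FreeBSD's in_pcbbind_setup() code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cred:
    uid: int
    gids: FrozenSet[int] = frozenset()


@dataclass
class Policy:
    reservedlow: int = 0                   # net.inet.ip.portrange.reservedlow
    reservedhigh: int = 1023               # net.inet.ip.portrange.reservedhigh
    privileged_gid: Optional[int] = None   # hypothetical "privileged socket group"
    portacl: str = ""                      # e.g. "uid:80:tcp:80" (mac_portacl-style)


def parse_portacl(rules: str) -> List[Tuple[str, int, str, int]]:
    """Parse a comma-separated 'idtype:id:proto:port' rule list."""
    out = []
    for item in filter(None, rules.split(",")):
        idtype, ident, proto, port = item.split(":")
        if idtype not in ("uid", "gid") or proto not in ("tcp", "udp"):
            raise ValueError(f"bad portacl rule {item!r}")
        out.append((idtype, int(ident), proto, int(port)))
    return out


def may_bind(cred: Cred, proto: str, port: int, policy: Policy) -> Tuple[bool, str]:
    """Return (allowed, reason) for a bind() to proto/port by cred."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if not policy.reservedlow <= port <= policy.reservedhigh:
        return True, "unreserved port"                    # no privilege needed
    if cred.uid == 0:
        return True, "superuser"                          # the suser_cred() path
    if policy.privileged_gid is not None and policy.privileged_gid in cred.gids:
        return True, "member of privileged socket group"  # the groupmember() path
    for idtype, ident, rproto, rport in parse_portacl(policy.portacl):
        if rproto == proto and rport == port and (
            (idtype == "uid" and ident == cred.uid)
            or (idtype == "gid" and ident in cred.gids)
        ):
            return True, f"portacl grant {idtype}:{ident}:{rproto}:{rport}"
    return False, "EACCES: reserved port and no grant"


# Constructed credentials: the www user, root, and an unrelated local user.
WWW = Cred(uid=80, gids=frozenset({80}))
ROOT = Cred(uid=0, gids=frozenset({0}))
OTHER = Cred(uid=1001, gids=frozenset({1001}))


def compare_mechanisms() -> dict:
    """For each approach: can www bind tcp/80, and can an unrelated local
    user do the same?  The second value is the blast radius of the setting."""
    approaches = {
        "default": Policy(),
        "sysctl reservedhigh=79": Policy(reservedhigh=79),
        "group grant gid 80": Policy(privileged_gid=80),
        "portacl uid:80:tcp:80": Policy(portacl="uid:80:tcp:80"),
    }
    return {
        name: (may_bind(WWW, "tcp", 80, p)[0], may_bind(OTHER, "tcp", 80, p)[0])
        for name, p in approaches.items()
    }


if __name__ == "__main__":
    for name, (www_ok, other_ok) in compare_mechanisms().items():
        print(f"{name:24s} www:{www_ok!s:5s} uid1001:{other_ok!s}")
```

The sysctl route is the only one that also lets every other local account bind port 80, which is the property to weigh before lowering reservedhigh on a multi-user box; the group grant and the per-uid rule restrict the exception to the intended identity, and the per-uid rule additionally scopes it to one protocol and port.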
From: Ari Suutari
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
In-Reply-To: <20050622053307.B90964@xorpc.icir.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

> yes i think you should reuse the tag, just add a new opcode so that
> the action is attach the mtag to the mbuf if not there yet
> (maybe override its content if you believe you could match multiple rules of
> this type) and then continue processing as in a 'count' action.

Differences to "ipfw fwd" seem to be minimal. Maybe a sysctl
which changes fwd rule behaviour so that it can either work
as before or similar to 'count' action would be better solution ?
This would be similar to net.inet.ip.fw.one_pass.

(I'm not very actively pushing to sysctl solution, I would
just like to find out best approach before starting actual
coding)

Ari S.

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.7.10/25 - Release Date: 21.6.2005

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 16:24:53 2005
Date: Wed, 22 Jun 2005 09:24:52 -0700
From: Luigi Rizzo
To: Ari Suutari
Cc: freebsd-net@freebsd.org
Message-ID: <20050622092452.A95367@xorpc.icir.org>
In-Reply-To: <42B98FA0.3030805@suutari.iki.fi>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

On Wed, Jun 22, 2005 at 07:19:44PM +0300, Ari Suutari wrote:
> > yes i think you should reuse the tag, just add a new opcode so that
> > the action is attach the mtag to the mbuf if not there yet
> > (maybe override its content if you believe you could match multiple rules of
> > this type) and then continue processing as in a 'count' action.
>
> Differences to "ipfw fwd" seem to be minimal. Maybe a sysctl

yes but it is a different action and you may want both types
of rules in the same ruleset, so a sysctl is out of discussion.
I really believe the "setnexthop" action is the best approach.

> which changes fwd rule behaviour so that it can either work
> as before or similar to 'count' action would be better solution ?
> This would be similar to net.inet.ip.fw.one_pass.

i admit that there is some similarity... but not 100%... :)

cheers
luigi

> (I'm not very actively pushing to sysctl solution, I would
> just like to find out best approach before starting actual
> coding)
>
> Ari S.

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 18:33:48 2005
Date: Wed, 22 Jun 2005 20:34:00 +0200
From: Jeremie Le Hen
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
Message-ID: <20050622183400.GS738@obiwan.tataz.chchile.org>
In-Reply-To: <20050622092452.A95367@xorpc.icir.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

Hi Luigi,

> yes but it is a different action and you may want both types
> of rules in the same ruleset, so a sysctl is out of discussion.
> I really believe the "setnexthop" action is the best approach.

IMHO, making the "fwd" action non-terminal (as the "count" action)
is the best way to achieve this. When net.inet.ip.fw.one_pass is
set to 1, then it will behave like actually. When set to 0, the
user will have to explicitly use an "accept" or a "skipto" rule
to stop going through the rules, in the same way you would do it
for a "pipe" action.

However, the main problem with this approach is that it breaks POLA.
Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 18:45:15 2005
From: Luigi Rizzo
To: Jeremie Le Hen
Cc: freebsd-net@freebsd.org
Date: Wed, 22 Jun 2005 11:45:13 -0700
Message-ID: <20050622114513.A97519@xorpc.icir.org>
In-Reply-To: <20050622183400.GS738@obiwan.tataz.chchile.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

On Wed, Jun 22, 2005 at 08:34:00PM +0200, Jeremie Le Hen wrote:
> Hi Luigi,
>
> > yes but it is a different action and you may want both types
> > of rules in the same ruleset, so a sysctl is out of discussion.
> > I really believe the "setnexthop" action is the best approach.
>
> IMHO, making the "fwd" action non-terminal (as the "count" action)

I don't understand what the problem is in defining a second action
'setnexthop' which behaves as a non-blocking 'forward'. Implementation-wise
you can share most of the code; it is just a matter of putting and perhaps
a flag in the structure that stores the nexthop, depending on the action
specified on the command line. Same for printing.

It does not break POLA and it lets you have both behaviours at
almost no cost.

Maybe net.inet.ip.fw.one_pass should not exist, but now it is
there and, once again, we have to keep it for POLA.

cheers
luigi

> is the best way to achieve this. When net.inet.ip.fw.one_pass is set
> to 1, then it will behave as it does now. When set to 0, the user
> will have to explicitly use an "accept" or a "skipto" rule to stop
> going through the rules, in the same way you would do it for a
> "pipe" action.
>
> However, the main problem with this approach is that it breaks POLA.
>
> Regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 22:15:46 2005
Date: Thu, 23 Jun 2005 00:15:57 +0200
From: Jeremie Le Hen
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org, Jeremie Le Hen
Message-ID: <20050622221557.GU738@obiwan.tataz.chchile.org>
In-Reply-To: <20050622114513.A97519@xorpc.icir.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

> I don't understand what the problem is in defining a second action
> 'setnexthop' which behaves as a non-blocking 'forward'. Implementation-wise
> you can share most of the code, it is just a matter of putting and
> perhaps a flag in the structure that stores the nexthop depending
> on the action specified on the command line. Same for printing.
>
> It does not break POLA and it lets you have both behaviours at
> almost no cost.
>
> maybe net.inet.ip.fw.one_pass should not exist, but now it is
> there and once again, we have to keep it for POLA.

You are completely right. My wish would be to make ipfw minimalist, in
other words there would be no need to have either the "setnexthop" or the
"tee" action (using a non-blocking "forward" and "divert" respectively).
But this is pointless anyway as it would break POLA.

Just for information, does this principle require FreeBSD to keep
existing options forever, or are there some scarce situations where some
superfluous options could be deleted?

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 23:18:36 2005
Message-ID: <42B9F1C8.7070702@t-hosting.hu>
Date: Thu, 23 Jun 2005 01:18:32 +0200
From: Kövesdán Gábor
To: Marco Molteni
Cc: freebsd-net@freebsd.org, xtremejames183@msn.com
In-Reply-To: <20050622180841.56be8f27.molter@tin.it>
Subject: Re: www user than root

> I think that the following sysctls do the trick
>
> molter@gattaccio[~]$ sysctl net|grep reserv
> net.inet.ip.portrange.reservedhigh: 1023
> net.inet.ip.portrange.reservedlow: 0
>
> marco

According to that, one could lower the reservedhigh value to 79, or
increase the reservedlow to 81, but I don't think it would be secure
enough. The hack that Bruce mentioned would be secure, but not too
impressive. I've seen the RBAC (Role-based access control) in Solaris 10
and it did it nicely. It would be nice to have such a feature in
FreeBSD. Or even in TrustedBSD as an experimental project, and it might
be merged later if it seems to be stable.

Cheers,
Gábor Kövesdán

From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 02:57:26 2005
From: "fooler"
To: "Ryan Rathje"
Date: Thu, 23 Jun 2005 10:57:23 +0800
Message-ID: <0a3701c5779f$4b023b30$42764eca@ilo.skyinet.net>
Subject: Re: Transparent Squid 2.5Stable10 + FreeBSD 5.4

----- Original Message -----
From: "Ryan Rathje"
Sent: Wednesday, June 22, 2005 9:33 PM
Subject: Transparent Squid 2.5Stable10 + FreeBSD 5.4

> Fooler,
> Thanks for the suggestion thus far, it did clear some up. When I use your
> suggestion of:
>
> ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in via em0
>
> 1 FreeBSD configured as a gateway with 2 nics
> sis0 - outside world nic
> em0 - internal network nic
>
> it appears to have some communication, but not all. Here's what I mean: This
> is the output from ethereal when trying to visit the google website:
>
> 192.168.1.5 -> 216.239.39.99 TCP 3694 > http [SYN] seq=0 ack=0 win=16384 Len=0 MSS=1460
> 216.239.39.99 -> 192.168.1.5 TCP http > 3694 [SYN, ACK] seq=0 ack=1 win=16384 Len=0 MSS=1460
> 192.168.1.5 -> 216.239.39.99 TCP 3694 > http [ACK] seq=1 ack=1 win=17520 Len=0
> 192.168.1.5 -> 216.239.39.99 HTTP GET / HTTP/1.1
> 216.239.39.99 -> 192.168.1.5 TCP http > 3694 [FIN, ACK] seq=1 ack=300 win=65535 Len=0
> 192.168.1.5 -> 216.239.39.99 TCP 3694 > http [ACK] seq=300 ack=2 win=17520 Len=0
> 192.168.1.5 -> 216.239.39.99 TCP 3694 > http [FIN, ACK] seq=300 ack=2 win=17520 Len=0
> 216.239.39.99 -> 192.168.1.5 TCP http > 3694 [ACK] seq=2 ack=301 win=65534 Len=0

first... no transparent proxy (or http hijacking) took place, because your
client (192.168.1.5) is the one who fetches the google website instead of
your proxy server...

second... although the client successfully communicates with the google web
server.. it is clearly a violation of RFC 1918.. which says that private ip
addresses are only routable within your controlled domain.. once they get
out of your controlled domain.. they must be dropped... (disregard this
statement if you do NAT and ethereal is interpreting the packets above
after the network address translation)

show me what "ipfw show" and "netstat -an|grep LISTEN" say...

fooler.
From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 03:22:16 2005
From: "Darren Pilgrim"
To: "'Mrad James Deane'"
Date: Wed, 22 Jun 2005 20:22:13 -0700
Message-ID: <000401c577a2$c095b090$0b2a15ac@SMILEY>
Subject: RE: www user than root

From: Mrad James Deane
> hello i want to know how the www user with uid:80 can print
> on a privileged port like 80 rather than the root user. I'm very
> in trouble, I did not find a solution yet. mac_portacl is one
> but it is very experimental. please help. thanks

Most daemons that bind to "privileged" ports and run as a non-root uid
start as root, then change the effective UID after binding to the port.
Aside from writing the program to do these things, there are packages
such as daemontools (it's in the ports tree) available that provide the
required functionality as wrapper programs.
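Darren's reply describes the bind-then-drop sequence in words; the following is an added example (not code from the thread or from daemontools) that shows it in C, together with a check that the drop is permanent. Port 80 and uid/gid 80 (FreeBSD's www user) are taken from the thread; the function names are this example's own.

```c
/* Added example: bind a privileged port while still root, then
 * irrevocably drop to an unprivileged uid/gid, as Darren describes.
 * Port 80 and uid/gid 80 come from the thread; everything else here is
 * this example's own choice. */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a TCP listener bound to all addresses on `port`.  Port 0 asks the
 * kernel for an ephemeral port, which lets the function be exercised
 * without root.  Returns the listening fd, or -1 with errno set. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Switch to uid/gid for good.  Order matters: supplementary groups and
 * the gid must be changed first, because after setuid() the process no
 * longer has the privilege to change them.  Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs root; an already unprivileged process has nothing to shed. */
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* Verify the drop is permanent: a non-root uid must not be able to
     * regain root.  If setuid(0) succeeds here, a saved uid was left
     * behind and the drop was incomplete. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* True when real and effective uid/gid all equal the target. */
int running_as(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(void)
{
    int fd = bind_listener(80);          /* needs root */
    if (fd < 0) {
        perror("bind port 80");
        return 1;
    }
    if (drop_privileges(80, 80) < 0) {   /* www:www on FreeBSD */
        perror("drop_privileges");
        return 1;
    }
    printf("listening on :80 as uid %u, root gone: %s\n",
           (unsigned)geteuid(), running_as(80, 80) ? "yes" : "no");
    /* An accept() loop would follow; the socket stays usable after the drop. */
    close(fd);
    return 0;
}
```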
From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 05:28:58 2005
From: Ari Suutari
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
Date: Thu, 23 Jun 2005 08:28:43 +0300
Message-ID: <42BA488B.3040602@suutari.iki.fi>
In-Reply-To: <20050622092452.A95367@xorpc.icir.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

Luigi Rizzo wrote:
> I really believe the "setnexthop" action is the best approach.

I'll start implementing this approach today if other work permits.

I think I'll also add a new rule option "defaultroute" which matches if
the packet destination has no specific route in the routing table. That
would make it very easy to, for example, route general web-surfing to a
secondary adsl line; just say:

ipfw setnexthop g2.g2.g2.g2 tcp from any to any defaultroute

(well, in real life one would probably need nat here, but that could be
done in a similar manner)

Ari S.
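As an added illustration of the "defaultroute" match Ari proposes (this is not code from his patch), a small longest-prefix-match table in C shows exactly when such an option would fire. The route table is constructed sample data; 192.168.1.5 and 216.239.39.99 are taken from Ryan's trace earlier in the thread, and names such as matches_defaultroute are this example's own.

```c
/* Added example: the decision a "defaultroute" rule option has to make.
 * A toy longest-prefix-match table shows that the option fires only when
 * nothing more specific than 0.0.0.0/0 covers the destination.  The table
 * below is constructed sample data. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

struct route {
    uint32_t prefix;   /* network address, host byte order */
    int      plen;     /* prefix length, 0 for the default route */
};

static uint32_t mask_of(int plen)
{
    return plen == 0 ? 0 : 0xffffffffu << (32 - plen);
}

/* Parse a dotted quad into a host-order uint32; returns 0 on failure. */
int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Longest-prefix match: index of the most specific covering route, or -1
 * when no route (not even a default) covers dst. */
int lpm_lookup(const struct route *tbl, int n, uint32_t dst)
{
    int best = -1;
    for (int i = 0; i < n; i++) {
        uint32_t m = mask_of(tbl[i].plen);
        if ((dst & m) == (tbl[i].prefix & m) &&
            (best < 0 || tbl[i].plen > tbl[best].plen))
            best = i;
    }
    return best;
}

/* Semantics of the proposed "defaultroute" option: true iff the best
 * match for dst is the /0 default route.  A destination with no route at
 * all does not match either, so such packets would not be policy-routed
 * onto the secondary line. */
int matches_defaultroute(const struct route *tbl, int n, uint32_t dst)
{
    int i = lpm_lookup(tbl, n, dst);
    return i >= 0 && tbl[i].plen == 0;
}

/* Same check on a dotted-quad string; unparsable input never matches. */
int defaultroute_str(const struct route *tbl, int n, const char *dst)
{
    uint32_t a;
    return parse_ipv4(dst, &a) && matches_defaultroute(tbl, n, a);
}

/* Constructed sample table: the inside net, a second internal prefix and
 * the default route. */
static const struct route sample_table[] = {
    { 0xC0A80100u, 24 },   /* 192.168.1.0/24 */
    { 0x0A000000u,  8 },   /* 10.0.0.0/8     */
    { 0x00000000u,  0 },   /* 0.0.0.0/0      */
};
static const int sample_n = 3;

/* The same table without a default route, to show the "no route" case. */
static const struct route nodefault_table[] = {
    { 0xC0A80100u, 24 },
    { 0x0A000000u,  8 },
};
static const int nodefault_n = 2;

int main(void)
{
    const char *dsts[] = { "192.168.1.5", "10.4.4.4", "216.239.39.99" };
    for (int i = 0; i < 3; i++)
        printf("%-15s defaultroute: %-8s  (table without default: %s)\n",
               dsts[i],
               defaultroute_str(sample_table, sample_n, dsts[i]) ? "match" : "no match",
               defaultroute_str(nodefault_table, nodefault_n, dsts[i]) ? "match" : "no match");
    return 0;
}
```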
From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 06:46:50 2005
From: Ari Suutari
To: Ari Suutari
Cc: Luigi Rizzo, freebsd-net@freebsd.org
Date: Thu, 23 Jun 2005 09:46:31 +0300
Message-ID: <42BA5AC7.60301@suutari.iki.fi>
In-Reply-To: <42BA488B.3040602@suutari.iki.fi>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

Ari Suutari wrote:
>
> ipfw setnexthop g2.g2.g2.g2 tcp from any to any defaultroute

Looking at the code, maybe the "defaultroute" option should be named
verdstreach?

Ari S.
From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 07:52:24 2005
From: Ari Suutari
To: Ari Suutari
Cc: freebsd-net@freebsd.org
Date: Thu, 23 Jun 2005 10:52:02 +0300
Message-ID: <42BA6A22.6030506@suutari.iki.fi>
In-Reply-To: <42B7B352.8040806@suutari.iki.fi>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

Hi,

The patches which implement both "ipfw setnexthop" and
"ipfw .... defaultroute" are at:

http://www.suutari.iki.fi/freebsd/ipfw-nexthop.patch
http://www.suutari.iki.fi/freebsd/netinet-nexthop.patch

These are against 5.4-RELEASE - if that causes too much trouble I can
try to generate them against -current.

I have tested these in a lab environment, but not in production use.
However, I wouldn't expect many problems, since these features use much
existing code.

Ari S.
From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 08:06:19 2005
From: Luigi Rizzo
To: Ari Suutari
Cc: freebsd-net@freebsd.org
Date: Thu, 23 Jun 2005 01:06:18 -0700
Message-ID: <20050623010618.B7580@xorpc.icir.org>
In-Reply-To: <42BA6A22.6030506@suutari.iki.fi>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

On Thu, Jun 23, 2005 at 10:52:02AM +0300, Ari Suutari wrote:
> Hi,
>
> The patches which implement both
> "ipfw setnexthop" and "ipfw .... defaultroute" are at:

Look reasonable, but I would like to reuse the existing 'forward' code a
lot more, to avoid duplication and inconsistencies should we apply
fixes/changes to that in the future. E.g.

> http://www.suutari.iki.fi/freebsd/ipfw-nexthop.patch

for the chunk at --- 2951,2987 ---- I think it would be better to reuse
the 'case TOK_FORWARD', by changing the opcode and messages according to
the actual command.

BTW for the 'setnexthop', the port number does not really make much
sense... though it can be useful as a degenerate 'nexthop' case to
forward to a local port.

> http://www.suutari.iki.fi/freebsd/netinet-nexthop.patch

here too I would reuse the existing code more, e.g. in ipfw_log() put
'case O_SETNEXTHOP' next to 'case O_FORWARD_IP' and replace the string
"Forward" in the first snprintf() with "%s" and an additional argument

    cmd->opcode == O_FORWARD_IP ? "Forward" : "SetNextHop"

Same in the action part at --- 2474,2490 ----, just reuse the O_FORWARD
case and end the block with

    if (cmd->opcode == O_FORWARD_IP)
        goto done;
    else
        goto next_rule;

and the check for instruction format --- 3055,3069 ---- can just reuse
the O_FORWARD_IP code with no modifications. (btw do we still have it
under #ifdef IPFIREWALL_FORWARD?)

thanks
luigi

> These are against 5.4-RELEASE - if that causes
> too much trouble I can try to generate them against
> -current.
>
> I have tested these in a lab environment, but not in production
> use. However, I wouldn't expect many problems, since these
> features use much existing code.
>
> Ari S.

From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 10:08:09 2005
Message-ID: <42BA89F3.3060406@suutari.iki.fi>
Date: Thu, 23 Jun 2005 13:07:47 +0300
From: Ari Suutari
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
In-Reply-To: <20050623010618.B7580@xorpc.icir.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

Hi,

Luigi Rizzo wrote:
> for the chunk at --- 2951,2987 ----
> i think it would be better to reuse the 'case TOK_FORWARD',
> by changing the opcode and messages according to the actual command.

Changed.

> here too i would reuse the existing code more, e.g. in ipfw_log()
> put 'case O_SETNEXTHOP' next to case 'O_FORWARD_IP' and replace
> the string "Forward" in the first snprintf() with "%s" and an
> additional argument cmd->opcode == O_FORWARD_IP ? "Forward" : "SetNextHop"

Done.

> Same in the action part at --- 2474,2490 ----, just reuse the
> O_FORWARD case and end the block with
>
>     if (cmd->opcode == O_FORWARD_IP)
>         goto done;
>     else
>         goto next_rule;

Done.

> and the check for instruction format --- 3055,3069 ----
> can just reuse the O_FORWARD_IP code with no modifications.

Done.

Updated patch files are again at http://www.suutari.iki.fi/freebsd/
Also, some limited testing has been done.

Ari S.
From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 10:19:24 2005
From: Ari Suutari
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
Date: Thu, 23 Jun 2005 13:19:12 +0300
Message-ID: <42BA8CA0.3070501@suutari.iki.fi>
In-Reply-To: <20050623010618.B7580@xorpc.icir.org>
Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?)

Hi,

Luigi Rizzo wrote:
>
> BTW for the 'setnexthop', the port number does not really make
> much sense... though it can be useful as a degenerate 'nexthop' case
> to forward to a local port.

Didn't remember to comment on this. I left the port number possibility
there although it is really questionable if it is useful (I won't be
needing it now).

Ari S.

From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 10:29:55 2005
Date: Thu, 23 Jun 2005 12:29:46 +0200
From: Marcin Jessa
To: jeffm@frob.org
Cc: freebsd-net@freebsd.org, NetBSD-current, FreeBSD-Current
Message-Id: <20050623122946.72bb97a5.lists@yazzy.org>
In-Reply-To: <27188.130.76.32.15.1118844489.squirrel@www.frob.org>
Subject: Re: Looking for networking solution.

Hi guys.

Thanks for the help and good advice.
I just received source code from guys at MITRE in McLean, VA for FreeBSD
and will do some testing on it.
"The code is an open implementation of ISO International Standards and
it's yours for the asking; there is no licensing."
I was thinking, maybe someone would be interested in implementing it in
FreeBSD's and/or NetBSD's source tree since the code is available for
both BSDs?

On Wed, 15 Jun 2005 10:08:09 -0400 (EDT)
jeffm@frob.org wrote:

> > On 6/15/05, M.Jessa wrote:
> > Hi guys.
> >
> > I am looking for a solution I could implement on a link with a huge
> > latency
>
> I am only familiar with split connection gateways. They totally isolate
> TCP from the effects of the satellite link by using some sort of
> enhanced protocol over the middle hop. The end TCPs are terminated
> locally and do not see large RTTs or latency. I did some work last
> year with Mitre's reference implementation of SCPS-TP, which made a
> huge difference. However, splitting the TCP connection does cause
> some issues.
From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 10:30:29 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7A40616A41C for ; Thu, 23 Jun 2005 10:30:29 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 638E143D53 for ; Thu, 23 Jun 2005 10:30:29 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.11/8.12.11) with ESMTP id j5NAUTLt019374; Thu, 23 Jun 2005 03:30:29 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.11/8.12.3/Submit) id j5NAUTQ2019373; Thu, 23 Jun 2005 03:30:29 -0700 (PDT) (envelope-from rizzo) Date: Thu, 23 Jun 2005 03:30:28 -0700 
From: Luigi Rizzo To: Ari Suutari Message-ID: <20050623033028.A18762@xorpc.icir.org> References: <42B7B352.8040806@suutari.iki.fi> <42BA6A22.6030506@suutari.iki.fi> <20050623010618.B7580@xorpc.icir.org> <42BA8CA0.3070501@suutari.iki.fi> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <42BA8CA0.3070501@suutari.iki.fi>; from ari@suutari.iki.fi on Thu, Jun 23, 2005 at 01:19:12PM +0300 Cc: freebsd-net@freebsd.org Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jun 2005 10:30:29 -0000 On Thu, Jun 23, 2005 at 01:19:12PM +0300, Ari Suutari wrote: > Hi, > > Luigi Rizzo wrote: > > > > BTW for the 'setnexthop', the port number does not really make > > much sense... though it can be useful as a degenerate 'nexthop' case > > to forward to a local port. > > Didn't remember to comment on this. I left the port number > possibility there although it is really questionable if it > is useful (I won't be needing it now). ok. Seen the patch, looks good. 
It's always nice to see how easy it is to add new options to ipfw2 :) cheers luigi From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 10:57:38 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D3D416A41C for ; Thu, 23 Jun 2005 10:57:38 +0000 (GMT) (envelope-from ari@suutari.iki.fi) Received: from espresso2.syncrontech.com (sync-old.syncrontech.com [213.28.98.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 92BF343D1F for ; Thu, 23 Jun 2005 10:57:37 +0000 (GMT) (envelope-from ari@suutari.iki.fi) Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.57]) by espresso2.syncrontech.com (8.12.11/8.12.11) with ESMTP id j5NAvZhD007297; Thu, 23 Jun 2005 13:57:35 +0300 (EEST) (envelope-from ari@suutari.iki.fi) Received: from [62.71.8.37] (coffee.syncrontech.com [62.71.8.37]) by guinness.syncrontech.com (8.12.11/8.12.11) with ESMTP id j5NAvTFQ042526; Thu, 23 Jun 2005 13:57:29 +0300 (EEST) (envelope-from ari@suutari.iki.fi) Message-ID: <42BA9594.6080202@suutari.iki.fi> Date: Thu, 23 Jun 2005 13:57:24 +0300 
From: Ari Suutari User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Luigi Rizzo References: <42B7B352.8040806@suutari.iki.fi> <42BA6A22.6030506@suutari.iki.fi> <20050623010618.B7580@xorpc.icir.org> <42BA8CA0.3070501@suutari.iki.fi> <20050623033028.A18762@xorpc.icir.org> In-Reply-To: <20050623033028.A18762@xorpc.icir.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-net@freebsd.org Subject: Re: Policy routing idea (Was: ipfw: Would it be possible to continue processing rest of rules after match ?) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jun 2005 10:57:38 -0000 Hi, Luigi Rizzo wrote: > Seen the patch, looks good. It's always nice to see how easy it is to > add new options to ipfw2 :) Yes. And what is really nice is the fact that this will also solve my real-world problem very easily (it would be great if this patch could find its way to RELENG_5 eventually). Ipfw2 has a good internal design, indeed. Ari S. 
From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 13:14:44 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3DC0616A41C for ; Thu, 23 Jun 2005 13:14:44 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from postfix3-1.free.fr (postfix3-1.free.fr [213.228.0.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id 079D243D1D for ; Thu, 23 Jun 2005 13:14:43 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix3-1.free.fr (Postfix) with ESMTP id 9EB501734C9; Thu, 23 Jun 2005 15:14:42 +0200 (CEST) Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id DE0FF405B; Thu, 23 Jun 2005 15:14:55 +0200 (CEST) Date: Thu, 23 Jun 2005 15:14:55 +0200 
From: Jeremie Le Hen To: Darren Pilgrim Message-ID: <20050623131455.GZ738@obiwan.tataz.chchile.org> References: <000401c577a2$c095b090$0b2a15ac@SMILEY> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <000401c577a2$c095b090$0b2a15ac@SMILEY> User-Agent: Mutt/1.5.9i Cc: freebsd-net@freebsd.org, 'Mrad James Deane' Subject: Re: www user than root X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jun 2005 13:14:44 -0000 > Most daemons that bind to "privileged" ports and run as a non-root uid, > start as root, then change the effective UID after binding to the port. Yes. Secure programs like Postfix (smtp), OpenSSH, vsftpd and Dovecot (imap) use privilege separation. For instance, if you need to open TCP port 80 late, you could use a separate process for this purpose only and communicate with it (through a UNIX socket). There is obviously some performance degradation if you need to use high-speed communications, but this is a trade-off if you really need to open a privileged port late and you want security. 
Regards, -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org > From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 13:23:15 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2BE6216A41F for ; Thu, 23 Jun 2005 13:23:15 +0000 (GMT) (envelope-from khaled.abu@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id C7C6243D5E for ; Thu, 23 Jun 2005 13:23:14 +0000 (GMT) (envelope-from khaled.abu@gmail.com) Received: by wproxy.gmail.com with SMTP id 69so379055wra for ; Thu, 23 Jun 2005 06:23:13 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=t0l0G6Q3xpjC2lOvveQMvWt/slKRCrDB0GrAtbJwszsdhFZGI0YICu9w1wqSB1e3u4ECj+n5OfKVJgcOa04/MGTayj0Ata+PZJKl4ox/RGdz1thWeNUlZtZLI3cPmJNnNlVzxkv+asJo3EMK273RvYGezd8Q0c0MH2lj8lqiW8c= Received: by 10.54.31.70 with SMTP id e70mr1149415wre; Thu, 23 Jun 2005 06:23:13 -0700 (PDT) Received: by 10.54.66.16 with HTTP; Thu, 23 Jun 2005 06:23:13 -0700 (PDT) Message-ID: Date: Thu, 23 Jun 2005 16:23:13 +0300 
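Jeremie's privilege-separation suggestion above, worked through as an added example (editor's code, not anything from the thread, nor from Postfix, OpenSSH, vsftpd or Dovecot): a privileged parent binds the reserved port and passes only the listening descriptor to a worker over a UNIX socketpair with SCM_RIGHTS, and the worker drops to an unprivileged account before it receives the socket. The account name "www", the port argument and every function name below are assumptions.

```c
/* Editor's added example, not code from the thread or from any of the daemons
 * named in it.  A privileged parent binds the reserved port and passes only the
 * listening descriptor to a worker over a UNIX socketpair (SCM_RIGHTS); the
 * worker drops to an unprivileged uid before it receives the socket.  The
 * account "www", the port and every function name here are assumptions. */
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Privileged side: bind and listen on 127.0.0.1:port (0 = kernel-chosen). */
int bind_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (fd < 0) return -1;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Send one descriptor as SCM_RIGHTS ancillary data; 0 on success. */
int send_fd(int chan, int fd)
{
    char byte = 'F';
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u = { { 0 } };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Unprivileged side: receive a descriptor; -1 if the message carried none. */
int recv_fd(int chan)
{
    char byte;
    int fd;
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *cm;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Port (host order) a socket is bound to; 0 on error. */
uint16_t bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) return 0;
    return ntohs(sin.sin_port);
}

/* Stand-alone: `./privsep 80` as root binds :80 and the forked worker drops to
 * "www" before receiving it; an unprivileged user can try an ephemeral port. */
int main(int argc, char **argv)
{
    int sv[2], lfd, st, fd;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return 1;
    if (pid == 0) {                     /* worker: drop privileges first */
        struct passwd *pw = getpwnam("www");
        close(sv[0]);
        if (getuid() == 0 && (!pw || setgid(pw->pw_gid) || setuid(pw->pw_uid))) _exit(1);
        fd = recv_fd(sv[1]);
        printf("worker uid=%u holds listener on port %u\n", (unsigned)getuid(), (unsigned)bound_port(fd));
        _exit(fd < 0);
    }
    close(sv[1]);                       /* parent: bind, hand off, forget */
    lfd = bind_listener(argc > 1 ? (uint16_t)atoi(argv[1]) : 0);
    if (lfd < 0 || send_fd(sv[0], lfd) < 0) { perror("bind/send"); return 1; }
    close(lfd);
    waitpid(pid, &st, 0);
    return WEXITSTATUS(st);
}
```

The parent closes its copy of the listener right after the hand-off, so a compromised worker gets neither root nor a way to bind further reserved ports, and only the one-time descriptor transfer crosses the UNIX socket; the request traffic itself never does, which is the performance trade-off Jeremie mentions reduced to a single message at start-up.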
From: Abu Khaled To: Jeremie Le Hen In-Reply-To: <20050623131455.GZ738@obiwan.tataz.chchile.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <000401c577a2$c095b090$0b2a15ac@SMILEY> <20050623131455.GZ738@obiwan.tataz.chchile.org> Cc: freebsd-net@freebsd.org, Darren Pilgrim , Mrad James Deane Subject: Re: www user than root X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Abu Khaled List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jun 2005 13:23:15 -0000 On 6/23/05, Jeremie Le Hen wrote: > > Most daemons that bind to "privileged" ports and run as a non-root uid, > > start as root, then change the effective UID after binding to the port. > > Yes. Secure programs like Postfix (smtp), OpenSSH, vsftpd and Dovecot > (imap) use privilege separation. For instance, if you need to open > TCP port 80 late, you could use a separate process for this purpose > only and communicate with it (through a UNIX socket). There is > obviously some performance degradation if you need to use high-speed > communications, but this is a trade-off if you really need to open a > privileged port late and you want security. > > Regards, > -- > Jeremie Le Hen > < jeremie at le-hen dot org >< ttz at chchile dot org > Is it a good idea to run daemons on non-privileged ports as a normal user (eg. www) and then have natd or a firewall redirect the traffic targeting the privileged port? For example: A web server running as user www on port 8000. IPFW, IPNAT, PF or NATD redirecting port 80 to port 8000. Is such a solution a good idea? I read in man natd that one can redirect traffic coming in on the gateway on port 80 to one or many servers running daemons on non-privileged ports. 
-- Kind regards Abu Khaled From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 13:23:37 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F65F16A41C for ; Thu, 23 Jun 2005 13:23:37 +0000 (GMT) (envelope-from maxim@macomnet.ru) Received: from mp2.macomnet.net (mp2.macomnet.net [195.128.64.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id B130D43D1D for ; Thu, 23 Jun 2005 13:23:36 +0000 (GMT) (envelope-from maxim@macomnet.ru) Received-SPF: pass (mp2.macomnet.net: domain of maxim@macomnet.ru designates 127.0.0.1 as permitted sender) receiver=mp2.macomnet.net; client_ip=127.0.0.1; envelope-from=maxim@macomnet.ru; Received: from localhost (localhost [127.0.0.1]) by mp2.macomnet.net (8.12.11/8.12.11) with ESMTP id j5NDNN9F019748; Thu, 23 Jun 2005 17:23:34 +0400 (MSD) (envelope-from maxim@macomnet.ru) Date: Thu, 23 Jun 2005 17:23:23 +0400 (MSD) 
From: Maxim Konovalov To: Bruce M Simpson In-Reply-To: <20050622151406.GG791@empiric.icir.org> Message-ID: <20050623172219.K19717@mp2.macomnet.net> References: <20050622151406.GG791@empiric.icir.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-net@freebsd.org, Mrad James Deane Subject: Re: www user than root X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jun 2005 13:23:37 -0000 [...] > You could do something like this in FreeBSD 5-STABLE by hacking the > in_pcbbind_setup() function in src/sys/netinet/in_pcb.c to not just > call suser_cred(), but to instead perform a group check, by calling > groupmember(some_privileged_socket_group, cred). mac_portacl(4) -- Maxim Konovalov From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 13:29:49 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3467916A41C for ; Thu, 23 Jun 2005 13:29:49 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from postfix3-1.free.fr (postfix3-1.free.fr [213.228.0.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id EEF0543D4C for ; Thu, 23 Jun 2005 13:29:48 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix3-1.free.fr (Postfix) with ESMTP id 5A3F3173497; Thu, 23 Jun 2005 15:29:48 +0200 (CEST) Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 8E75F405B; Thu, 23 Jun 2005 15:30:02 +0200 (CEST) Date: Thu, 23 Jun 2005 15:30:02 +0200 
From: Jeremie Le Hen To: Abu Khaled Message-ID: <20050623133002.GA738@obiwan.tataz.chchile.org> References: <000401c577a2$c095b090$0b2a15ac@SMILEY> <20050623131455.GZ738@obiwan.tataz.chchile.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.9i Cc: freebsd-net@freebsd.org, Darren Pilgrim , Mrad James Deane Subject: Re: www user than root X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jun 2005 13:29:49 -0000 Hi Khaled, > Is it a good idea to run daemons on non-privileged ports as a normal > user (eg. www) and then have natd or a firewall redirect the traffic > targeting the privileged port? > > For example: > > A web server running as user www on port 8000. > IPFW, IPNAT, PF or NATD redirecting port 80 to port 8000. > > Is such a solution a good idea? > I read in man natd that one can redirect traffic coming in on the > gateway on port 80 to one or many servers running daemons on > non-privileged ports. Yes, it might be a good idea, but again, it depends on your security requirements: any user is able to bind port 8000, so if you have other users on the system, this may not be something to avoid. But FWIW, this would totally remove the need to make a privileged part in your application. 
Regards, -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org > From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 13:38:23 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 50B2116A41C for ; Thu, 23 Jun 2005 13:38:23 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from postfix4-2.free.fr (postfix4-2.free.fr [213.228.0.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id 196B843D1D for ; Thu, 23 Jun 2005 13:38:22 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix4-2.free.fr (Postfix) with ESMTP id 2940C3201C4; Thu, 23 Jun 2005 15:38:18 +0200 (CEST) Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 8D32B405B; Thu, 23 Jun 2005 15:38:32 +0200 (CEST) Date: Thu, 23 Jun 2005 15:38:32 +0200 
From: Jeremie Le Hen To: Abu Khaled Message-ID: <20050623133832.GB738@obiwan.tataz.chchile.org> References: <000401c577a2$c095b090$0b2a15ac@SMILEY> <20050623131455.GZ738@obiwan.tataz.chchile.org> <20050623133002.GA738@obiwan.tataz.chchile.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050623133002.GA738@obiwan.tataz.chchile.org> User-Agent: Mutt/1.5.9i Cc: freebsd-net@freebsd.org Subject: Re: www user than root X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jun 2005 13:38:23 -0000 > Yes it might be a good idea, but again, it depends on your security > requirements : any user is able to bind port 8000, so if you have > other users on the system, this may not be something to avoid. s/not// -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org > From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 14:33:50 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 86C7816A41C; Thu, 23 Jun 2005 14:33:50 +0000 (GMT) (envelope-from jeffm@frob.org) Received: from campbell.genwebhost.com (campbell.genwebhost.com [69.16.196.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5E4EF43D55; Thu, 23 Jun 2005 14:33:50 +0000 (GMT) (envelope-from jeffm@frob.org) Received: from jmeegan by campbell.genwebhost.com with local (Exim 4.51) id 1DlSm7-0001vt-6G; Thu, 23 Jun 2005 10:33:51 -0400 
From: "Jeff Meegan" To: Marcin Jessa , jeffm@frob.org, freebsd-net@freebsd.org, FreeBSD-Current , NetBSD-current X-Mailer: NeoMail 1.27 X-IPAddress: 130.76.32.16 MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Message-Id: Date: Thu, 23 Jun 2005 10:33:51 -0400 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - campbell.genwebhost.com X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [32332 501] / [47 12] X-AntiAbuse: Sender Address Domain - frob.org X-Source: /bin/bash X-Source-Args: sh -c /usr/sbin/sendmail -oem -oi -F '"Jeff Meegan"' -f 'jeffm@frob.org' -t 1>&2 X-Source-Dir: :/base Cc: Subject: Re: Looking for networking solution. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jun 2005 14:33:50 -0000 > Hi guys. > > Thanks for the help and good advices. > I just received source code from guys at MITRE in McLean, VA for FreeBSD and will do some testing on it. > "The code is an open implementation of ISO International Standards and it's yours for the asking; there is no licensing." > > I was thinking, maybe someone would be interested in implementing it into FreeBSD's and/or NetBSD's source tree since the code is avaliable for both the BSD's? > > Hello Marcin, The code from Mitre is a reference implementation that was written quite a while ago. It has not kept up with improvements in hardware and makes some poor assumptions about the underlying system. It could use some update, but I do not know the correct path to get these committed anywhere. In any case, if I recall correctly, it is entirely in user space, and may be best tracked in the ports collection. 
Jeff From owner-freebsd-net@FreeBSD.ORG Fri Jun 24 05:08:11 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8E51616A41C for ; Fri, 24 Jun 2005 05:08:11 +0000 (GMT) (envelope-from demizu@dd.iij4u.or.jp) Received: from r-dd.iij4u.or.jp (r-dd.iij4u.or.jp [210.130.0.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 32D8543D49 for ; Fri, 24 Jun 2005 05:08:10 +0000 (GMT) (envelope-from demizu@dd.iij4u.or.jp) Received: from localhost (h219.p049.iij4u.or.jp [210.130.49.219]) by r-dd.iij4u.or.jp (4U-MR/r-dd) id j5O585uG001196; Fri, 24 Jun 2005 14:08:07 +0900 (JST) Date: Fri, 24 Jun 2005 14:07:26 +0900 (JST) Message-Id: <20050624.140726.43393126.Noritoshi@Demizu.ORG> 
From: Noritoshi Demizu To: freebsd-net@freebsd.org X-Mailer: Mew version 4.1 on Emacs 21 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: A burst from NewReno when a partial ACK is received X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jun 2005 05:08:11 -0000 I'm using FreeBSD current for my experiments. I observed bursts sent by NewReno when a partial ACK is received. I have two packet traces of such bursts. One such burst is analyzed at http://www.demizu.org/~noritosi/memo/2005/0623/ . I think tcp_newreno_partial_ack() in tcp_input.c rev 1.275 has a bug in calculating a new value of snd_cwnd at the tail of the function. Currently, snd_cwnd is re-calculated as follows: L.3113: tp->snd_cwnd -= (th->th_ack - tp->snd_una - tp->t_maxseg); Since snd_cwnd is u_long, if snd_cwnd < SEG.ACK - SND.UNA - MSS, snd_cwnd becomes awfully huge and a burst of data can be sent. To fix this problem, I'd like to suggest the patch below. Thanks. Regards, Noritoshi Demizu Index: tcp_input.c =================================================================== RCS file: /home/cvsup/FreeBSD/ncvs/src/sys/netinet/tcp_input.c,v retrieving revision 1.275 diff -u -r1.275 tcp_input.c --- tcp_input.c 1 Jun 2005 12:03:18 -0000 1.275 +++ tcp_input.c 23 Jun 2005 06:20:28 -0000 
@@ -3110,7 +3112,11 @@ * Partial window deflation. Relies on fact that tp->snd_una * not updated yet. */ - tp->snd_cwnd -= (th->th_ack - tp->snd_una - tp->t_maxseg); + if (tp->snd_cwnd > th->th_ack - tp->snd_una) + tp->snd_cwnd -= th->th_ack - tp->snd_una; + else + tp->snd_cwnd = 0; + tp->snd_cwnd += tp->t_maxseg; } /* From owner-freebsd-net@FreeBSD.ORG Fri Jun 24 12:23:03 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4026116A41C for ; Fri, 24 Jun 2005 12:23:03 +0000 (GMT) (envelope-from fming@borderware.com) Received: from mail.borderware.com (mail.borderware.com [207.236.65.231]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1DB4A43D48 for ; Fri, 24 Jun 2005 12:23:03 +0000 (GMT) (envelope-from fming@borderware.com) Message-ID: <42BBFB25.2080701@borderware.com> Date: Fri, 24 Jun 2005 08:23:01 -0400 
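Review bot: the new `else` branch changes behaviour beyond stopping the wrap, and the comment above it ("Partial window deflation. Relies on fact that tp->snd_una not updated yet.") should say so: once `th->th_ack - tp->snd_una >= tp->snd_cwnd` the window is zeroed and then set to exactly one t_maxseg, which is a deliberate choice the next reader should not have to infer from the clamp. The comparison `tp->snd_cwnd > th->th_ack - tp->snd_una` pits a u_long against a tcp_seq difference and is only meaningful because a partial ACK guarantees th_ack is ahead of snd_una; a one-line comment stating that precondition belongs next to it. Also, the hunk header `@@ -3110,7 +3112,11 @@` carries a +2 offset with no earlier hunk in the mail, so either an earlier change was dropped from the posted diff or it was taken against a locally modified file; please send the complete patch against a clean rev 1.275.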
From: ming fu User-Agent: Mozilla Thunderbird 0.8 (X11/20040926) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: ipfilter and ipfw order. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jun 2005 12:23:03 -0000 Hi, In the 4.x kernel, ipfilter was hardcoded before ipfw in ip_input(). However, in the 5.x kernel, they register themselves with the pfil hook. As there isn't a priority number during hook-up, it looks like whoever registers first gets to filter the packet first. In case I want to preserve the 4.x behaviour of ipf before ipfw in the input path, how do I reliably achieve that? Regards, Ming From owner-freebsd-net@FreeBSD.ORG Fri Jun 24 12:29:24 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F84416A41C for ; Fri, 24 Jun 2005 12:29:24 +0000 (GMT) (envelope-from vladgalu@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id DF85F43D1F for ; Fri, 24 Jun 2005 12:29:23 +0000 (GMT) (envelope-from vladgalu@gmail.com) Received: by zproxy.gmail.com with SMTP id 9so403955nzo for ; Fri, 24 Jun 2005 05:29:23 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=lFXtzzibemPDD4zc+8bE/6/Or7ksww/h128My5JHNe+cRCRCsl5GGu8212uS1xzVhaqbCcb/kVogJiL8nGvYAA0yNQjVesUYI559xcKiOD/EfcfCNlhlEWU5q0Hs2Agcwk6lpVsQXUsciZuR0Z/NrVmpSEQNF0PvlOqYLDcRX94= Received: by 10.36.108.5 with SMTP id 
g5mr1997394nzc; Fri, 24 Jun 2005 05:29:23 -0700 (PDT) Received: by 10.36.86.4 with HTTP; Fri, 24 Jun 2005 05:29:23 -0700 (PDT) Message-ID: <79722fad0506240529209b4781@mail.gmail.com> Date: Fri, 24 Jun 2005 15:29:23 +0300 
From: Vlad GALU To: freebsd-net@freebsd.org In-Reply-To: <42BBFB25.2080701@borderware.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <42BBFB25.2080701@borderware.com> Subject: Re: ipfilter and ipfw order. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Vlad GALU List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jun 2005 12:29:24 -0000 On 6/24/05, ming fu wrote: > Hi, > > In the 4.x kernel, ipfilter was hardcoded before ipfw in ip_input(). > However, in the 5.x kernel, they register themselves with the pfil hook. As > there isn't a priority number during hook-up, it looks like whoever > registers first gets to filter the packet first. > > In case I want to preserve the 4.x behaviour of ipf before ipfw in the > input path, how do I reliably achieve that? Link ipfilter statically inside the kernel. Load ipfw as a module. > > Regards, > Ming -- If it's there, and you can see it, it's real. If it's not there, and you can see it, it's virtual. If it's there, and you can't see it, it's transparent. If it's not there, and you can't see it, you erased it. 
From owner-freebsd-net@FreeBSD.ORG Fri Jun 24 22:11:56 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 18D0E16A41C for ; Fri, 24 Jun 2005 22:11:56 +0000 (GMT) (envelope-from greg@qwest.net) Received: from mail.oss.uswest.net (mail.oss.uswest.net [204.147.85.136]) by mx1.FreeBSD.org (Postfix) with ESMTP id DC09B43D1F for ; Fri, 24 Jun 2005 22:11:55 +0000 (GMT) (envelope-from greg@qwest.net) Received: from psv.rowes.org (rrcs-24-173-162-118.se.biz.rr.com [24.173.162.118]) by mail.oss.uswest.net (8.13.1/8.13.1) with ESMTP id j5OMBqeN037147 for ; Fri, 24 Jun 2005 17:11:52 -0500 (CDT) (envelope-from greg@qwest.net) Received: from localhost.rowes.org (localhost.rowes.org [127.0.0.1]) by psv.rowes.org (8.13.1/8.12.9) with ESMTP id j5OMC7Cp029642 for ; Fri, 24 Jun 2005 18:12:08 -0400 (EDT) (envelope-from greg@qwest.net) 
From: Greg Rowe Organization: Qwest Wireless, L.L.C. To: freebsd-net@freebsd.org Date: Fri, 24 Jun 2005 18:12:06 -0400 User-Agent: KMail/1.7 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200506241812.07076.greg@qwest.net> X-DCC-Qwest.net-Metrics: mail.oss.uswest.net 1209; Body=1 Fuz1=1 Fuz2=1 X-oss.uswest.net-MailScanner-Information: Please contact mpls_syseng for more information X-oss.uswest.net-MailScanner: Found to be clean of viruses X-oss.uswest.net-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.088, required 11, autolearn=spam, AWL 0.04, FORGED_RCVD_HELO 0.05) Subject: Looking For Ideas or Suggestions X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: greg@qwest.net List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jun 2005 22:11:56 -0000 Greetings, I've been chasing a network interface "freeze" problem on and off for some time now and it's driving me nuts! The problem occurs on two identical mail servers that sit behind a firewall. Both systems have two ethernet interfaces and when I'm having this problem the external interface will "freeze" once or twice an hour for between 10-15 seconds. The systems continue to run during these freezes and it doesn't affect the traffic on the 2nd interface. The problem is also intermittent in that it will affect one system for several weeks and then just go away. Today it's affecting both systems. The systems are Sun Fire V60X dual 3.06GHz Xeon processor systems with integrated Intel PRO/1000 (em0) ethernet ports, 2GB of memory. We have a number of these systems and these are the only two experiencing the problem. They are running 4.11 STABLE although they were originally installed with 4.10 STABLE and upgraded to see if this fixed the problem. 
The one system currently has an Intel EtherExpress Pro/100B card installed as the primary interface to see if the em0 was my problem, but I still have freezes using fxp0. Both systems are very lightly loaded and running Sendmail and anti-spam packages. The systems hang off Catalyst switches that have been checked and rechecked. No errors or config issues. Duplex, speed and mediaopt are all set in rc.conf and aren't autodetected. Cables and ports have all been swapped. No errors in netstat or any logs. The "log_in_vain" sysctls aren't showing me any clues. The interface just freezes and then starts again with no messages. Tests using pings from one system to the other out each interface prove that the em0/fxp0 freezes with packet loss while pings to the em1 interface have no problems. Now, here's where it gets stranger. By accident I found one way to guarantee that a freeze won't occur: if I log into the system via the fxp0/em0 interface and start a ping against the IP of that interface, then as long as the ping is running (I've tried days) and outputting the ping stats every second, the interface is freeze free! I liken it to keeping the interface "warm"! Doing the same ping with a -q for some reason doesn't stop the freezes. It needs the ping output to keep "warm". Pinging the em0 address from another system or while logged in through the other interface also won't stop the freeze. The freeze isn't login window related, although it may sound that way. The interface just stops working for no apparent reason and then starts again after 10 or 15 seconds. I've gone the network sniffer route and really can't see anything out of the ordinary happening when the freeze occurs. Most ports are blocked by the firewall and the systems also have ipfw enabled (taken out of the kernel on one to see if maybe that was causing the problem). I'm running out of ideas short of replacing bigger hardware than an ethernet card. The problem is I don't know what to replace. 
I've been building and running FreeBSD systems for many years and this one has me and everyone else stumped. I'm looking for any suggestions as to what I could enable or tweak that may give me some info as to why the interfaces are intermittently freezing. I'm willing to try just about anything right now. Thanks. From owner-freebsd-net@FreeBSD.ORG Fri Jun 24 22:15:51 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F82F16A41C for ; Fri, 24 Jun 2005 22:15:51 +0000 (GMT) (envelope-from vladgalu@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.207]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E21743D58 for ; Fri, 24 Jun 2005 22:15:51 +0000 (GMT) (envelope-from vladgalu@gmail.com) Received: by zproxy.gmail.com with SMTP id 16so602206nzp for ; Fri, 24 Jun 2005 15:15:50 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=qkTrvTN14mAQh0FFOtZJo6U+8BTu6N7z6HnIXbFAXys48nHAWlKLjr6icQzMTCUOKXe6+h6MG53s0mqnKkx8UYyPtwjvGgNtQQKvA8dZpbhxWXMVcdzYUpTrcod3yMIb2NAOq29MR0d7zzBB1HukAnYB9RG+s9bfO5QPerFD5Ok= Received: by 10.36.135.4 with SMTP id i4mr2343558nzd; Fri, 24 Jun 2005 15:15:50 -0700 (PDT) Received: by 10.36.86.4 with HTTP; Fri, 24 Jun 2005 15:15:50 -0700 (PDT) Message-ID: <79722fad050624151524700a27@mail.gmail.com> Date: Sat, 25 Jun 2005 01:15:50 +0300 
From: Vlad GALU
To: freebsd-net@freebsd.org
In-Reply-To: <200506241812.07076.greg@qwest.net>
Subject: Re: Looking For Ideas or Suggestions

On 6/25/05, Greg Rowe wrote:
> Greetings,
> I've been chasing a network interface "freeze" problem on and off for some
> time now and it's driving me nuts !
[...]
> The interface just stops working for no apparent reason and then starts
> again after 10 or 15 seconds.
[...]
> I'm looking for any suggestions as to what I could enable or tweak that may
> give me some info as to why the interfaces are intermittently freezing. I'm
> willing to try just about anything right now. Thanks.

Are you sure that's not your catalyst forgetting about the MAC of the machine? Or the MAC expiring from the ARP table of your router? Are you experiencing unicast floods while this phenomenon is happening?

> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.

From owner-freebsd-net@FreeBSD.ORG Fri Jun 24 22:19:51 2005
Message-ID: <79722fad050624151926fe2eb0@mail.gmail.com>
Date: Sat, 25 Jun 2005 01:19:51 +0300
From: Vlad GALU
To: freebsd-net@freebsd.org
In-Reply-To: <200506241812.07076.greg@qwest.net>
Subject: Re: Looking For Ideas or Suggestions

On 6/25/05, Greg Rowe wrote:
[...]
> No errors or config issues. Duplex, speed and mediaopt are all set in rc.conf
> and aren't autodetected. Cables and ports have all been swapped. No errors in
> netstat or any logs. Sysctl "log_in_vain"s aren't showing me any clues. The
> interface just freezes and then starts again with no messages. Tests using
> pings from one system to the other out each interface prove that the em0/fxp0
> freezes with packet loss while pings to the em1 interface have no problems.

I suppose your default route is through em1. Try sending the responses to packets that arrive on em0/fxp0 on the very interfaces they arrived on. You can do that with any of the packet filters FreeBSD has. It should pretty much take care of your issue.

I suppose this is what happens: a request comes on fxp0, the machine sends the reply back via em1. I'm pretty sure your catalyst forgets the MAC of fxp0.

[...]
From owner-freebsd-net@FreeBSD.ORG Fri Jun 24 22:42:46 2005
From: Greg Rowe
Organization: Qwest Wireless, L.L.C.
To: freebsd-net@freebsd.org, Vlad GALU
Date: Fri, 24 Jun 2005 18:42:57 -0400
In-Reply-To: <79722fad050624151524700a27@mail.gmail.com>
Message-Id: <200506241842.57903.greg@qwest.net>
Subject: Re: Looking For Ideas or Suggestions

On Friday 24 June 2005 06:15 pm, Vlad GALU wrote:
> On 6/25/05, Greg Rowe wrote:
> > Greetings,
> > I've been chasing a network interface "freeze" problem on and off for
> > some time now and it's driving me nuts !
>
> Are you sure that's not your catalyst forgetting about the MAC of
> the machine? Or the MAC expiring from the ARP table of your router?
> Are you experiencing unicast floods while this phenomenon is happening?

No unicast floods that I can see using ethereal. These systems are part of a larger cluster of servers, both Solaris and FreeBSD, so I have a number of other systems besides these on that Catalyst and routers. All the systems have multiple interfaces for both external and internal system to system traffic. These two systems are the only ones having the issue.

> I suppose your default route is through em1. Try sending the
> responses to packets that arrive on em0/fxp0 on the very interfaces
> they arrived on. You can do that with any of the packet filters
> FreeBSD has. It should pretty much take care of your issue.
> I suppose this is what happens: a request comes on fxp0, the
> machine sends the reply back via em1. I'm pretty sure your catalyst
> forgets the MAC of fxp0.

The default route is em0. Inbound mail comes in through that interface, is processed, and then is sent to other systems that reside on the em1 network segment (different network). Looking at the TCP sessions, the traffic appears to stay on the proper LAN. I'll double verify this though.

Thanks

-- 
Greg Rowe
Qwest Wireless, L.L.C.

"The telephone, for those of you who have forgotten, was a commonly used communications technology in the days before electronic mail. They're still easy to find in most large cities." -- Nathaniel Borenstein

From owner-freebsd-net@FreeBSD.ORG Sat Jun 25 11:52:17 2005
In-Reply-To: <200506241812.07076.greg@qwest.net>
To: greg@qwest.net
Date: Sat, 25 Jun 2005 15:54:05 +0400 (MSD)
From: .@babolo.ru
Cc: freebsd-net@freebsd.org
Message-Id: <1119700445.017683.11575.nullmailer@cicuta.babolo.ru>
Subject: Re: Looking For Ideas or Suggestions

netstat -m
?

> I've been chasing a network interface "freeze" problem on and off for some
> time now and it's driving me nuts !

> way. The interface just stops working for no apparent reason and then starts
> again after 10 or 15 seconds.

What kind of "stop working"?
Are outgoing packets not transmitted (by tcpdump, by LEDs on the Catalyst)?
Are packets not received?
Verify the presence of packets on the wire?

Sorry for bad English.

From owner-freebsd-net@FreeBSD.ORG Sat Jun 25 12:48:09 2005
From: Greg Rowe
Organization: Qwest Wireless, L.L.C.
To: freebsd-net@freebsd.org
Date: Sat, 25 Jun 2005 08:48:04 -0400
In-Reply-To: <1119700445.017683.11575.nullmailer@cicuta.babolo.ru>
Message-Id: <200506250848.04719.greg@qwest.net>
Subject: Re: Looking For Ideas or Suggestions

netstat -m
324/1408/200000 mbufs in use (current/peak/max):
        322 mbufs allocated to data
        2 mbufs allocated to packet headers
320/1162/50000 mbuf clusters in use (current/peak/max)
2676 Kbytes allocated to network (1% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

The interface just stops accepting input packets for 10-15 seconds and then starts up again. A ping from one system on the same LAN to the problem system shows that the interface stops receiving packets. It appears, using tcpdump and ethereal, that I can still see traffic on the interface during the freeze.

Thanks

On Saturday 25 June 2005 07:54 am, .@babolo.ru wrote:
> netstat -m
> ?
>
> > way. The interface just stops working for no apparent reason and then
> > starts again after 10 or 15 seconds.
>
> What kind of "stop working"?
> Are outgoing packets not transmitted (by tcpdump, by LEDs on the Catalyst)?
> Are packets not received?
> Verify the presence of packets on the wire?
>
> Sorry for bad English.

-- 
Greg Rowe
Qwest Wireless, L.L.C.

From owner-freebsd-net@FreeBSD.ORG Sat Jun 25 23:56:30 2005
From: Mike Tancsa
To: Greg Rowe
Cc: freebsd-net@freebsd.org
Date: Sat, 25 Jun 2005 19:56:52 -0400
In-Reply-To: <200506250848.04719.greg@qwest.net>
Subject: Re: Looking For Ideas or Suggestions

On Sat, 25 Jun 2005 08:48:04 -0400, in sentex.lists.freebsd.net you wrote:
>
> The interface just stops accepting input packets for 10-15 seconds and then
> starts up again. A ping from one system on the same LAN to the problem system
> shows that the interface stops receiving packets. It appears, using tcpdump
> and ethereal, that I can still see traffic on the interface during the
> freeze.

Are you sure the port is not blocking due to spanning tree? On the catalyst, try and add some debugging options to see what's going on. Specifically, debug spanning all. When you see packets with TCPDUMP, what are the packets you see during the "freeze"? What are the config options you have on the switch port? Can you do an ifconfig -au

---Mike

--------------------------------------------------------
Mike Tancsa, Sentex communications http://www.sentex.net
Providing Internet Access since 1994 mike@sentex.net, (http://www.tancsa.com)
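The standing ping Greg describes is already a usable detector; what the thread lacks is a record of when each freeze starts and ends so it can be lined up with the switch-side events (MAC aging, spanning tree) that Vlad and Mike ask about. The sh script below is an added example, not code from anyone in this thread: it reads ping output, reports each run of missing icmp_seq numbers (a 10-15 second freeze at the default one-second interval is a run of that many lost probes), and in live mode, run from a neighbour on the same LAN as in Greg's second message, timestamps each gap and records the neighbour's ARP entry for the problem host. The sample ping output and the address 192.0.2.10 are constructed.

```shell
#!/bin/sh
# Added example, not from anyone in this thread. Detects "freeze" windows in
# ping(8) output as runs of lost icmp_seq numbers and, when run live, records
# the time of each gap plus the local ARP entry for the pinged host.

# Constructed sample: seq 0-3 answered, 4-16 never answered (13 lost), 17-18
# answered. 192.0.2.10 is a documentation address standing in for em0/fxp0.
SAMPLE_PING='64 bytes from 192.0.2.10: icmp_seq=0 ttl=64 time=0.312 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=0.298 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=0.301 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=64 time=0.305 ms
64 bytes from 192.0.2.10: icmp_seq=17 ttl=64 time=0.410 ms
64 bytes from 192.0.2.10: icmp_seq=18 ttl=64 time=0.299 ms'

# ping_gaps MIN: read ping output on stdin; for every run of at least MIN
# consecutive lost probes print "<first lost seq> <last lost seq> <count>".
# fflush() keeps awk from buffering when the input is a live ping.
ping_gaps() {
    awk -v min="${1:-5}" '
        /icmp_seq=/ {
            seq = $0
            sub(/.*icmp_seq=/, "", seq)   # strip everything before the number
            sub(/[^0-9].*/, "", seq)      # strip everything after it
            seq += 0
            if (have && seq > last + 1) {
                lost = seq - last - 1
                if (lost >= min) { printf "%d %d %d\n", last + 1, seq - 1, lost; fflush() }
            }
            last = seq
            have = 1
        }'
}

# freeze_count MIN: number of qualifying gaps in the constructed sample.
freeze_count() {
    printf '%s\n' "$SAMPLE_PING" | ping_gaps "$1" | wc -l | tr -d ' '
}

# monitor_host ADDR: live version, meant to run on a neighbour on the same
# LAN. Pings ADDR once a second (ping's default interval) and, whenever
# replies resume after a gap of 5 or more probes, logs the wall-clock time,
# the lost sequence range and this host's ARP entry for ADDR, so a
# MAC-aging or spanning-tree explanation can be checked against the timing.
monitor_host() {
    addr=$1
    ping "$addr" | ping_gaps 5 | while read -r first last lost; do
        echo "$(date '+%Y-%m-%d %H:%M:%S') gap: seq $first-$last ($lost lost)"
        arp -an | grep -F "($addr)"
    done
}

# Usage: sh freeze_gaps.sh --monitor 192.0.2.10
if [ "${1:-}" = "--monitor" ]; then
    monitor_host "$2"
fi
```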