From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 14 Aug 2006 07:27:54 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent f
f kern/51341   ipfw       [ipfw] [patch] ipfw rule 'deny icmp from any to any ic
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o conf/78762   ipfw       [ipfw] [patch] /etc/rc.d/ipfw should execute $firewal
o bin/80913    ipfw       [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hiccups

12 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/49086   ipfw       [ipfw] [patch] Make ipfw2 log to different syslog prio
o bin/50749    ipfw       [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw       [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw       [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/93422   ipfw       ipfw divert rule no longer works in 6.0 (regression)
o bin/95146    ipfw       [ipfw][patch]ipfw -p option handler is bogus

19 problems total.

From: Luigi Rizzo
To: Ian FREISLICH
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 15 Aug 2006 17:58:08 -0700
Subject: Re: ipfw performance and random musings.

On Tue, Aug 15, 2006 at 03:21:32PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
...
> > another approach that was suggested long ago was to put, in
> > the interface definition, a starting ipfw rule number so
> > the ip_fw_chk() would start from there if available,
> > rather than from rule 1.
>
> Do you have a quick-start on how I would go about doing this?  I

in abstract terms, add to the struct ifnet a field to store the
initial rule number for incoming and outgoing traffic, to be set
through ifconfig or some other way.
When the firewall gets the packet and has an ifnet pointer, look up
the initial number, then look up the rule pointer through a hash
table or something like that (at the moment the number->rule
translation is done within each rule, but that needs to be
centralized as it does not scale or map well to SMP), then start
from there instead of rule 1.

cheers
luigi

From: Ian FREISLICH
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 15 Aug 2006 15:21:32 +0200
Subject: Re: ipfw performance and random musings.
In-Reply-To: Message from Luigi Rizzo of "Wed, 02 Aug 2006 12:40:53 MST." <20060802124053.A22010@xorpc.icir.org>
Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > You're thinking somewhere on the lines of:
> >
> > skipto base hash-if from to delta [offset ]
>
> i did not consider the range in interface numbers,
> but that's a possibility, yes.

That's the only way to do this to eliminate yet another linear
search in the firewall processing.

> On the other hand, i don't think one is going to write
> 500 different subsets of ipfw rules to handle the 500
> different interfaces.

This is exactly what I'm doing.  My routers have hundreds of
interfaces and my customers can edit rules that apply to only their
interface.  I need to make the firewall go faster because one host
on a 100M ethernet can fully occupy ipfw's attention.

> another approach that was suggested long ago was to put, in
> the interface definition, a starting ipfw rule number so
> the ip_fw_chk() would start from there if available,
> rather than from rule 1.

Do you have a quick-start on how I would go about doing this?  I am
not familiar with how packets get from the NIC into the firewall
and how I would get this information from the interface to the
firewall.  I can then figure out which will be within my grasp.
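The per-interface starting rule that Luigi sketches, and the interface-keyed skipto that Ian asks about, as an added user-space model that is not code from the ipfw sources or from either author. The struct ifnet_sim field, the chain/bucket names and the direct interface-index match are hypothetical stand-ins for the kernel structures; the model shows number-to-rule translation centralized in one hash table and the walk beginning at the interface's rule, counting rules examined so the saving over a walk from rule 1 is visible.

```c
#include <stdlib.h>

#define NBUCKETS 64
enum action { ACT_DENY = 0, ACT_ALLOW = 1 };
struct rule {
    unsigned number;            /* ipfw rule number, 1..65535 */
    int ifidx;                  /* interface this rule is for; -1 = any */
    enum action act;
    struct rule *next, *hnext;  /* chain order / hash-bucket chain */
};
struct chain {
    struct rule *head;
    struct rule *bucket[NBUCKETS];  /* centralized number -> rule map */
};
/* Stand-in for the field Luigi proposes adding to struct ifnet (the name
 * is hypothetical): rule number to start from; 0 = rule 1 as today. */
struct ifnet_sim { int ifidx; unsigned fw_start_rule; };
/* Insert a rule in number order and register it in the hash table. */
struct rule *chain_add(struct chain *c, unsigned number, int ifidx, enum action act)
{
    struct rule *r = calloc(1, sizeof *r), **pp = &c->head;
    if (r == NULL) return NULL;
    r->number = number; r->ifidx = ifidx; r->act = act;
    while (*pp && (*pp)->number < number) pp = &(*pp)->next;
    r->next = *pp; *pp = r;
    r->hnext = c->bucket[number % NBUCKETS];
    c->bucket[number % NBUCKETS] = r;
    return r;
}
/* One number -> rule translation for the whole chain (not per rule). */
struct rule *chain_lookup(const struct chain *c, unsigned number)
{
    struct rule *r = c->bucket[number % NBUCKETS];
    while (r && r->number != number) r = r->hnext;
    return r;
}
/* Model of ip_fw_chk(): start at the interface's rule if set and still
 * present, else at rule 1; *examined counts the rules visited. */
enum action ipfw_chk_sim(const struct chain *c, const struct ifnet_sim *ifp, unsigned *examined)
{
    const struct rule *r = c->head, *s;
    if (ifp->fw_start_rule && (s = chain_lookup(c, ifp->fw_start_rule)) != NULL)
        r = s;                  /* a deleted start rule falls back to rule 1 */
    for (*examined = 0; r; r = r->next) {
        ++*examined;
        if (r->ifidx < 0 || r->ifidx == ifp->ifidx) return r->act;
    }
    return ACT_DENY;            /* ran off the chain: default deny */
}
```

The fallback matters operationally: if an interface's start rule is deleted, traffic silently goes back to a full walk from rule 1 rather than being dropped, so a rule-set editor should refuse to delete a rule that an interface still points at.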
Ian

-- 
Ian Freislich

From: Michael Rutman
To: freebsd-ipfw@freebsd.org
Date: Fri, 18 Aug 2006 13:37:55 -0400
Subject: DummyNet in Bridge mode help

I am unable to get dummynet to do anything for me.  I am using FreeBSD 6.1.

I recompiled the kernel to add these options:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT
options DUMMYNET
options HZ=1000
options NMBCLUSTERS=65535
options BRIDGE
options IPFIREWALL_DEFAULT_TO_ACCEPT

I set these options to 1, though not at boot time.  Does that matter?

net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.enable: 1
net.link.ether.bridge.config: em1,bge0
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_cfg: em1,bge0
net.link.ether.ipfw: 1
net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 10000

At this point I can ping through the bridge.  I can take the bridge
down and see the pings stop, bring it back up and see them continue,
so I know the packets go through it.

I then do

ipfw add pipe 1 ip from any to any
ipfw pipe config 1 delay 5000ms

The pings do not slow down at all.  Any suggestions for what I'm doing
wrong?

Thanks