From: Mark Felder
To: samira, freebsd-ipfw@freebsd.org
Subject: Re: Whether IPFW generates " No buffer space available " error ?
Date: Sun, 24 Apr 2016 08:28:27 -0500

On Sat, Apr 23, 2016, at 01:46, samira wrote:
> Hi everyone,
> I am using FreeBSD9.2 and defining a rule in ipfw that diverts tcp packets on
> port 80 to port 8000, and they will be reviewed by suricata.
> ipfw list:
> 01901 divert 8000 tcp from any to any dst-port 80
>
> And then the packets are sent by altq to the defined queue
> ipfw list:
> 03009 skipto 3011 tcp from any to any dst-port 80
> 03010 skipto 3012 ip from any to any
> 03011 allow altq http-gbeth3-out ip from any to any via gbeth3 out
>
> And we limit bandwidth in pf.conf for http traffic
> pf.conf:
> queue http-gbeth3-out bandwidth 50Kb hfsc ( upperlimit 50Kb )
>
> When a huge amount of http packets is transmitted and the pf action is to
> drop packets, suricata crashes and the following message appears in the
> suricata.log file:
> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: No buffer space available
>
> Has anyone dealt with this issue?
>
> There is a similar problem:
> By sending ICMP packets to the queue and sending ping from the interface,
> this problem is also seen and the following message is displayed:
> ping: sendto: No buffer space available
>
> If the specified bandwidth is increased and no packets are dropped, this
> problem does not occur.
>
> Thank you for all of your comments and help.
>

I ran into this "No buffer space available" problem when I was first setting up QoS on my IPFW firewall. The problem ended up being an issue with my IPFW/QoS rules combined with my NAT; the order of my rules was incorrect and I think packets kept getting reprocessed.

I can't be sure of the issue in your situation, but you may want to carefully review your entire ruleset. Remember that IPFW is "first match wins".

-- 
  Mark Felder
  ports-secteam member
  feld@FreeBSD.org
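
An added example, not part of the original message or of ipfw itself: a small Python model for walking a packet through the four rules quoted in the thread, to support the ruleset review suggested above. It assumes the simplified semantics that `skipto N` resumes at the first rule numbered N or higher, that the divert daemon re-injects the packet so evaluation resumes after the divert rule, and that `allow` ends the search; the `trace` and `matches` names and the packet dictionaries are constructed for illustration.

```python
# Simplified model of ipfw rule traversal (illustrative, not ipfw's code).
# Rules are the four quoted in the thread: (number, action, argument, match).
RULES = [
    (1901, "divert", 8000, {"proto": "tcp", "dport": 80}),
    (3009, "skipto", 3011, {"proto": "tcp", "dport": 80}),
    (3010, "skipto", 3012, {}),  # "ip from any to any" matches everything
    (3011, "allow", "altq http-gbeth3-out", {"via": "gbeth3", "dir": "out"}),
]
DEFAULT_RULE = 65535  # ipfw's last rule; its action depends on kernel config


def matches(cond, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(pkt.get(k) == v for k, v in cond.items())


def trace(pkt, rules=RULES):
    """Return the (rule number, action) pairs the packet hits, in order."""
    hits, resume_at = [], 0
    for num, action, arg, cond in sorted(rules, key=lambda r: r[0]):
        if num < resume_at or not matches(cond, pkt):
            continue
        hits.append((num, action))
        if action == "skipto":
            resume_at = arg          # jump forward to rule >= arg
        elif action == "divert":
            resume_at = num + 1      # assumption: daemon re-injects the packet
        else:
            return hits              # allow: first terminating match wins
    hits.append((DEFAULT_RULE, "default"))
    return hits


if __name__ == "__main__":
    # Constructed sample packets.
    samples = {
        "http out": {"proto": "tcp", "dport": 80, "via": "gbeth3", "dir": "out"},
        "http in": {"proto": "tcp", "dport": 80, "via": "gbeth3", "dir": "in"},
        "icmp out": {"proto": "icmp", "via": "gbeth3", "dir": "out"},
    }
    for name, pkt in samples.items():
        print(name, "->", trace(pkt))
```

Only the rules shown in the thread are modelled, so a packet that reaches the default rule here may be matched by rules that were not posted.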