From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 18 11:07:51 2012
Date: Mon, 18 Jun 2012 11:07:50 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-Id: <201206181107.q5IB7oCi008019@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/167822  ipfw       [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw       [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165190  ipfw       [ipfw] [lo] [patch] loopback interface is not marking
f kern/163873  ipfw       [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o bin/65961    ipfw       [ipfw] ipfw2 memory corruption inside add()
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

45 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 19 03:37:37 2012
Date: Tue, 19 Jun 2012 03:37:37 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/169206: [ipfw] ipfw does not flush entries in table
Message-Id: <201206190337.q5J3bbFp058927@freefall.freebsd.org>

Old Synopsis: ipfw does not flush entries in table
New Synopsis: [ipfw] ipfw does not flush entries in table

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Jun 19 03:37:17 UTC 2012
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=169206

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 19 08:56:46 2012
Date: Tue, 19 Jun 2012 11:56:45 +0300
From: Sami Halabi
To: freebsd-jail@freebsd.org, bz@freebsd.org, freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org
Subject: VNET

Hi,
I want to ask about VNET jails. I read somewhere that I'm able to run IPFW,
but not the PF firewall, in a VNET jail. Is that correct?
I want a VNET jail basically for NAT, so natd with ipfw + ipdivert is my
choice? Or can I use pf somehow? I never used pf before, so I would like
some advice here...

Thanks in advance,
--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 19 22:21:27 2012
Date: Tue, 19 Jun 2012 16:21:25 -0600
From: (empty; envelope-from malcontentv3@lsinter.net)
To: ipfw@freebsd.org
Subject: Company concerning itself with the advertising
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)

Countries of interest: UK, Rep. of Ireland, Germany, Austria, Sweden

A company concerning itself with the advertising, spearheading, and production
of web media projects, we also are involved with today's green technology,
recyclable items, and alternate methods of power and are actively seeking a
motivated representative from one of the countries mentioned.

Requirements:
- You need to be the proprietor of a company or willing to start a fresh
  company fairly fast.
- It is required that you are a citizen of a listed country.
- It is also necessary to hold a completion certificate from a reputable
  school of higher education.
- Your English accuracy must be pretty good as communicating back and forth
  for this position is important.
- A long period of good standing with a nearby or international financial
  entity is a definite bonus.
- Work amount will consist of 3-4 hours every day for the first two months of
  working and after that period of time, 2-3 hours every day.
- Contract of work between us will be one year, with a good chance of this
  period extending on as long as 2 years.

Your main job will detail handling receivables from sales. Amount of pay you
will receive is a percentage of the amount of product we sell.

Our contacts: Rickey@ukconsultantsnet.com

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 20 14:40:09 2012
Date: Wed, 20 Jun 2012 14:40:09 GMT
From: "Alexander V. Chernikov"
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/169206: [ipfw] ipfw does not flush entries in table
Message-Id: <201206201440.q5KEe9XL022638@freefall.freebsd.org>

The following reply was made to PR kern/169206; it has been noted by GNATS.

From: "Alexander V. Chernikov"
To: bug-followup@FreeBSD.org, piotr@pixel.org.pl
Subject: Re: kern/169206: [ipfw] ipfw does not flush entries in table
Date: Wed, 20 Jun 2012 18:29:18 +0400

Is it possible for you to upgrade this box to latest 8-STABLE (at least
r237309) and check if this helps?

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 20 14:46:44 2012
Date: Wed, 20 Jun 2012 18:43:01 +0400
From: "Alexander V. Chernikov"
To: Sami Halabi
Cc: freebsd-ipfw@freebsd.org, bz@freebsd.org, freebsd-jail@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: VNET
Message-ID: <4FE1E175.4060005@FreeBSD.org>

On 19.06.2012 12:56, Sami Halabi wrote:
> Hi,
>
> I want to ask about VNET jails. I read somewhere that I'm able to run IPFW,
> but not the PF firewall, in a VNET jail.
> Is that correct?
>
> I want a VNET jail basically for NAT, so natd with ipfw + ipdivert is my
1) You can do nat without vnet.
2) ipfw nat is currently the easiest way to do nat.
> choice? Or can I use pf somehow? I never used pf before,
> so I would like some advice here...
>
> Thanks in advance,
>
--
WBR, Alexander

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 20 17:51:28 2012
Date: Wed, 20 Jun 2012 20:51:26 +0300
From: Sami Halabi
To: "Alexander V. Chernikov"
Cc: freebsd-ipfw@freebsd.org, bz@freebsd.org, freebsd-jail@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: VNET
In-Reply-To: <4FE1E175.4060005@FreeBSD.org>

Thank you.
I want to use a VNET jail for a specific subnet that I need to separate from
the system. So basically I create a vlan + a bridged interface to the public.
These two (vlan + bridged interface, epair0a) will be in the VNET jail, so I
can do NAT only for that vlan going out.
This is the idea, as there are more interfaces in the system and there is
only one interface out... So basically it should be a firewall & NAT only
between the specific LAN and the outside world.
Can this be accomplished another way?

Sami

On Wed, Jun 20, 2012 at 5:43 PM, Alexander V. Chernikov <melifaro@freebsd.org> wrote:
> On 19.06.2012 12:56, Sami Halabi wrote:
>
>> Hi,
>>
>> I want to ask about VNET jails. I read somewhere that I'm able to run IPFW,
>> but not the PF firewall, in a VNET jail.
>> Is that correct?
>>
>> I want a VNET jail basically for NAT, so natd with ipfw + ipdivert is my
>>
> 1) You can do nat without vnet.
> 2) ipfw nat is currently the easiest way to do nat.
>
>> choice? Or can I use pf somehow? I never used pf before,
>> so I would like some advice here...
>>
>> Thanks in advance,
>>
> --
> WBR, Alexander
>
--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 21 07:21:18 2012
Date: Wed, 20 Jun 2012 23:59:31 -0700
From: Julian Elischer
To: Sami Halabi
Cc: freebsd-net@freebsd.org, "Alexander V. Chernikov", freebsd-ipfw@freebsd.org
Subject: Re: ipfw rules consuming CPU
Message-ID: <4FE2C653.40805@freebsd.org>

On 6/9/12 4:19 AM, Sami Halabi wrote:
> Hi,
> all rules together less than 80 rules....
>
> how does tablearg help this? each ip & pipe (up & down) are unique...
>
> any other advice?

also, make sure that all rules are only evaluated by packets that might
actually test true.. i.e.
separate out different interfaces and directions to different rules using
skipto...

for example
  skipto 2000 ip from any to any in recv xx0
  skipto 3000 ip from any to any out xmit xx0
  skipto 4000 ip from any to any in recv yy0
  skipto 5000 ip from any to any out xmit yy0

if yy0 is a 10GB ethernet and there is traffic there, that traffic shouldn't
be evaluating the rules that only make sense for xx0.
similarly inwards traveling packets shouldn't have to evaluate outwards rules.

May or may not help in your situation. you don't really give enough info.

>
> Sami
>
> On Sat, Jun 9, 2012 at 1:15 PM, Alexander V. Chernikov wrote:
>> On 09.06.2012 01:56, Sami Halabi wrote:
>>
>>> Hi,
>>>
>>> I manage a FreeBSD server as an edge router & firewall.
>>>
>>> the setup has 10G interfaces (ixgbe-82599EB) and 1G interfaces
>>> (em-82571EB & bce-BCM5709) connected to 10G/1G switches.
>>>
>>> With the following setup i get higher cpu usage:
>>> bce1 - upstream provider with little bandwidth, so i use pipes to limit
>>> users, and subnets
>>> ix0 - Internet Exchange
>>>
>>> some rules.
>>> .
>>> .
>>> . from 4000 starts pipes for specific ips bandwidth allocations
>>> 04000 6210053001 5845967300616 pipe 1003 ip from 182.46.92.13 to any out xmit bce1
>>> 04100 41289897537 3064110648124 pipe 1004 ip from any to 182.46.92.13 in recv bce1
>>>
>> You should use pipe tablearg for that. Traversing 4k rules effectively
>> kills all performance.
>>
>>> .
>>> .
>>> .
>>> . 7000 is the wider pipeline for the whole block
>>> 07000 9127154724 4651308720315 pipe 1000 ip from 182.46.92.0/24 to any out xmit bce1
>>> 07100 4837016828 458027989917 pipe 1002 ip from any to 182.46.92.0/24 in recv bce1
>>> last rule default to accept...
>>>
>>> specific pipes (1003-...) have limits say between 1-10Mbps, and the wider
>>> pipe (1000 and 1002) has a global limit of 40MBps that should be reached by
>>> all other non-specific ips, config like this:
>>> #Wide
>>> ipfw pipe 1000 config bw 40Mbit/s queue 200Kbytes
>>> ipfw pipe 1002 config bw 40Mbit/s queue 200Kbytes
>>> #specific
>>> ipfw pipe 1003 config bw 9Mbit/s queue 200Kbytes
>>> ipfw pipe 1004 config bw 9Mbit/s queue 200Kbytes
>>> ipfw pipe 1005 config bw 3Mbit/s queue 200Kbytes
>>> ipfw pipe 1006 config bw 3Mbit/s queue 200Kbytes
>>> ipfw pipe 1007 config bw 5Mbit/s queue 200Kbytes
>>> ipfw pipe 1008 config bw 5Mbit/s queue 200Kbytes
>>> ipfw pipe 1009 config bw 10Mbit/s queue 200Kbytes
>>> ipfw pipe 1010 config bw 10Mbit/s queue 200Kbytes
>>>
>>> with this configuration when i have lots of traffic (3-6GB) going via ix0
>>> (not necessarily the ips described above, lets say to a server in my net ip
>>> 1832.46.93.4 and users behind the Internet Exchange) i see high cpu usage
>>> (70-90%).
>>>
>>> my first test was to: ipfw add 1 allow all from any to any, and cpu usage
>>> drops immediately to 10-15%.
>>> but that's not what i want (i want to keep the limits) so I add a rule right
>>> before 4000 and the cpu usage drops down to 10-20%:
>>> 03020 1669463072808 1493341413029803 allow ip from any to any via ix0
>>>
>>> Any advice why this happens? or should it be there in the first place?
>>> I use FreeBSD 8.1-R-p10-amd64.
>>>
>>> Thanks in advance,
>>>
>> --
>> WBR, Alexander
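The two pieces of advice in the thread above, Alexander's "use pipe tablearg" and Julian's "skipto per interface and direction", combined into one ruleset generator. This is an added example, not code from the thread, from FreeBSD, or from any of the posters. The interface names (bce1 as the shaped upstream, ix0 as the unshaped exchange), the pipe numbers, the 192.0.2.0/24 customer block and the per-host allocations are all constructed; the "inbound pipe = outbound pipe + 1" pairing only mirrors the 1003/1004 convention Sami used. IPFW defaults to `echo ipfw`, so running the script prints the commands instead of applying them; set `IPFW=ipfw` as root to load them for real.

```shell
#!/bin/sh
# Added example (not from the thread): per-host dummynet pipes selected by a
# lookup table + 'pipe tablearg', and 'skipto' dispatch by interface and
# direction so exchange traffic never walks the upstream shaping rules.
# Dry-run by default: IPFW=ipfw applies the commands instead of printing them.
IPFW="${IPFW:-echo ipfw}"

UPSTREAM="${UPSTREAM:-bce1}"   # constructed: slow provider link, shaped
EXCHANGE="${EXCHANGE:-ix0}"    # constructed: 10G exchange link, never shaped
BLOCK="192.0.2.0/24"           # constructed customer block (RFC 5737 range)

# Constructed per-host allocations: host, outbound pipe, bandwidth.
# Assumed convention (as in the thread's 1003/1004 pair): inbound pipe = out + 1.
HOST_PIPES="
192.0.2.13 1003 9Mbit/s
192.0.2.14 1005 3Mbit/s
192.0.2.15 1007 5Mbit/s
"

configure_pipes() {
    # Block-wide pipes (out/in) plus one pair per listed host.
    $IPFW pipe 1000 config bw 40Mbit/s queue 200Kbytes
    $IPFW pipe 1002 config bw 40Mbit/s queue 200Kbytes
    echo "$HOST_PIPES" | while read -r host pipe bw; do
        [ -n "$host" ] || continue
        $IPFW pipe "$pipe" config bw "$bw" queue 200Kbytes
        $IPFW pipe "$((pipe + 1))" config bw "$bw" queue 200Kbytes
    done
}

load_tables() {
    # Table 1: source host -> outbound pipe; table 2: destination host ->
    # inbound pipe. The table value is what 'pipe tablearg' substitutes when
    # the rule matches, so adding a customer is a table add, not a new rule.
    $IPFW table 1 flush
    $IPFW table 2 flush
    echo "$HOST_PIPES" | while read -r host pipe bw; do
        [ -n "$host" ] || continue
        $IPFW table 1 add "$host" "$pipe"
        $IPFW table 2 add "$host" "$((pipe + 1))"
    done
}

build_ruleset() {
    $IPFW -f flush
    # Dispatch first: each packet takes exactly one branch and skips the rest.
    $IPFW add 100 skipto 2000 ip from any to any out xmit "$UPSTREAM"
    $IPFW add 110 skipto 3000 ip from any to any in recv "$UPSTREAM"
    $IPFW add 120 allow ip from any to any via "$EXCHANGE"
    $IPFW add 130 allow ip from any to any

    # Upstream, outbound: one table lookup replaces one rule per host.
    # With net.inet.ip.fw.one_pass=1 (the default) a packet leaves the
    # firewall after the pipe, so per-host hits never reach the block pipe.
    $IPFW add 2000 pipe tablearg ip from 'table(1)' to any out xmit "$UPSTREAM"
    $IPFW add 2010 pipe 1000 ip from "$BLOCK" to any out xmit "$UPSTREAM"
    $IPFW add 2020 allow ip from any to any

    # Upstream, inbound: same shape, keyed on the destination address.
    $IPFW add 3000 pipe tablearg ip from any to 'table(2)' in recv "$UPSTREAM"
    $IPFW add 3010 pipe 1002 ip from any to "$BLOCK" in recv "$UPSTREAM"
    $IPFW add 3020 allow ip from any to any
}

# Rule count is fixed no matter how many hosts are shaped (dry-run helper:
# forces the echo backend so it never touches a live firewall).
rule_count() {
    ( IPFW="echo ipfw"; build_ruleset ) | grep -c ' add '
}

configure_pipes
load_tables
build_ruleset
```

Where Sami's ruleset grew by two rules per shaped address (and, per Alexander, reached roughly 4k rules), this layout stays at ten firewall rules and pushes the per-host data into two tables; a new customer is two `ipfw table ... add` calls that do not change the rule walk. The `skipto` at rules 100/110 is Julian's point: traffic on the exchange interface hits rule 120 and is done, never seeing the shaping rules that only make sense for the upstream link.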