From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 7 12:50:54 2013
From: "Eggert, Lars"
To: Ian Smith
Cc: "freebsd-net@freebsd.org", Matthew Luckie
Subject: Re: high cpu usage on natd / dhcpd
Date: Thu, 7 Feb 2013 12:50:51 +0000
References: <510A87B8.7000705@luckie.org.nz> <20130207231943.O21988@sola.nimnet.asn.au>
In-Reply-To: <20130207231943.O21988@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

Hi,

On Feb 7, 2013, at 13:40, Ian Smith wrote:

> On Thu, 7 Feb 2013 08:08:59 +0000, Eggert, Lars wrote:
>> On Jan 31, 2013, at 16:03, Matthew Luckie wrote:
>>>
>>> 00510 allow ip from me to not me out via em1
>>> 00550 divert 8668 ip from any to any via em1
>>>
>>> Rule 510 fixes it.
>>
>> Yep, it does. Can I ask someone to commit this to rc.firewall?
>
> The ruleset Matthew posted bears no resemblance to rc.firewall, so I
> don't see that (or how) it solves any generic problem.

Sorry for having been imprecise. What I was asking for was this change:

--- /usr/src/etc/rc.firewall 2012-11-17 12:36:10.000000000 +0100
+++ rc.firewall 2013-02-06 11:35:45.000000000 +0100
@@ -155,6 +155,7 @@ case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then + ${fwcmd} add 49 allow ip from me to not me out via ${natd_interface} ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface} fi ;;

>> (And I wonder if the rules for the ipfw kernel firewall need a
>> similar addition, because the system locks up under heavy network
>> load if I use that instead of natd.)
>
> Which rc.firewall ruleset are you referring to?

My rc.conf has:

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="bce0"

With the patch above, that seems to work fine. I tried to replace the natd_* lines with:

firewall_nat_enable="YES"
firewall_nat_interface="bce0"

which caused the machine to lock up under load, similar to when natd started eating CPU cycles. This made me wonder if a similar patch to the above for the firewall_nat_* case in rc.firewall might be needed.

> There certainly are
> problems with the 'simple' ruleset relating to use of $natd_enable vs
> $firewall_nat_enable (not to mention the denial of ALL icmp traffic)
> that I posted patches to a couple of years ago in ipfw@ to rc.firewall
> and /etc/rc.d/{ipfw,natd} addressing about 4 PRs .. sadly to no avail.
>
> I suggest following up to ipfw@ (cc'd) rather than net@

Will subscribe, thanks.

Lars
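Review bot: in the rc.firewall hunk, the added rule 49 (`${fwcmd} add 49 allow ip from me to not me out via ${natd_interface}`) matches `ip` while the divert rule 50 it shields matches only `ip4`, and it exempts every locally sourced packet leaving ${natd_interface} from translation whatever its source address, so a packet sourced from an internal interface address would leave untranslated; restrict it to `ip4` for consistency with the divert rule, add a comment stating why locally originated outbound traffic must bypass the divert socket (the reason is not recorded anywhere in the hunk), and since the message reports the same lockup with `firewall_nat_enable`, check whether the in-kernel `nat` branch of rc.firewall needs the matching `allow` rule too.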