Date: Wed, 19 Dec 2001 15:13:21 +0200 From: Ruslan Ermilov <ru@FreeBSD.ORG> To: chkno@dork.com Cc: freebsd-questions@FreeBSD.ORG Subject: Re: ipfw+natd packet loop Message-ID: <20011219151321.A37899@sunbay.com> In-Reply-To: <20011219110956.KPYL6450.rwcrmhc52.attbi.com@chk.phattydomain.com> References: <20011219110956.KPYL6450.rwcrmhc52.attbi.com@chk.phattydomain.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Dec 19, 2001 at 11:11:16AM +0000, chkno@dork.com wrote: > I'm trying to use ipfw pipes to impose bandwidth restrictions in a > natd environment. I'm having an issue with packets getting caught > up in some kind of loop between natd & the pipe. > > Note: I'm using natd to nat between two subnets on the same interface. > This has worked beautifully so far, even though I gather that it > is not the normal way of doing things. Hardware restrictions prevent > me from adding a second NIC. > > > Background info: > > # grep natd /etc/rc.conf > natd_enable="YES" > natd_flags="-use_sockets -same_ports -unregistered_only" > natd_interface="ed1" > # ifconfig ed1 > ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > inet 12.225.230.182 netmask 0xfffffe00 broadcast 255.255.255.255 > inet 192.168.151.1 netmask 0xffffff00 broadcast 192.168.151.255 > ether 00:80:c8:e2:b0:5a > # sysctl net.inet.ip.fw.one_pass > net.inet.ip.fw.one_pass: 1 > # ipfw pipe show > 00010: 120.000 Kbit/s 0 ms 8 sl. 1 queues (1 buckets) droptail > mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000 > > Demonstration: > > ( XXX.XXX.XXX.XXX is downloading a file via ftp. ) > > # echo;ipfw add 10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out; ipfw zero;s > leep 1;ipfw show;sleep 19;echo;ipfw show;ipfw delete 10000 > > 10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out > Accounting cleared. > 00049 39 39604 count ip from any to any > 00050 39 39604 divert 8668 ip from any to any via ed1 > 00051 39 39604 count ip from any to any > 00100 0 0 allow ip from any to any via lo0 > 00200 0 0 deny ip from any to 127.0.0.0/8 > 00300 0 0 deny ip from 127.0.0.0/8 to any > 10000 14 21000 pipe 10 ip from any to XXX.XXX.XXX.XXX out > 65000 25 18604 allow ip from any to any > 65535 0 0 deny ip from any to any > > 00049 492 471097 count ip from any to any > 00050 492 471097 divert 8668 ip from any to any via ed1 > 00051 556400 834347613 count ip from any to any > 00100 0 0 allow ip from any to any via lo0 > 00200 0 0 deny ip from any to 127.0.0.0/8 > 00300 0 0 deny ip from 127.0.0.0/8 to any > 10000 556141 834210534 pipe 10 ip from any to XXX.XXX.XXX.XXX out > 65000 259 137079 allow ip from any to any > 65535 0 0 deny ip from any to any > # > > CPU usage jumps to 100%. 233 packets become 556141. What am I > doing wrong? > Hmm, I can't reproduce this on a 4.4-STABLE box with the following ruleset: # ipfw show; ipfw pipe show 00050 1961 472013 divert 8668 ip from any to any via rl0 00100 0 0 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 127.0.0.0/8 to any 10000 661 382995 pipe 10 ip from any to XXX.XXX.XXX.XXX 65000 1300 89018 allow ip from any to any 65535 0 0 deny ip from any to any 00010: 120.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000 BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp 0 tcp 192.168.4.115/49202 XXX.XXX.XXX.XXX/22 234 208380 12 16540 0 Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011219151321.A37899>