Date:      Wed, 19 Dec 2001 15:13:21 +0200
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        chkno@dork.com
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw+natd packet loop
Message-ID:  <20011219151321.A37899@sunbay.com>
In-Reply-To: <20011219110956.KPYL6450.rwcrmhc52.attbi.com@chk.phattydomain.com>
References:  <20011219110956.KPYL6450.rwcrmhc52.attbi.com@chk.phattydomain.com>

On Wed, Dec 19, 2001 at 11:11:16AM +0000, chkno@dork.com wrote:
> I'm trying to use ipfw pipes to impose bandwidth restrictions in a
> natd environment.  I'm having an issue with packets getting caught
> up in some kind of loop between natd & the pipe.
> 
> Note: I'm using natd to nat between two subnets on the same interface.
> This has worked beautifully so far, even though I gather that it
> is not the normal way of doing things.  Hardware restrictions prevent
> me from adding a second NIC.
> 
> 
> Background info:
> 
>    # grep natd /etc/rc.conf
>    natd_enable="YES"
>    natd_flags="-use_sockets -same_ports -unregistered_only"
>    natd_interface="ed1"
>    # ifconfig ed1
>    ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>            inet 12.225.230.182 netmask 0xfffffe00 broadcast 255.255.255.255
>            inet 192.168.151.1 netmask 0xffffff00 broadcast 192.168.151.255
>            ether 00:80:c8:e2:b0:5a
>    # sysctl net.inet.ip.fw.one_pass
>    net.inet.ip.fw.one_pass: 1
>    # ipfw pipe show
>    00010: 120.000 Kbit/s    0 ms    8 sl. 1 queues (1 buckets) droptail
>        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 
> Demonstration:
> 
> ( XXX.XXX.XXX.XXX is downloading a file via ftp. )
> 
>    # echo;ipfw add 10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out; ipfw zero;sleep 1;ipfw show;sleep 19;echo;ipfw show;ipfw delete 10000
> 
>    10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
>    Accounting cleared.
>    00049 39 39604 count ip from any to any
>    00050 39 39604 divert 8668 ip from any to any via ed1
>    00051 39 39604 count ip from any to any
>    00100  0     0 allow ip from any to any via lo0
>    00200  0     0 deny ip from any to 127.0.0.0/8
>    00300  0     0 deny ip from 127.0.0.0/8 to any
>    10000 14 21000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
>    65000 25 18604 allow ip from any to any
>    65535  0     0 deny ip from any to any
> 
>    00049    492    471097 count ip from any to any
>    00050    492    471097 divert 8668 ip from any to any via ed1
>    00051 556400 834347613 count ip from any to any
>    00100      0         0 allow ip from any to any via lo0
>    00200      0         0 deny ip from any to 127.0.0.0/8
>    00300      0         0 deny ip from 127.0.0.0/8 to any
>    10000 556141 834210534 pipe 10 ip from any to XXX.XXX.XXX.XXX out
>    65000    259    137079 allow ip from any to any
>    65535      0         0 deny ip from any to any
>    #
> 
> CPU usage jumps to 100%.  233 packets become 556141.  What am I
> doing wrong?
> 
Hmm, I can't reproduce this on a 4.4-STABLE box with the following
ruleset:

# ipfw show; ipfw pipe show
00050 1961 472013 divert 8668 ip from any to any via rl0
00100    0      0 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
10000  661 382995 pipe 10 ip from any to XXX.XXX.XXX.XXX
65000 1300  89018 allow ip from any to any
65535    0      0 deny ip from any to any
00010: 120.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp    192.168.4.115/49202 XXX.XXX.XXX.XXX/22     234   208380 12 16540   0


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
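One way to spot the symptom shown in the counters above without eyeballing them (an added example, not code from the thread): a Python check that parses two `ipfw show` snapshots and flags every rule whose packet counter grew far faster than the divert rule's, which is what a packet being reinjected and re-traversing the ruleset looks like. The sample snapshots are the 1-second and 20-second listings from the original post; the 10x threshold is an assumption.

```python
import re

# `ipfw show` prints "<rule> <packets> <bytes> <action ...>" per rule; pipe and
# "Accounting cleared." lines do not match and are skipped.
_RULE_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

# Sample input taken from the two listings in the original post.
SNAPSHOT_1S = """\
00049 39 39604 count ip from any to any
00050 39 39604 divert 8668 ip from any to any via ed1
00051 39 39604 count ip from any to any
00100  0     0 allow ip from any to any via lo0
10000 14 21000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000 25 18604 allow ip from any to any
65535  0     0 deny ip from any to any
"""
SNAPSHOT_20S = """\
00049    492    471097 count ip from any to any
00050    492    471097 divert 8668 ip from any to any via ed1
00051 556400 834347613 count ip from any to any
00100      0         0 allow ip from any to any via lo0
10000 556141 834210534 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000    259    137079 allow ip from any to any
65535      0         0 deny ip from any to any
"""

def parse_ipfw_show(text):
    """Return {rule_number: (packets, bytes, action)} from `ipfw show` output."""
    rules = {}
    for line in text.splitlines():
        m = _RULE_LINE.match(line)
        if m:
            num, pkts, nbytes, action = m.groups()
            rules[int(num)] = (int(pkts), int(nbytes), action.strip())
    return rules

def find_reinjection_loops(before, after, factor=10):
    """Rules whose packet delta exceeds `factor` times the divert rules' delta.

    With natd every packet should cross the divert rule about once per
    direction, so a rule growing much faster is being hit by looping packets.
    Returns {rule_number: (delta_packets, action)}.
    """
    divert = [n for n, (_, _, a) in after.items() if a.startswith("divert")]
    if not divert:
        return {}
    divert_delta = sum(after[n][0] - before.get(n, (0, 0, ""))[0] for n in divert)
    suspects = {}
    for num, (pkts, _, action) in after.items():
        delta = pkts - before.get(num, (0, 0, ""))[0]
        if delta > factor * max(divert_delta, 1):
            suspects[num] = (delta, action)
    return suspects
```

Running it on the two listings flags rules 51 and 10000, the count rule after the divert and the pipe rule, while the divert rule itself only moved by 453 packets.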
