From: "Eggert, Lars"
To: Matthew Luckie
Cc: "freebsd-net@freebsd.org"
Subject: Re: high cpu usage on natd / dhcpd
Date: Thu, 7 Feb 2013 08:08:59 +0000

On Jan 31, 2013, at 16:03, Matthew Luckie wrote:
>
> 00510 allow ip from me to not me out via em1
> 00550 divert 8668 ip from any to any via em1
>
> Rule 510 fixes it.

Yep, it does. Can I ask someone to commit this to rc.firewall?

(And I wonder if the rules for the ipfw kernel firewall need a similar addition, because the system locks up under heavy network load if I use that instead of natd.)

Lars