Date: Thu, 7 Feb 2013 23:40:04 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: "Eggert, Lars" <lars@netapp.com>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, freebsd-ipfw@freebsd.org, Matthew Luckie <mjl@luckie.org.nz>
Subject: Re: high cpu usage on natd / dhcpd
Message-ID: <20130207231943.O21988@sola.nimnet.asn.au>
In-Reply-To: <D4D47BCFFE5A004F95D707546AC0D7E91F6EB387@SACEXCMBX01-PRD.hq.netapp.com>
References: <D4D47BCFFE5A004F95D707546AC0D7E91F6B79D2@SACEXCMBX01-PRD.hq.netapp.com> <510A87B8.7000705@luckie.org.nz> <D4D47BCFFE5A004F95D707546AC0D7E91F6EB387@SACEXCMBX01-PRD.hq.netapp.com>
On Thu, 7 Feb 2013 08:08:59 +0000, Eggert, Lars wrote:
> On Jan 31, 2013, at 16:03, Matthew Luckie <mjl@luckie.org.nz> wrote:
> >
> > 00510 allow ip from me to not me out via em1
> > 00550 divert 8668 ip from any to any via em1
> >
> > Rule 510 fixes it.
>
> Yep, it does. Can I ask someone to commit this to rc.firewall?
The ruleset Matthew posted bears no resemblance to rc.firewall, so I
don't see that (or how) it solves any generic problem.
> (And I wonder if the rules for the ipfw kernel firewall need a
> similar addition, because the system locks up under heavy network
> load if I use that instead of natd.)
>
> Lars
Which rc.firewall ruleset are you referring to? There certainly are
problems with the 'simple' ruleset relating to use of $natd_enable vs
$firewall_nat_enable (not to mention the denial of ALL icmp traffic)
that I posted patches to a couple of years ago in ipfw@ to rc.firewall
and /etc/rc.d/{ipfw,natd} addressing about 4 PRs .. sadly to no avail.
I suggest following up to ipfw@ (cc'd) rather than net@.
cheers, Ian
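What placing rule 510 in front of the divert rule changes, shown as an added simulation that is not part of the thread and is not ipfw itself: the script below models only ipfw's first-match evaluation and the three address/direction/interface predicates used in the two quoted rules, then reports which sample packets would reach the `divert 8668` rule with and without rule 510. The gateway addresses, the interface names and the sample packets are constructed for the example.

```python
"""Toy first-match evaluation of the two ipfw rules quoted in the thread.

Added illustration, not ipfw and not code from the thread. It models only
what is needed to see which packets reach 'divert 8668' when rule 510
('allow ip from me to not me out via em1') does or does not precede it.
"""
from dataclasses import dataclass
from typing import List, Optional

# Addresses configured on the gateway itself; these are what ipfw's 'me'
# matches. Constructed for the example.
LOCAL_ADDRS = {"192.0.2.1", "10.0.0.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" or "out"
    iface: str


def addr_matches(spec: str, addr: str) -> bool:
    """'me' / 'not me' / 'any' as used in the quoted rules."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    if spec == "not me":
        return addr not in LOCAL_ADDRS
    raise ValueError(f"unsupported address spec {spec!r}")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "allow" or "divert 8668"
    src: str         # "me", "not me" or "any"
    dst: str
    direction: str   # "out" or "any" ('via' alone matches both directions)
    iface: str

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.iface == self.iface
            and (self.direction == "any" or pkt.direction == self.direction)
            and addr_matches(self.src, pkt.src)
            and addr_matches(self.dst, pkt.dst)
        )


# The two rules from the thread, in the order they were posted.
RULE_510 = Rule(510, "allow", "me", "not me", "out", "em1")
RULE_550 = Rule(550, "divert 8668", "any", "any", "any", "em1")
RULES_WITH_510 = [RULE_510, RULE_550]
RULES_WITHOUT_510 = [RULE_550]


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """ipfw walks rules in number order and stops at the first match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None  # would fall through to the default rule; not modelled here


def diverted(rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets whose first matching rule hands them to the divert socket."""
    out = []
    for pkt in packets:
        rule = first_match(rules, pkt)
        if rule is not None and rule.action.startswith("divert"):
            out.append(pkt)
    return out


# Constructed sample traffic on a gateway whose WAN side is em1.
SAMPLE_PACKETS = [
    Packet("192.0.2.1", "198.51.100.7", "out", "em1"),   # host's own outbound
    Packet("10.0.0.5", "198.51.100.7", "out", "em1"),    # LAN client, forwarded
    Packet("198.51.100.7", "192.0.2.1", "in", "em1"),    # inbound reply to host
    Packet("10.0.0.5", "10.0.0.1", "in", "em0"),         # LAN side, never via em1
]

if __name__ == "__main__":
    for label, rules in (("without 510", RULES_WITHOUT_510), ("with 510", RULES_WITH_510)):
        hits = diverted(rules, SAMPLE_PACKETS)
        print(f"{label}: {len(hits)} packet(s) reach divert 8668")
        for pkt in hits:
            print(f"  {pkt.src} -> {pkt.dst} {pkt.direction} via {pkt.iface}")
```

Only the gateway's own outbound traffic on em1 changes category: with rule 510 ahead of the divert it is allowed and never copied up to natd, while forwarded LAN traffic and inbound packets still go through the divert socket. The simulation says nothing about what natd does with the packets it receives, nor about the default rule, and it does not model the full ipfw grammar.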
