Date: Thu, 7 Feb 2013 12:50:51 +0000
From: "Eggert, Lars" <lars@netapp.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, "<freebsd-ipfw@freebsd.org>" <freebsd-ipfw@freebsd.org>, Matthew Luckie <mjl@luckie.org.nz>
Subject: Re: high cpu usage on natd / dhcpd
Message-ID: <D4D47BCFFE5A004F95D707546AC0D7E91F6EEA32@SACEXCMBX01-PRD.hq.netapp.com>
In-Reply-To: <20130207231943.O21988@sola.nimnet.asn.au>
References: <D4D47BCFFE5A004F95D707546AC0D7E91F6B79D2@SACEXCMBX01-PRD.hq.netapp.com> <510A87B8.7000705@luckie.org.nz> <D4D47BCFFE5A004F95D707546AC0D7E91F6EB387@SACEXCMBX01-PRD.hq.netapp.com> <20130207231943.O21988@sola.nimnet.asn.au>
Hi,
On Feb 7, 2013, at 13:40, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Thu, 7 Feb 2013 08:08:59 +0000, Eggert, Lars wrote:
>> On Jan 31, 2013, at 16:03, Matthew Luckie <mjl@luckie.org.nz> wrote:
>>>
>>> 00510 allow ip from me to not me out via em1
>>> 00550 divert 8668 ip from any to any via em1
>>>
>>> Rule 510 fixes it.
>>
>> Yep, it does. Can I ask someone to commit this to rc.firewall?
>
> The ruleset Matthew posted bears no resemblance to rc.firewall, so I
> don't see that (or how) it solves any generic problem.
sorry for having been imprecise. What I was asking for was this change:
--- /usr/src/etc/rc.firewall 2012-11-17 12:36:10.000000000 +0100
+++ rc.firewall 2013-02-06 11:35:45.000000000 +0100
@@ -155,6 +155,7 @@
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
+ ${fwcmd} add 49 allow ip from me to not me out via ${natd_interface}
${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
fi
;;
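Review bot: the new rule 49 matches `ip` while the divert rule 50 right below it is restricted to `ip4`, so the allow rule is wider than the divert it is meant to short-circuit; using `ip4` on the new line keeps the two rules symmetrical. The hunk also gives no hint why locally originated outbound traffic is allowed ahead of the divert (the natd CPU load discussed in this thread), which a later reader of rc.firewall will not know; a one-line shell comment above the new rule stating that local outbound traffic bypasses natd would document it. Note that only the ${natd_enable} branch is changed; the firewall_nat_enable case raised further down in this message is not touched by this hunk.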
>> (And I wonder if the rules for the ipfw kernel firewall need a
>> similar addition, because the system locks up under heavy network
>> load if I use that instead of natd.)
>
> Which rc.firewall ruleset are you referring to?
My rc.conf has:
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="bce0"
With the patch above, that seems to work fine.
I tried to replace the natd_* lines with:
firewall_nat_enable="YES"
firewall_nat_interface="bce0"
which caused the machine to lock up under load, similar to when natd started eating CPU cycles. This made me wonder if a similar patch to the above for the firewall_nat_* case in rc.firewall might be needed.
> There certainly are
> problems with the 'simple' ruleset relating to use of $natd_enable vs
> $firewall_nat_enable (not to mention the denial of ALL icmp traffic)
> that I posted patches to a couple of years ago in ipfw@ to rc.firewall
> and /etc/rc.d/{ipfw,natd} addressing about 4 PRs .. sadly to no avail.
>
> I suggest following up to ipfw@ (cc'd) rather than net@
Will subscribe, thanks.
Lars
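Added illustration, not code from the thread or from rc.firewall: a small first-match evaluator for the two rules the patched natd branch generates, so the effect of placing "allow ip from me to not me out" ahead of the divert can be checked offline without ipfw. The local address list, the interface name em1 and the sample packets are constructed for this example.

```shell
#!/bin/sh
# Constructed for this example: the addresses ipfw's "me" would match on
# this host (external 192.0.2.1 on em1, internal 192.168.1.1 on em0).
LOCAL_ADDRS="192.0.2.1 192.168.1.1"
NATD_IF="em1"

# is_me ADDR -> returns 0 when ADDR is one of the host's own addresses
is_me() {
    for a in $LOCAL_ADDRS; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# match_rule SRC DST DIR IFACE
# Prints the first matching rule number, ipfw-style (first match wins):
#   49  allow  ip  from me  to not me out via $NATD_IF
#   50  divert natd ip4 from any to any    via $NATD_IF
# or "none" when the packet does not pass through the natd interface.
match_rule() {
    src=$1; dst=$2; dir=$3; iface=$4
    if [ "$iface" != "$NATD_IF" ]; then
        echo none; return 0
    fi
    # Rule 49: locally originated, outbound, to a foreign address -> skip natd
    if [ "$dir" = out ] && is_me "$src" && ! is_me "$dst"; then
        echo 49; return 0
    fi
    # Everything else via the natd interface falls through to the divert
    echo 50
}

# Walk a few constructed packets and print the verdict for each.
demo() {
    for pkt in "192.0.2.1 198.51.100.7 out em1" \
               "192.168.1.50 198.51.100.7 out em1" \
               "198.51.100.7 192.0.2.1 in em1" \
               "192.168.1.1 198.51.100.7 out em1" \
               "192.168.1.50 192.168.1.1 out em0"; do
        set -- $pkt
        printf '%-14s -> %-14s %-3s via %s : rule %s\n' \
            "$1" "$2" "$3" "$4" "$(match_rule "$1" "$2" "$3" "$4")"
    done
}

demo
```

Forwarded traffic from the LAN (source not "me") and all inbound traffic still reach the divert, so NAT behaviour for clients is unchanged; only packets the gateway itself sends skip natd. Since "me" covers every address configured on the host, a packet the gateway sources from its internal address also matches rule 49 and leaves untranslated, which is worth keeping in mind when daemons on the gateway bind to the inside address.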
