From: "Eggert, Lars" <lars@netapp.com>
To: Ian Smith <smithi@nimnet.asn.au>
Subject: Re: high cpu usage on natd / dhcpd
Date: Thu, 7 Feb 2013 12:50:51 +0000
Message-ID: <D4D47BCFFE5A004F95D707546AC0D7E91F6EEA32@SACEXCMBX01-PRD.hq.netapp.com>
References: <D4D47BCFFE5A004F95D707546AC0D7E91F6B79D2@SACEXCMBX01-PRD.hq.netapp.com>
 <510A87B8.7000705@luckie.org.nz>
 <D4D47BCFFE5A004F95D707546AC0D7E91F6EB387@SACEXCMBX01-PRD.hq.netapp.com>
 <20130207231943.O21988@sola.nimnet.asn.au>
In-Reply-To: <20130207231943.O21988@sola.nimnet.asn.au>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>,
 "<freebsd-ipfw@freebsd.org>" <freebsd-ipfw@freebsd.org>,
 Matthew Luckie <mjl@luckie.org.nz>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>

Hi,

On Feb 7, 2013, at 13:40, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Thu, 7 Feb 2013 08:08:59 +0000, Eggert, Lars wrote:
>> On Jan 31, 2013, at 16:03, Matthew Luckie <mjl@luckie.org.nz> wrote:
>>>
>>> 00510 allow ip from me to not me out via em1
>>> 00550 divert 8668 ip from any to any via em1
>>>
>>> Rule 510 fixes it.
>>
>> Yep, it does. Can I ask someone to commit this to rc.firewall?
>
> The ruleset Matthew posted bears no resemblance to rc.firewall, so I
> don't see that (or how) it solves any generic problem.

Sorry for having been imprecise. What I was asking for was this change:

--- /usr/src/etc/rc.firewall	2012-11-17 12:36:10.000000000 +0100
+++ rc.firewall	2013-02-06 11:35:45.000000000 +0100
@@ -155,6 +155,7 @@
 	case ${natd_enable} in
 	[Yy][Ee][Ss])
 		if [ -n "${natd_interface}" ]; then
+			${fwcmd} add 49 allow ip from me to not me out via ${natd_interface}
 			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
 		fi
 		;;
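Review bot: the new rule 49 matches `ip` while the divert rule at 50 matches `ip4`; natd only translates IPv4, so `${fwcmd} add 49 allow ip4 from me to not me out via ${natd_interface}` keeps the two rules consistent. Also worth stating in the commit message: `allow` terminates rule processing, so from this point on every packet the gateway itself originates via ${natd_interface} bypasses the divert and leaves untranslated. That is the intended effect (natd no longer has to track the gateway's own sessions), but `me` matches every address configured on the host, so a packet sourced from an internal address yet routed out ${natd_interface} would also leave untranslated; if the ruleset has to cover that case, narrow the source to the interface's own address. Finally, the change touches only the `natd_enable` branch; the `firewall_nat_enable` (in-kernel NAT) branch, which the message itself reports locking up under load, has no counterpart here, and the commit should either add one or note that it is deliberately out of scope.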

>> (And I wonder if the rules for the ipfw kernel firewall need a
>> similar addition, because the system locks up under heavy network
>> load if I use that instead of natd.)
>
> Which rc.firewall ruleset are you referring to?

My rc.conf has:

	gateway_enable="YES"
	firewall_enable="YES"
	firewall_type="OPEN"
	natd_enable="YES"
	natd_interface="bce0"

With the patch above, that seems to work fine.

I tried to replace the natd_* lines with:

	firewall_nat_enable="YES"
	firewall_nat_interface="bce0"

which caused the machine to lock up under load, similar to when natd started eating CPU cycles. This made me wonder if a similar patch to the above for the firewall_nat_* case in rc.firewall might be needed.

> There certainly are
> problems with the 'simple' ruleset relating to use of $natd_enable vs
> $firewall_nat_enable (not to mention the denial of ALL icmp traffic)
> that I posted patches to a couple of years ago in ipfw@ to rc.firewall
> and /etc/rc.d/{ipfw,natd} addressing about 4 PRs .. sadly to no avail.
>
> I suggest following up to ipfw@ (cc'd) rather than net@

Will subscribe, thanks.

Lars
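The following is an added example, not code from this thread and not FreeBSD's own rc.firewall. It generates the NAT-related ipfw rules in the order the patch above proposes, with the "allow from me to not me" rule placed before the rule that hands traffic to NAT, and runs as a dry run because `fwcmd` defaults to `echo` (set `fwcmd=/sbin/ipfw` on a real gateway to apply the rules). The function name `nat_rules`, the `ip4` match (chosen to agree with the existing divert rule), and the `kernel` branch are assumptions: the in-kernel NAT counterpart is the "similar patch" the message only wonders about, not something rc.firewall is known to do.

```shell
#!/bin/sh
# Added example (not from the thread or from rc.firewall): emit the ipfw
# rules that route traffic to NAT for one external interface. fwcmd
# defaults to "echo" so this is a dry run; export fwcmd=/sbin/ipfw to
# actually install the rules on a FreeBSD gateway.
: "${fwcmd:=echo}"

# nat_rules <mode> <interface>
#   mode "natd"   -> userland natd reached through a divert socket
#                    (the natd_enable case the patch above changes)
#   mode "kernel" -> in-kernel NAT (firewall_nat_enable case); its rule 49
#                    is the hypothetical counterpart the mail asks about
nat_rules() {
	mode=$1
	ifn=$2
	[ -n "$ifn" ] || { echo "nat_rules: interface required" >&2; return 1; }

	# Rule 49 comes first and "allow" ends rule processing, so packets the
	# gateway itself originates leave untranslated and never reach rule 50.
	# NAT therefore only tracks sessions of the hosts behind the gateway.
	# ip4 (rather than ip) keeps it consistent with the IPv4-only NAT rule.
	${fwcmd} add 49 allow ip4 from me to not me out via "$ifn"

	case $mode in
	natd)
		# Everything else crossing the interface is diverted to natd.
		${fwcmd} add 50 divert natd ip4 from any to any via "$ifn"
		;;
	kernel)
		# Same position in the ruleset, but translation stays in the kernel.
		${fwcmd} nat 1 config if "$ifn"
		${fwcmd} add 50 nat 1 ip4 from any to any via "$ifn"
		;;
	*)
		echo "nat_rules: unknown mode $mode" >&2
		return 1
		;;
	esac
}

# Dry-run both variants with a constructed interface name.
nat_rules natd bce0
nat_rules kernel bce0
```

Because the rules are printed rather than applied, the output can be diffed against `ipfw list` on the gateway before anything is changed, which is the check to run whenever a rule is inserted ahead of a divert or nat rule: a mis-ordered allow silently takes that traffic out of NAT.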