From: "Robert D. Hughes"
Delivered-To: freebsd-stable@freebsd.org
Date: Tue, 22 Jan 2002 17:02:48 -0600
Subject: RE: NATD, or another one I haven't seen before

If that's the case, then it seems to point to a problem in the way NATD handles arps. I've hammered this box, as well as others, and never seen this problem. At any rate, hopefully one of the more senior people can decide whether a PR is warranted. If so, I'll be happy to submit it.

Thanks,
Rob

-----Original Message-----
From: Barry Irwin [mailto:bvi@itouchlabs.com]
Sent: Tuesday, January 22, 2002 1:13 AM
To: Robert D. Hughes
Cc: freebsd-stable@freebsd.org
Subject: Re: NATD, or another one I haven't seen before

I don't think this is necessarily a new source code related bug. During the CodeRed / CodeRedII sagas of last year I had a number of NATDs lock up. On a range of boxes from 4.3 right to 4.0, they exhibited a massive growth in memory usage (30MB+) and CPU time. Packets were getting handled, but were taking forever; I was getting ping times on the order of 400 seconds. This also occurred on network segments in 4 different continents. Again a pile of arp traffic was seen on the external side of the firewalls. My initial response was that state tables were filling up because of all the incomplete connections, but tests with synfloods by myself were unable to duplicate the problem.

Barry
--
Barry Irwin bvi@itouchlabs.com +27214875150
Systems Administrator: Networks And Security
Itouch Labs http://www.itouchlabs.com South Africa

On Mon 2002-01-21 (11:48), Robert D. Hughes wrote:
>
> CVSUP from 1/16, running natd with command /sbin/natd -config /etc/natd.conf -n dc0. Config file is:
>
> log_denied
> log_facility security
> use_sockets
> same_ports
> unregistered_only
> redirect_port tcp x.x.x.x:80 x.x.x.x:80
> redirect_port tcp x.x.x.x:443 x.x.x.x:443
> redirect_port tcp x.x.x.x:8880 x.x.x.x:8880
> redirect_port tcp x.x.x.x:2953 x.x.x.x:2953
> redirect_port tcp x.x.x.x:2954 x.x.x.x:2954
> dynamic
> punch_fw 10000:1000
>
> I'm going to try removing the log options and see if it improves, but since this is a new issue with the recent cvs build, I did want to send out a query.
>
> What I'm seeing is natd going to well over 90% cpu on this box, which has never happened before to the best of my knowledge. What tcpdump is showing me is very large amounts of arp traffic on the external interface from a large part of the 12.237/16 network (yeah, I know, lame provider). Has anyone else been running into similar issues?
>
> "Great spirits have always encountered violent opposition from mediocre minds." -- Albert Einstein
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
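Both posters diagnosed the natd slowdown by eyeballing tcpdump for an ARP flood on the external interface. The script below is an added example, not code from the thread or from FreeBSD; it turns that eyeballing into a repeatable check by parsing classic tcpdump ARP output ("<time> arp who-has <target> tell <sender>"), counting requests per sender, measuring the aggregate request rate, and reporting how many senders fall inside a given prefix (the 12.237.0.0/16 mentioned in the thread is used as the default). The sample capture lines and the 20-requests-per-second threshold are constructed for illustration, not taken from the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the classic tcpdump ARP request line:
#   "23:02:34.000001 arp who-has 12.237.138.1 tell 12.237.140.22"
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+arp who-has (?P<target>\S+) tell (?P<sender>\S+)"
)

# Constructed sample capture (not from the thread): five ARP requests from three
# senders over two seconds, plus one TCP line and one ARP reply that must be ignored.
SAMPLE_CAPTURE = """\
23:02:34.000001 arp who-has 12.237.138.1 tell 12.237.140.22
23:02:34.250000 arp who-has 12.237.138.77 tell 12.237.141.9
23:02:34.500000 arp who-has 12.237.138.2 tell 12.237.140.22
23:02:34.750000 IP 10.0.0.5.51234 > 12.237.138.77.80: S 1:1(0) win 65535
23:02:35.000000 arp who-has 12.237.138.9 tell 12.237.140.22
23:02:35.500000 arp reply 12.237.138.1 is-at 00:00:00:00:00:01
23:02:36.000000 arp who-has 12.237.139.4 tell 192.168.1.3
"""


def parse_arp_requests(text):
    """Yield (seconds_since_midnight, target, sender) for every ARP who-has line."""
    for line in text.splitlines():
        m = ARP_REQUEST.match(line)
        if not m:
            continue  # replies, TCP/UDP lines, and anything else are skipped
        hh, mm, ss = m.group("ts").split(":")
        seconds = int(hh) * 3600 + int(mm) * 60 + float(ss)
        yield seconds, m.group("target"), m.group("sender")


def analyze_arp(text, prefix="12.237.0.0/16"):
    """Summarize ARP request volume per sender and the share of senders in `prefix`."""
    net = ip_network(prefix)
    per_sender = Counter()
    first = last = None
    for seconds, _target, sender in parse_arp_requests(text):
        per_sender[sender] += 1
        first = seconds if first is None else min(first, seconds)
        last = seconds if last is None else max(last, seconds)

    total = sum(per_sender.values())
    duration = (last - first) if (first is not None and last is not None) else 0.0
    # A single request (zero span) is reported as one request per second.
    rate = total / duration if duration > 0 else float(total)
    in_prefix = sum(1 for s in per_sender if ip_address(s) in net)

    return {
        "total_requests": total,
        "duration_seconds": duration,
        "requests_per_second": rate,
        "per_sender": dict(per_sender),
        "top_talkers": per_sender.most_common(5),
        "distinct_senders": len(per_sender),
        "senders_in_prefix": in_prefix,
    }


def looks_like_arp_storm(summary, rate_threshold=20.0):
    """Hypothetical threshold check: flag when aggregate who-has rate exceeds rate_threshold/s."""
    return summary["requests_per_second"] > rate_threshold


if __name__ == "__main__":
    s = analyze_arp(SAMPLE_CAPTURE)
    print(f"{s['total_requests']} ARP requests in {s['duration_seconds']:.3f}s "
          f"({s['requests_per_second']:.1f}/s), {s['senders_in_prefix']}/{s['distinct_senders']} "
          f"senders inside 12.237.0.0/16")
    for sender, count in s["top_talkers"]:
        print(f"  {sender:>16}  {count}")
    print("storm suspected:", looks_like_arp_storm(s))
```

In practice the input would be `tcpdump -n -i dc0 arp` output piped into the script; the threshold that separates normal ARP churn from a flood depends on the size of the broadcast domain, so it is a parameter rather than a fixed constant.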