From owner-freebsd-net@FreeBSD.ORG Thu Jan 26 04:16:27 2012
Message-ID: <4F20BE24.3050101@luckie.org.nz>
Date: Wed, 25 Jan 2012 18:44:52 -0800
From: Matthew Luckie
To: freebsd-net@freebsd.org
Subject: high cpu usage on natd / dhcpd
List-Id: Networking and TCP/IP with FreeBSD
Hi,

I have a small system running FreeBSD 8.2 that does NAT using ipfw and natd to systems attached to two interfaces: em0 and wlan0. I have a dhcpd daemon issuing leases on those interfaces. The system has an em1 interface plugged into a cable modem where it obtains a DHCP lease from an ISP.

For some reason, when traffic from the Internet terminates on the system itself (I scp a file from the computer) the natd and dhcpd processes consume significant CPU, and the throughput is less than I expect. Traffic that passes through to a computer behind the NAT flows without causing the natd or dhcpd processes to measurably consume CPU.

From top:

CPU: 10.9% user,  0.0% nice, 56.0% system, 21.1% interrupt, 12.0% idle
Mem: 225M Active, 92M Inact, 162M Wired, 556K Cache, 112M Buf, 1506M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE   TIME   WCPU COMMAND
 1222 root        1 104    0  3572K  1448K RUN     1:29 39.36% natd
 1676 root        1  62    0  5340K  3544K select  0:59 24.56% dhcpd

What is going on? My ipfw ruleset is below, and is based on the example in the FreeBSD handbook.
00001 allow ip from any to any via lo0
00002 allow ip from any to any via em0
00003 allow ip from any to any via wlan0
00101 divert 8668 ip from any to any in via em1
00102 check-state
00110 skipto 500 tcp from any to any out via em1 setup keep-state
00111 skipto 500 udp from any to any out via em1 keep-state
00112 skipto 500 icmp from any to any out via em1 keep-state
00201 allow udp from any to any dst-port 68 in keep-state
00202 allow tcp from any to me dst-port 80 in via em1 setup keep-state
00210 allow tcp from 130.217.250.13 to me in via em1 setup keep-state
00211 allow tcp from 199.109.33.1 to me in via em1 setup keep-state
00212 allow tcp from 192.172.226.78 to me in via em1 setup keep-state
00213 allow tcp from 192.172.226.95 to me in via em1 setup keep-state
00230 allow tcp from any to me dst-port 6984 in via em1 setup keep-state
00231 allow udp from any to me dst-port 6984 in via em1
00240 allow icmp from any to me in via em1
00300 unreach filter-prohib log ip from any to any
00500 divert 8668 ip from any to any out via em1
00501 allow ip from any to any
65535 allow ip from any to any
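An added example, not part of the post or of FreeBSD: a small Python walker over an abridged copy of the ruleset above (rules 2, 101, 102, 110, 300, 500, 501 and 65535) that reports which rules a packet is acted on by, modelling ipfw's first-match order, skipto, check-state running the action of the rule that created the dynamic entry, and a divert rule reinjecting the packet at the following rule. It lets you check on paper that a TCP flow terminating on the host and a flow forwarded from em0 traverse the same two divert rules on em1 (101 inbound, 500 outbound), so the ruleset sends both through natd; the packet dictionaries and the "state" argument are this example's own assumptions, and dst-port, src and setup matching are not modelled.

```python
RULESET = """\
00002 allow ip from any to any via em0
00101 divert 8668 ip from any to any in via em1
00102 check-state
00110 skipto 500 tcp from any to any out via em1 setup keep-state
00300 unreach filter-prohib log ip from any to any
00500 divert 8668 ip from any to any out via em1
00501 allow ip from any to any
65535 allow ip from any to any
"""  # abridged from the post: rule 1, 3 and the per-port allow rules are omitted

def parse(line):
    # Only the fields this walker matches on; dst-port, src and setup are ignored.
    t = line.split()
    return {"num": int(t[0]), "action": t[1],
            "arg": int(t[2]) if t[1] in ("divert", "skipto") else None,
            "proto": t[t.index("from") - 1] if "from" in t else None,
            "dst": t[t.index("to") + 1] if "to" in t else "any",
            "via": t[t.index("via") + 1] if "via" in t else None,
            "dir": "in" if "in" in t else "out" if "out" in t else None}

RULES = [parse(l) for l in RULESET.splitlines()]

def index_of(num):
    return next(k for k, r in enumerate(RULES) if r["num"] >= num)

def matches(r, p):
    # Static match; check-state carries no proto, so it never matches here.
    return (r["proto"] in ("ip", p["proto"]) and r["dst"] in ("any", p["dst"])
            and r["dir"] in (None, p["dir"]) and r["via"] in (None, p["via"]))

def trace(p, state=None):
    """Walk RULES for packet p = {proto, dir, via, dst}; `state` is the number of
    the keep-state rule whose dynamic entry p hits.  Returns (verdict, hits)."""
    hits, i, forced = [], 0, False
    while i < len(RULES):
        r = RULES[i]
        if r["action"] == "check-state" and state is not None:
            hits.append(r["num"])
            i, forced = index_of(state), True  # apply the creating rule's action
            continue
        if forced or matches(r, p):
            forced = False
            hits.append(r["num"])
            if r["action"] in ("allow", "unreach"):
                return r["action"], hits
            if r["action"] == "skipto":
                i = index_of(r["arg"])
                continue
        i += 1  # no match, or divert: natd rewrites and reinjects at the next rule
    return "deny", hits
```

trace({"proto": "tcp", "dir": "out", "via": "em1", "dst": "any"}) gives ("allow", [110, 500, 501]) whether the packet originated on the host or was forwarded from em0, and the inbound reply with state=110 gives ("allow", [101, 102, 110, 501]).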