From: "Mikhail T."
Message-Id: <201111272043.pARKh9rZ047643@narawntapu.narawntapu>
To: net@FreeBSD.org
Date: Sun, 27 Nov 2011 15:43:09 -0500 (EST)

Hello!

I recently upgraded a friend's computer to 8.2-STABLE and we are noticing some network performance problems... In particular, when a large file is being uploaded outside (via scp), two weird things happen:

1. Although it begins with a transfer rate of over 2Mb/s (as reported by scp itself), it quickly drops down to 10-15Kb/s and even completely stalls on occasion.

2. natd can be seen (in top) as chewing up an entire CPU (one of the four 1.8GHz Opterons).

Although the first problem can be explained by some sort of attempt by an ISP to throttle long, large file transfers, I don't have an easy explanation for the second... If I flush the ipfw rules, natd disappears from top's list and the transfer speeds up to about 260Kb/s (still nowhere near the initial 2Mb/s, but much higher than the 10-15Kb/s).

There are two network cards in the machine: nfe0 (external) and bge0 (internal). There is no IPv6 in the picture (world is built with NO_INET6).
The daemon is running as:

    /sbin/natd -redirect_port tcp natasha:ssh 23 -redirect_port tcp isp.mail.ser.ver:smtp 2525 -dynamic -n nfe0

The ipfw rules are derived from the "simple" firewall:

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 deny ip from 192.168.1.0 to any in via nfe0
    00500 deny ip from any to 10.0.0.0/8 via nfe0
    00600 deny ip from any to 172.16.0.0/12 via nfe0
    00700 deny ip from any to 192.168.0.0/16 via nfe0
    00800 deny ip from any to 0.0.0.0/8 via nfe0
    00900 deny ip from any to 169.254.0.0/16 via nfe0
    01000 deny ip from any to 192.0.2.0/24 via nfe0
    01100 deny ip from any to 224.0.0.0/4 via nfe0
    01200 deny ip from any to 240.0.0.0/4 via nfe0
    01300 deny ip from not one.special.foreign.ip to any dst-port 2525
    01400 divert 8668 ip4 from any to any via nfe0
    01500 deny ip from 10.0.0.0/8 to any via nfe0
    01600 deny ip from 172.16.0.0/12 to any via nfe0
    01700 deny ip from 192.168.0.0/16 to any via nfe0
    01800 deny ip from 0.0.0.0/8 to any via nfe0
    01900 deny ip from 169.254.0.0/16 to any via nfe0
    02000 deny ip from 192.0.2.0/24 to any via nfe0
    02100 deny ip from 224.0.0.0/4 to any via nfe0
    02200 deny ip from 240.0.0.0/4 to any via nfe0
    02300 allow tcp from any to any established
    02400 allow ip from any to any frag
    02500 allow tcp from any to me dst-port 22 setup
    02600 allow tcp from any to me dst-port 25 setup
    02700 allow tcp from any to me dst-port 53 setup
    02800 allow udp from any to me dst-port 53
    02900 allow udp from me 53 to any
    03000 allow tcp from any to me dst-port 80 setup
    03100 allow tcp from any to me dst-port 2875-3000 setup
    03200 deny log logamount 100 ip4 from any to any in via nfe0 setup proto tcp
    03300 allow tcp from any to any setup
    03400 allow udp from me to any dst-port 53 keep-state
    03500 allow udp from me to any dst-port 123 keep-state

Please advise. Thanks!

Yours,

-mi
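The ruleset above only works because of where the divert rule sits: packets arriving on nfe0 still carry the public address as destination when they hit rules 00500-01200, and packets leaving on nfe0 still carry the private source when they hit rule 01400, so the "to private" denies must precede the divert and the "from private" denies must follow it. The following is an added example, not code from the original message or from FreeBSD, that reads `ipfw list` output (assumed one rule per line, as printed above) and flags any deny rule on the outside interface that sits on the wrong side of the divert. The sample ruleset is a constructed subset of the rules in the post; the list of non-transit address blocks is taken from those rules, and the interface name nfe0 is the post's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the rules in the post, in `ipfw list` format.
SAMPLE_RULES = """\
00100 allow ip from any to any via lo0
00400 deny ip from 192.168.1.0 to any in via nfe0
00500 deny ip from any to 10.0.0.0/8 via nfe0
00600 deny ip from any to 172.16.0.0/12 via nfe0
00700 deny ip from any to 192.168.0.0/16 via nfe0
00800 deny ip from any to 0.0.0.0/8 via nfe0
00900 deny ip from any to 169.254.0.0/16 via nfe0
01000 deny ip from any to 192.0.2.0/24 via nfe0
01100 deny ip from any to 224.0.0.0/4 via nfe0
01200 deny ip from any to 240.0.0.0/4 via nfe0
01300 deny ip from not one.special.foreign.ip to any dst-port 2525
01400 divert 8668 ip4 from any to any via nfe0
01500 deny ip from 10.0.0.0/8 to any via nfe0
01600 deny ip from 172.16.0.0/12 to any via nfe0
01700 deny ip from 192.168.0.0/16 to any via nfe0
02300 allow tcp from any to any established
02900 allow udp from me 53 to any
03200 deny log logamount 100 ip4 from any to any in via nfe0 setup proto tcp
03400 allow udp from me to any dst-port 53 keep-state
"""

# Address blocks the posted ruleset refuses to carry across the outside interface.
NO_TRANSIT = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class Rule:
    num: int
    action: str
    src: str
    dst: str
    iface: Optional[str]       # interface named by "via", if any
    direction: Optional[str]   # "in", "out", or None when the rule matches both


def parse_rule(line: str) -> Rule:
    """Parse one `ipfw list` line, keeping only the fields the audit needs."""
    head, _, tail = line.partition(" from ")
    src_part, _, dst_part = tail.partition(" to ")
    num, action = int(head.split()[0]), head.split()[1]
    src_tokens = src_part.split()
    src = " ".join(src_tokens[:2]) if src_tokens[0] == "not" else src_tokens[0]
    dst_tokens = dst_part.split()
    dst, opts = dst_tokens[0], dst_tokens[1:]
    iface = opts[opts.index("via") + 1] if "via" in opts else None
    direction = "in" if "in" in opts else ("out" if "out" in opts else None)
    return Rule(num, action, src, dst, iface, direction)


def is_no_transit(token: str) -> bool:
    """True if an address token lies inside one of the NO_TRANSIT blocks."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:          # "any", "me", "me 53", "not host", hostnames
        return False
    return any(net.overlaps(blk) for blk in NO_TRANSIT)


def audit(rules_text: str, ext_if: str) -> List[str]:
    """Check the divert ordering invariants; an empty list means the order is sound."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    diverts = [r for r in rules if r.action == "divert"]
    if not diverts:
        return [f"no divert rule: packets on {ext_if} never reach natd"]
    findings = [f"rule {d.num:05d}: divert is not restricted to 'via {ext_if}'"
                for d in diverts if d.iface != ext_if]
    first_divert = min(d.num for d in diverts)
    for r in rules:
        if r.action != "deny" or r.iface != ext_if:
            continue
        # Inbound packets leave natd with a private destination, so a
        # "deny ... to <private> via ext" placed after divert drops every reply.
        if is_no_transit(r.dst) and r.direction != "out" and r.num > first_divert:
            findings.append(f"rule {r.num:05d}: 'to {r.dst}' deny comes after divert "
                            f"{first_divert:05d} and will drop de-NATed inbound traffic")
        # Outbound packets reach natd with a private source, so a
        # "deny ... from <private> via ext" placed before divert drops all uploads.
        if is_no_transit(r.src) and r.direction != "in" and r.num < first_divert:
            findings.append(f"rule {r.num:05d}: 'from {r.src}' deny comes before divert "
                            f"{first_divert:05d} and will drop untranslated outbound traffic")
    return findings


if __name__ == "__main__":
    print("as posted      ->", audit(SAMPLE_RULES, "nfe0") or "OK")
    print("divert moved up->", audit(SAMPLE_RULES.replace("01400 divert", "00450 divert"), "nfe0"))
```

Feed it `ipfw list` output and the outside interface name; the "in"-only rule 00400 is deliberately exempt, since inbound packets have not been touched by natd yet when it is evaluated. The check says nothing about the natd CPU usage described in the post; it only confirms that the ruleset cannot be dropping NAT traffic on ordering grounds.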