From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 7 12:40:14 2013
Date: Thu, 7 Feb 2013 23:40:04 +1100 (EST)
From: Ian Smith
To: "Eggert, Lars"
Cc: "freebsd-net@freebsd.org", freebsd-ipfw@freebsd.org, Matthew Luckie
Subject: Re: high cpu usage on natd / dhcpd
Message-ID: <20130207231943.O21988@sola.nimnet.asn.au>
References: <510A87B8.7000705@luckie.org.nz>
List-Id: IPFW Technical Discussions

On Thu, 7 Feb 2013 08:08:59 +0000, Eggert, Lars wrote:
> On Jan 31, 2013, at 16:03, Matthew Luckie wrote:
> >
> > 00510 allow ip from me to not me out via em1
> > 00550 divert 8668 ip from any to any via em1
> >
> > Rule 510 fixes it.
>
> Yep, it does. Can I ask someone to commit this to rc.firewall?

The ruleset Matthew posted bears no resemblance to rc.firewall, so I don't see that (or how) it solves any generic problem.

> (And I wonder if the rules for the ipfw kernel firewall need a
> similar addition, because the system locks up under heavy network
> load if I use that instead of natd.)
>
> Lars

Which rc.firewall ruleset are you referring to?
There certainly are problems with the 'simple' ruleset relating to use of $natd_enable vs $firewall_nat_enable (not to mention the denial of ALL icmp traffic) that I posted patches to a couple of years ago in ipfw@ to rc.firewall and /etc/rc.d/{ipfw,natd} addressing about 4 PRs .. sadly to no avail.

I suggest following up to ipfw@ (cc'd) rather than net@

cheers, Ian