Date:      Thu, 27 Dec 2001 12:38:14 +0000
From:      chkno@dork.com
To:        freebsd-questions@freebsd.org
Subject:   ipfw + natd packet loop
Message-ID:  <20011227123535.VFFS6450.rwcrmhc52.attbi.com@chk.phattydomain.com>

I'm trying to use ipfw pipes to impose bandwidth restrictions in a
natd environment.  I'm having an issue with packets getting caught
up in some kind of loop between natd & the pipe.

I am using the standard dual-nic network topology.  ed1 is the
external interface, rl0 the internal.


Background info:

   # uname -a
   FreeBSD chk.phattydomain.com 4.4-STABLE FreeBSD 4.4-STABLE #1: Sun Dec 23 23:47:23 PST 2001     su@chk.phattydomain.com:/usr/src/sys/compile/CHK  i386
   # grep natd /etc/rc.conf
   natd_enable="YES"
   natd_flags="-use_sockets -same_ports -unregistered_only"
   natd_interface="ed1"
   # ifconfig ed1
   ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
           inet 12.225.230.182 netmask 0xfffffe00 broadcast 255.255.255.255
           ether 00:80:c8:e2:b0:5a
   # ifconfig rl0
   rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
           inet 192.168.151.1 netmask 0xffffff00 broadcast 192.168.151.255
           ether 00:50:bf:43:68:6a
           media: Ethernet autoselect (100baseTX <full-duplex>)
           status: active
   # sysctl net.inet.ip.fw
   net.inet.ip.fw.enable: 1
   net.inet.ip.fw.one_pass: 1
   net.inet.ip.fw.debug: 1
   net.inet.ip.fw.verbose: 0
   net.inet.ip.fw.verbose_limit: 0
   net.inet.ip.fw.dyn_buckets: 256
   net.inet.ip.fw.curr_dyn_buckets: 256
   net.inet.ip.fw.dyn_count: 0
   net.inet.ip.fw.dyn_max: 1000
   net.inet.ip.fw.static_count: 8
   net.inet.ip.fw.dyn_ack_lifetime: 300
   net.inet.ip.fw.dyn_syn_lifetime: 20
   net.inet.ip.fw.dyn_fin_lifetime: 1
   net.inet.ip.fw.dyn_rst_lifetime: 1
   net.inet.ip.fw.dyn_udp_lifetime: 10
   net.inet.ip.fw.dyn_short_lifetime: 5
   net.inet.ip.fw.dyn_grace_time: 10
   # ipfw pipe show
   00010: 120.000 Kbit/s    0 ms    8 sl. 1 queues (1 buckets) droptail
       mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

   Relevant lines of kernel conf:
   options         INET
   device          miibus
   device          rl
   device          ed0     at isa? port 0x280 irq 10 iomem 0xd8000
   pseudo-device   ether
   options         IPFIREWALL
   options         IPFIREWALL_FORWARD
   options         IPDIVERT
   options         DUMMYNET
   options         NMBCLUSTERS=8192

   Relevant lines of dmesg:
   rl0: <RealTek 8139 10/100BaseTX> port 0x7000-0x70ff mem 0x80100000-0x801000ff irq 10 at device 20.0 on pci0
   rl0: Ethernet address: 00:50:bf:43:68:6a
   miibus0: <MII bus> on rl0
   rlphy0: <RealTek internal media interface> on miibus0
   rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
   ed1: <D-Link DE-220P PnP ISA Card> at port 0x240-0x25f irq 3 on isa0
   ed1: address 00:80:c8:e2:b0:5a, type NE2000 (16 bit)



Demonstration:

( XXX.XXX.XXX.XXX is an external address transferring a file from the
firewall machine.)

   # echo;ipfw add 10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out; ipfw zero;sleep 1;ipfw show;sleep 19;echo;ipfw show;ipfw delete 10000

   10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
   Accounting cleared.
   00049 22 15615 count ip from any to any
   00050 22 15615 divert 8668 ip from any to any via ed1
   00051 22 15615 count ip from any to any
   00100  0     0 allow ip from any to any via lo0
   00200  0     0 deny ip from any to 127.0.0.0/8
   00300  0     0 deny ip from 127.0.0.0/8 to any
   10000 10 15000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
   65000 12   615 allow ip from any to any
   65535  0     0 deny ip from any to any

   00049    377    236476 count ip from any to any
   00050    302    202257 divert 8668 ip from any to any via ed1
   00051 514805 771881388 count ip from any to any
   00100      0         0 allow ip from any to any via lo0
   00200      0         0 deny ip from any to 127.0.0.0/8
   00300      0         0 deny ip from 127.0.0.0/8 to any
   10000 514538 771807000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
   65000    267     74388 allow ip from any to any
   65535      0         0 deny ip from any to any
   #


   $ vmstat 3|cut -c55-       # During the above
       faults      cpu
      in   sy  cs us sy id
     258  335  81  0  5 95
     259  341  90  0  2 98
     258  336  88  1  3 97
     258 28460 143  5 46 49
     255 56690 109 10 90  0
     260 57120 111  9 91  0
     264 56505 114 11 89  0
     260 57644 111  8 92  0
     248 58215 109  9 91  0
     271 39266 154  8 63 29
     292  359  93  0  4 96
     315  387 100  0  4 96
     356  419  98  0  5 95


What's going on?
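As an added example (not part of the original post), the shell/awk snippet below diffs the two `ipfw show` snapshots quoted above and flags rules whose packet-count delta dwarfs the delta at the natd divert rule, which each packet crossing ed1 is expected to hit once; the BEFORE/AFTER text is reconstructed from the post, and the 10x ratio is an assumed threshold.

```shell
#!/bin/sh
# Added example, not code from the original post: compare two "ipfw show"
# snapshots and report rules whose packet delta is far larger than the
# delta at the divert (natd) rule. A rule traversed many times per real
# packet is the signature of packets looping between the pipe and ipfw.

# Constructed input: the two snapshots from the post, taken 19 s apart.
BEFORE='00049 22 15615 count ip from any to any
00050 22 15615 divert 8668 ip from any to any via ed1
00051 22 15615 count ip from any to any
10000 10 15000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000 12 615 allow ip from any to any
65535 0 0 deny ip from any to any'
AFTER='00049 377 236476 count ip from any to any
00050 302 202257 divert 8668 ip from any to any via ed1
00051 514805 771881388 count ip from any to any
10000 514538 771807000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000 267 74388 allow ip from any to any
65535 0 0 deny ip from any to any'

# find_loops BEFORE AFTER RATIO
# Prints "rule delta action" for every rule whose packet delta exceeds
# RATIO times the packet delta of the divert rule (assumed threshold).
find_loops() {
    printf '%s\n%s\n' "$1" "$2" | awk -v ratio="$3" '
        { n = $1 + 0; pk = $2 + 0; act = $4 }        # rule, pkts, action
        !(n in first) { first[n] = pk; name[n] = act; order[++k] = n; next }
        { delta[n] = pk - first[n] }                 # second sighting: delta
        $4 == "divert" { base = delta[n] }           # baseline: natd rule
        END {
            for (i = 1; i <= k; i++) {
                n = order[i]
                if (base > 0 && delta[n] > ratio * base)
                    printf "%05d %d %s\n", n, delta[n], name[n]
            }
        }'
}

# Rules 51 and 10000 advanced by ~514k packets while the divert rule
# advanced by 280: both are reported as looping.
find_loops "$BEFORE" "$AFTER" 10
```

On a live box, feed it `ipfw show` captured before and after a transfer instead of the constructed strings.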
