Date:      Sat, 9 Nov 2002 21:18:07 +0100
From:      Bartek Marcinkiewicz <jr@rzeznia.eu.org>
To:        freebsd-net@freebsd.org
Subject:   ipfw dummynet and ipfilter conflict?
Message-ID:  <20021109201807.GB3529@rzeznia.eu.org>


Hello.

I use ipfilter to do NAT and stateful IP filtering and I really like it.
I use dummynet to limit bandwidth and I really like it too.

The problem is they don't work together in a specific situation.

My ipf.rules (simplified):

block in log all
block out log all
pass out quick on ppp0 proto tcp all flags S keep state keep frags
pass out quick on ppp0 proto udp all keep state keep frags
pass out quick on ppp0 proto icmp all keep state keep frags

ipfw configuration (excluding counters):

ipfw add pipe 1 tcp from any 1025-2400 to any out
ipfw pipe 1 config bw 4Kbytes/s
ipfw add pipe 2 tcp from any 20 to any out
ipfw pipe 2 config bw 3Kbytes/s
ipfw allow all from any to any

So I noticed that ipfilter isn't keeping state correctly on outgoing
TCP connections when the above ipfw rules are in place.
For example, ipfstat -t shows connections that are never fully established;
they stop at 4/3. There is no data exchange. I observed that:

gateway.36023 -> mailhost.25 S
mailhost.25 -> gateway.36023 SA
mailhost.25 -> gateway.36023 SA
 
and the connection is not established. In ipflog we can see:
ppp0: @0:7 b 217.96.180.81,36023 -> 213.180.130.33,25 PR tcp len 20 52 -AF OUT

The packet was blocked, but it shouldn't be. I can successfully connect to
this mailhost if I put "ipfw add allow ip from any to any" before the
"ipfw add pipe ..." rules.

Summarizing: when I try to limit bandwidth, I can't use TCP with keep state.
Precisely: I can't use TCP from hosts behind the gateway (NAT); I can establish
TCP connections from the gateway itself.

I don't think an exhausted state table is the case here. Even after I had
done ipf -FSs, TCP didn't work.

Perhaps I'm missing something obvious (I have spent too much time on this problem);
I will be very grateful for every idea, explanation, hint or solution.

Best regards, B.
PS. I'm attaching the relevant tcpdump, ipfstat -s and ipnat -s output.

[attachment: ipfstat-s]

# ipfstat -s
IP states added:
	10111 TCP
	3335 UDP
	5330 ICMP
	1017243 hits
	654090 misses
	0 maximum
	0 no memory
	526 bkts in use
	545 active
	8665 expired
	9566 closed

# ipnat -s
mapped	in	140179	out	138894
added	11916	expired	11343
no memory	0	bad nat	0
inuse	573
rules	15
wilds	0

[attachment: mailhost]

20:54:54.835061 217.96.180.81.37836 > 213.180.130.33.25: S 1001007946:1001007946(0) win 16060 <mss 1460,sackOK,timestamp 4975732 0,nop,wscale 0> (DF) [tos 0x10] 
20:54:54.877479 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0) ack 1001007947 win 10136 <nop,nop,timestamp 1129079898 4975732,nop,wscale 0,nop,nop,sackOK,mss 1460> (DF)
20:54:58.243475 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0) ack 1001007947 win 10136 <nop,nop,timestamp 1129080235 4975732,nop,wscale 0,nop,nop,sackOK,mss 1460> (DF)
20:55:04.964428 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0) ack 1001007947 win 10136 <nop,nop,timestamp 1129080910 4975732,nop,wscale 0,nop,nop,sackOK,mss 1460> (DF)

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021109201807.GB3529>
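Added example, not part of the post and not FreeBSD code: a small Python script that reads tcpdump and ipmon lines in the formats quoted above, flags handshakes where the server's SYN-ACK was retransmitted but the client's final ACK never appeared on the wire, and checks whether ipfilter logged an outbound block for the same host pair. The sample input is constructed from the lines in the post; the ipflog entry comes from a different attempt (client port 36023), so matching is by hosts and service port rather than by client port.

```python
import re
from collections import defaultdict
# Constructed sample input: the tcpdump and ipflog lines quoted in the post
# (the ipflog entry is from an earlier attempt, hence the different source port).
TCPDUMP = """\
20:54:54.835061 217.96.180.81.37836 > 213.180.130.33.25: S 1001007946:1001007946(0) win 16060 <mss 1460,sackOK> (DF) [tos 0x10]
20:54:54.877479 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0) ack 1001007947 win 10136 (DF)
20:54:58.243475 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0) ack 1001007947 win 10136 (DF)
20:55:04.964428 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0) ack 1001007947 win 10136 (DF)
"""
IPFLOG = "ppp0: @0:7 b 217.96.180.81,36023 -> 213.180.130.33,25 PR tcp len 20 52 -AF OUT\n"
# tcpdump 3.x TCP line "time src.port > dst.port: FLAGS rest"; ipmon line
# "iface: @group:rule action src,port -> dst,port PR proto ... DIR".
TCPDUMP_RE = re.compile(r"^(\S+) ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): ([SFRP.]+)(.*)$")
IPFLOG_RE = re.compile(r"^(\S+): @\S+ (\w) ([\d.]+),(\d+) -> ([\d.]+),(\d+) PR (\w+) .* (IN|OUT)$")

def stalled_handshakes(text):
    """Flows (client, server) with a SYN, >= 2 SYN-ACKs and no client ACK seen."""
    syn, synack, acked = set(), defaultdict(int), set()
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m: continue
        _, src, sport, dst, dport, flags, rest = m.groups()
        has_ack = " ack " in rest
        if flags == "S" and not has_ack:  # client SYN
            syn.add((f"{src}.{sport}", f"{dst}.{dport}"))
        elif flags == "S":  # server SYN-ACK, keyed as (client, server)
            synack[(f"{dst}.{dport}", f"{src}.{sport}")] += 1
        elif has_ack:  # any later ACK from the client completes the handshake
            acked.add((f"{src}.{sport}", f"{dst}.{dport}"))
    return {k: n for k, n in synack.items() if k in syn and k not in acked and n >= 2}

def blocked_outbound(text):
    """(src host, dst host, dst port) that ipfilter logged as blocked on the way OUT."""
    out = set()
    for line in text.splitlines():
        m = IPFLOG_RE.match(line)
        if m and m.group(2) == "b" and m.group(8) == "OUT":
            out.add((m.group(3), m.group(5), int(m.group(6))))
    return out

def diagnose(tcpdump_text, ipflog_text):
    """Pair each stalled handshake with a logged outbound block for the same host pair."""
    blocked = blocked_outbound(ipflog_text)
    findings = []
    for (client, server), n in stalled_handshakes(tcpdump_text).items():
        shost, svc_port = server.rsplit(".", 1)
        chost = client.rsplit(".", 1)[0]
        findings.append((client, server, n, (chost, shost, int(svc_port)) in blocked))
    return findings
```

A finding with the last field True means the client's handshake ACK never left the gateway because ipfilter dropped it, which is exactly the symptom the post describes; a stalled flow with no matching block entry points elsewhere (upstream loss or a silently dropping rule).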