Date: Tue, 16 Jan 2001 13:13:07 -0500 (EST)
From: Ted Wisniewski <ted@wiz.plymouth.edu>
To: freebsd-net@freebsd.org
Subject: Bridging-Firewall/bandwidth limit problem
Message-ID: <200101161813.f0GID7k32443@ness.plymouth.edu>
We have a FreeBSD 4.2-STABLE machine running as a Bridging Firewall and we are
having some difficulties, can anyone give me a pointer, or outright help...
figuring out what is the problem? Details below.

Problem repeatable using different network cards (fxp or xl)

FreeBSD 4.2 stable ipfw/dummynet issues (Kernel Config Below):

Sending selected TCP ports, or selected subnets through dummynet pipes for
bandwidth control, the pipes sometimes get "clogged up", causing all packets
going through the pipe to be dropped. Deleting and re-creating the pipe
clears it up.

We tried assigning selected subnets to pipes via dummynet queues, masking for
host addresses, so that each host address would get a bucket. The system
seemed to ignore the actual mask we gave it and assigned flows to buckets by
4th octet only. The system generated log messages
"... /kernel: == not eligible, size nnnn" and after a while panicked,
rebooted.

This set of rules gets you "clogged" pipes:

    ipfw pipe 1 config bw 512KBytes/s queue 200Kbytes
    ipfw pipe 2 config bw 256KBytes/s queue 100Kbytes
    ipfw add 15130 pipe 1 ip from any to XXX.YYY.208.0/20 recv xl1
    ipfw add 15140 pipe 1 ip from any to XXX.YYY.172.0/22 recv xl1
    ipfw add 15110 pipe 2 ip from XXX.YYY.208.0/20 to any recv xl0
    ipfw add 15120 pipe 2 ip from XXX.YYY.172.0/22 to any recv xl0

This set of rules caused OS-Crash (reboot):

    ipfw pipe 1 config bw 256KBytes/s queue 150Kbytes
    ipfw queue 1 config pipe 1 weight 1 mask src-ip 0x00000FFF buckets 256 queue 75KBytes
    ipfw queue 2 config pipe 1 weight 1 mask src-ip 0x000003FF buckets 128 queue 75KBytes
    ipfw pipe 2 config bw 512KBytes/s queue 300Kbytes
    ipfw queue 3 config pipe 2 weight 1 mask dst-ip 0x00000FFF buckets 256 queue 75KBytes
    ipfw queue 4 config pipe 2 weight 1 mask dst-ip 0x000003FF buckets 128 queue 75KBytes
    ipfw add 16010 queue 1 ip from XXX.YYY.208.0/20 to any recv xl0
    ipfw add 16020 queue 2 ip from XXX.YYY.172.0/22 to any recv xl0
    ipfw add 16030 queue 3 ip from any to XXX.YYY.208.0/20 recv xl1
    ipfw add 16040 queue 4 ip from any to XXX.YYY.172.0/22 recv xl1

In each case traffic flows worked as we had intended for a while before
failure.

Appropriate Settings from /etc/rc.conf:

    bridging_enable="YES"
    bridging_fw_enable="YES"
    portmap_enable="NO"
    firewall_enable="YES"
    firewall_script="/usr/local/etc/firewall/rc.firewall"
    drop_synfin_enable="YES"

extra Sysctls set are:

    sysctl -w net.link.ether.bridge=1
    sysctl -w net.link.ether.bridge_ipfw=1

KERNEL Config file:

    #
    # $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.20 2000/10/31 23:16:07 n_hibma Exp $

    machine         i386
    cpu             I586_CPU
    cpu             I686_CPU
    ident           GENERIC
    maxusers        128

    options         INET                    #InterNETworking
    options         FFS                     #Berkeley Fast Filesystem
    options         FFS_ROOT                #FFS usable as root device [keep this!]
    options         SOFTUPDATES             #Enable FFS soft updates support
    options         CD9660                  #ISO 9660 Filesystem
    options         PROCFS                  #Process filesystem
    options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
    options         UCONSOLE                #Allow users to grab the console
    options         USERCONFIG              #boot -c editor
    options         VISUAL_USERCONFIG       #visual boot -c editor
    options         KTRACE                  #ktrace(1) support
    options         SYSVSHM                 #SYSV-style shared memory
    options         SYSVMSG                 #SYSV-style message queues
    options         SYSVSEM                 #SYSV-style semaphores
    options         P1003_1B                #Posix P1003_1B real-time extensions
    options         _KPOSIX_PRIORITY_SCHEDULING
    options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
    options         DUMMYNET
    options         IPDIVERT
    options         BRIDGE
    options         NMBCLUSTERS=16384
    options         TCP_DROP_SYNFIN
    options         IPSTEALTH               #support for stealth forwarding
    options         TCP_RESTRICT_RST        #restrict emission of TCP RST
    options         ICMP_BANDLIM            #Rate limit bad replies
    options         IPFIREWALL
    options         IPFIREWALL_VERBOSE
    options         IPFIREWALL_FORWARD
    options         IPFIREWALL_DEFAULT_TO_ACCEPT

    device          isa
    device          eisa
    device          pci

    # Floppy drives
    device          fdc0    at isa? port IO_FD1 irq 6 drq 2
    device          fd0     at fdc0 drive 0
    #device         fd1     at fdc0 drive 1

    # ATA and ATAPI devices
    device          ata0    at isa? port IO_WD1 irq 14
    device          ata1    at isa? port IO_WD2 irq 15
    device          ata
    device          atadisk                 # ATA disk drives
    device          atapicd                 # ATAPI CDROM drives
    device          atapifd                 # ATAPI floppy drives
    device          atapist                 # ATAPI tape drives
    options         ATA_STATIC_ID           #Static device numbering
    #options        ATA_ENABLE_ATAPI_DMA    #Enable DMA on ATAPI devices

    # atkbdc0 controls both the keyboard and the PS/2 mouse
    device          atkbdc0 at isa? port IO_KBD
    device          atkbd0  at atkbdc? irq 1 flags 0x1
    device          psm0    at atkbdc? irq 12

    device          vga0    at isa?

    # splash screen/screen saver
    pseudo-device   splash

    # syscons is the default console driver, resembling an SCO console
    device          sc0     at isa? flags 0x100
    options         FAT_CURSOR              # start with block cursor

    # Floating point support - do not disable.
    device          npx0    at nexus? port IO_NPX irq 13

    # Serial (COM) ports
    device          sio0    at isa? port IO_COM1 flags 0x10 irq 4
    device          sio1    at isa? port IO_COM2 irq 3

    # PCI Ethernet NICs that use the common MII bus controller code.
    device          fxp     # Intel EtherExpress PRO/100B (82557, 82558)
    # NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
    device          miibus  # MII bus support
    device          xl      # 3Com 3c90x (``Boomerang'', ``Cyclone'')

    # Pseudo devices - the number indicates how many units to allocated.
    pseudo-device   loop    # Network loopback
    pseudo-device   ether   # Ethernet support
    pseudo-device   pty     # Pseudo-ttys (telnet etc)

    # The `bpf' pseudo-device enables the Berkeley Packet Filter.
    # Be aware of the administrative consequences of enabling this!
    pseudo-device   bpf     #Berkeley packet filter

--
| Ted Wisniewski           INET: ted@oz.plymouth.edu          |
| Computer Services              ted@wiz.plymouth.edu         |
| Plymouth State College         tedw@tigger.plymouth.edu     |
| Plymouth NH, 03264       HTTP: http://oz.plymouth.edu/~ted/ |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
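The post's second rule set hangs on how a dummynet queue mask relates to the subnet a rule names: `mask src-ip 0x00000FFF` keeps exactly the 12 host bits of a /20, `0x000003FF` the 10 host bits of a /22, and `buckets 256` must then absorb up to 4096 distinct keys. The lint below is an added example, not code from the post or from FreeBSD: it parses `ipfw queue ... config` and `ipfw add ... queue` lines of the form shown above, reports when a mask drops host bits (so several hosts share one flow key), when it keeps network bits (constant inside the subnet), when the masked side of the rule is `any` (buckets keyed by remote hosts instead of the local subnet), and how many keys each bucket has to hold. The `XXX.YYY` addresses in the post are obfuscated, so the embedded sample substitutes constructed 10.0.0.0/8 networks; dummynet's own hash function is not reproduced, only the key-space arithmetic.

```python
"""Lint dummynet queue masks against the subnets their ipfw rules carry.

Added example, not from the original post or from FreeBSD. The post's
XXX.YYY networks are obfuscated, so SAMPLE substitutes 10.0.x.x (constructed).
dummynet's real bucket hash is not reproduced; this only counts how many
distinct masked keys a subnet can produce and divides them over the buckets.
"""
import ipaddress
import re
from dataclasses import dataclass

QUEUE_RE = re.compile(
    r"ipfw queue (?P<q>\d+) config pipe (?P<pipe>\d+) weight \d+ "
    r"mask (?P<field>src-ip|dst-ip) (?P<mask>0x[0-9a-fA-F]+) buckets (?P<buckets>\d+)"
)
RULE_RE = re.compile(
    r"ipfw add (?P<num>\d+) queue (?P<q>\d+) ip from (?P<src>\S+) to (?P<dst>\S+)"
)

# Constructed stand-in for the post's second (crashing) rule set.
SAMPLE = """\
ipfw pipe 1 config bw 256KBytes/s queue 150Kbytes
ipfw queue 1 config pipe 1 weight 1 mask src-ip 0x00000FFF buckets 256 queue 75KBytes
ipfw queue 2 config pipe 1 weight 1 mask src-ip 0x000003FF buckets 128 queue 75KBytes
ipfw pipe 2 config bw 512KBytes/s queue 300Kbytes
ipfw queue 3 config pipe 2 weight 1 mask dst-ip 0x00000FFF buckets 256 queue 75KBytes
ipfw queue 4 config pipe 2 weight 1 mask dst-ip 0x000003FF buckets 128 queue 75KBytes
ipfw add 16010 queue 1 ip from 10.0.208.0/20 to any recv xl0
ipfw add 16020 queue 2 ip from 10.0.172.0/22 to any recv xl0
ipfw add 16030 queue 3 ip from any to 10.0.208.0/20 recv xl1
ipfw add 16040 queue 4 ip from any to 10.0.172.0/22 recv xl1
"""


@dataclass
class Queue:
    num: int
    pipe: int
    field: str      # "src-ip" or "dst-ip"
    mask: int       # 32-bit mask applied to that address before hashing
    buckets: int


def parse(text):
    """Return ({queue number: Queue}, [(rule number, queue number, src, dst)])."""
    queues, rules = {}, []
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            q = Queue(int(m["q"]), int(m["pipe"]), m["field"],
                      int(m["mask"], 16), int(m["buckets"]))
            queues[q.num] = q
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m["num"]), int(m["q"]), m["src"], m["dst"]))
    return queues, rules


def dotted(mask):
    """Render a 32-bit mask in the dotted form ipfw also accepts."""
    return str(ipaddress.IPv4Address(mask & 0xFFFFFFFF))


def mask_coverage(mask, prefixlen):
    """Split a mask into (host bits kept, host bits dropped, network bits kept)."""
    host = (1 << (32 - prefixlen)) - 1
    return mask & host, host & ~mask, mask & ~host & 0xFFFFFFFF


def flow_keys(mask, prefixlen):
    """Number of distinct masked values the subnet's hosts can produce."""
    kept, _, _ = mask_coverage(mask, prefixlen)
    return 1 << bin(kept).count("1")


def check_rule(rule, queues):
    """Findings for one 'ipfw add N queue Q ip from A to B' rule."""
    num, qnum, src, dst = rule
    q = queues.get(qnum)
    if q is None:
        return [f"rule {num}: queue {qnum} is not configured"]
    side = src if q.field == "src-ip" else dst
    if side == "any":
        # The masked side is the remote one, not the local subnet the rule names.
        return [f"rule {num}: queue {qnum} masks {q.field} but that side is 'any'; "
                f"buckets will be keyed by remote hosts"]
    net = ipaddress.ip_network(side, strict=False)
    _, dropped, network = mask_coverage(q.mask, net.prefixlen)
    out = []
    if dropped:
        out.append(f"rule {num}: mask {dotted(q.mask)} drops host bits "
                   f"{dotted(dropped)} of {net}; those hosts share one flow key")
    if network:
        out.append(f"rule {num}: mask {dotted(q.mask)} keeps network bits "
                   f"{dotted(network)}, constant inside {net}")
    keys = flow_keys(q.mask, net.prefixlen)
    per_bucket = -(-keys // q.buckets)        # ceiling division
    out.append(f"rule {num}: {keys} possible flow keys over {q.buckets} buckets "
               f"(>= {per_bucket} keys per bucket when every host is active)")
    return out


def lint(text):
    queues, rules = parse(text)
    return [f for r in rules for f in check_rule(r, queues)]


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
    # A fourth-octet-only mask on a /20: 16 hosts collapse onto each key.
    print(dotted(0xFF), mask_coverage(0xFF, 20), flow_keys(0xFF, 20))
```

Run against the sample, every rule passes the coverage checks and only the capacity line is reported (4096 keys over 256 buckets, 1024 over 128). Feeding it `mask src-ip 0x000000FF` on the same /20 shows the symptom the post describes, keys distinguished by the fourth octet only: host bits `0.0.15.0` are dropped and 16 addresses share each key.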