From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 8 05:31:00 2010
From: Ian Smith
To: Michael
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 8 Aug 2010 15:30:57 +1000 (EST)
Subject: Re: nat and dynamic external address
Message-ID: <20100808144342.U66749@sola.nimnet.asn.au>
In-Reply-To: <4C5A58FE.2050704@gmail.com>

On Thu, 5 Aug 2010, Michael wrote:

> Am I right thinking that "if interface" and "reset" parameters should be
> enough to handle changing address (DHCP) on external interface?

In theory.

> My rules:
>
> ipfw -q nat 1 config reset if $if_ext log same_ports
> ipfw -q add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
> ipfw -q add nat 1 udp from $dns to me in recv $if_ext
>
> They work fine only when $if_ext gets its IP address during system boot-up.
> If the DHCP server is unavailable at the time the rules are loaded then ipfw says:
>
> ipfw: cannot get interface name
>
> (The same happens without the "SYNCDHCP" option for ipfw in rc.conf)
> It loads all rules anyway. Now after DHCP becomes available and $ext_if gets
> its IP address it turns out that NAT is still not working. I have to
> manually reload the same ruleset.
>
> Any ideas how to solve that problem?

Michael, you're only releasing snippets of information at a time. This came
from a discussion in freebsd-jail, and it was my advice to post to -ipfw
rather than -jail if it became more complicated:

http://lists.freebsd.org/pipermail/freebsd-jail/2010-August/001348.html

Only in your later message to -jail and your post to -questions quoted below
did you reveal that this involved a wlan interface, and your issue with your
access point / DHCP server being offline when you boot (which perhaps
suggests a "then don't do it that way" solution?)

======= from freebsd-questions digest =======

Date: Wed, 04 Aug 2010 20:25:42 +0100
From: Michael
Subject: ipfw and changing IP address (dhcp)
To: freebsd-questions@freebsd.org
Message-ID: <4C59BEB6.8050101@gmail.com>

Hello,

I'm using ipfw on my laptop running 8.1R amd64. The IP address of its
external interface (wlan0) is assigned by the DHCP server on my home
broadband access point. Everything works fine when the access point is up
and running, but if I boot my FreeBSD laptop when the access point (DHCP
server) is down then obviously my laptop gets no IP. ipfw complains that it
"cannot get interface name" and loads the firewall rules anyway. Now after
some time the access point becomes available and FreeBSD gets an IP address
automatically, but I still have to manually reload the same ipfw ruleset to
get internet access.

I am using "me" in all of my firewall rules, for example:

$cmd 20010 allow icmp from me to any out via $if_ext keep-state

Is there anything I have forgotten about? Or ipfw simply can't handle such
situations?

=======

I know only what I've read about setting up wlan interfaces (no wireless
here since FreeBSD 5.5 days) so I can't say whether or not you could
successfully configure it with an initial IP address before DHCP assigns
one, as you can with a normal ethernet interface, which might address the
issue of wlan0 having no address while loading your ipfw ruleset?

So whether this really points to a bug in ipfw nat (re not resetting NAT
rules when the interface address changes) or whether this is some issue
with wlan, or wlan config (possibly involving what we haven't yet seen,
maybe either dhclient and/or wpa_supplicant config) I won't dare to
speculate.

I _can_ say that if you provide specific information (relevant rc.conf
settings, all wlan and dhclient config, ifconfig and netstat information at
the time the problem occurs) as well as purely verbal descriptions, you'll
have a better chance of someone spotting the problem, which, while not
discounting the possibility of a bug, seems likely to be a config issue.
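One way to make the reload Michael is doing by hand happen automatically, as an added example (editor's code, not from this thread or from FreeBSD's own scripts): a /etc/dhclient-exit-hooks fragment that re-creates the nat instance once dhclient has actually bound an address on the external interface. dhclient-script(8) sources this file with $reason, $interface and $new_ip_address set; wlan0 as the interface and the "log same_ports" options are assumed from the rules quoted above.

```shell
#!/bin/sh
# Added example: /etc/dhclient-exit-hooks fragment (not from the thread).
# dhclient-script(8) sources this file after every lease event with
# $reason, $interface and $new_ip_address already set by dhclient.
# The interface name is an assumption taken from the post above.

if_ext="${if_ext:-wlan0}"        # assumed external (DHCP) interface

# Return 0 only for events on $if_ext that (re)assign its address.
# EXPIRE/FAIL/TIMEOUT and events on other interfaces return 1, so the
# nat instance is not rebuilt when nothing useful has changed.
should_reload_nat() {
    _reason="$1"
    _iface="$2"
    [ "$_iface" = "$if_ext" ] || return 1
    case "$_reason" in
        BOUND|RENEW|REBIND|REBOOT) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Re-run the same "nat 1 config" line the poster uses.  Reconfiguring an
# existing instance is allowed by ipfw(8) and makes libalias pick up the
# address the interface now has; the "add nat 1 ..." rules stay as loaded.
reload_nat() {
    ipfw -q nat 1 config reset if "$if_ext" log same_ports
}

if should_reload_nat "${reason:-}" "${interface:-}"; then
    logger -t dhclient-exit-hooks \
        "ipfw nat 1: reconfiguring for $if_ext (${new_ip_address:-?})"
    reload_nat
fi
```

Because the hook only acts on BOUND/RENEW/REBIND/REBOOT for the named interface, a boot with the access point down simply leaves nat untouched until the first real lease arrives.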
cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 9 11:06:58 2010
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 9 Aug 2010 11:06:57 GMT
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-Id: <201008091106.o79B6v6a049033@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/148928  ipfw   [ipfw] Problem with loading of ipfw NAT rules during s
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148429  ipfw   net.inet.ip.dummynet.io_fast broken or documentation i
o kern/148157  ipfw   [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw   [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw   [ipfw] call order of natd and ipfw startup scripts
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw   [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw   [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw   [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw   [ipfw] ipfw nat does not follow its documentation
o kern/144869  ipfw   [ipfw] [panic] Instant kernel panic when adding NAT ru
o kern/144269  ipfw   [ipfw] problem with ipfw tables
o kern/144187  ipfw   [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw   [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw   [ipfw] ipfw table contains the same address
f kern/142951  ipfw   [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

79 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 10 21:03:20 2010
From: napTu 3aH
To: freebsd-ipfw@freebsd.org
Date: Wed, 11 Aug 2010 00:34:53 +0400
Subject: traffic bandwidth limit with dummynet
Message-Id: <125e044817534e9d9a74b38941a808c1e664050f@mail.qip.ru>

>thank you luigi,
>your explanation really cleared everything out for me.
>i changed my pipe 1 config to:
>ipfw pipe 1 config bw 800Mbits/s queue 200K
>and set HZ to 4000
>and this solved my problem completely.
>i checked limitations with various values between 400Mbits/s to more than 1000Mbits/s and it works like a charm.
>(the problem was when i set queue to 80MBytes, queue value was actually set to "80 slots")
>
>thanks again luigi.

Please look at the PR on a similar problem with dummynet:
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/147245

Here the maximum shaping speed is limited to 11.999Mbit/s with HZ=1000 and
net.inet.ip.dummynet.io_fast:1; higher values do not shape traffic anymore.

Second problem: the pipe does not work correctly when downloading traffic to
one ip,port from multiple sources.

With HZ=2000, the maximum shaping speed is limited to 23.999Mbit/s.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 12 16:27:56 2010
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Thu, 12 Aug 2010 16:27:56 GMT
Subject: Re: kern/149572: [ipfw] ipfw kernel nat not working properly
Message-Id: <201008121627.o7CGRu9u063263@freefall.freebsd.org>

Old Synopsis: ipfw kernel nat not working properly
New Synopsis: [ipfw] ipfw kernel nat not working properly

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Aug 12 16:27:44 UTC 2010
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=149572