From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 10 18:27:22 2010
From: Hajimu UMEMOTO
To: David Horn
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-ipfw@freebsd.org
Date: Mon, 11 Jan 2010 03:27:13 +0900
Subject: Re: Unified rc.firewall ipfw me/me6 issue

Hi,

>>>>> On Sat, 2 Jan 2010 20:36:45 -0500
>>>>> David Horn said:

> dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
> dhorn2000> rc.firewall flow.
>
> Here is my proposed patch.  With this patch, 'me' matches both IPv4
> and IPv6, and 'me4' is added for matching only IPv4.

dhorn2000> The patch for me4/me6 works perfectly in my testing to date. I guess
dhorn2000> we would need to convince a larger audience to get consensus on
dhorn2000> changing the behavior for "me" token from just ipv4 to both ipv4/ipv6,
dhorn2000> but I personally think it is the right direction.

Thank you for testing.
I've added current@ and net@ to Cc:.
It makes the IPv4/IPv6 dual stack rule definitely simpler that 'me'
matches both IPv4 and IPv6. I think it is a desired feature.
However, I'm not sure we actually need 'me4'. So, I split my previous
patch into two patches. The 1st patch makes 'me' match both IPv4
and IPv6. The 2nd patch adds 'me4'.
If there is no objection, I'll commit the 1st patch. If someone wants
'me4', I'll commit the 2nd patch.
And, the 3rd patch is for rc.firewall.

dhorn2000> ipfw(8) man page already shows:
dhorn2000> me matches any IP address configured on an interface in the
dhorn2000> system.
dhorn2000> me6 matches any IPv6 address configured on an interface in
dhorn2000> the system. The address list is evaluated at the time
dhorn2000> the packet is analysed.

I wish to believe this description about 'me' is correct. But, I'm not
sure whether it is a feature or not. It might be that someone forgot to
change it at the time when IPv6 support was added to IPFW.

Sincerely,

[Attachment: ipfw-me-unify.diff]
Index: sys/netinet/ipfw/ip_fw2.c
diff -u -p sys/netinet/ipfw/ip_fw2.c.orig sys/netinet/ipfw/ip_fw2.c
--- sys/netinet/ipfw/ip_fw2.c.orig 2010-01-05 04:01:22.000000000 +0900
+++ sys/netinet/ipfw/ip_fw2.c 2010-01-08 12:30:31.039834764 +0900
@@ -1390,7 +1390,14 @@ do { \ INADDR_TO_IFP(src_ip, tif); match = (tif != NULL); + break; } + /* FALLTHROUGH */ +#ifdef INET6 + case O_IP6_SRC_ME: + match = is_ipv6 && + search_ip6_addr_net(&args->f_id.src_ip6); +#endif break; case O_IP_DST_SET: @@ -1423,7 +1430,14 @@ do { \ INADDR_TO_IFP(dst_ip, tif); match = (tif != NULL); + break; } + /* FALLTHROUGH */ +#ifdef INET6 + case O_IP6_DST_ME: + match = is_ipv6 && + search_ip6_addr_net(&args->f_id.dst_ip6); +#endif break; case O_IP_SRCPORT: @@ -1691,14 +1705,6 @@ do { \ } break; - case O_IP6_SRC_ME: - match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6); - break; - - case O_IP6_DST_ME: - match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6); - break; - case O_FLOW6ID: match = is_ipv6 && flow6id_match(args->f_id.flow_id6, --Multipart_Mon_Jan_11_03:27:13_2010-1 Content-Type: text/x-patch; type=patch; charset=US-ASCII Content-Disposition: attachment; filename="ipfw-me4.diff" Content-Transfer-Encoding: 7bit Index: sbin/ipfw/ipfw.8 diff -u sbin/ipfw/ipfw.8.orig sbin/ipfw/ipfw.8 --- sbin/ipfw/ipfw.8.orig 2009-12-15 18:46:27.000000000 +0900 +++ sbin/ipfw/ipfw.8 2010-01-08 12:33:36.117724529 +0900 @@ -1003,7 +1003,7 @@ its use is discouraged. .It Ar addr : Oo Cm not Oc Bro .Bl -tag -width indent -.Cm any | me | me6 | +.Cm any | me | me4 | me6 | .Cm table Ns Pq Ar number Ns Op , Ns Ar value .Ar | addr-list | addr-set .Brc @@ -1011,6 +1011,8 @@ matches any IP address. .It Cm me matches any IP address configured on an interface in the system. +.It Cm me4 +matches any IPv4 address configured on an interface in the system. .It Cm me6 matches any IPv6 address configured on an interface in the system. The address list is evaluated at the time the packet is Index: sbin/ipfw/ipfw2.c diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c --- sbin/ipfw/ipfw2.c.orig 2009-12-15 18:46:27.000000000 +0900 +++ sbin/ipfw/ipfw2.c 2010-01-08 12:33:36.037713520 +0900 
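Review bot: the ip_fw2.c hunks of ipfw-me-unify.diff above (@@ -1390 and @@ -1423) change what every existing `me` rule matches: on a dual-stack host a rule like `allow tcp from any to me 22` now also admits IPv6 peers, so the change needs an UPDATING entry and a sentence in the ipfw(8) `me` description, neither of which this diff touches, so that administrators know to re-audit rule sets that relied on `me` being IPv4-only. On a style point, the new `/* FALLTHROUGH */` comment sits outside the `#ifdef INET6` block; with INET6 undefined the code falls through to the plain `break`, so move the comment inside the `#ifdef` to keep it accurate.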
@@ -768,6 +768,10 @@ print_ip(ipfw_insn_ip *cmd, char const * printf("me"); return; } + if (cmd->o.opcode == O_IP4_SRC_ME || cmd->o.opcode == O_IP4_DST_ME) { + printf("me4"); + return; + } if (cmd->o.opcode == O_IP_SRC_LOOKUP || cmd->o.opcode == O_IP_DST_LOOKUP) { printf("table(%u", ((ipfw_insn *)cmd)->arg1); @@ -1187,6 +1191,7 @@ show_ipfw(struct ip_fw *rule, int pcwidt case O_IP_SRC_LOOKUP: case O_IP_SRC_MASK: case O_IP_SRC_ME: + case O_IP4_SRC_ME: case O_IP_SRC_SET: show_prerequisites(&flags, HAVE_PROTO, 0); if (!(flags & HAVE_SRCIP)) @@ -1202,6 +1207,7 @@ show_ipfw(struct ip_fw *rule, int pcwidt case O_IP_DST_LOOKUP: case O_IP_DST_MASK: case O_IP_DST_ME: + case O_IP4_DST_ME: case O_IP_DST_SET: show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0); if (!(flags & HAVE_DSTIP)) @@ -1972,6 +1978,12 @@ fill_ip(ipfw_insn_ip *cmd, char *av) return; } + if (strcmp(av, "me4") == 0) { + cmd->o.opcode = O_IP4_DST_ME; + cmd->o.len |= F_INSN_SIZE(ipfw_insn); + return; + } + if (strncmp(av, "table(", 6) == 0) { char *p = strchr(av + 6, ','); @@ -2478,6 +2490,8 @@ add_srcip(ipfw_insn *cmd, char *av) cmd->opcode = O_IP_SRC_SET; else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ cmd->opcode = O_IP_SRC_LOOKUP; + else if (cmd->opcode == O_IP4_DST_ME) /* me4 */ + cmd->opcode = O_IP4_SRC_ME; else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* me */ cmd->opcode = O_IP_SRC_ME; else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32)) /* one IP */ @@ -2495,6 +2509,8 @@ add_dstip(ipfw_insn *cmd, char *av) ; else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ ; + else if (cmd->opcode == O_IP4_DST_ME) /* me4 */ + ; else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* me */ cmd->opcode = O_IP_DST_ME; else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32)) /* one IP */ 
@@ -2534,7 +2550,7 @@ add_src(ipfw_insn *cmd, char *av, u_char ret = add_srcip6(cmd, av); /* XXX: should check for IPv4, not !IPv6 */ if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 || - !inet_pton(AF_INET6, host, &a))) + strcmp(av, "me4") == 0 || !inet_pton(AF_INET6, host, &a))) ret = add_srcip(cmd, av); if (ret == NULL && strcmp(av, "any") != 0) ret = cmd; @@ -2560,7 +2576,7 @@ add_dst(ipfw_insn *cmd, char *av, u_char ret = add_dstip6(cmd, av); /* XXX: should check for IPv4, not !IPv6 */ if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 || - !inet_pton(AF_INET6, host, &a))) + strcmp(av, "me4") == 0 || !inet_pton(AF_INET6, host, &a))) ret = add_dstip(cmd, av); if (ret == NULL && strcmp(av, "any") != 0) ret = cmd; Index: sys/netinet/ip_fw.h diff -u sys/netinet/ip_fw.h.orig sys/netinet/ip_fw.h --- sys/netinet/ip_fw.h.orig 2009-12-23 04:01:47.000000000 +0900 +++ sys/netinet/ip_fw.h 2010-01-08 12:33:36.157742465 +0900 @@ -166,6 +166,8 @@ O_ALTQ, /* u32 = altq classif. qid */ O_DIVERTED, /* arg1=bitmap (1:loop, 2:out) */ O_TCPDATALEN, /* arg1 = tcp data len */ + O_IP4_SRC_ME, /* none */ + O_IP4_DST_ME, /* none */ O_IP6_SRC, /* address without mask */ O_IP6_SRC_ME, /* my addresses */ O_IP6_SRC_MASK, /* address with the mask */ Index: sys/netinet/ipfw/ip_fw2.c diff -u -p sys/netinet/ipfw/ip_fw2.c.orig sys/netinet/ipfw/ip_fw2.c --- sys/netinet/ipfw/ip_fw2.c.orig 2010-01-08 12:30:31.039834764 +0900 +++ sys/netinet/ipfw/ip_fw2.c 2010-01-08 12:38:30.778824466 +0900 @@ -1385,6 +1385,7 @@ do { \ break; case O_IP_SRC_ME: + case O_IP4_SRC_ME: if (is_ipv4) { struct ifnet *tif; @@ -1392,6 +1393,8 @@ do { \ match = (tif != NULL); break; } + if (cmd->opcode == O_IP4_SRC_ME) + break; /* FALLTHROUGH */ #ifdef INET6 case O_IP6_SRC_ME: @@ -1425,6 +1428,7 @@ do { \ break; case O_IP_DST_ME: + case O_IP4_DST_ME: if (is_ipv4) { struct ifnet *tif; 
@@ -1432,6 +1436,8 @@ do { \ match = (tif != NULL); break; } + if (cmd->opcode == O_IP4_DST_ME) + break; /* FALLTHROUGH */ #ifdef INET6 case O_IP6_DST_ME: Index: sys/netinet/ipfw/ip_fw_sockopt.c diff -u -p sys/netinet/ipfw/ip_fw_sockopt.c.orig sys/netinet/ipfw/ip_fw_sockopt.c --- sys/netinet/ipfw/ip_fw_sockopt.c.orig 2010-01-07 19:08:05.000000000 +0900 +++ sys/netinet/ipfw/ip_fw_sockopt.c 2010-01-08 12:33:36.237826387 +0900 @@ -529,6 +529,8 @@ check_ipfw_struct(struct ip_fw *rule, in case O_VERSRCREACH: case O_ANTISPOOF: case O_IPSEC: + case O_IP4_SRC_ME: + case O_IP4_DST_ME: #ifdef INET6 case O_IP6_SRC_ME: case O_IP6_DST_ME: --Multipart_Mon_Jan_11_03:27:13_2010-1 Content-Type: text/x-patch; type=patch; charset=US-ASCII Content-Disposition: attachment; filename="rc.firewall-me-unify.diff" Content-Transfer-Encoding: 7bit Index: etc/defaults/rc.conf diff -u etc/defaults/rc.conf.orig etc/defaults/rc.conf --- etc/defaults/rc.conf.orig 2010-01-02 04:09:40.000000000 +0900 +++ etc/defaults/rc.conf 2010-01-08 18:08:10.227416014 +0900 @@ -143,9 +143,7 @@ firewall_allowservices="" # List of IPs which have access to # $firewall_myservices for "workstation" # firewall. -firewall_trusted="" # List of IPv4s which have full access to this - # host for "workstation" firewall. -firewall_trusted_ipv6="" # List of IPv6s which have full access to this +firewall_trusted="" # List of IPs which have full access to this # host for "workstation" firewall. firewall_logdeny="NO" # Set to YES to log default denied incoming # packets for "workstation" firewall. Index: etc/rc.firewall diff -u etc/rc.firewall.orig etc/rc.firewall --- etc/rc.firewall.orig 2010-01-08 18:07:55.805178124 +0900 +++ etc/rc.firewall 2010-01-08 18:08:42.558168213 +0900 
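Review bot: the sys/netinet/ip_fw.h hunk of ipfw-me4.diff above (@@ -166,6 +166,8 @@) inserts `O_IP4_SRC_ME` and `O_IP4_DST_ME` ahead of `O_IP6_SRC`, which renumbers every opcode that follows them in the enum; an /sbin/ipfw and a kernel (or ipfw module) built from different revisions will then disagree on how rules are encoded. Append the two opcodes at the end of the enum instead, or state in UPDATING and the commit message that ipfw(8) and the kernel must be rebuilt together.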
@@ -212,8 +212,8 @@ ${fwcmd} add pass all from me to ${net} ${fwcmd} add pass all from ${net} to me if [ -n "$net6" ]; then - ${fwcmd} add pass all from me6 to ${net6} - ${fwcmd} add pass all from ${net6} to me6 + ${fwcmd} add pass all from me to ${net6} + ${fwcmd} add pass all from ${net6} to me fi if [ -n "$net6" ]; then @@ -221,7 +221,7 @@ ${fwcmd} add pass all from fe80::/10 to ff02::/16 ${fwcmd} add pass all from ${net6} to ff02::/16 # Allow DHCPv6 - ${fwcmd} add pass udp from fe80::/10 to me6 546 + ${fwcmd} add pass udp from fe80::/10 to me 546 fi # Allow TCP through if setup succeeded @@ -232,30 +232,18 @@ # Allow setup of incoming email ${fwcmd} add pass tcp from any to me 25 setup - if [ -n "$net6" ]; then - ${fwcmd} add pass tcp from any to me6 25 setup - fi # Allow setup of outgoing TCP connections only ${fwcmd} add pass tcp from me to any setup - if [ -n "$net6" ]; then - ${fwcmd} add pass tcp from me6 to any setup - fi # Disallow setup of all other TCP connections ${fwcmd} add deny tcp from any to any setup # Allow DNS queries out in the world ${fwcmd} add pass udp from me to any 53 keep-state - if [ -n "$net6" ]; then - ${fwcmd} add pass udp from me6 to any 53 keep-state - fi # Allow NTP queries out in the world ${fwcmd} add pass udp from me to any 123 keep-state - if [ -n "$net6" ]; then - ${fwcmd} add pass udp from me6 to any 123 keep-state - fi # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel 
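Review bot: the rc.firewall hunks above (@@ -212 and @@ -221) replace `me6` with `me` for the ${net6} peers and the DHCPv6 rule, so this script only keeps its IPv6 coverage on a kernel that already carries the ipfw-me-unify.diff change; on an older kernel, where `me` still matches only IPv4, those rules silently match nothing and the IPv6 traffic falls to the default deny. Either commit this together with the kernel change or keep `me6` here until that change is in the tree, and say which in the commit message.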
@@ -402,25 +390,14 @@ # Allow setup of incoming email ${fwcmd} add pass tcp from any to me 25 setup - if [ -n "$inet6" ]; then - ${fwcmd} add pass tcp from any to me6 25 setup - fi # Allow access to our DNS ${fwcmd} add pass tcp from any to me 53 setup ${fwcmd} add pass udp from any to me 53 ${fwcmd} add pass udp from me 53 to any - if [ -n "$inet6" ]; then - ${fwcmd} add pass tcp from any to me6 53 setup - ${fwcmd} add pass udp from any to me6 53 - ${fwcmd} add pass udp from me6 53 to any - fi # Allow access to our WWW ${fwcmd} add pass tcp from any to me 80 setup - if [ -n "$inet6" ]; then - ${fwcmd} add pass tcp from any to me6 80 setup - fi # Reject&Log all setup of incoming connections from the outside ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp @@ -434,15 +411,9 @@ # Allow DNS queries out in the world ${fwcmd} add pass udp from me to any 53 keep-state - if [ -n "$inet6" ]; then - ${fwcmd} add pass udp from me6 to any 53 keep-state - fi # Allow NTP queries out in the world ${fwcmd} add pass udp from me to any 123 keep-state - if [ -n "$inet6" ]; then - ${fwcmd} add pass udp from me6 to any 123 keep-state - fi # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel @@ -477,18 +448,13 @@ # For services permitted below. ${fwcmd} add pass tcp from me to any established - if [ $ipv6_available -eq 0 ]; then - ${fwcmd} add pass tcp from me6 to any established - fi # Allow any connection out, adding state for each. ${fwcmd} add pass tcp from me to any setup keep-state ${fwcmd} add pass udp from me to any keep-state ${fwcmd} add pass icmp from me to any keep-state if [ $ipv6_available -eq 0 ]; then - ${fwcmd} add pass tcp from me6 to any setup keep-state - ${fwcmd} add pass udp from me6 to any keep-state - ${fwcmd} add pass ipv6-icmp from me6 to any keep-state + ${fwcmd} add pass ipv6-icmp from me to any keep-state fi # Allow DHCP. 
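Review bot: the etc/defaults/rc.conf hunk removes the `firewall_trusted_ipv6` default, yet the last rc.firewall hunk (@@ -525,21 +491,15 @@) still expands `${firewall_trusted_ipv6}` in the merged loop, so the variable is read without being declared or documented anywhere, and the comment just above the loop warns how sensitive that list is. Either keep a default line for it (marked as kept for compatibility) or drop the reference. The merged loop's `pass ip from $i to me` is equivalent to the removed `pass all`, so matching does not change there.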
@@ -496,7 +462,7 @@ ${fwcmd} add pass udp from any 67 to me 68 in ${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in if [ $ipv6_available -eq 0 ]; then - ${fwcmd} add pass udp from fe80::/10 to me6 546 in + ${fwcmd} add pass udp from fe80::/10 to me 546 in fi # Some servers will ping the IP while trying to decide if it's # still in use. @@ -525,21 +491,15 @@ for i in ${firewall_allowservices} ; do for j in ${firewall_myservices} ; do ${fwcmd} add pass tcp from $i to me $j - if [ $ipv6_available -eq 0 ]; then - ${fwcmd} add pass tcp from $i to me6 $j - fi done done # Allow all connections from trusted IPs. # Playing with the content of firewall_trusted could seriously # degrade the level of protection provided by the firewall. - for i in ${firewall_trusted} ; do + for i in ${firewall_trusted} ${firewall_trusted_ipv6}; do ${fwcmd} add pass ip from $i to me done - for i in ${firewall_trusted_ipv6} ; do - ${fwcmd} add pass all from $i to me6 - done ${fwcmd} add 65000 count ip from any to any --Multipart_Mon_Jan_11_03:27:13_2010-1 Content-Type: text/plain; charset=US-ASCII -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ --Multipart_Mon_Jan_11_03:27:13_2010-1-- From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 10 18:44:28 2010 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E31AB106566B; Sun, 10 Jan 2010 18:44:28 +0000 (UTC) (envelope-from luigi@onelab2.iet.unipi.it) Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.59.238]) by mx1.freebsd.org (Postfix) with ESMTP id A1A518FC0C; Sun, 10 Jan 2010 18:44:28 +0000 (UTC) Received: by onelab2.iet.unipi.it (Postfix, from userid 275) id 42D9B73106; Sun, 10 Jan 2010 19:52:32 +0100 (CET) Date: Sun, 10 Jan 2010 19:52:32 +0100 
From: Luigi Rizzo
To: Hajimu UMEMOTO
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, David Horn, freebsd-ipfw@freebsd.org
Message-ID: <20100110185232.GA27907@onelab2.iet.unipi.it>
Subject: Re: Unified rc.firewall ipfw me/me6 issue

On Mon, Jan 11, 2010 at 03:27:13AM +0900, Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Sat, 2 Jan 2010 20:36:45 -0500
> >>>>> David Horn said:
>
> > dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
> > dhorn2000> rc.firewall flow.
> >
> > Here is my proposed patch.  With this patch, 'me' matches both IPv4
> > and IPv6, and 'me4' is added for matching only IPv4.
>
> dhorn2000> The patch for me4/me6 works perfectly in my testing to date. I guess
> dhorn2000> we would need to convince a larger audience to get consensus on
> dhorn2000> changing the behavior for "me" token from just ipv4 to both ipv4/ipv6,
> dhorn2000> but I personally think it is the right direction.
>
> Thank you for testing.
> I've added current@ and net@ to Cc:.
> It makes the IPv4/IPv6 dual stack rule definitely simpler that 'me'
> matches both IPv4 and IPv6. I think it is a desired feature.
> However, I'm not sure we actually need 'me4'. So, I split my previous
> patch into two patches. The 1st patch makes 'me' match both IPv4
> and IPv6. The 2nd patch adds 'me4'.
> If there is no objection, I'll commit the 1st patch. If someone wants
> 'me4', I'll commit the 2nd patch.

We only need one 'me' option that matches v4 and v6, because the
other two can be implemented as 'ip4 me' and 'ip6 me' at no extra
cost (the code for 'me' only scans the list corresponding to the
actual address family of the packet). I would actually vote for
removing the 'me6' microinstruction from the kernel, and implement
it in /sbin/ipfw by generating 'ip6 me'.

Feel free to commit the change yourself.

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 10 19:54:18 2010
Date: Sun, 10 Jan 2010 11:40:34 -0800
From: "Li, Qing"
To: Luigi Rizzo, Hajimu UMEMOTO
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, David Horn, freebsd-ipfw@freebsd.org
Subject: RE: Unified rc.firewall ipfw me/me6 issue

>
> We only need one 'me' option that matches v4 and v6, because the
> other two can be implemented as 'ip4 me' and 'ip6 me' at no extra
> cost (the code for 'me' only scans the list corresponding to the
> actual address family of the packet). I would actually vote for
> removing the 'me6' microinstruction from the kernel, and implement
> it in /sbin/ipfw by generating 'ip6 me'.
>

I agree with Luigi.

-- Qing

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 10 22:06:17 2010
From: Maxim Ignatenko
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Date: Sun, 10 Jan 2010 23:42:37 +0200
Subject: Re: RFC: new ipfw options

2009/12/9 Luigi Rizzo:
> 3. a hash version of 'table's
>
>   Right now ipfw tables are implemented as routing tables, which is
>   great if you have to lookup a longest matching prefix, but a
>   bit overkill if you care only for ports or jail ids, and
>   totally uninteresting if you want to lookup flow ids,
>   or generic sequence of bytes. My plan here is to reuse the
>   ipfw hash tables to make them available for 'ipfw table ...'
>   commands. To avoid code and syntax bloat, I'd use the number
>   0..TABLE_MAX-1 for the existing prefix tables, and
>   TABLE_MAX..2TABLE_MAX-1 for the new hash tables.
>
> comments welcome
>

I think it's better to use another name ('htable' for example) instead of
overloading the old one.
And thanks for the great ideas.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 11 08:02:51 2010
Date: Mon, 11 Jan 2010 09:10:55 +0100
From: Luigi Rizzo
To: Julian Elischer
Cc: Maxim Ignatenko, ipfw@freebsd.org
Message-ID: <20100111081055.GA37788@onelab2.iet.unipi.it>
In-Reply-To: <4B4AD98A.2080508@elischer.org>
Subject: Re: RFC: new ipfw options

On Sun, Jan 10, 2010 at 11:55:54PM -0800, Julian Elischer wrote:
> Maxim Ignatenko wrote:
> >2009/12/9 Luigi Rizzo:
> >>3. a hash version of 'table's
> >>
> >>  Right now ipfw tables are implemented as routing tables, which is
> >>  great if you have to lookup a longest matching prefix, but a
> >>  bit overkill if you care only for ports or jail ids, and
> >>  totally uninteresting if you want to lookup flow ids,
> >>  or generic sequence of bytes. My plan here is to reuse the
> >>  ipfw hash tables to make them available for 'ipfw table ...'
> >>  commands. To avoid code and syntax bloat, I'd use the number
> >>  0..TABLE_MAX-1 for the existing prefix tables, and
> >>  TABLE_MAX..2TABLE_MAX-1 for the new hash tables.
> >>
> >>comments welcome
> >>
> >
> >I think it's better to use another name ('htable' for example) instead of
> >overloading the old one.
> >And thanks for the great ideas.
>
> please keep the current tables for IP addresses, longest prefix
> matching is really hard to do right on other schemes with
> the same behaviour. I know, I've tried :-)
>
> the answer is to have different types of tables I guess, but don't
> try combine when things should remain different.

for the time being I am not touching tables -- for my immediate needs
(matching ports and uid/jails) the radix tree is almost as good as
hash tables, so I am using them (code is already in HEAD -- see the
"lookup XXX" option).

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 11 08:34:08 2010
From: Julian Elischer
To: Maxim Ignatenko
Cc: ipfw@freebsd.org, Luigi Rizzo
Message-ID: <4B4AD98A.2080508@elischer.org>
Date: Sun, 10 Jan 2010 23:55:54 -0800
Subject: Re: RFC: new ipfw options

Maxim Ignatenko wrote:
> 2009/12/9 Luigi Rizzo:
>> 3. a hash version of 'table's
>>
>>   Right now ipfw tables are implemented as routing tables, which is
>>   great if you have to lookup a longest matching prefix, but a
>>   bit overkill if you care only for ports or jail ids, and
>>   totally uninteresting if you want to lookup flow ids,
>>   or generic sequence of bytes. My plan here is to reuse the
>>   ipfw hash tables to make them available for 'ipfw table ...'
>>   commands. To avoid code and syntax bloat, I'd use the number
>>   0..TABLE_MAX-1 for the existing prefix tables, and
>>   TABLE_MAX..2TABLE_MAX-1 for the new hash tables.
>>
>> comments welcome
>>
>
> I think it's better to use another name ('htable' for example) instead of
> overloading the old one.
> And thanks for the great ideas.

please keep the current tables for IP addresses, longest prefix
matching is really hard to do right on other schemes with
the same behaviour. I know, I've tried :-)

the answer is to have different types of tables I guess, but don't
try combine when things should remain different.
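As an added illustration of the trade-off Julian and Luigi describe (example code written for this page, not ipfw's own radix table implementation): a binary trie keyed on 32-bit values with a prefix length answers the longest-prefix question for addresses, and an exact key such as a port or uid goes in as a full-length /32 entry, which is why a prefix table serves ports and ids almost as well as a hash would while a hash cannot do the prefix match at all. The table contents below are constructed sample data.

```c
/* Added illustration, not ipfw's own radix/table code: a binary trie keyed
 * on 32-bit values with a prefix length.  Address tables use it for
 * longest-prefix matching; an exact key (a port, a uid) is stored as a
 * /32 entry, so the same structure answers exact lookups too, while a hash
 * table could not answer the prefix question at all. */
#include <stdint.h>
#include <stdlib.h>

struct node {
    struct node *child[2];
    int has_value;  /* a prefix ends at this node */
    int value;      /* table value, e.g. a tag or a jail id */
};

static struct node *node_new(void) {
    return calloc(1, sizeof(struct node));
}

static void trie_free(struct node *n) {
    if (n == NULL)
        return;
    trie_free(n->child[0]);
    trie_free(n->child[1]);
    free(n);
}

/* Insert key/plen (plen 0..32), walking the top plen bits of key.
 * Returns 0 on success, -1 on allocation failure. */
static int trie_insert(struct node *root, uint32_t key, int plen, int value) {
    struct node *n = root;
    for (int i = 0; i < plen; i++) {
        int bit = (key >> (31 - i)) & 1;
        if (n->child[bit] == NULL && (n->child[bit] = node_new()) == NULL)
            return -1;
        n = n->child[bit];
    }
    n->has_value = 1;
    n->value = value;
    return 0;
}

/* Longest-prefix lookup: walk the key's bits, remembering the deepest
 * node that ends a prefix.  Returns 1 and sets *value on a hit, else 0. */
static int trie_lookup(const struct node *root, uint32_t key, int *value) {
    const struct node *n = root;
    int found = 0;
    for (int i = 0; n != NULL; i++) {
        if (n->has_value) {
            found = 1;
            *value = n->value;
        }
        if (i == 32)
            break;
        n = n->child[(key >> (31 - i)) & 1];
    }
    return found;
}

/* Dotted quad to a host-order 32-bit key (used for the sample data only). */
static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
}

/* Constructed address table: 10.0.0.0/8 -> 1 and the more specific
 * 10.1.0.0/16 -> 2.  Returns the value of the longest match, -1 if none. */
int lookup_addr_table(uint32_t addr) {
    struct node *t = node_new();
    int v = -1;
    if (t == NULL)
        return -1;
    trie_insert(t, ip4(10, 0, 0, 0), 8, 1);
    trie_insert(t, ip4(10, 1, 0, 0), 16, 2);
    if (!trie_lookup(t, addr, &v))
        v = -1;
    trie_free(t);
    return v;
}

/* Constructed port table: exact keys stored as /32 entries, so the
 * prefix lookup degenerates to an exact match (22 -> 10, 443 -> 11);
 * a neighbouring port such as 23 must not match. */
int lookup_port_table(uint16_t port) {
    struct node *t = node_new();
    int v = -1;
    if (t == NULL)
        return -1;
    trie_insert(t, 22, 32, 10);
    trie_insert(t, 443, 32, 11);
    if (!trie_lookup(t, port, &v))
        v = -1;
    trie_free(t);
    return v;
}
```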
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 11 11:07:02 2010
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 11 Jan 2010 11:07:02 GMT
Message-Id: <201001111107.o0BB72p8034697@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/115172   ipfw   [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

62 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 12 11:05:43 2010
From: Evgenii Davidov
To: freebsd-ipfw@freebsd.org
Date: Tue, 12 Jan 2010 14:05:39 +0300
Message-ID: <20100112110539.GQ10388@korolev-net.ru>
In-Reply-To: <20100110185232.GA27907@onelab2.iet.unipi.it>
Subject: dummynet: waking up pipe

Hello,

When I enable net.inet.ip.dummynet.debug I get a lot of:

Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 1380 at 1460
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 2931 at 40
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 5189 at 40
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 4562 at 112
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 3610 at 51
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 597 at 40
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 1380 at 1400
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 1445 at 99
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 3610 at 51
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 3610 at 40
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 597 at 40
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 218 at 1500

Is it bad?

Let's see 3610:

ipfw pipe 3610 config bw 10500Kbit/s
ipfw queue 3610 config pipe 3610 mask dst-ip 0xffffffff
ipfw table 80 add 10.168.167.227 3610
ipfw table 80 add 89.222.187.184 3610

00040   8708035   7887386208 queue tablearg ip from any to table(80) out via bge1
00050  44793529  40386675667 pipe tablearg ip from any to table(2) out via bge1
00070   8006000   3713846496 pipe 16 ip from table(16) to any in via bge1
00071  68767107  23673242157 pipe 5 ip from not table(16) to any in via bge1

ipfw pipe 3610 show
03610:  10.500 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
q03610: weight 1 pipe 3610   50 sl. 1 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  5 ip           0.0.0.0/0        10.10.187.184/0   639563 40272017  0    0   0

My problem is that dummynet CPU usage jumps from 0 to 99%:

33 root  1 -68  -  0K  8K -  1 512.6H 86.18% dummynet
33 root  1 -68  -  0K  8K -  1 512.6H 85.89% dummynet
33 root  1 -68  -  0K  8K -  1 512.6H 88.28% dummynet
33 root  1 -68  -  0K  8K -  0 512.6H 78.17% dummynet
33 root  1 -68  -  0K  8K -  0 512.6H  0.88% dummynet
33 root  1 -68  -  0K  8K -  1 512.6H  0.10% dummynet
33 root  1 -68  -  0K  8K -  1 512.7H  0.00% dummynet
33 root  1 -68  -  0K  8K -  1 512.7H  0.10% dummynet

It does not depend on pps and traffic, I watch netstat -w1.

OS is 7.2-STABLE.

Thank you!
-- 
Evgenii V Davidov
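As an added example (my own code, not part of Evgenii's post and not FreeBSD's dummynet code), here is a small Python script that aggregates the `dummynet: waking up pipe N at M` debug lines by pipe number and by syslog second, so that a pipe which wakes up far more often than the others can be picked out of a flood of messages before turning to top(1) or `ipfw pipe show`. The regular expression and the sample input are constructed from the line shape quoted above; the hostname `r2` is taken from the post, the extra `bge1` line is made up only to show that unrelated kernel messages are skipped, and the trailing "at N" number is carried through as an opaque value with no meaning assumed.

```python
import re
from collections import Counter, defaultdict

# Shape of the syslog lines quoted in the report (regex constructed here):
#   "Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 1380 at 1460"
WAKEUP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s+"
    r"dummynet: waking up pipe (?P<pipe>\d+) at (?P<val>-?\d+)\s*$"
)


def parse_wakeups(lines):
    """Yield (timestamp, pipe_number, trailing_value) for every wake-up line.

    Lines that do not match (other kernel messages, blank lines) are skipped,
    so the function can be fed a whole /var/log/messages.
    """
    for line in lines:
        m = WAKEUP_RE.match(line.strip())
        if m:
            yield m.group("ts"), int(m.group("pipe")), int(m.group("val"))


def summarize(lines, threshold=2):
    """Aggregate wake-ups per pipe.

    Returns a dict with:
      total           - wake-ups per pipe over the whole input
      peak_per_second - the highest number of wake-ups one pipe saw within a
                        single syslog second
      busy            - pipes whose peak reaches `threshold`, sorted
    The "at N" value is only passed through; nothing is inferred from it.
    """
    total = Counter()
    per_second = defaultdict(Counter)  # timestamp -> Counter(pipe -> wake-ups)
    for ts, pipe, _val in parse_wakeups(lines):
        total[pipe] += 1
        per_second[ts][pipe] += 1

    peak = Counter()
    for counts in per_second.values():
        for pipe, n in counts.items():
            if n > peak[pipe]:
                peak[pipe] = n

    busy = sorted(p for p, n in peak.items() if n >= threshold)
    return {"total": dict(total), "peak_per_second": dict(peak), "busy": busy}


# Constructed sample: the twelve lines quoted in the report plus one
# unrelated (made-up) kernel line that the parser must ignore.
SAMPLE_LOG = """\
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 1380 at 1460
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 2931 at 40
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 5189 at 40
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 4562 at 112
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 3610 at 51
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 597 at 40
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 1380 at 1400
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 1445 at 99
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 3610 at 51
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 3610 at 40
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 597 at 40
Jan 12 13:53:32 r2 kernel: dummynet: waking up pipe 218 at 1500
Jan 12 13:53:33 r2 kernel: bge1: link state changed to UP
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Read a real syslog file, e.g. /var/log/messages
        with open(sys.argv[1]) as fh:
            report = summarize(fh)
    else:
        report = summarize(SAMPLE_LOG.splitlines())
    for pipe, n in sorted(report["total"].items(), key=lambda kv: -kv[1]):
        flag = "  <-- busy" if pipe in report["busy"] else ""
        peak = report["peak_per_second"][pipe]
        print(f"pipe {pipe:5d}: {n:3d} wake-ups, peak {peak}/s{flag}")
```

Run it with no arguments to process the embedded sample, or pass a syslog file as the first argument; `threshold` sets how many wake-ups within one syslog second mark a pipe as busy. On the sample, pipe 3610 (the one examined in the post) comes out on top with three wake-ups in the same second.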