From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 08:15:34 2007
From: Eric Masson
To: Mailing List FreeBSD Network
Date: Mon, 13 Aug 2007 10:15:22 +0200
Message-ID: <867inzn945.fsf@srvbsdnanssv.interne.kisoft-services.com>
Subject: pf rdr statement & ipsec processing interaction

Hello,

I'm trying to set up a FreeBSD 6.2 box as l2tp/ipsec server for MS
workstations (FAST_IPSEC + Yvan's NAT-T patch)

Thanks to mpd4, the l2tp part works fine. As the box could in fine have
only a dynamic ip address, I've made mpd listen on a loopback interface
on the box and then redirected incoming l2tp traffic to this loopback
interface:

$ ifconfig lo1
lo1: flags=8049 mtu 16384
        inet 10.127.0.1 netmask 0xff000000

$ cat /usr/local/etc/mpd4/mpd.links
l2tp1:
        set link type l2tp
        set l2tp self 10.127.0.1
        set l2tp enable incoming
        set l2tp disable originate

$ cat /etc/pf.conf
ext_if="vxn0"
rdr on $ext_if proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701

If ipsec isn't enabled (no spd & no racoon running on the freebsd side,
ipsec disabled on the xp box), this setup works fine.

If ipsec is enabled on the box and on the xp box, phase I & phase II
succeed but mpd4 doesn't get any l2tp packet.

If I set up mpd4 to listen on the external interface address and disable
the pf rdr rule, everything works fine (ipsec enabled or disabled).

From this, it seems that the pf rdr rule isn't applied to the incoming l2tp
packets once they've been ipsec processed.

Is this an expected behaviour or a bug?
TIA

Regards

Éric Masson

--
holding an ethernet cable at arm's length across a restaurant dining room
so it doesn't fall into the tiramisu, while others talk over infrared,
now that's real life, isn't it?
-+- DA in Guide du Macounet Pervers: http://www.le-visconti.net/ -+-

From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 08:51:57 2007
Message-ID: <228b46650708130124w6c5f4adfqd727b52d41b23143@mail.gmail.com>
Date: Mon, 13 Aug 2007 13:54:18 +0530
From: "rajneesh rana"
To: freebsd-net@freebsd.org
Subject: tcp connection b/w two modules using tap devices.

I am writing two modules on the same machine which interact with each
other through a tcp connection using two taps, tap1 and tap2, with IP
addresses of class C. Both taps are connected to a bridge. Module1 opens
a client tcp socket, binds that socket to tap1 and writes to the socket
with the destination IP of tap2. Module2 opens a server socket listening
on the IP address of tap2. The problem is that the connection is not
getting established and I am getting the error "connection timeout".

From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 09:02:46 2007
Message-ID: <64de5c8b0708130133i51c1918bg5ad8ab3c6e381f5b@mail.gmail.com>
Date: Mon, 13 Aug 2007 14:03:49 +0530
From: "Rajkumar S"
To: freebsd-net@freebsd.org
Subject: ng_nat connected to ng_ether not working?

Hi,

I am trying to connect an ng_nat node between ng_ether:upper and
ng_ether:lower so that all packets traversing via the ng_ether node get
nat'd. But it does not seem to be working.

I am using the following commands to connect rl1: and ng_nat

ngctl mkpeer rl1: nat upper out
ngctl name rl1:upper nat
ngctl connect rl1: nat: lower in
ngctl msg nat: setaliasaddr x.x.x.x

(I have also swapped out with in in the above set of commands, just in
case, but with the same results)

with warm regards,

raj

From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 09:20:07 2007
Date: Mon, 13 Aug 2007 09:17:33 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Eric Masson
Cc: Mailing List FreeBSD Network
In-Reply-To: <867inzn945.fsf@srvbsdnanssv.interne.kisoft-services.com>
Message-ID: <20070813091634.C87821@maildrop.int.zabbadoz.net>
References: <867inzn945.fsf@srvbsdnanssv.interne.kisoft-services.com>
Subject: Re: pf rdr statement & ipsec processing interaction

On Mon, 13 Aug 2007, Eric Masson wrote:

> Hello,
>
> I'm trying to set up a FreeBSD 6.2 box as l2tp/ipsec server for MS
> workstations (FAST_IPSEC + Yvan's NAT-T patch)
>
> Thanks to mpd4, the l2tp part works fine. As the box could in fine have
> only a dynamic ip address, I've made mpd listen on a loopback interface
> on the box and then redirected incoming l2tp traffic to this loopback
> interface:
>
> $ ifconfig lo1
> lo1: flags=8049 mtu 16384
>         inet 10.127.0.1 netmask 0xff000000
>
> $ cat /usr/local/etc/mpd4/mpd.links
> l2tp1:
>         set link type l2tp
>         set l2tp self 10.127.0.1
>         set l2tp enable incoming
>         set l2tp disable originate
>
> $ cat /etc/pf.conf
> ext_if="vxn0"
> rdr on $ext_if proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701
>
> If ipsec isn't enabled (no spd & no racoon running on the freebsd side,
> ipsec disabled on the xp box), this setup works fine.
>
> If ipsec is enabled on the box and on the xp box, phase I & phase II
> succeed but mpd4 doesn't get any l2tp packet.
>
> If I set up mpd4 to listen on the external interface address and disable
> the pf rdr rule, everything works fine (ipsec enabled or disabled)
>
> From this, it seems that the pf rdr rule isn't applied to the incoming l2tp
> packets once they've been ipsec processed.
>
> Is this an expected behaviour or a bug?

This is expected behavior.

You want to read about the IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF)
kernel option and enc(4).

--
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.

From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 09:39:50 2007
To: "Bjoern A. Zeeb"
From: Eric Masson
Cc: Mailing List FreeBSD Network
In-Reply-To: <20070813091634.C87821@maildrop.int.zabbadoz.net> (Bjoern A. Zeeb's message of "Mon, 13 Aug 2007 09:17:33 +0000 (UTC)")
References: <867inzn945.fsf@srvbsdnanssv.interne.kisoft-services.com> <20070813091634.C87821@maildrop.int.zabbadoz.net>
Date: Mon, 13 Aug 2007 11:39:43 +0200
Message-ID: <863aynn57k.fsf@srvbsdnanssv.interne.kisoft-services.com>
Subject: Re: pf rdr statement & ipsec processing interaction

"Bjoern A. Zeeb" writes:

Hi Bjoern,

> this is expected behavior.

Fine,

> You want to read about the IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF)
> kernel option and enc(4).

Ok, thanks for your help

Regards

Éric Masson

--
DP> From what point on is one no longer a newbie? Can it be treated?
It's a variety of childhood disease, so the answer is yes. The answer
to the question "can it be cured" is: not always.
-+- JdC in: Guide du Neuneu Usenetien - La maladie infantile -+-

From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 11:08:28 2007
Date: Mon, 13 Aug 2007 11:08:27 GMT
Message-Id: <200708131108.l7DB8RoB047756@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-net@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/115360  net   [ipv6] IPv6 address and if_bridge don't play well toge

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
s kern/21998   net   [socket] [patch] ident only for outgoing connections
a kern/38554   net   changing interface ipaddress doesn't seem to work
s kern/39937   net   ipstealth issue
s kern/81147   net   [net] [patch] em0 reinitialization while adding aliase
o kern/92552   net   A serious bug in most network drivers from 5.X to 6.X
s kern/95665   net   [if_tun] "ping: sendto: No buffer space available" wit
s kern/105943  net   Network stack may modify read-only mbuf chain copies
o kern/106316  net   [dummynet] dummynet with multipass ipfw drops packets
o kern/108542  net   [bce]: Huge network latencies with 6.2-RELEASE / STABL
o kern/109406  net   [ndis] Broadcom WLAN driver 4.100.15.5 doesn't work wi
o kern/110959  net   [ipsec] Filtering incoming packets with enc0 does not
o kern/112528  net   [nfs] NFS over TCP under load hangs with "impossible p
o kern/112686  net   [patm] patm driver freezes System (FreeBSD 6.2-p4) i38
o kern/112722  net   IP v4 udp fragmented packet reject
o kern/113359  net   [ipv6] panic sbdrop after ICMP6, packet too big
o kern/113457  net   [ipv6] deadlock occurs if a tunnel goes down while the
o kern/113842  net   [ipv6] PF_INET6 proto domain state can't be cleared wi
o kern/114714  net   [gre][patch] gre(4) is not MPSAFE and does not support
o kern/114839  net   [fxp] fxp looses ability to speak with traffic
o kern/115239  net   [ipnat] panic with 'kmem_map too small' using ipnat
o kern/115413  net   [ipv6] ipv6 pmtu not working

21 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/23063   net   [PATCH] for static ARP tables in rc.network
s bin/41647    net   ifconfig(8) doesn't accept lladdr along with inet addr
o kern/54383   net   [nfs] [patch] NFS root configurations without dynamic
s kern/60293   net   FreeBSD arp poison patch
o kern/95267   net   packet drops periodically appear
f kern/95277   net   [netinet] [patch] IP Encapsulation mask_match() return
o kern/100519  net   [netisr] suggestion to fix suboptimal network polling
o kern/102035  net   [plip] plip networking disables parallel port printing
o conf/102502  net   [patch] ifconfig name does't rename netgraph node in n
o kern/103253  net   inconsistent behaviour in arp reply of a bridge
o conf/107035  net   [patch] bridge interface given in rc.conf not taking a
o kern/112654  net   [pcn] Kernel panic upon if_pcn module load on a Netfin
o kern/114095  net   [carp] carp+pf delay with high state limit
o kern/114915  net   [patch] [pcn] pcn (sys/pci/if_pcn.c) ethernet driver f

14 problems total.
From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 14:46:20 2007
Message-ID: <46C06C02.5090908@ide.resurscentrum.se>
Date: Mon, 13 Aug 2007 16:34:42 +0200
From: Jon Otterholm
To: freebsd-net@freebsd.org
Subject: proxy-arp

Hi.

I have a problem with proxy-arp entries.

If I add an arp-entry:

arp -s $hostip $routermac permanent pub only

the router sends an arp and replies to its own arp like:

15:40:02.074419 arp who-has $hostip tell $hostip
15:40:02.074663 arp reply $hostip is-at $routermac (oui Unknown)

This is a problem because some clients interpret this as an ip-address
conflict.

In my case the router answers for arp on a bridge where all clients have
their own member-interface and clients are prohibited to talk directly
to each other.

Have I completely misunderstood the proxy-arp function? IMHO the router
should only answer to arp for $hostip to other clients than the one that
actually has the ip-address.
//Jon

From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 15:47:20 2007
Message-ID: <46C07D0A.1010301@elischer.org>
Date: Mon, 13 Aug 2007 08:47:22 -0700
From: Julian Elischer
To: Rajkumar S
Cc: freebsd-net@freebsd.org
References: <64de5c8b0708130133i51c1918bg5ad8ab3c6e381f5b@mail.gmail.com>
In-Reply-To: <64de5c8b0708130133i51c1918bg5ad8ab3c6e381f5b@mail.gmail.com>
Subject: Re: ng_nat connected to ng_ether not working?

Rajkumar S wrote:
> Hi,
>
> I am trying to connect an ng_nat node between ng_ether:upper and
> ng_ether:lower so that all packets traversing via the ng_ether node get
> nat'd. But it does not seem to be working.
>
> I am using the following commands to connect rl1: and ng_nat
>
> ngctl mkpeer rl1: nat upper out
> ngctl name rl1:upper nat
> ngctl connect rl1: nat: lower in
> ngctl msg nat: setaliasaddr x.x.x.x

ng_nat assumes you have IP packets.
ng_ether gives you ethernet packets.
>
> (I have also swapped out with in in the above set of commands, just in
> case, but with the same results)
>
> with warm regards,
>
> raj

From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 15:57:55 2007
Message-ID: <46C07F86.6000201@elischer.org>
Date: Mon, 13 Aug 2007 08:57:58 -0700
From: Julian Elischer
To: Rajkumar S
Cc: freebsd-net@freebsd.org
References: <64de5c8b0708130133i51c1918bg5ad8ab3c6e381f5b@mail.gmail.com> <46C07D0A.1010301@elischer.org>
In-Reply-To: <46C07D0A.1010301@elischer.org>
Subject: Re: ng_nat connected to ng_ether not working?

Julian Elischer wrote:
> Rajkumar S wrote:
>> Hi,
>>
>> I am trying to connect an ng_nat node between ng_ether:upper and
>> ng_ether:lower so that all packets traversing via the ng_ether node get
>> nat'd. But it does not seem to be working.
>>
>> I am using the following commands to connect rl1: and ng_nat
>>
>> ngctl mkpeer rl1: nat upper out
>> ngctl name rl1:upper nat
>> ngctl connect rl1: nat: lower in
>> ngctl msg nat: setaliasaddr x.x.x.x
>
> ng_nat assumes you have IP packets.
> ng_ether gives you ethernet packets.
I should add that you probably want to divert the IP packets from the IP
layer by using ipfw, a divert socket, and a netgraph divert ksocket.
(Or an ipfw netgraph ipfw rule if you are using 7.0; I don't believe it
is in 6.x.)

>
>> (I have also swapped out with in in the above set of commands, just in
>> case, but with the same results)
>>
>> with warm regards,
>>
>> raj

From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 18:34:29 2007
To: freebsd-net@freebsd.org
Date: Mon, 13 Aug 2007 11:34:26 -0700
From: "Kevin Oberman"
Message-Id: <20070813183426.C196D45045@ptavv.es.net>
Subject: Very high wide area TCP tuning

I am attempting to use a FreeBSD box with either a Myricom or Chelsio
10GE card to generate very large TCP streams over cross-country links.
The RTT for the test path is 94 ms. It is dedicated to my testing at
this time, so I have no contention other than a few KB of routing
updates.

Clearly, I need a very large window...about 120 MB, but I am unsure how
FreeBSD will handle this. (Unless I do other things, I suspect it will
not be pretty.)

I imagine I will need a large kvm space, at the least, but are there any
other sysctls that are likely to need adjusting to make this all work?

Is it likely to work better on an amd64 system than an i386?

Any suggestions would be appreciated.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O.
Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net                  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 18:43:28 2007
In-Reply-To: <46C06C02.5090908@ide.resurscentrum.se>
References: <46C06C02.5090908@ide.resurscentrum.se>
Message-Id: <8B0BAE02-4E6C-418C-AB7A-568B44B4CA41@mac.com>
From: Chuck Swiger
Date: Mon, 13 Aug 2007 11:43:26 -0700
To: Jon Otterholm
Cc: freebsd-net@freebsd.org
Subject: Re: proxy-arp

On Aug 13, 2007, at 7:34 AM, Jon Otterholm wrote:
> I have a problem with proxy-arp entries.
>
> If I add an arp-entry:
>
> arp -s $hostip $routermac permanent pub only
>
> the router sends an arp and replies to its own arp like:
>
> 15:40:02.074419 arp who-has $hostip tell $hostip
> 15:40:02.074663 arp reply $hostip is-at $routermac (oui Unknown)
>
> This is a problem because some clients interpret this as an
> ip-address conflict.

Are you sure that your router is issuing the ARPOP_REQUESTS?
Is the entry you've published already listed in "arp -a"?

> In my case the router answers for arp on a bridge where all clients
> have their own member-interface and clients are prohibited to talk
> directly to each other.
>
> Have I completely misunderstood the proxy-arp function? IMHO the
> router should only answer to arp for $hostip to other clients than
> the one that actually has the ip-address.

I use proxy-arp where I've got a router running IPFW which needs to
forward some IPs on the external/routable subnet to internal RFC-1918
addresses via NAT. I don't use the "only" keyword, but do use
"permanent pub".
-- -Chuck From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 19:19:24 2007 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B095416A41B for ; Mon, 13 Aug 2007 19:19:24 +0000 (UTC) (envelope-from jon.otterholm@ide.resurscentrum.se) Received: from mail1.cil.se (mail1.cil.se [217.197.56.125]) by mx1.freebsd.org (Postfix) with ESMTP id 318D113C467 for ; Mon, 13 Aug 2007 19:19:23 +0000 (UTC) (envelope-from jon.otterholm@ide.resurscentrum.se) Received: from onob2.irc.local ([192.168.44.2]) by mail1.cil.se with Microsoft SMTPSVC(6.0.3790.1830); Mon, 13 Aug 2007 21:19:22 +0200 Message-ID: <46C0AED6.6070406@ide.resurscentrum.se> Date: Mon, 13 Aug 2007 21:19:50 +0200 
From: Jon Otterholm User-Agent: Thunderbird 2.0.0.0 (X11/20070614) MIME-Version: 1.0 To: Chuck Swiger , freebsd-net@freebsd.org References: <46C06C02.5090908@ide.resurscentrum.se> <8B0BAE02-4E6C-418C-AB7A-568B44B4CA41@mac.com> In-Reply-To: <8B0BAE02-4E6C-418C-AB7A-568B44B4CA41@mac.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 13 Aug 2007 19:19:22.0077 (UTC) FILETIME=[DA7298D0:01C7DDDE] Cc: Subject: Re: proxy-arp X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Aug 2007 19:19:24 -0000 Chuck Swiger wrote: > On Aug 13, 2007, at 7:34 AM, Jon Otterholm wrote: >> I have a problem with proxy-arp entries. >> >> If I add an arp-entry: >> >> arp -s $hostip $routermac permanent pub only >> >> the router sends an arp and replies to it's own arp like: >> >> 15:40:02.074419 arp who-has $hostip tell $hostip >> 15:40:02.074663 arp reply $hostip is-at $routermac (oui Unknown) >> >> This is a problem because some clients interpret this as an >> ip-address conflict. > > Are you sure that your router is issuing the ARPOP_REQUESTS? > Is the entry you've published already listed in "arp -a"? Yes, the entry is already listed as an static arp with the "real" clients mac. The one I published earlier is intended for proxy only. 
//Jon From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 19:32:15 2007 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BB09B16A417 for ; Mon, 13 Aug 2007 19:32:15 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by mx1.freebsd.org (Postfix) with ESMTP id A27A113C465 for ; Mon, 13 Aug 2007 19:32:15 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from relay7.apple.com (relay7.apple.com [17.128.113.37]) by mail-out3.apple.com (Postfix) with ESMTP id 9211DE651F0; Mon, 13 Aug 2007 12:32:15 -0700 (PDT) Received: from relay7.apple.com (unknown [127.0.0.1]) by relay7.apple.com (Symantec Mail Security) with ESMTP id 7C57330078; Mon, 13 Aug 2007 12:32:15 -0700 (PDT) X-AuditID: 11807125-a221ebb0000007e5-04-46c0b1bf6207 Received: from [17.214.13.96] (cswiger1.apple.com [17.214.13.96]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay7.apple.com (Apple SCV relay) with ESMTP id 6752E30051; Mon, 13 Aug 2007 12:32:15 -0700 (PDT) In-Reply-To: <46C0AED6.6070406@ide.resurscentrum.se> References: <46C06C02.5090908@ide.resurscentrum.se> <8B0BAE02-4E6C-418C-AB7A-568B44B4CA41@mac.com> <46C0AED6.6070406@ide.resurscentrum.se> Mime-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <1112A450-7558-4474-9F5A-64954895DF16@mac.com> Content-Transfer-Encoding: 7bit 
From: Chuck Swiger Date: Mon, 13 Aug 2007 12:32:14 -0700 To: Jon Otterholm X-Mailer: Apple Mail (2.752.2) X-Brightmail-Tracker: AAAAAA== Cc: freebsd-net@freebsd.org Subject: Re: proxy-arp X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Aug 2007 19:32:15 -0000 On Aug 13, 2007, at 12:19 PM, Jon Otterholm wrote: >>> This is a problem because some clients interpret this as an ip- >>> address conflict. >> >> Are you sure that your router is issuing the ARPOP_REQUESTS? >> Is the entry you've published already listed in "arp -a"? > > Yes, the entry is already listed as an static arp with the "real" > clients mac. The one I published earlier is intended for proxy only. Are the clients connecting via the same interface which is sending & receiving the proxy arps? Normally, you use proxy-arp'ing to connect NAT'ed IPs to public IPs you want to forward the traffic to. If you are not using NAT, but bridging, normally then the clients can ARP for themselves.... 
-- -Chuck From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 20:36:22 2007 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A29C216A419 for ; Mon, 13 Aug 2007 20:36:22 +0000 (UTC) (envelope-from yusheng.huang@bluecoat.com) Received: from whisker.bluecoat.com (whisker.bluecoat.com [216.52.23.28]) by mx1.freebsd.org (Postfix) with ESMTP id 7EA4313C4B7 for ; Mon, 13 Aug 2007 20:36:22 +0000 (UTC) (envelope-from yusheng.huang@bluecoat.com) Received: from bcs-mail2.internal.cacheflow.com (bcs-mail2.internal.cacheflow.com [10.2.2.59]) by whisker.bluecoat.com (8.13.8/8.13.8) with ESMTP id l7DKOvk0011212 for ; Mon, 13 Aug 2007 13:24:58 -0700 (PDT) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Date: Mon, 13 Aug 2007 13:24:56 -0700 Message-ID: <305C539CA2F86249BF51CDCE8996AFF406322606@bcs-mail2.internal.cacheflow.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: An ISN(initial sequence number) bug? Thread-Index: Acfd6ANyOR9KoL3xSTKdw7BW/o9AlQ== 
From: "Huang, Yusheng" To: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: An ISN(initial sequence number) bug? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Aug 2007 20:36:22 -0000 Hi, =20 I think there is a bug in the tcp_isn_tick() function. =20 1477 static void 1478 tcp_isn_tick(xtp) 1479 void *xtp; 1480 { 1481 u_int32_t projected_offset; 1482=20 1483 INP_INFO_WLOCK(&tcbinfo); 1484 projected_offset =3D isn_offset_old + ISN_BYTES_PER_SECOND / 100; 1485=20 1486 if (projected_offset > isn_offset) 1487 isn_offset =3D projected_offset; 1488=20 1489 isn_offset_old =3D isn_offset; 1490 callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL); 1491 INP_INFO_WUNLOCK(&tcbinfo); 1492 } =20 If isn_offset is close to the 4G boundary, the projected_offset is likely to overflow the 4G value so the unsigned comparison at line#1486 will not be true and isn_offset will not be incremented by the tcp_isn_tick() for a very long long time.=20 =20 -yusheng =20 From owner-freebsd-net@FreeBSD.ORG Mon Aug 13 23:02:28 2007 Return-Path: Delivered-To: freebsd-net@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 49AD116A41B for ; Mon, 13 Aug 2007 23:02:28 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from gw.catspoiler.org (adsl-75-1-14-242.dsl.scrm01.sbcglobal.net [75.1.14.242]) by mx1.freebsd.org (Postfix) with ESMTP id 128CD13C45B for ; Mon, 13 Aug 2007 23:02:28 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.13.3/8.13.3) with ESMTP id l7DMYiSX067226; Mon, 13 Aug 2007 15:34:48 -0700 (PDT) (envelope-from truckman@FreeBSD.org) Message-Id: 
<200708132234.l7DMYiSX067226@gw.catspoiler.org> Date: Mon, 13 Aug 2007 15:34:44 -0700 (PDT) 
From: Don Lewis To: yusheng.huang@bluecoat.com In-Reply-To: <305C539CA2F86249BF51CDCE8996AFF406322606@bcs-mail2.internal.cacheflow.com> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Cc: freebsd-net@FreeBSD.org Subject: Re: An ISN(initial sequence number) bug? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Aug 2007 23:02:28 -0000 On 13 Aug, Huang, Yusheng wrote: > Hi, > > > > I think there is a bug in the tcp_isn_tick() function. > > > > 1477 static void > > 1478 tcp_isn_tick(xtp) > > 1479 void *xtp; > > 1480 { > > 1481 u_int32_t projected_offset; > > 1482 > > 1483 INP_INFO_WLOCK(&tcbinfo); > > 1484 projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / > 100; > > 1485 > > 1486 if (projected_offset > isn_offset) > > 1487 isn_offset = projected_offset; > > 1488 > > 1489 isn_offset_old = isn_offset; > > 1490 callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL); > > 1491 INP_INFO_WUNLOCK(&tcbinfo); > > 1492 } > > > > If isn_offset is close to the 4G boundary, the projected_offset is > likely to overflow the 4G value so the unsigned comparison at line#1486 > will not be true and isn_offset will not be incremented by the > tcp_isn_tick() for a very long long time. I think the comparison should be done with the SEQ_GT() macro. 
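A stand-alone model of the two comparisons, added here as an illustration and not code from the FreeBSD tree: it runs the quoted tick logic once with the plain unsigned '>' and once with the SEQ_GT() form suggested above, starting just below the 32-bit wrap. ISN_BYTES_PER_SECOND and the SEQ_GT() macro are copied from the kernel's definitions; the isn_state struct, the tick functions and the starting value are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the FreeBSD TCP stack (sys/netinet/tcp_subr.c and
 * sys/netinet/tcp_seq.h); everything else here is a constructed model. */
#define ISN_BYTES_PER_SECOND 1048576
#define SEQ_GT(a, b) ((int)((a) - (b)) > 0)

/* Hypothetical holder for the two globals the tick function updates. */
struct isn_state {
	uint32_t isn_offset;
	uint32_t isn_offset_old;
};

/* The quoted tick logic: plain unsigned '>' on a 32-bit value. Once
 * projected_offset wraps past 2^32 it is numerically tiny, the test fails
 * and isn_offset stops advancing. */
static void isn_tick_unsigned(struct isn_state *s)
{
	uint32_t projected_offset = s->isn_offset_old + ISN_BYTES_PER_SECOND / 100;

	if (projected_offset > s->isn_offset)
		s->isn_offset = projected_offset;
	s->isn_offset_old = s->isn_offset;
}

/* Same logic with the sequence-space comparison from the reply: SEQ_GT()
 * takes the difference modulo 2^32 and looks at its sign, so a wrapped
 * projected_offset still counts as "ahead" of isn_offset. */
static void isn_tick_seqgt(struct isn_state *s)
{
	uint32_t projected_offset = s->isn_offset_old + ISN_BYTES_PER_SECOND / 100;

	if (SEQ_GT(projected_offset, s->isn_offset))
		s->isn_offset = projected_offset;
	s->isn_offset_old = s->isn_offset;
}

/* Run `ticks` iterations of `tick` on `s` and return how many of them
 * actually moved isn_offset. */
static unsigned run_ticks(void (*tick)(struct isn_state *),
			  struct isn_state *s, unsigned ticks)
{
	unsigned advanced = 0;

	for (unsigned i = 0; i < ticks; i++) {
		uint32_t before = s->isn_offset;

		tick(s);
		if (s->isn_offset != before)
			advanced++;
	}
	return advanced;
}

int main(void)
{
	/* Constructed starting point: 5000 below the 32-bit wrap, i.e. less
	 * than one tick's increment (ISN_BYTES_PER_SECOND / 100 = 10485). */
	const uint32_t near_wrap = UINT32_MAX - 5000u;
	struct isn_state a = { near_wrap, near_wrap };
	struct isn_state b = { near_wrap, near_wrap };
	unsigned adv_unsigned = run_ticks(isn_tick_unsigned, &a, 100);
	unsigned adv_seqgt = run_ticks(isn_tick_seqgt, &b, 100);

	printf("unsigned '>': %u of 100 ticks advanced, isn_offset=%u\n",
	       adv_unsigned, a.isn_offset);
	printf("SEQ_GT()    : %u of 100 ticks advanced, isn_offset=%u\n",
	       adv_seqgt, b.isn_offset);
	/* In the kernel isn_offset is also bumped per new connection, which is
	 * what eventually wraps the counter and ends the stall; this model
	 * omits that, so the unsigned variant here never recovers. */
	return 0;
}
```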
From owner-freebsd-net@FreeBSD.ORG Tue Aug 14 00:10:33 2007
From: Lawrence Stewart
To: Kevin Oberman
Cc: freebsd-net@freebsd.org
Date: Tue, 14 Aug 2007 09:52:22 +1000
Message-ID: <46C0EEB6.6010702@room52.net>
In-Reply-To: <20070813183426.C196D45045@ptavv.es.net>
Subject: Re: Very high wide area TCP tuning

Hi Kevin,

Kevin Oberman wrote:
> I am attempting to use a FreeBSD box with either a Myricom or Chelsio 10GE card to generate very large TCP streams over cross-country links. The RTT for the test path is 94 ms. It is dedicated to my testing at this time, so I have no contention other than a few KB of routing updates.
>
> Clearly, I need a very large window...about 120 MB, but I am unsure how FreeBSD will handle this. (Unless I do other things, I suspect it will not be pretty.) I imagine I will need a large kvm space, at the least, but are there any other sysctls that are likely to need adjusting to make this all work? Is it likely to work better on an amd64 system than an i386?
>
> Any suggestions would be appreciated.

We recently wrote a small technical report that covers some of the issues related to FreeBSD network tuning for some TCP research we've been doing.

The report's title is "Tuning and Testing the FreeBSD 6 TCP Stack" and you can grab it from here:
http://caia.swin.edu.au/reports/070717B/CAIA-TR-070717B.pdf

We didn't tune for 10GB speeds, but I imagine the principles should all still apply. As you correctly point out, you'll also probably want to raise the allowable kernel mem size using the "vm.kmem_size" and "vm.kmem_size_max" sysctls to avoid any random kernel panics. We used a kmem size of 500MB which worked flawlessly with our GigE multiflow tests and left us plenty of room to move. This is something you might have to use a bit of trial and error to figure out though to ensure you get something stable. And of course you're going to want to control the number of flows active at one time based on your kmem setting and hardware constraints...

Cheers,
Lawrence

http://caia.swin.edu.au

From owner-freebsd-net@FreeBSD.ORG Tue Aug 14 00:58:23 2007
From: "Isaac Kohen"
To: "Lawrence Stewart"
Cc: freebsd-net@freebsd.org, Kevin Oberman
Date: Mon, 13 Aug 2007 20:58:22 -0400
Message-ID: <7feb82f40708131758t194e93f1k371642524991eb71@mail.gmail.com>
In-Reply-To: <46C0EEB6.6010702@room52.net>
Subject: Re: Very high wide area TCP tuning

I've sent several messages to "freebsd-net-unsubscribe@freebsd.org" and I'm still receiving messages. How do I stop this?

On 8/13/07, Lawrence Stewart wrote:
>
> Hi Kevin,
>
> Kevin Oberman wrote:
> > I am attempting to use a FreeBSD box with either a Myricom or Chelsio 10GE card to generate very large TCP streams over cross-country links. The RTT for the test path is 94 ms. It is dedicated to my testing at this time, so I have no contention other than a few KB of routing updates.
> >
> > Clearly, I need a very large window...about 120 MB, but I am unsure how FreeBSD will handle this. (Unless I do other things, I suspect it will not be pretty.) I imagine I will need a large kvm space, at the least, but are there any other sysctls that are likely to need adjusting to make this all work? Is it likely to work better on an amd64 system than an i386?
> >
> > Any suggestions would be appreciated.
> >
>
> We recently wrote a small technical report that covers some of the issues related to FreeBSD network tuning for some TCP research we've been doing.
>
> The report's title is "Tuning and Testing the FreeBSD 6 TCP Stack" and you can grab it from here:
> http://caia.swin.edu.au/reports/070717B/CAIA-TR-070717B.pdf
>
> We didn't tune for 10GB speeds, but I imagine the principles should all still apply. As you correctly point out, you'll also probably want to raise the allowable kernel mem size using the "vm.kmem_size" and "vm.kmem_size_max" sysctls to avoid any random kernel panics. We used a kmem size of 500MB which worked flawlessly with our GigE multiflow tests and left us plenty of room to move. This is something you might have to use a bit of trial and error to figure out though to ensure you get something stable. And of course you're going to want to control the number of flows active at one time based on your kmem setting and hardware constraints...
>
> Cheers,
> Lawrence
>
> http://caia.swin.edu.au

From owner-freebsd-net@FreeBSD.ORG Tue Aug 14 06:56:06 2007
From: "Luca Da Col"
To: freebsd-net@freebsd.org
Date: Tue, 14 Aug 2007 08:28:39 +0200
Subject: Unexpected behaviors connectivity FreeBSD

We have a FreeBSD 6.2 system connected to our DMZ, used to store periodic information about our network. FreeBSD is showing some unexpected behaviors, losing connectivity with other boxes in the network. The problem is completely aleatory and can affect any box. However, the rest of the boxes are completely reachable from FreeBSD while a specific server is affected. Deleting the ARP entry in the FreeBSD box solves the problem, as you can see from the following lines. The problem is showing quite frequently during the day.

Any hint about this issue?

Thank you,
Best regards,
Luca Da Col

[root@srv001 /Scripts]# ping SWI002-DMZ
PING SWI002-DMZ (10.192.149.45): 56 data bytes
^C
--- SWI002-DMZ ping statistics ---
20 packets transmitted, 0 packets received, 100% packet loss
[root@srv001 /Scripts]# arp -a
? (10.192.149.9) at 08:00:20:f2:cf:da on dc0 [ethernet]
? (10.192.149.33) at 00:07:ec:50:e4:08 on dc0 [ethernet]
? (10.192.149.44) at 00:0a:b7:8d:0b:00 on dc0 [ethernet]
? (10.192.149.45) at 00:07:85:a5:20:40 on dc0 [ethernet]
[root@srv001 /Scripts]# arp -d 10.192.149.45
10.192.149.45 (10.192.149.45) deleted
[root@srv001 /Scripts]# ping SWI002-DMZ
PING SWI002-DMZ (10.192.149.45): 56 data bytes
64 bytes from 10.192.149.45: icmp_seq=0 ttl=255 time=1.261 ms
64 bytes from 10.192.149.45: icmp_seq=1 ttl=255 time=1.196 ms
64 bytes from 10.192.149.45: icmp_seq=2 ttl=255 time=1.092 ms
64 bytes from 10.192.149.45: icmp_seq=3 ttl=255 time=1.093 ms
^C
--- SWI002-DMZ ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.092/1.160/1.261/0.072 ms
[root@srv001 /Scripts]# arp -a
? (10.192.149.9) at 08:00:20:f2:cf:da on dc0 [ethernet]
? (10.192.149.33) at 00:07:ec:50:e4:08 on dc0 [ethernet]
? (10.192.149.44) at 00:0a:b7:8d:0b:00 on dc0 [ethernet]
? (10.192.149.45) at 00:07:85:a5:20:40 on dc0 [ethernet]

From owner-freebsd-net@FreeBSD.ORG Tue Aug 14 09:38:35 2007
From: Jeff Roberson
To: fs@freebsd.org, net@freebsd.org
Date: Tue, 14 Aug 2007 02:41:31 -0700 (PDT)
Message-ID: <20070814024024.U568@10.0.0.1>
Subject: netncp/netsmb users please test a patch.

http://people.freebsd.org/~jeff/select.diff

I have redone the select locking. This included changing some cruft in smb/ncp. I have tested smb myself, but would appreciate more feedback. I am not able to test ncp. Please let me know if this works for you.

Thanks,
Jeff

From owner-freebsd-net@FreeBSD.ORG Tue Aug 14 10:04:36 2007
From: Eric Masson
To: "Bjoern A. Zeeb"
Cc: Mailing List FreeBSD Network
Date: Tue, 14 Aug 2007 12:04:27 +0200
Message-ID: <86k5ryjutw.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20070813091634.C87821@maildrop.int.zabbadoz.net> (Bjoern A. Zeeb's message of "Mon, 13 Aug 2007 09:17:33 +0000 (UTC)")
Subject: Re: pf rdr statement & ipsec processing interaction

"Bjoern A. Zeeb" writes:

Hello Bjoern & all,

> this is expected behavior. You want to read about the
> IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF) kernel option and
> enc(4).

I've compiled a new kernel with IPSEC_FILTERGIF; tcpdump now can see unencrypted L2TP packets on external interfaces, but the rdr rule doesn't have any effect.

Just to be sure, I added "device enc" to the kernel configuration and changed the rdr rule to:

rdr on enc0 proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701

But no success atm. Any idea?

Regards

Éric Masson

--
FYLG> Here, here's a URL that works fine:
FYLG> ftp://127.0.0.1/WaReZ/NiouZeS/WinDoZe/NeWSMoNGeR/SuPeR
That's nice, except the address doesn't work, it gives me an error
-+- Furtif in Guide du Neuneu Usenet -+-

From owner-freebsd-net@FreeBSD.ORG Tue Aug 14 10:20:07 2007
From: "Bjoern A. Zeeb"
To: Eric Masson
Cc: Mailing List FreeBSD Network
Date: Tue, 14 Aug 2007 10:18:46 +0000 (UTC)
Message-ID: <20070814101809.Q87821@maildrop.int.zabbadoz.net>
In-Reply-To: <86k5ryjutw.fsf@srvbsdnanssv.interne.kisoft-services.com>
Subject: Re: pf rdr statement & ipsec processing interaction

On Tue, 14 Aug 2007, Eric Masson wrote:
> "Bjoern A. Zeeb" writes:
>
> Hello Bjoern & all,
>
>> this is expected behavior. You want to read about the
>> IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF) kernel option and
>> enc(4).
>
> I've compiled a new kernel with IPSEC_FILTERGIF; tcpdump now can see unencrypted L2TP packets on external interfaces, but the rdr rule doesn't have any effect.
>
> Just to be sure, I added "device enc" to the kernel configuration and changed the rdr rule to:
> rdr on enc0 proto udp from any to ($ext_if) port 1701 -> 10.127.0.1 port 1701
>
> But no success atm. Any idea?

ifconfig enc0 | grep UP

if not, ifconfig enc0 up

--
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
From owner-freebsd-net@FreeBSD.ORG Tue Aug 14 10:55:10 2007 Return-Path: Delivered-To: freebsd-net@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 22EEE16A41B for ; Tue, 14 Aug 2007 10:55:10 +0000 (UTC) (envelope-from emss@free.fr) Received: from mallaury.nerim.net (mallaury.ipv6.nerim.net [IPv6:2001:7a8:1:5::82]) by mx1.freebsd.org (Postfix) with ESMTP id 8CCB213C461 for ; Tue, 14 Aug 2007 10:55:09 +0000 (UTC) (envelope-from emss@free.fr) Received: from srvbsdnanssv.interne.kisoft-services.com (kisoft.net1.nerim.net [62.212.107.51]) by mallaury.nerim.net (Postfix) with ESMTP id 3329C4F3F8; Tue, 14 Aug 2007 12:55:00 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by srvbsdnanssv.interne.kisoft-services.com (Postfix) with ESMTP id E8E5CD32E; Tue, 14 Aug 2007 12:55:05 +0200 (CEST) X-Virus-Scanned: amavisd-new at interne.kisoft-services.com Received: from srvbsdnanssv.interne.kisoft-services.com ([127.0.0.1]) by localhost (srvbsdnanssv.interne.kisoft-services.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJj8n6A9RQbb; Tue, 14 Aug 2007 12:55:00 +0200 (CEST) Received: by srvbsdnanssv.interne.kisoft-services.com (Postfix, from userid 1001) id CE854D036; Tue, 14 Aug 2007 12:54:59 +0200 (CEST) To: "Bjoern A. Zeeb" 
From: Eric Masson In-Reply-To: <20070814101809.Q87821@maildrop.int.zabbadoz.net> (Bjoern A. Zeeb's message of "Tue, 14 Aug 2007 10:18:46 +0000 (UTC)") References: <867inzn945.fsf@srvbsdnanssv.interne.kisoft-services.com> <20070813091634.C87821@maildrop.int.zabbadoz.net> <86k5ryjutw.fsf@srvbsdnanssv.interne.kisoft-services.com> <20070814101809.Q87821@maildrop.int.zabbadoz.net> X-Operating-System: FreeBSD 6.2-RELEASE-p7 i386 Date: Tue, 14 Aug 2007 12:54:59 +0200 Message-ID: <86fy2mjsho.fsf@srvbsdnanssv.interne.kisoft-services.com> User-Agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b28 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Transfer-Encoding: 8bit Cc: Mailing List FreeBSD Network Subject: Re: pf rdr statement & ipsec processing interaction X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Aug 2007 10:55:10 -0000 "Bjoern A. 
Zeeb" writes: > ifconfig enc0 | grep UP > > if not, ifconfig enc0 up Ok, this is better as mpd4 receives l2tp packets, thanks :) emss@freebsd6:~> sudo /usr/local/sbin/mpd4 Multi-link PPP daemon for FreeBSD process 1586 started, version 4.2.2 (root@freebsd6 22:09 9-Aug-2007) CONSOLE: listening on 127.0.0.1 5005 [l2tp1] using interface ng1 [l2tp2] using interface ng2 [l2tp3] using interface ng3 [l2tp4] using interface ng4 [l2tp5] using interface ng5 L2TP: waiting for connection on 10.127.0.1 1701 Incoming L2TP packet from 192.168.1.105 1701 But from the dump on vxn0 interface, response packets are not passed to the ipsec layer (192.168.1.105 is the remote XP host) : emss@freebsd6:~> sudo tcpdump -n -i vxn0 not tcp port 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on vxn0, link-type EN10MB (Ethernet), capture size 96 bytes 12:43:50.408045 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident 12:43:50.413619 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident 12:43:50.472048 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident 12:43:50.591613 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident 12:43:50.863929 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 1 I ident[E] 12:43:50.939090 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 1 R ident[E] 12:43:50.943675 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I oakley-quick[E] 12:43:50.961028 IP 192.168.1.231.500 > 192.168.1.105.500: isakmp: phase 2/others R oakley-quick[E] 12:43:50.977231 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I oakley-quick[E] 12:43:51.013177 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x1), length 140 12:43:51.064857 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |... 
12:43:51.960621 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x2), length 140
12:43:51.962668 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:52.020466 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:53.942587 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x3), length 140
12:43:53.943445 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:53.943710 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:43:57.742123 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x4), length 140
12:43:57.745058 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:43:57.789932 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:07.186961 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:07.208935 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x5), length 140
12:44:07.209418 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:44:16.802284 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:16.849849 IP 192.168.1.105 > 192.168.1.231: ESP(spi=0x0eb4187d,seq=0x6), length 140
12:44:16.849860 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=1,Nr=1 ZLB
12:44:18.808989 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I inf[E]
12:44:18.821602 IP 192.168.1.105.500 > 192.168.1.231.500: isakmp: phase 2/others I inf[E]
12:44:26.418196 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
12:44:36.033944 IP 192.168.1.231.1701 > 192.168.1.105.1701: l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) |...
I don't really understand here, as the ipsec selectors are the following:

emss@freebsd6:~> sudo /usr/local/sbin/setkey -DP
0.0.0.0/0[any] 192.168.1.231[1701] udp
	in ipsec
	esp/transport//require
	spid=1 seq=2 pid=2086
	refcnt=1
192.168.1.105[1701] 192.168.1.231[1701] udp
	in ipsec
	esp/transport//require
	spid=6 seq=1 pid=2086
	refcnt=1
192.168.1.231[1701] 192.168.1.105[1701] udp
	out ipsec
	esp/transport//require
	spid=7 seq=0 pid=2086
	refcnt=1

So outgoing l2tp packets should be esp transformed, right?

Regards

Éric Masson

--
E> sorry but I'm not really used to discussion groups
Lesson no. 1: you reply at the top and delete the message you're replying to.
That deletion makes reading much easier!!!
-+- DrN in: Le Neuneu par l'exemple -+-

From owner-freebsd-net@FreeBSD.ORG Thu Aug 16 09:56:56 2007
Date: Thu, 16 Aug 2007 18:24:18 +0900
From: KAWAGUTI Ginga
To: freebsd-net@freebsd.org
Cc: ginga-freebsd@ginganet.org
Message-ID: <20070816092418.GH6523@ginganet.org>
Subject: Some Broadcom GbE NIC(bge driver) suffers packet loss at receiving

Hi.

Some revision of Broadcom GbE NIC with the bge driver seems to lose 1 packet per 1000 packets at receiving on some occasion. Sending doesn't have this problem (receiving only).

This loss doesn't always happen, but when it happens, it seems that the loss is exactly 1 per 1000, as the last 3 digits of the lost packets' sequence numbers are all the same. (i.e. examples of lost packet seq-No. are: 3284, 4284, 5284, 8284, 9284, ...)

I've tested with:
* tcpdump capturing of SmartBits,
* ports/net/rude (network traffic generator/collector software)
* owping (one-way-ping)

This loss happens with:
* BCM5704(?) @ FreeBSD/i386 6-stable (Aug. 2007)
  (6-stable of some months ago also suffered from this problem)
* same type hardware (I tested with 2 HP DL385 servers, and it happened with both H/W.)
This loss doesn't happen with:
* same hardware with Linux (Fedora-Core 5)
* same server with a different NIC (Intel GbE with em driver), also with the same version of FreeBSD/i386 6-stable
* same FreeBSD/i386 6-stable with some other Broadcom cards (Broadcom BCM5752) (not the same PC/server, but other PC hardware)

-------------------------------------------------------
More precise hardware information is given below:

This happens with BCM5704 of this revision: (on-board with HP DL385 Opteron Server)

bge0: mem 0xf7df0000-0xf7dfffff irq 28 at device 6.0 on pci3
bge0: Reserved 0x10000 bytes for rid 0x10 type 3 at 0xf7df0000
miibus0: on bge0
brgphy0: on miibus0
brgphy0: OUI 0x000818, model 0x0019, rev. 0
brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
bge0: bpf attached
bge0: Ethernet address: 00:17:a4:8f:22:bc
ioapic2: routing intpin 0 (PCI IRQ 28) to vector 53
bge0: [MPSAFE]
bge1: mem 0xf7de0000-0xf7deffff irq 29 at device 6.1 on pci3
bge1: Reserved 0x10000 bytes for rid 0x10 type 3 at 0xf7de0000
miibus1: on bge1
brgphy1: on miibus1
brgphy1: OUI 0x000818, model 0x0019, rev. 0
brgphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
bge1: bpf attached
bge1: Ethernet address: 00:17:a4:8f:22:bb
ioapic2: routing intpin 1 (PCI IRQ 29) to vector 54
bge1: [MPSAFE]

pciconf -lvc:
bge0@pci3:6:0: class=0x020000 card=0x00d00e11 chip=0x164814e4 rev=0x10 hdr=0x00
    vendor   = 'Broadcom Corporation'
    device   = 'BCM5704 NetXtreme Dual Gigabit Adapter'
    class    = network
    subclass = ethernet
    cap 07[40] = PCI-X 64-bit supports 133MHz, 2048 burst read, 1 split transaction
    cap 01[48] = powerspec 2  supports D0 D3  current D0
    cap 03[50] = VPD
    cap 05[58] = MSI supports 8 messages, 64 bit

Other bge cards that don't suffer from this problem: (HP xw8400 Workstation on-board)

bge0: mem 0xfb600000-0xfb60ffff irq 17 at device 0.0 on pci31
bge0: Reserved 0x10000 bytes for rid 0x10 type 3 at 0xfb600000
bge0: Disabling fastboot
bge0: Disabling fastboot
miibus0: on bge0
brgphy0: on miibus0
brgphy0: OUI 0x000818, model 0x0010, rev. 0
brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
bge0: bpf attached
bge0: Ethernet address: 00:17:08:2a:a3:a3
ioapic0: routing intpin 17 (PCI IRQ 17) to vector 49
bge0: [MPSAFE]

pciconf -lvc:
bge0@pci31:0:0: class=0x020000 card=0x3015103c chip=0x160014e4 rev=0x01 hdr=0x00
    vendor   = 'Broadcom Corporation'
    device   = 'Broadcom NetXtreme Gigabit Ethernet'
    class    = network
    subclass = ethernet
    cap 01[48] = powerspec 2  supports D0 D3  current D0
    cap 03[50] = VPD
    cap 05[58] = MSI supports 8 messages, 64 bit
    cap 10[d0] = PCI-Express 1 endpoint
-------------------------------------------------------

#######################################################
Example usage of ports/net/rude (and crude) to test this.
#######################################################
(At packet sender:)
sender% cat > rude.cfg << EOFEOF
START NOW
1000 0030 ON 3002 10.1.1.1:10001 CONSTANT 10000 200
11000 0030 OFF
EOFEOF
sender% # Above config will send 10000 packets/sec for 10 secs.
        # ==> 100001 packets will be generated.
        # (+1 comes from rude's spec (bug?))
sender% rude -s rude.cfg            (Run packet generator)
rude version 0.70, Copyright (C) 1999 Juha Laine and Sampo Saaristo
rude comes with ABSOLUTELY NO WARRANTY! This is free software, and you are
welcome to redistribute it under GNU GENERAL PUBLIC LICENSE Version 2.
F_ID: F_START: F_STOP: F_SPORT: F_DADD: F_DPORT: F_err: F_suc: F_seq: F_TYPE: [+ type params]
30 1187254729.594905 1187254739.594905 3002 129.60.75.70 10001 0 100001 100001 CBR [r:10000 s:200]
sender%

#######################################################
(At packet receiver, which has the bge cards:)
receiver% crude -s 30
crude version 0.70, Copyright (C) 1999 Juha Laine and Sampo Saaristo
crude comes with ABSOLUTELY NO WARRANTY! This is free software, and you are
welcome to redistribute it under GNU GENERAL PUBLIC LICENSE Version 2.
^C                                  (Press Ctrl+C after rude@sender has finished)
Runtime statistics results:
---------------------------
Flow_ID=30 Packets: received=100001 out-of-seq=0 lost(est)=0
Total bytes received=20000200
Sequence numbers: first=0 last=100000
Delay: average = -0.001333 jitter=0.000069 seconds
Absolute maximum jitter=0.008760 seconds
Throughput=2.00001e+06 Bps (from first to last packet received)
receiver%
-------------------------------------------------------

For good GbE cards, the packet received count should be equal to the sender's packet count. For some of the bge cards mentioned above, the lost packet percentage comes to ~0.1%, and when looking at the sequence numbers, the loss seems to happen every 1000 packets.
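The report above reasons from two things: crude's summary counters and the pattern in the lost sequence numbers (the same last three digits, i.e. one loss per 1000). The following Python is an added example, not code from the thread and not part of rude or crude, that automates that reasoning. It assumes crude's "Runtime statistics results" block in the layout quoted above (the clean run is copied from the report; the lossy run and its sequence list are constructed to reproduce the described pattern) and a list of the sequence numbers the receiver actually got. It cross-checks the sequence list against crude's own received count, computes the loss rate, and decides whether the losses are regularly spaced, which is the distinction between a systematic receive-path drop and random loss.

```python
"""Receive-side loss analysis for a rude/crude run.

Added example, not code from the thread and not part of rude or crude.
Inputs: crude's "Runtime statistics results" block and the list of
sequence numbers the receiver saw (the list here is constructed).
"""
import re
from typing import Dict, List, Optional

# Copied from the report above: the run on a card that did not lose packets.
CLEAN_SUMMARY = """\
Runtime statistics results:
---------------------------
Flow_ID=30 Packets: received=100001 out-of-seq=0 lost(est)=0
Total bytes received=20000200
Sequence numbers: first=0 last=100000
"""

# Constructed (not a real capture): the same 100001-packet run on a card
# that drops every packet whose sequence number ends in 284.
LOSSY_SUMMARY = """\
Runtime statistics results:
---------------------------
Flow_ID=30 Packets: received=99901 out-of-seq=0 lost(est)=100
Total bytes received=19980200
Sequence numbers: first=0 last=100000
"""


def parse_crude_summary(text: str) -> Dict[str, int]:
    """Extract packet counts and the sequence-number range from the block."""
    pkts = re.search(r"received=(\d+)\s+out-of-seq=(\d+)\s+lost\(est\)=(\d+)", text)
    rng = re.search(r"first=(\d+)\s+last=(\d+)", text)
    if pkts is None or rng is None:
        raise ValueError("not a crude summary block")
    received, out_of_seq, lost = (int(x) for x in pkts.groups())
    first, last = (int(x) for x in rng.groups())
    return {"received": received, "out_of_seq": out_of_seq, "lost": lost,
            "first": first, "last": last, "expected": last - first + 1}


def missing_sequences(received_seqs: List[int], first: int, last: int) -> List[int]:
    """Sequence numbers in [first, last] that never arrived."""
    seen = set(received_seqs)
    return [s for s in range(first, last + 1) if s not in seen]


def loss_period(missing: List[int]) -> Optional[int]:
    """Spacing of the losses, if they are regularly spaced.

    The smallest gap between consecutive lost sequence numbers is the
    candidate period; it is accepted only when every other gap is a
    multiple of it, so the report's 3284, 4284, 5284, 8284, 9284 still
    gives 1000 although two slots in between were not lost.  Fewer than
    three losses is not enough to claim a pattern.
    """
    if len(missing) < 3:
        return None
    gaps = [b - a for a, b in zip(missing, missing[1:])]
    period = min(gaps)
    if period > 1 and all(g % period == 0 for g in gaps):
        return period
    return None


def analyse(summary_text: str, received_seqs: List[int]) -> Dict[str, object]:
    """Loss rate plus the period/residue of the losses, cross-checked
    against the counts crude itself reported."""
    s = parse_crude_summary(summary_text)
    if len(set(received_seqs)) != s["received"]:
        raise ValueError("sequence list does not match crude's received count")
    missing = missing_sequences(received_seqs, s["first"], s["last"])
    period = loss_period(missing)
    return {
        "expected": s["expected"],
        "received": s["received"],
        "missing": len(missing),
        "loss_rate": len(missing) / s["expected"],
        "period": period,
        # digits shared by every lost packet, e.g. 284 in the report
        "residue": (missing[0] % period) if period else None,
    }


def constructed_lossy_run():
    """Constructed receiver data matching LOSSY_SUMMARY."""
    received = [seq for seq in range(0, 100001) if seq % 1000 != 284]
    return LOSSY_SUMMARY, received


if __name__ == "__main__":
    summary, received = constructed_lossy_run()
    print(analyse(summary, received))
```

A `period` of 1000 with a fixed `residue` is the signature described in the report; random loss yields `period` None even at the same 0.1% rate, which is what separates a driver or ring-handling bug from ordinary congestion.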
From owner-freebsd-net@FreeBSD.ORG Thu Aug 16 14:51:59 2007
Date: Thu, 16 Aug 2007 18:24:31 +0400
From: Igor Sysoev
To: freebsd-net@freebsd.org
Message-ID: <20070816142431.GO57126@rambler-co.ru>
Subject: syncookie in 6.x and 7.x

During testing of 7.0-CURRENT I have found that it always sends syncookies, while on earlier FreeBSD versions "netstat -s -p tcp" always shows:

    0 cookies sent
    0 cookies received

I have looked at the sources and found that in earlier versions the sent counter was simply not incremented at all. The patch is attached.

After the patch has been applied I have found that 6 always sends syncookies too; however, 6, unlike 7, never receives them. Why?

Here are the 6 statistics:

    1046714 syncache entries added
    28395 retransmitted
    32879 dupsyn
    0 dropped
    1038153 completed
    0 bucket overflow
    0 cache overflow
    4201 reset
    3972 stale
    0 aborted
    0 badack
    254 unreach
    0 zone failures
    1046714 cookies sent
    0 cookies received

Here are the 7 statistics:

    76018 syncache entries added
    2536 retransmitted
    2574 dupsyn
    0 dropped
    75114 completed
    0 bucket overflow
    0 cache overflow
    456 reset
    267 stale
    0 aborted
    0 badack
    20 unreach
    0 zone failures
    76018 cookies sent
    24 cookies received

--
Igor Sysoev
http://sysoev.ru/en/

[attachment: syncookie.patch]
--- sys/netinet/tcp_syncache.c	2006-02-16 04:06:22.000000000 +0300
+++ sys/netinet/tcp_syncache.c	2007-08-15 13:55:25.000000000 +0400
@@ -1323,6 +1323,7 @@ MD5Final((u_char *)&md5_buffer, &syn_ctx); data ^= (md5_buffer[0] & ~SYNCOOKIE_WNDMASK); *flowid = md5_buffer[1]; + tcpstat.tcps_sc_sendcookie++; return (data); } --rS8CxjVDS/+yyDmU-- From owner-freebsd-net@FreeBSD.ORG Thu Aug 16 20:52:52 2007 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 45CB916A469 for ; Thu, 16 Aug 2007 20:52:52 +0000 (UTC) (envelope-from davidch@broadcom.com) Received: from mms2.broadcom.com (mms2.broadcom.com [216.31.210.18]) by mx1.freebsd.org (Postfix) with ESMTP id 1AF3B13C469 for ; Thu, 16 Aug 2007 20:52:52 +0000 (UTC) (envelope-from davidch@broadcom.com) Received: from [10.10.64.154] by mms2.broadcom.com with ESMTP (Broadcom SMTP Relay (Email Firewall v6.3.1)); Thu, 16 Aug 2007 13:52:39 -0700 X-Server-Uuid: A6C4E0AE-A7F0-449F-BAE7-7FA0D737AC76 Received: by mail-irva-10.broadcom.com (Postfix, from userid 47) id 12EC82AF; Thu, 16 Aug 2007 13:52:40 -0700 (PDT) Received: from mail-irva-8.broadcom.com (mail-irva-8 [10.10.64.221]) by mail-irva-10.broadcom.com (Postfix) with ESMTP id F338A2AE; Thu, 16 Aug 2007 13:52:39 -0700 (PDT) Received: from mail-irva-12.broadcom.com (mail-irva-12.broadcom.com [10.10.64.146]) by mail-irva-8.broadcom.com (MOS 3.7.5a-GA) with ESMTP id FOO43875; Thu, 16 Aug 2007 13:52:39 -0700 (PDT) Received: from NT-IRVA-0750.brcm.ad.broadcom.com ( nt-irva-0750.brcm.ad.broadcom.com [10.8.194.64]) by mail-irva-12.broadcom.com (Postfix) with ESMTP id 33C6369CA5; Thu, 16 Aug 2007 13:52:39 -0700 (PDT) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Date: Thu, 16 Aug 2007 13:52:37 -0700 Message-ID: <09BFF2FA5EAB4A45B6655E151BBDD90304C34AED@NT-IRVA-0750.brcm.ad.broadcom.com> In-Reply-To: <20070816092418.GH6523@ginganet.org> Thread-Topic: Some Broadcom GbE NIC(bge driver) suffers packet loss at receiving Thread-Index: 
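Review bot: in the tcp_syncache.c hunk above, the new increment of tcpstat.tcps_sc_sendcookie sits in the routine that computes the cookie value, immediately before `return (data);`, so it counts every cookie computed rather than every SYN-ACK that was answered with a cookie instead of a syncache entry. The 6.x statistics in the message bear this out: after the patch, "cookies sent" (1046714) equals "syncache entries added" (1046714) while "cache overflow" is 0, so the counter tracks the total number of SYNs handled and cannot distinguish normal syncache operation from the overflow case where a cookie is actually relied upon. If the intent is to measure cookie fallback, the increment belongs at the call site that decides to answer with a cookie rather than inside the generator; otherwise the "cookies sent" label should be documented as "cookie-derived ISNs generated". A smaller point: the hunk touches only the send side, so the 0 "cookies received" on 6.x that the message asks about is not explained or addressed by this patch.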
References: <20070816092418.GH6523@ginganet.org>
From: "David Christensen"
To: "KAWAGUTI Ginga", freebsd-net@freebsd.org
Subject: RE: Some Broadcom GbE NIC(bge driver) suffers packet loss at receiving

> Some revision of Broadcom GbE NIC with bge driver
> seems to lose 1 packet per 1000 packets at receiving on some occasion.
> Sending doesn't have this problem (receiving only).
>
> This loss doesn't always happen,
> but when it happens, it seems that the loss is exactly 1 per 1000,
> as the last 3 digits of the lost packets' sequence numbers are all the same.
> (i.e. examples of lost packet seq-No. are:
> 3284, 4284, 5284, 8284, 9284, ...)
>

The NIC maintains internal statistics which might give a clue to the cause of the packet loss. The latest bge driver in -CURRENT includes a number of "sysctl" nodes to bring out those statistics. Can you get that info?
Dave

From owner-freebsd-net@FreeBSD.ORG Fri Aug 17 08:00:01 2007
Date: Fri, 17 Aug 2007 13:29:59 +0530
Message-ID: <228b46650708170059j3813f81sdd6974337d7ce4cb@mail.gmail.com>
From: "rajneesh rana"
To: freebsd-net@freebsd.org
Subject: routing local traffic w/o using loopback interface

hello all,

i am opening up two tap interfaces, both connected to a bridge, assigning them IP addresses, and want to open up a tcp connection b/w them without using the loopback interface, so i bind the client socket to the first tap using the SO_BINDTODEVICE option and the socket server is listening on the other tap device. The problem is that when i'm calling connect, it is giving a timeout error. Is it possible to route traffic b/w two interfaces of the same machine w/o using the loopback interface and kernel hacking?
thanx

From owner-freebsd-net@FreeBSD.ORG Fri Aug 17 12:27:43 2007
Date: Fri, 17 Aug 2007 13:27:40 +0100
Message-ID: <46C5943C.6070000@FreeBSD.org>
From: "Bruce M. Simpson"
To: rajneesh rana
Cc: freebsd-net@freebsd.org
In-Reply-To: <228b46650708170059j3813f81sdd6974337d7ce4cb@mail.gmail.com>
References: <228b46650708170059j3813f81sdd6974337d7ce4cb@mail.gmail.com>
Subject: Re: routing local traffic w/o using loopback interface

rajneesh rana wrote:
> hello all,
>
> i am opening up two tap interfaces, both connected to bridge, assigning them
> IP addresses and want to open up tcp connection b/w them without using
> loopback interface, so i bind client socket to first tap using
> SO_BINDTODEVICE option and socket server listening on other tap device.
> The problem is that when i m calling connect, it is giving timeout error.
>

I am confused by your question because, to the best of my knowledge, the SO_BINDTODEVICE socket option does not exist in FreeBSD.

> Is it possible two route traffic b/w two interfaces of same machine w/o
> using loopback interface and kernel hacking.

Yes, I use if_bridge for this on a daily basis.
regards,
BMS

From owner-freebsd-net@FreeBSD.ORG Fri Aug 17 14:55:09 2007
Date: Fri, 17 Aug 2007 23:54:54 +0900
From: KAWAGUTI Ginga
To: David Christensen
Cc: KAWAGUTI Ginga, freebsd-net@freebsd.org
Message-ID: <20070817145454.GK6523@ginganet.org>
In-Reply-To: <09BFF2FA5EAB4A45B6655E151BBDD90304C34AED@NT-IRVA-0750.brcm.ad.broadcom.com>
References: <20070816092418.GH6523@ginganet.org> <09BFF2FA5EAB4A45B6655E151BBDD90304C34AED@NT-IRVA-0750.brcm.ad.broadcom.com>
Subject: Re: Some Broadcom GbE NIC(bge driver) suffers packet loss at receiving

On Thu, Aug 16, 2007 at 01:52:37PM -0700, David Christensen wrote:
> > Some revision of Broadcom GbE NIC with bge driver
> > seems to lose 1 packet per 1000 packets at receiving on some occasion.
> > Sending doesn't have this problem (receiving only).
> >
> > This loss doesn't always happen,
> > but when it happens, it seems that the loss is exactly 1 per 1000,
> > as the last 3 digits of the lost packets' sequence numbers are all the same.
> > (i.e. examples of lost packet seq-No. are:
> > 3284, 4284, 5284, 8284, 9284, ...)
>
> The NIC maintains internal statistics which might give a clue to
> the cause of the packet loss. The latest bge driver in -CURRENT
> includes a number of "sysctl" nodes to bring out those statistics.
> Can you get that info?

My previous problem report was based on 6-stable. I tried with 7-current, but the bge device didn't even work... With the cable plugged in, "ifconfig bge0" doesn't recognize the online status:

bge0: flags=8802 metric 0 mtu 1500
	options=9b
	ether 00:17:a4:8f:22:bc
	media: Ethernet autoselect
	status: no carrier

And when running ifconfig to set a V4 address, FreeBSD itself gets frozen.

7-current% ifconfig bge0 inet 192.168.0.100 netmask 0xffffff00
(...
frozen without any message... I need to reset the server hardware.)

So, the only information I can take is the sysctl output below, but without any packet send/receive.

-------------------------------------------------------
7-current% sysctl -a | grep bge
hw.bge.allow_asf: 1
dev.bge.0.%desc: HP NC7782 Gigabit Server Adapter, ASIC rev. 0x2100
dev.bge.0.%driver: bge
dev.bge.0.%location: slot=6 function=0 handle=\_SB_.CFG0.PCI2.NICA
dev.bge.0.%pnpinfo: vendor=0x14e4 device=0x1648 subvendor=0x0e11 subdevice=0x00d0 class=0x020000
dev.bge.0.%parent: pci3
dev.bge.0.stats.FramesDroppedDueToFilters: 0
dev.bge.0.stats.DmaWriteQueueFull: 0
dev.bge.0.stats.DmaWriteHighPriQueueFull: 0
dev.bge.0.stats.NoMoreRxBDs: 0
dev.bge.0.stats.InputDiscards: 0
dev.bge.0.stats.InputErrors: 0
dev.bge.0.stats.RecvThresholdHit: 0
dev.bge.0.stats.DmaReadQueueFull: 0
dev.bge.0.stats.DmaReadHighPriQueueFull: 0
dev.bge.0.stats.SendDataCompQueueFull: 0
dev.bge.0.stats.RingSetSendProdIndex: 0
dev.bge.0.stats.RingStatusUpdate: 0
dev.bge.0.stats.Interrupts: 0
dev.bge.0.stats.AvoidedInterrupts: 0
dev.bge.0.stats.SendThresholdHit: 0
dev.bge.0.stats.rx.Octets: 0
dev.bge.0.stats.rx.Fragments: 0
dev.bge.0.stats.rx.UcastPkts: 0
dev.bge.0.stats.rx.MulticastPkts: 0
dev.bge.0.stats.rx.FCSErrors: 0
dev.bge.0.stats.rx.AlignmentErrors: 0
dev.bge.0.stats.rx.xonPauseFramesReceived: 0
dev.bge.0.stats.rx.xoffPauseFramesReceived: 0
dev.bge.0.stats.rx.ControlFramesReceived: 0
dev.bge.0.stats.rx.xoffStateEntered: 0
dev.bge.0.stats.rx.FramesTooLong: 0
dev.bge.0.stats.rx.Jabbers: 0
dev.bge.0.stats.rx.UndersizePkts: 0
dev.bge.0.stats.rx.inRangeLengthError: 0
dev.bge.0.stats.rx.outRangeLengthError: 0
dev.bge.0.stats.tx.Octets: 0
dev.bge.0.stats.tx.Collisions: 0
dev.bge.0.stats.tx.XonSent: 0
dev.bge.0.stats.tx.XoffSent: 0
dev.bge.0.stats.tx.flowControlDone: 0
dev.bge.0.stats.tx.InternalMacTransmitErrors: 0
dev.bge.0.stats.tx.SingleCollisionFrames: 0
dev.bge.0.stats.tx.MultipleCollisionFrames: 0
dev.bge.0.stats.tx.DeferredTransmissions: 0
dev.bge.0.stats.tx.ExcessiveCollisions: 0
dev.bge.0.stats.tx.LateCollisions: 0
dev.bge.0.stats.tx.UcastPkts: 0
dev.bge.0.stats.tx.MulticastPkts: 0
dev.bge.0.stats.tx.BroadcastPkts: 0
dev.bge.0.stats.tx.CarrierSenseErrors: 0
dev.bge.0.stats.tx.Discards: 0
dev.bge.0.stats.tx.Errors: 0
dev.bge.1.%desc: HP NC7782 Gigabit Server Adapter, ASIC rev. 0x2100
dev.bge.1.%driver: bge
dev.bge.1.%location: slot=6 function=1
dev.bge.1.%pnpinfo: vendor=0x14e4 device=0x1648 subvendor=0x0e11 subdevice=0x00d0 class=0x020000
dev.bge.1.%parent: pci3
dev.bge.1.stats.FramesDroppedDueToFilters: 0
dev.bge.1.stats.DmaWriteQueueFull: 0
dev.bge.1.stats.DmaWriteHighPriQueueFull: 0
dev.bge.1.stats.NoMoreRxBDs: 0
dev.bge.1.stats.InputDiscards: 0
dev.bge.1.stats.InputErrors: 0
dev.bge.1.stats.RecvThresholdHit: 0
dev.bge.1.stats.DmaReadQueueFull: 0
dev.bge.1.stats.DmaReadHighPriQueueFull: 0
dev.bge.1.stats.SendDataCompQueueFull: 0
dev.bge.1.stats.RingSetSendProdIndex: 0
dev.bge.1.stats.RingStatusUpdate: 0
dev.bge.1.stats.Interrupts: 0
dev.bge.1.stats.AvoidedInterrupts: 0
dev.bge.1.stats.SendThresholdHit: 0
dev.bge.1.stats.rx.Octets: 0
dev.bge.1.stats.rx.Fragments: 0
dev.bge.1.stats.rx.UcastPkts: 0
dev.bge.1.stats.rx.MulticastPkts: 0
dev.bge.1.stats.rx.FCSErrors: 0
dev.bge.1.stats.rx.AlignmentErrors: 0
dev.bge.1.stats.rx.xonPauseFramesReceived: 0
dev.bge.1.stats.rx.xoffPauseFramesReceived: 0
dev.bge.1.stats.rx.ControlFramesReceived: 0
dev.bge.1.stats.rx.xoffStateEntered: 0
dev.bge.1.stats.rx.FramesTooLong: 0
dev.bge.1.stats.rx.Jabbers: 0
dev.bge.1.stats.rx.UndersizePkts: 0
dev.bge.1.stats.rx.inRangeLengthError: 0
dev.bge.1.stats.rx.outRangeLengthError: 0
dev.bge.1.stats.tx.Octets: 0
dev.bge.1.stats.tx.Collisions: 0
dev.bge.1.stats.tx.XonSent: 0
dev.bge.1.stats.tx.XoffSent: 0
dev.bge.1.stats.tx.flowControlDone: 0
dev.bge.1.stats.tx.InternalMacTransmitErrors: 0
dev.bge.1.stats.tx.SingleCollisionFrames: 0
dev.bge.1.stats.tx.MultipleCollisionFrames: 0
dev.bge.1.stats.tx.DeferredTransmissions: 0
dev.bge.1.stats.tx.ExcessiveCollisions: 0
dev.bge.1.stats.tx.LateCollisions: 0
dev.bge.1.stats.tx.UcastPkts: 0
dev.bge.1.stats.tx.MulticastPkts: 0
dev.bge.1.stats.tx.BroadcastPkts: 0
dev.bge.1.stats.tx.CarrierSenseErrors: 0
dev.bge.1.stats.tx.Discards: 0
dev.bge.1.stats.tx.Errors: 0
dev.miibus.0.%parent: bge0
dev.miibus.1.%parent: bge1
-------------------------------------------------------

Regards,
Ginga KAWAGUTI

From owner-freebsd-net@FreeBSD.ORG Fri Aug 17 21:06:54 2007
Date: Fri, 17 Aug 2007 17:00:05 -0400
Message-ID:
From: "Scott Ullrich"
To: FreeBSD_Net
In-Reply-To:
References:
Subject: Re: Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_1_2

On 8/17/07, Scott Ullrich wrote:
> Hello!
>
> We are trying to track down a problem that involves a large number of
> ipsec tunnels (in this case 80). Frequently racoon (ipsec-tools
> 0.7rc1 and also 0.6) will deadlock into the sbwait state or will enter
> a 100% cpu usage state and will not recover without killing the
> process and restarting.
>
> # uname -a
> FreeBSD pfsense.geekgod.com 6.2-RELEASE-p7 FreeBSD 6.2-RELEASE-p7 #0:
> Sat Aug 4 18:35:24 EDT 2007
> sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense.6
> i386
>
> Kernel configuration file:
> http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/builder_scripts/conf/pfSense.6?rev=1.65;content-type=text%2Fplain
>
> We were able to obtain a backtrace of what happens when the process
> enters a 100% tail-spin:
>
> $ more /root/racoon.20070817.2112.txt
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-marcel-freebsd"...
> Attaching to program: /usr/local/sbin/racoon, process 9144
> Reading symbols from /lib/libutil.so.5...done.
> Loaded symbols for /lib/libutil.so.5
> Reading symbols from /lib/libcrypto.so.4...done.
> Loaded symbols for /lib/libcrypto.so.4
> Reading symbols from /lib/libreadline.so.6...done.
> Loaded symbols for /lib/libreadline.so.6
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/libncurses.so.6...done.
> Loaded symbols for /lib/libncurses.so.6
> Reading symbols from /libexec/ld-elf.so.1...done.
> Loaded symbols for /libexec/ld-elf.so.1
> 0x2827a187 in recvfrom () from /lib/libc.so.6
> #0 0x2827a187 in recvfrom () from /lib/libc.so.6
> #1 0x28225904 in recv () from /lib/libc.so.6
> #2 0x0805f4f5 in pk_recv (so=11, lenp=0xbfbfe558) at pfkey.c:2826
> #3 0x0805f622 in pfkey_dump_sadb (satype=3) at pfkey.c:314
> #4 0x0805ac3d in purge_ipsec_spi (dst0=0x81b1080, proto=3, spi=0x8188140, n=1) at isakmp_inf.c:1173
> #5 0x0805ba5c in isakmp_info_recv (iph1=0x81c1e00, msg0=0x1) at isakmp_inf.c:565
> #6 0x0804ec49 in isakmp_main (msg=0x8218240, remote=0xbfbfe7f0, local=0xbfbfe770) at isakmp.c:671
> #7 0x0805003e in isakmp_handler (so_isakmp=24) at isakmp.c:395
> #8 0x0804bf88 in session () at session.c:223
> #9 0x0804b901 in main (ac=0, av=0xbfbfee4c) at main.c:264
> #0 0x2827a187 in recvfrom () from /lib/libc.so.6
> #1 0x28225904 in recv () from /lib/libc.so.6
> #2 0x0805f4f5 in pk_recv (so=11, lenp=0xbfbfe558) at pfkey.c:2826
> #3 0x0805f622 in pfkey_dump_sadb (satype=3) at pfkey.c:314
> #4 0x0805ac3d in purge_ipsec_spi (dst0=0x81b1080, proto=3, spi=0x8188140, n=1) at isakmp_inf.c:1173
> #5 0x0805ba5c in isakmp_info_recv (iph1=0x81c1e00, msg0=0x1) at isakmp_inf.c:565
> #6 0x0804ec49 in isakmp_main (msg=0x8218240, remote=0xbfbfe7f0, local=0xbfbfe770) at isakmp.c:671
> #7 0x0805003e in isakmp_handler (so_isakmp=24) at isakmp.c:395
> #8 0x0804bf88 in session () at session.c:223
> #9 0x0804b901 in main (ac=0, av=0xbfbfee4c) at main.c:264
>
> Does anyone know what we can look at further to try and eliminate the
> problem or does anyone have suggestions on how we can debug further?
Sorry, that title should have read RELENG_6_2. Freudian slip. Any help is appreciated.

Scott

From owner-freebsd-net@FreeBSD.ORG Fri Aug 17 21:20:00 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7CBF216A418 for ; Fri, 17 Aug 2007 21:20:00 +0000 (UTC) (envelope-from sullrich@gmail.com)
Received: from wa-out-1112.google.com (wa-out-1112.google.com [209.85.146.179]) by mx1.freebsd.org (Postfix) with ESMTP id 500EB13C4A8 for ; Fri, 17 Aug 2007 21:20:00 +0000 (UTC) (envelope-from sullrich@gmail.com)
Received: by wa-out-1112.google.com with SMTP id m33so333153wag for ; Fri, 17 Aug 2007 14:20:00 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=CAWrDHrz+ZdsGXgBRMthNYZdBWi3fGn6pMA5l4I3KNNBHz4pHzTwipFy0kxMB/m5bGc2LYyyUdLVNN4ALvNan0R23KKenz3LhacCTgnAkLP3EHCdhXtZd70LzAaypx2SwQ8UyXMtdGkddXxdHKzVPmbZ8jzqs40F6g0Ycid3csg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=DLzCKDkCFiHxE3/1ihZrFg+Qb6N2dxYjbBBcKlYtxpfKtvyLUFWg62uLCWURXKXGt4fRfu7qCioiu6S/V4IZaHwSrtZSEL1WvN8+Isa9mhf7sWO9GJesrl+j6KurskT16Af8oEA6H0ht+PYTYP983fFkR8WQpmWoxEc08qyD4lU=
Received: by 10.115.108.1 with SMTP id k1mr209175wam.1187384036592; Fri, 17 Aug 2007 13:53:56 -0700 (PDT)
Received: by 10.114.76.7 with HTTP; Fri, 17 Aug 2007 13:53:56 -0700 (PDT)
Message-ID:
Date: Fri, 17 Aug 2007 16:53:56 -0400
From: "Scott Ullrich"
To: FreeBSD_Net
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_1_2
X-List-Received-Date: Fri, 17 Aug 2007 21:20:00 -0000

Hello!

We are trying to track down a problem that involves a large number of ipsec tunnels (in this case 80). Frequently racoon (ipsec-tools 0.7rc1 and also 0.6) will deadlock into the sbwait state or will enter a 100% cpu usage state and will not recover without killing the process and restarting.

# uname -a
FreeBSD pfsense.geekgod.com 6.2-RELEASE-p7 FreeBSD 6.2-RELEASE-p7 #0: Sat Aug 4 18:35:24 EDT 2007 sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense.6 i386

Kernel configuration file:
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/builder_scripts/conf/pfSense.6?rev=1.65;content-type=text%2Fplain

We were able to obtain a backtrace of what happens when the process enters a 100% tail-spin:

$ more /root/racoon.20070817.2112.txt
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Attaching to program: /usr/local/sbin/racoon, process 9144
Reading symbols from /lib/libutil.so.5...done.
Loaded symbols for /lib/libutil.so.5
Reading symbols from /lib/libcrypto.so.4...done.
Loaded symbols for /lib/libcrypto.so.4
Reading symbols from /lib/libreadline.so.6...done.
Loaded symbols for /lib/libreadline.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libncurses.so.6...done.
Loaded symbols for /lib/libncurses.so.6
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
0x2827a187 in recvfrom () from /lib/libc.so.6
#0 0x2827a187 in recvfrom () from /lib/libc.so.6
#1 0x28225904 in recv () from /lib/libc.so.6
#2 0x0805f4f5 in pk_recv (so=11, lenp=0xbfbfe558) at pfkey.c:2826
#3 0x0805f622 in pfkey_dump_sadb (satype=3) at pfkey.c:314
#4 0x0805ac3d in purge_ipsec_spi (dst0=0x81b1080, proto=3, spi=0x8188140, n=1) at isakmp_inf.c:1173
#5 0x0805ba5c in isakmp_info_recv (iph1=0x81c1e00, msg0=0x1) at isakmp_inf.c:565
#6 0x0804ec49 in isakmp_main (msg=0x8218240, remote=0xbfbfe7f0, local=0xbfbfe770) at isakmp.c:671
#7 0x0805003e in isakmp_handler (so_isakmp=24) at isakmp.c:395
#8 0x0804bf88 in session () at session.c:223
#9 0x0804b901 in main (ac=0, av=0xbfbfee4c) at main.c:264
#0 0x2827a187 in recvfrom () from /lib/libc.so.6
#1 0x28225904 in recv () from /lib/libc.so.6
#2 0x0805f4f5 in pk_recv (so=11, lenp=0xbfbfe558) at pfkey.c:2826
#3 0x0805f622 in pfkey_dump_sadb (satype=3) at pfkey.c:314
#4 0x0805ac3d in purge_ipsec_spi (dst0=0x81b1080, proto=3, spi=0x8188140, n=1) at isakmp_inf.c:1173
#5 0x0805ba5c in isakmp_info_recv (iph1=0x81c1e00, msg0=0x1) at isakmp_inf.c:565
#6 0x0804ec49 in isakmp_main (msg=0x8218240, remote=0xbfbfe7f0, local=0xbfbfe770) at isakmp.c:671
#7 0x0805003e in isakmp_handler (so_isakmp=24) at isakmp.c:395
#8 0x0804bf88 in session () at session.c:223
#9 0x0804b901 in main (ac=0, av=0xbfbfee4c) at main.c:264

Does anyone know what we can look at further to try and eliminate the problem or does anyone have suggestions on how we can debug further?
Thanks

Scott

From owner-freebsd-net@FreeBSD.ORG Sat Aug 18 10:28:06 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EA19616A41A for ; Sat, 18 Aug 2007 10:28:06 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (reverse-25.fdn.fr [80.67.176.25]) by mx1.freebsd.org (Postfix) with ESMTP id 7D4EA13C457 for ; Sat, 18 Aug 2007 10:28:06 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from jayce.zen.inc (jayce.zen.inc [192.168.1.7]) by smtp.zeninc.net (smtpd) with ESMTP id D27863F7A for ; Sat, 18 Aug 2007 12:28:04 +0200 (CEST)
Received: by jayce.zen.inc (Postfix, from userid 1000) id 916052E5B5; Sat, 18 Aug 2007 12:28:03 +0200 (CEST)
Date: Sat, 18 Aug 2007 12:28:03 +0200
From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Message-ID: <20070818102803.GA1319@jayce.zen.inc>
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: All mail clients suck. This one just sucks less.
Subject: Re: Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_1_2
X-List-Received-Date: Sat, 18 Aug 2007 10:28:07 -0000

On Fri, Aug 17, 2007 at 04:53:56PM -0400, Scott Ullrich wrote:
> Hello!

Hi.

> We are trying to track down a problem that involves a large number of
> ipsec tunnels (in this case 80). Frequently racoon (ipsec-tools
> 0.7rc1 and also 0.6) will deadlock into the sbwait state or will enter
> a 100% cpu usage state and will not recover without killing the
> process and restarting.
> [....]
[backtrace]
> #0 0x2827a187 in recvfrom () from /lib/libc.so.6
> #1 0x28225904 in recv () from /lib/libc.so.6
> #2 0x0805f4f5 in pk_recv (so=11, lenp=0xbfbfe558) at pfkey.c:2826
> #3 0x0805f622 in pfkey_dump_sadb (satype=3) at pfkey.c:314
> [....]
> Does anyone know what we can look at further to try and eliminate the
> problem or does anyone have suggestions on how we can debug further?

It really looks like an old "known" (well, at least known by me...) problem with the PFKey interface: it is quite impossible to set up more than 50-100 tunnels on a standard FreeBSD (and probably any other KAME based stack), because some kind of socket related problems will happen when racoon tries to get the SPD or the SADB entries.

When the problem occurs with the SPD, racoon won't be able to negotiate some tunnels (because it doesn't have the SPD entries in its own table); when the problem occurs with the SADB, it can lead to the 100% CPU usage you have....
Some workarounds are possible depending on your configuration: you may be able to reduce the number of used SAs (merge some phase 2s with contiguous subnets, use REQUIRE instead of UNIQUE for some tunnels, etc...), but if you have 80 peers with each one only ONE phase 2, that's another problem....

To solve that problem, the only solution we found is to do a big PFKey hack, to have only one request/response, and all the SPD/SAD entries exchanged via a single buffer shared by kernel and racoon.

I also know an old bug in the sbspace macro (found in FreeBSD 4.x), but it seems it has been fixed at least in FreeBSD 6.

Yvan.

--
NETASQ
http://www.netasq.com

From owner-freebsd-net@FreeBSD.ORG Sat Aug 18 11:58:50 2007
Return-Path:
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6390C16A418 for ; Sat, 18 Aug 2007 11:58:50 +0000 (UTC) (envelope-from emss@free.fr)
Received: from kraid.nerim.net (kraid.ipv6.nerim.net [IPv6:2001:7a8:1:1::95]) by mx1.freebsd.org (Postfix) with ESMTP id E176813C461 for ; Sat, 18 Aug 2007 11:58:49 +0000 (UTC) (envelope-from emss@free.fr)
Received: from srvbsdnanssv.interne.kisoft-services.com (kisoft.net1.nerim.net [62.212.107.51]) by kraid.nerim.net (Postfix) with ESMTP id A778BCF04A; Sat, 18 Aug 2007 13:58:47 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by srvbsdnanssv.interne.kisoft-services.com (Postfix) with ESMTP id 0C844D6BE; Sat, 18 Aug 2007 13:58:47 +0200 (CEST)
X-Virus-Scanned: amavisd-new at interne.kisoft-services.com
Received: from srvbsdnanssv.interne.kisoft-services.com ([127.0.0.1]) by localhost (srvbsdnanssv.interne.kisoft-services.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t3MCZ3xa374T; Sat, 18 Aug 2007 13:58:43 +0200 (CEST)
Received: by srvbsdnanssv.interne.kisoft-services.com (Postfix, from userid 1001) id 65C78D667; Sat, 18 Aug 2007 13:58:43 +0200 (CEST)
To: "Bjoern A. Zeeb"
From: Eric Masson
In-Reply-To: <86fy2mjsho.fsf@srvbsdnanssv.interne.kisoft-services.com> (Eric Masson's message of "Tue, 14 Aug 2007 12:54:59 +0200")
References: <867inzn945.fsf@srvbsdnanssv.interne.kisoft-services.com> <20070813091634.C87821@maildrop.int.zabbadoz.net> <86k5ryjutw.fsf@srvbsdnanssv.interne.kisoft-services.com> <20070814101809.Q87821@maildrop.int.zabbadoz.net> <86fy2mjsho.fsf@srvbsdnanssv.interne.kisoft-services.com>
X-Operating-System: FreeBSD 6.2-RELEASE-p7 i386
Date: Sat, 18 Aug 2007 13:58:43 +0200
Message-ID: <867intkqa4.fsf@srvbsdnanssv.interne.kisoft-services.com>
User-Agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b28 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 8bit
Cc: Mailing List FreeBSD Network
Subject: Re: pf rdr statement & ipsec processing interaction
X-List-Received-Date: Sat, 18 Aug 2007 11:58:50 -0000

Eric Masson writes:

Hello,

> So outgoing l2tp packets should be esp transformed, right ?

I've been able to reproduce the problem on a -current box (sources from yesterday), should I file a PR ?

Regards

Éric Masson

--
Is it true that one can meet someone on the internet? Because I'm looking for my soulmate
-+- SR in: - Does Neuneu have a soul?
-+-

From owner-freebsd-net@FreeBSD.ORG Sat Aug 18 14:21:19 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BEC7016A417 for ; Sat, 18 Aug 2007 14:21:19 +0000 (UTC) (envelope-from ml@t-b-o-h.net)
Received: from vjofn.tucs-beachin-obx-house.com (vjofn-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::5e5]) by mx1.freebsd.org (Postfix) with ESMTP id 0FB4C13C457 for ; Sat, 18 Aug 2007 14:21:17 +0000 (UTC) (envelope-from ml@t-b-o-h.net)
Received: from himinbjorg.tucs-beachin-obx-house.com (cpe-68-175-8-11.hvc.res.rr.com [68.175.8.11]) (authenticated bits=0) by vjofn.tucs-beachin-obx-house.com (8.12.9/8.12.9) with ESMTP id l7IELDKv061193 for ; Sat, 18 Aug 2007 10:21:13 -0400 (EDT)
Received: from himinbjorg.tucs-beachin-obx-house.com (localhost.tucs-beachin-obx-house.com [127.0.0.1]) by himinbjorg.tucs-beachin-obx-house.com (8.13.8/8.13.6) with ESMTP id l7IEL8Ep057506 for ; Sat, 18 Aug 2007 10:21:08 -0400 (EDT) (envelope-from ml@t-b-o-h.net)
Received: (from tbohml@localhost) by himinbjorg.tucs-beachin-obx-house.com (8.13.8/8.13.6/Submit) id l7IEL8eG057505 for freebsd-net@freebsd.org; Sat, 18 Aug 2007 10:21:08 -0400 (EDT) (envelope-from tbohml)
From: "Tuc at T-B-O-H.NET"
Message-Id: <200708181421.l7IEL8eG057505@himinbjorg.tucs-beachin-obx-house.com>
To: freebsd-net@freebsd.org
Date: Sat, 18 Aug 2007 10:21:08 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL8]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Failover default route?
X-List-Received-Date: Sat, 18 Aug 2007 14:21:19 -0000

Hi,

I know it's been talked about before, did 1/2 an hour of Google...

In my case, as always, it's a bit "special". I have 2 OPENVPN tunnels, which I send over different transits to the same end host. On that host, I do my NAT. So, without getting into all sorts of hot/heavy things, is there a simple program to install to ping something via the first tunnel, and if it can't then switch my default route to the second tunnel? Or, do I just use a script like here :

http://www.freebsddiary.org/phorum/read.php?f=6&i=79&t=79

Thanks, Tuc

From owner-freebsd-net@FreeBSD.ORG Sat Aug 18 15:19:08 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9794816A41B for ; Sat, 18 Aug 2007 15:19:08 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com)
Received: from mx00.pub.collaborativefusion.com (mx00.pub.collaborativefusion.com [206.210.89.199]) by mx1.freebsd.org (Postfix) with ESMTP id 4939B13C4A6 for ; Sat, 18 Aug 2007 15:19:08 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com)
Received: from working (c-71-60-127-199.hsd1.pa.comcast.net [71.60.127.199]) (AUTH: LOGIN wmoran, SSL: TLSv1/SSLv3,256bits,AES256-SHA) by wingspan with esmtp; Sat, 18 Aug 2007 11:19:06 -0400 id 00056419.46C70DEA.0000C071
Date: Sat, 18 Aug 2007 11:19:06 -0400
From: Bill Moran
To: "Tuc at T-B-O-H.NET"
Message-Id: <20070818111906.c3c8fee9.wmoran@collaborativefusion.com>
In-Reply-To: <200708181421.l7IEL8eG057505@himinbjorg.tucs-beachin-obx-house.com>
References: <200708181421.l7IEL8eG057505@himinbjorg.tucs-beachin-obx-house.com>
Organization: Collaborative Fusion Inc.
X-Mailer: Sylpheed 2.4.4 (GTK+ 2.10.14; i386-portbld-freebsd6.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: Failover default route?
X-List-Received-Date: Sat, 18 Aug 2007 15:19:08 -0000

"Tuc at T-B-O-H.NET" wrote:
>
> Hi,
>
> I know it's been talked about before, did 1/2 an
> hour of Google...
>
> In my case, as always, it's a bit "special". I have
> 2 OPENVPN tunnels, which I send over different transits to
> the same end host. On that host, I do my NAT. So, without
> getting into all sorts of hot/heavy things, is there a simple
> program to install to ping something via the first tunnel,
> and if it can't then switch my default route to the second
> tunnel? Or, do I just use a script like here :

The protocols designed to handle this are things like RIP and BGP. However, in a case like yours, where you control both ends of things, it's probably better to just use a script.

--
Bill Moran
Collaborative Fusion Inc.
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023

From owner-freebsd-net@FreeBSD.ORG Sat Aug 18 18:06:10 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 270B716A418 for ; Sat, 18 Aug 2007 18:06:10 +0000 (UTC) (envelope-from bms@FreeBSD.org)
Received: from out2.smtp.messagingengine.com (out2.smtp.messagingengine.com [66.111.4.26]) by mx1.freebsd.org (Postfix) with ESMTP id F2EF613C45E for ; Sat, 18 Aug 2007 18:06:09 +0000 (UTC) (envelope-from bms@FreeBSD.org)
Received: from compute1.internal (compute1.internal [10.202.2.41]) by out1.messagingengine.com (Postfix) with ESMTP id 8CE2414BA9; Sat, 18 Aug 2007 14:06:09 -0400 (EDT)
Received: from heartbeat2.messagingengine.com ([10.202.2.161]) by compute1.internal (MEProxy); Sat, 18 Aug 2007 14:06:09 -0400
X-Sasl-enc: /GdvFJH1/9dd7oypmQXCie137U1pVf9kIOxdXSS7bf30 1187460369
Received: from empiric.lon.incunabulum.net (82-35-112-254.cable.ubr07.dals.blueyonder.co.uk [82.35.112.254]) by mail.messagingengine.com (Postfix) with ESMTP id 151EB19E4C; Sat, 18 Aug 2007 14:06:08 -0400 (EDT)
Message-ID: <46C7350F.9020507@FreeBSD.org>
Date: Sat, 18 Aug 2007 19:06:07 +0100
From: "Bruce M. Simpson"
User-Agent: Thunderbird 2.0.0.4 (X11/20070630)
MIME-Version: 1.0
To: "Tuc at T-B-O-H.NET"
References: <200708181421.l7IEL8eG057505@himinbjorg.tucs-beachin-obx-house.com>
In-Reply-To: <200708181421.l7IEL8eG057505@himinbjorg.tucs-beachin-obx-house.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: Failover default route?
X-List-Received-Date: Sat, 18 Aug 2007 18:06:10 -0000

Tuc at T-B-O-H.NET wrote:
> In my case, as always, it's a bit "special". I have
> 2 OPENVPN tunnels, which I send over different transits to
> the same end host. On that host, I do my NAT. So, without
> getting into all sorts of hot/heavy things, is there a simple
> program to install to ping something via the first tunnel,
> and if it can't then switch my default route to the second
> tunnel? Or, do I just use a script like here :

As Bill correctly points out, reachability detection using a routing protocol is often the preferred method; however, this isn't always available.

Pinging is NOT the best practice, see RFC 1122 3.3.1.4:
http://www.freesoft.org/CIE/RFC/1122/56.htm

You could use ifstated to detect changes in the tunnel interface status and switch default routes accordingly, though it doesn't significantly reduce the amount of manual scripting you have to do.

Microsoft's TCP implementation performs dead gateway detection based on triggered reselection as per RFC 816; however, they have a multipath capable FIB which can hold the multiple next-hops and their state -- something to consider for later.

An incremental piecemeal change which folks might find OK may be to add cost metrics back to the kernel radix trie, but that still has all the aggro of changing the API.
regards
BMS

From owner-freebsd-net@FreeBSD.ORG Sat Aug 18 19:58:17 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2986316A418 for ; Sat, 18 Aug 2007 19:58:17 +0000 (UTC) (envelope-from sullrich@gmail.com)
Received: from wa-out-1112.google.com (wa-out-1112.google.com [209.85.146.180]) by mx1.freebsd.org (Postfix) with ESMTP id 008CC13C481 for ; Sat, 18 Aug 2007 19:58:16 +0000 (UTC) (envelope-from sullrich@gmail.com)
Received: by wa-out-1112.google.com with SMTP id m33so300940wag for ; Sat, 18 Aug 2007 12:58:16 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=NvhzaN7rGYxKVLzL7dN1s62k5fsJmbV3qCGJpRaAdKqTjFF58ascmQVYu/XSuJ3A+mBwfwfd/6YJBWBbPDJAgl8sY6vRnlPsBM1RNFSXFXU8Do4MY8a1jbn8MENVoGgQXWVRqrk/srGx4vZ6y6hgVIekks34dFj9TIlcRSlsv7o=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=e7IBdvQSwanyQbbi/ba03zOQKIH7SB8nb5J8X43wF4xOCTuqraez3IEEapdLDwfO9SgKPUcntYp8q2kHyEyf3Vcb0tEQr773i6PTmXs4ZaWOR0+cRVZf/lOojfBLD2qPgZJSdQCstxykCNZBw58Z53hev+swTVyZjzjQfapr1Qg=
Received: by 10.114.131.9 with SMTP id e9mr657443wad.1187467096198; Sat, 18 Aug 2007 12:58:16 -0700 (PDT)
Received: by 10.114.76.7 with HTTP; Sat, 18 Aug 2007 12:58:16 -0700 (PDT)
Message-ID:
Date: Sat, 18 Aug 2007 15:58:16 -0400
From: "Scott Ullrich"
To: "VANHULLEBUS Yvan"
In-Reply-To: <20070818102803.GA1319@jayce.zen.inc>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <20070818102803.GA1319@jayce.zen.inc>
Cc: freebsd-net@freebsd.org
Subject: Re: Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_1_2
X-List-Received-Date: Sat, 18 Aug 2007 19:58:17 -0000

On 8/18/07, VANHULLEBUS Yvan wrote:
[snip]
> It really looks like an old "known" (well, at least known by me...)
> problem with PFKey interface: it is quite impossible to set up more
> than 50-100 tunnels on a standard FreeBSD (and probably any other KAME
> based stack), because some kind of socket related problems will happen
> when racoon will try to get the SPD or the SADB entries.
>
> When the problem occurs with the SPD, racoon won't be able to
> negotiate some tunnels (because it doesn't have the SPD entries in
> its own table), when the problem occurs with the SADB, it can lead
> to the 100% CPU usage you have....
>
> Some workarounds are possible depending on your configuration, you may
> be able to reduce the number of used SAs (merge some phase 2s with
> contiguous subnets, use REQUIRE instead of UNIQUE for some tunnels,
> etc...), but if you have 80 peers with each one only ONE phase 2,
> that's another problem....
>
> To solve that problem, the only solution we found is to do a big PFKey
> hack, to have only one request/response, and all the SPD/SAD entries
> exchanged via a single buffer shared by kernel and racoon.
>
> I also know an old bug in sbspace macro (found in FreeBSD 4.x), but it
> seems it has been fixed at least in FreeBSD 6.

Thanks for the very detailed response.
We have worked around the problem for now with a simple shell script that looks for racoon falling over and simply restarts it.

Does anyone know if this is fixed in 7-CURRENT? If so we can easily wait until 7 arrives as we plan on releasing pfSense on the 7 platform as soon as it is released.

George, would you like me to file a PR for this against 7-CURRENT?

Thanks again for all the responses.

Scott

From owner-freebsd-net@FreeBSD.ORG Sat Aug 18 22:40:57 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1B00B16A418 for ; Sat, 18 Aug 2007 22:40:57 +0000 (UTC) (envelope-from cypheros@gmail.com)
Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.187]) by mx1.freebsd.org (Postfix) with ESMTP id E575E13C459 for ; Sat, 18 Aug 2007 22:40:56 +0000 (UTC) (envelope-from cypheros@gmail.com)
Received: by rv-out-0910.google.com with SMTP id l15so688142rvb for ; Sat, 18 Aug 2007 15:40:56 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; b=g8n+HQuv6ODlDQAhOcHh1aCpEXp374zL2XEoT185H0I0TwXmdW4+NKygG8tK4/4cDrYNsfpYKclOk/KNCUHuUk/SlwDg4VnPJqWZYuyYR+oXRn9VwFQsQ2MV9+ziSGtl/fplJPsZfInPcNyhd7J3RTsS+NueYUJh3/t3Kq3CfjM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type; b=DC2jcdwKauWhheXNyWCzg4jkvLRMCBoT7ORjZdkFYDR8mtm09fxYTlEo7vr4P5OgDlBwf6TVcjKed/QYxfHcNK1mMCHCYlvGDQa8t+l73Iky6Nkt5ClHZUyHu5gjq4QkyJq/e4XA8rc4HWyMhaOyZ/GOrhrrQO3HfhtJEd2jdcE=
Received: by 10.142.215.5 with SMTP id n5mr247827wfg.1187475171794; Sat, 18 Aug 2007 15:12:51 -0700 (PDT)
Received: by 10.143.31.10 with HTTP; Sat, 18 Aug 2007 15:12:51 -0700 (PDT)
Message-ID: <9a7bbc700708181512u74edcc59j51c72baf20f80591@mail.gmail.com>
Date: Sat, 18 Aug 2007 18:12:51 -0400
From: "Michael Hawkins"
To: freebsd-net@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: problems with networking...
X-List-Received-Date: Sat, 18 Aug 2007 22:40:57 -0000

Sorry if this is sorta n00bish, but I have a problem that Google hasn't answered for me yet...

I have a moderately-sized network that I am trying to run, with about 70 or so machines on it. The DHCP server (running FreeBSD 6.2, IPv4 address: 10.11.12.254, Subnet is 10.11.12.0/24) acts as a gateway server as well, and has ipnat running for traffic routing.

So far, I have had no problems with ANY of the machines on this network connecting, save one--my File server (running FreeBSD 6.2 as well, IPv4 address: 10.11.12.253). For some reason, whenever I try to establish any connection to ANY network address (on any protocol), it will only connect to one address: 10.11.12.252 (and won't connect to anything when that machine is off).

Here is a ping listing:

#ping 10.11.12.254
PING 10.11.12.254 (10.11.12.254): 56 data bytes
64 bytes from 10.11.12.252: icmp_seq=0 ttl=64 time=0.852 ms

...and it continues precisely in that manner until I stop it.

I have tried re-installing the OS on the file server, but with no change in results. I have removed the machine at 10.11.12.252 with the only change being that the file-server can obtain NO connection to ANY IP address.

Any help would be appreciated.
Thanks,
Michael

From owner-freebsd-net@FreeBSD.ORG Sat Aug 18 23:14:48 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3E6B416A417 for ; Sat, 18 Aug 2007 23:14:48 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com)
Received: from mx00.pub.collaborativefusion.com (mx00.pub.collaborativefusion.com [206.210.89.199]) by mx1.freebsd.org (Postfix) with ESMTP id E6BF813C45A for ; Sat, 18 Aug 2007 23:14:47 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com)
Received: from working (c-71-60-127-199.hsd1.pa.comcast.net [71.60.127.199]) (AUTH: LOGIN wmoran, SSL: TLSv1/SSLv3,256bits,AES256-SHA) by wingspan with esmtp; Sat, 18 Aug 2007 19:14:45 -0400 id 0005641B.46C77D65.0000E0EF
Date: Sat, 18 Aug 2007 19:14:46 -0400
From: Bill Moran
To: "Michael Hawkins"
Message-Id: <20070818191446.d9d4d050.wmoran@collaborativefusion.com>
In-Reply-To: <9a7bbc700708181512u74edcc59j51c72baf20f80591@mail.gmail.com>
References: <9a7bbc700708181512u74edcc59j51c72baf20f80591@mail.gmail.com>
Organization: Collaborative Fusion Inc.
X-Mailer: Sylpheed 2.4.4 (GTK+ 2.10.14; i386-portbld-freebsd6.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: problems with networking...
X-List-Received-Date: Sat, 18 Aug 2007 23:14:48 -0000

"Michael Hawkins" wrote:
>
> Sorry if this is sorta n00bish, but I have a problem that Google hasn't
> answered for me yet...
> I have a moderately-sized network that I am trying to run, with about 70 or
> so machines on it. The DHCP server (running FreeBSD 6.2, IPv4 address:
> 10.11.12.254, Subnet is 10.11.12.0/24) acts as a gateway server as well, and
> has ipnat running for traffic routing.
>
> So far, I have had no problems with ANY of the machines on this network
> connecting, save one--my File server (running FreeBSD 6.2 as well, IPv4
> address: 10.11.12.253). For some reason, whenever I try to establish any
> connection to ANY network address (on any protocol), it will only connect to
> one address: 10.11.12.252 (and won't connect to anything when that machine
> is off).
> Here is a ping listing:
> #ping 10.11.12.254
> PING 10.11.12.254 (10.11.12.254): 56 data bytes
> 64 bytes from 10.11.12.252: icmp_seq=0 ttl=64 time=0.852 ms
>
>
> ...and it continues precisely in that manner until I stop it.
>
> I have tried re-installing the OS on the file server, but with no change in
> results.
> I have removed the machine at 10.11.12.252 with the only change
> being that the file-server can obtain NO connection to ANY IP address.
>
> Any help would be appreciated.

Why don't you cut/paste the output of

ifconfig -a

and

netstat -rn

I suspect your network settings are incorrect.

--
Bill Moran
Collaborative Fusion Inc.
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023
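Added illustration for the racoon/PF_KEY thread above (Scott's backtrace ending in pfkey_dump_sadb() -> pk_recv() -> recv(), and Yvan's diagnosis that large SADB/SPD dumps break on the PF_KEY socket). This is not code from racoon, ipsec-tools or the FreeBSD kernel. It assumes the RFC 2367 sadb_msg and sadb_sa layouts and the dump convention racoon's pfkey_dump_sadb() relies on (the kernel numbers SADB_DUMP replies downward and racoon stops at the reply with seq 0); the kernel replies are constructed in-process and delivered over an AF_UNIX socketpair, so no real PF_KEY socket is opened and nothing needs root. The SPI values, pid 9144 (taken from the gdb session) and the truncation point are made up for the example.

```python
"""PF_KEY (RFC 2367) SADB_DUMP reader with a hard stop on a dump that never
finishes.  Added example; not racoon's or FreeBSD's code.

racoon keeps calling recv() until it sees a SADB_DUMP reply whose seq is 0.
If the kernel could not deliver the tail of a large dump, that reply never
comes and the daemon sits in recv() (the sbwait state in the thread).  This
reader bounds the wait and reports the dump as incomplete instead.
"""
import errno
import socket
import struct

PF_KEY_V2 = 2
SADB_DUMP = 10
SADB_SATYPE_ESP = 3      # satype=3 in the posted backtrace
SADB_EXT_SA = 1

# struct sadb_msg: version, type, errno, satype, len (8-byte units), reserved, seq, pid
SADB_MSG = struct.Struct("=BBBBHHII")
# struct sadb_sa: len (units), exttype, spi (network order), replay, state, auth, encrypt, flags
SADB_SA = struct.Struct("=HHIBBBBI")


def build_dump_reply(spis, pid, satype=SADB_SATYPE_ESP, keep=None):
    """Constructed kernel reply stream: one SADB_DUMP message per SA, seq counting
    down to 0 on the last one; an empty SADB is answered with errno ENOENT.
    keep=N throws away everything after the first N messages, i.e. the truncated
    dump the thread describes."""
    msgs = []
    for i, spi in enumerate(spis):
        sa = SADB_SA.pack(SADB_SA.size // 8, SADB_EXT_SA, socket.htonl(spi), 0, 1, 0, 0, 0)
        total = SADB_MSG.size + len(sa)
        hdr = SADB_MSG.pack(PF_KEY_V2, SADB_DUMP, 0, satype, total // 8, 0,
                            len(spis) - 1 - i, pid)
        msgs.append(hdr + sa)
    if not spis:
        msgs.append(SADB_MSG.pack(PF_KEY_V2, SADB_DUMP, errno.ENOENT, satype,
                                  SADB_MSG.size // 8, 0, 0, pid))
    return msgs if keep is None else msgs[:keep]


def parse_dump_msg(raw):
    """Return (header dict, [spi, ...]) for one PF_KEY datagram; raise on a
    malformed header or an extension that overruns the message."""
    if len(raw) < SADB_MSG.size:
        raise ValueError("short PF_KEY message: %d bytes" % len(raw))
    ver, mtype, err, satype, mlen, _res, seq, pid = SADB_MSG.unpack_from(raw)
    if ver != PF_KEY_V2 or mlen * 8 != len(raw):
        raise ValueError("bad version/length: v%d len=%d bytes=%d" % (ver, mlen, len(raw)))
    spis, off = [], SADB_MSG.size
    while off + 4 <= len(raw):
        elen, etype = struct.unpack_from("=HH", raw, off)
        if elen == 0 or off + elen * 8 > len(raw):
            raise ValueError("extension at offset %d overruns message" % off)
        if etype == SADB_EXT_SA:
            spis.append(socket.ntohl(SADB_SA.unpack_from(raw, off)[2]))
        off += elen * 8
    return {"type": mtype, "errno": err, "satype": satype, "seq": seq, "pid": pid}, spis


def read_dump(sock, pid, timeout=0.5):
    """Drain SADB_DUMP replies the way racoon does, but with a deadline.
    Returns (spis, complete); complete is False when the seq==0 reply never
    arrived within `timeout` seconds of silence."""
    sock.settimeout(timeout)
    spis = []
    while True:
        try:
            raw = sock.recv(65536)            # one PF_KEY message per datagram
        except socket.timeout:
            return spis, False                # where racoon would stay in sbwait
        hdr, found = parse_dump_msg(raw)
        if hdr["type"] != SADB_DUMP or hdr["pid"] != pid:
            continue                          # reply meant for another PF_KEY client
        if hdr["errno"] == errno.ENOENT:
            return spis, True                 # empty SADB: the dump is complete
        if hdr["errno"] != 0:
            raise OSError(hdr["errno"], "SADB_DUMP failed")
        spis.extend(found)
        if hdr["seq"] == 0:
            return spis, True


def dump_via_socketpair(msgs, pid, timeout=0.2):
    """Push a constructed reply stream through an AF_UNIX datagram pair and read it."""
    kern, user = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        for m in msgs:
            kern.send(m)
        return read_dump(user, pid, timeout=timeout)
    finally:
        kern.close()
        user.close()


if __name__ == "__main__":
    spis = [0x1000, 0x1001, 0x1002]
    print(dump_via_socketpair(build_dump_reply(spis, 9144), 9144))
    print(dump_via_socketpair(build_dump_reply(spis, 9144, keep=2), 9144))
```

The second call in the `__main__` block is the thread's failure mode: two of three replies arrive and the seq 0 message never does. racoon's loop has no deadline, so it would block in recv() until killed; with the timeout the caller gets an incomplete result it can log and retry, which is also a cleaner trigger for a watchdog like the restart script Scott mentions. The bound does not make the kernel deliver the missing entries, so the workarounds Yvan lists (fewer SAs, or his single-buffer PF_KEY change) still apply.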
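Added example for the "Failover default route?" thread above, showing the ping-and-switch script Tuc asked about and Bill suggested, with the hysteresis a practitioner would add so a single lost packet does not flap the default route. It is not the freebsddiary script Tuc linked, not ifstated, and not code from any of the posters. Everything concrete is an assumption made for illustration: the primary tunnel is tun0 with far-end address 10.8.0.1 and the backup is tun1 with far-end 10.9.0.1; because the far end of a point-to-point tun interface is on-link, pinging it exercises that tunnel no matter where the default route currently points, so no per-probe host routes are needed; route changes use FreeBSD's `route change default <gateway>`. The decision logic is kept free of side effects so it can be exercised without touching the routing table.

```python
"""Ping-based default-route failover between two point-to-point tunnels.
Added example; not code from the thread, from ifstated or from FreeBSD.
Interface names, far-end addresses and thresholds are assumptions."""
import subprocess
import sys
import time

PRIMARY = {"name": "tun0", "gw": "10.8.0.1"}   # assumed far end of tunnel 1
BACKUP = {"name": "tun1", "gw": "10.9.0.1"}    # assumed far end of tunnel 2
FAIL_AFTER = 3       # consecutive lost probes before abandoning the primary
RECOVER_AFTER = 5    # consecutive good probes before moving back (hysteresis)
INTERVAL_S = 10


def probe(host, timeout_s=2.0):
    """One ICMP echo to host; True on a reply.  `ping -q -c 1` is common to
    FreeBSD and Linux ping(8); the wall-clock bound is enforced here instead
    of with the OS-specific -W/-t flags."""
    try:
        return subprocess.run(["ping", "-q", "-c", "1", host],
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL,
                              timeout=timeout_s).returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False


def route_change_cmd(link):
    """argv that repoints the default route at link's far end (FreeBSD route(8))."""
    return ["route", "change", "default", link["gw"]]


class Failover:
    """Pure state machine: feed it probe results, read back the link to use."""

    def __init__(self):
        self.active = PRIMARY
        self.bad = 0     # consecutive failed primary probes
        self.good = 0    # consecutive successful primary probes

    def step(self, primary_ok, backup_ok):
        if primary_ok:
            self.good, self.bad = self.good + 1, 0
        else:
            self.bad, self.good = self.bad + 1, 0
        if self.active is PRIMARY and self.bad >= FAIL_AFTER and backup_ok:
            self.active = BACKUP      # never switch onto a backup that is also dead
        elif self.active is BACKUP and self.good >= RECOVER_AFTER:
            self.active = PRIMARY
        return self.active


def run(dry_run=True):
    """Probe both far ends every INTERVAL_S seconds and apply route changes
    only when the chosen link actually changes."""
    fsm, current = Failover(), None
    while True:
        want = fsm.step(probe(PRIMARY["gw"]), probe(BACKUP["gw"]))
        if want is not current:
            cmd = route_change_cmd(want)
            print("default route -> %s: %s" % (want["name"], " ".join(cmd)))
            if not dry_run:
                subprocess.run(cmd, check=True)
            current = want
        time.sleep(INTERVAL_S)


if __name__ == "__main__":
    run(dry_run="--apply" not in sys.argv)
```

Run it without arguments to see what it would do; `--apply` makes it call route(8), which needs root. Bruce's RFC 1122 point still stands: a reply from the tunnel's far end only proves that endpoint answers ICMP, not that traffic through it reaches the Internet, so a stronger signal is a probe of something beyond the far end over a host route pinned to that tunnel, or the interface-state tracking ifstated offers.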