From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 10 02:11:12 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 863EA1065674 for ; Mon, 10 Mar 2008 02:11:12 +0000 (UTC) (envelope-from araujobsdport@gmail.com) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.244]) by mx1.freebsd.org (Postfix) with ESMTP id 4134D8FC17 for ; Mon, 10 Mar 2008 02:11:11 +0000 (UTC) (envelope-from araujobsdport@gmail.com) Received: by an-out-0708.google.com with SMTP id c14so507560anc.13 for ; Sun, 09 Mar 2008 19:11:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:reply-to:organization:user-agent:mime-version:to:cc:subject:x-enigmail-version:openpgp:content-type:from; bh=IBCMiAUw+i4PVibkcU7uR0St+TKIhY+GxLYtmJjkUtc=; b=MKDR9Jf3Qou2R16815N4MGOpK/4x8/bN/pwYY4w6vXwiwMLDIMiwuJNYexyrT397UoeH6SLsljZcXA75qlY2R5Pv1Br611I9XxiiWGAICylGI93kUj8Zrf/su+XOeOO8EilzuykbzRpjl/9Rll6s/GysU5W+ys/fZqds2kQLwKI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:reply-to:organization:user-agent:mime-version:to:cc:subject:x-enigmail-version:openpgp:content-type:from; b=jI5BthKI3PDP49KK27XNBtoXS6Y5gQPx2xqjt/vyC5fcaaxFTyH+j1WKEZCH8cjpmvoFpD9nOv460qXqIwlC1E9wpBr+SLkeb+Of08Ta7Z9FXII0iewDXinJdwlD5JmZYdQQEzh7C/PKDB6Ldwxa3QySwebrOXjsvrk1epYCngE= Received: by 10.100.173.18 with SMTP id v18mr9875668ane.101.1205115071344; Sun, 09 Mar 2008 19:11:11 -0700 (PDT) Received: from island.freebsd.org ( [201.47.46.197]) by mx.google.com with ESMTPS id b32sm12838499ana.33.2008.03.09.19.11.08 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 09 Mar 2008 19:11:10 -0700 (PDT) Message-ID: <47D498BD.9060702@FreeBSD.org> Date: Sun, 09 Mar 2008 23:11:09 -0300 Organization: FreeBSD User-Agent: Thunderbird 2.0.0.0 (X11/20070521) MIME-Version: 1.0 To: "Andrey V. Elsukov" X-Enigmail-Version: 0.95.0 OpenPGP: id=53E4CFA8 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig9F6A38EB869DB60F4788D144" From: Marcelo Araujo Cc: stas@mbsd.msk.ru, Luigi Rizzo , novel@FreeBSD.org, Oleg Bulyzhin , freebsd-ipfw@freebsd.org, Julian Elischer , Ion-Mihai Tetcu , "Bruce M. Simpson" Subject: ipfw modip X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: araujo@FreeBSD.org List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Mar 2008 02:11:12 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig9F6A38EB869DB60F4788D144 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi all, In this weekend I worked again in modip function and I added the patchs sent by novel@, but I've a some doubt around an error. When I add within ip_fw.h: 162 O_TAGGED, /* arg1=3Dtag number */ 163 164 O_SET_IPDF, 165 O_SETIPTOSPRE, The O_SET_IPDF running right, but O_SETIPTOSPRE no as below: island# ipfw add modip df:0 ip from any to any 65100 setdf 0 ip from any to any island# ipfw add modip ippre:flash ip from any to any ipfw: getsockopt(IP_FW_ADD): Invalid argument island# When I change the sequence and put the O_IPTOSPRE in first location within ip_fw.h: 162 O_TAGGED, /* arg1=3Dtag number */ 163 164 O_SETIPTOSPRE, 165 O_SET_IPDF, island# ipfw add modip ippre:flash ip from any to any 65300 iptospre flash ip from any to any island# ipfw add modip df:0 ip from any to any ipfw: getsockopt(IP_FW_ADD): Invalid argument Somebody can close look and point where I did an error. The patch are at: http://people.freebsd.org/~araujo/logs/modip.diff Best Regards, --=20 Marcelo Araujo (__) araujo@FreeBSD.org \\\'',) http://www.FreeBSD.org \/ \ ^ Power To Server. .\. /_) --------------enig9F6A38EB869DB60F4788D144 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) iD8DBQFH1JjEovxJd1Pkz6gRApeIAJ9b+59aIhIcWwMZK+4WfohH/ltOEwCeL/pL vG9xZk6D8zoPVxQqONitXeo= =qnYK -----END PGP SIGNATURE----- --------------enig9F6A38EB869DB60F4788D144-- From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 10 11:07:04 2008 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 252B21065733 for ; Mon, 10 Mar 2008 11:07:04 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 2A2528FC25 for ; Mon, 10 Mar 2008 11:07:04 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m2AB732w086575 for ; Mon, 10 Mar 2008 11:07:03 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m2AB73gP086571 for freebsd-ipfw@FreeBSD.org; Mon, 10 Mar 2008 11:07:03 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 10 Mar 2008 11:07:03 GMT Message-Id: <200803101107.m2AB73gP086571@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-ipfw@FreeBSD.org Cc: Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Mar 2008 11:07:04 -0000 Current FreeBSD problem reports Critical problems Serious problems S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/51274 ipfw [ipfw] [patch] ipfw2 create dynamic rules with parent o kern/73910 ipfw [ipfw] serious bug on forwarding of packets after NAT o kern/74104 ipfw [ipfw] ipfw2/1 conflict not detected or reported, manp o kern/88659 ipfw [modules] ipfw and ip6fw do not work properly as modul o kern/93300 ipfw [ipfw] ipfw pipe lost packets o kern/95084 ipfw [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW o kern/97504 ipfw [ipfw] IPFW Rules bug o kern/97951 ipfw [ipfw] [patch] ipfw does not tie interface details to o kern/98831 ipfw [ipfw] ipfw has UDP hickups o kern/102471 ipfw [ipfw] [patch] add tos and dscp support o kern/103454 ipfw [ipfw] [patch] [request] add a facility to modify DF b o kern/106534 ipfw [ipfw] [panic] ipfw + dummynet o kern/112708 ipfw [ipfw] ipfw is seems to be broken to limit number of c o kern/117234 ipfw [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s o kern/118993 ipfw [ipfw] page fault - probably it's a locking problem 15 problems total. Non-critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- a kern/26534 ipfw [ipfw] Add an option to ipfw to log gid/uid of who cau o kern/46159 ipfw [ipfw] [patch] [request] ipfw dynamic rules lifetime f o kern/48172 ipfw [ipfw] [patch] ipfw does not log size and flags o kern/55984 ipfw [ipfw] [patch] time based firewalling support for ipfw o kern/60719 ipfw [ipfw] Headerless fragments generate cryptic error mes o kern/69963 ipfw [ipfw] install_state warning about already existing en o kern/71366 ipfw [ipfw] "ipfw fwd" sometimes rewrites destination mac a o kern/72987 ipfw [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes ( o bin/78785 ipfw [ipfw] [patch] ipfw verbosity locks machine if /etc/rc o kern/80642 ipfw [ipfw] [patch] ipfw small patch - new RULE OPTION o kern/82724 ipfw [ipfw] [patch] [request] Add setnexthop and defaultrou o kern/86957 ipfw [ipfw] [patch] ipfw mac logging o kern/87032 ipfw [ipfw] [patch] ipfw ioctl interface implementation o kern/91847 ipfw [ipfw] ipfw with vlanX as the device o kern/103328 ipfw [ipfw] [request] sugestions about ipfw table o kern/104682 ipfw [ipfw] [patch] Some minor language consistency fixes a o bin/104921 ipfw [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a o kern/105330 ipfw [ipfw] [patch] ipfw (dummynet) does not allow to set q o kern/107305 ipfw [ipfw] ipfw fwd doesn't seem to work o kern/111713 ipfw [dummynet] [request] Too few dummynet queue slots o kern/112561 ipfw [ipfw] ipfw fwd does not work with some TCP packets p kern/113388 ipfw [ipfw][patch] Addition actions with rules within speci o docs/113803 ipfw [patch] ipfw(8) - don't get bitten by the fwd rule o bin/115172 ipfw [patch] ipfw(8) list show some rules with a wrong form p kern/115755 ipfw [ipfw][patch] unify message and add a rule number wher o kern/116009 ipfw [ipfw] [patch] Ignore errors when loading ruleset from o kern/121122 ipfw [ipfw] [patch] add support to ToS IP PRECEDENCE fields o kern/121382 ipfw [dummeynet]: 6.3-RELEASE-p1 page fault in dummynet (co 28 problems total. From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 12 18:00:02 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 970561065673 for ; Wed, 12 Mar 2008 18:00:02 +0000 (UTC) (envelope-from wadeklaver@itiva.com) Received: from mail.crossflux.com (a2.9.1243.static.theplanet.com [67.18.9.162]) by mx1.freebsd.org (Postfix) with SMTP id 5EBA88FC14 for ; Wed, 12 Mar 2008 18:00:02 +0000 (UTC) (envelope-from wadeklaver@itiva.com) Received: (qmail 25955 invoked by uid 522); 12 Mar 2008 12:22:25 -0500 Received: from 69.10.147.2 by mog (envelope-from , uid 508) with qmail-scanner-1.25 (clamdscan: 0.87/2614. spamassassin: 3.1.8. Clear:RC:0(69.10.147.2):SA:0(-2.6/5.0):. Processed in 1.198514 secs); 12 Mar 2008 17:22:25 -0000 X-Spam-Status: No, hits=-2.6 required=5.0 Received: from unknown (HELO ?192.168.7.50?) (wadeklaver@itiva.com@69.10.147.2) by mail.crossflux.com with SMTP; 12 Mar 2008 12:22:24 -0500 From: Wade Klaver To: freebsd-hackers@freebsd.org Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-L/S4LNxbzLpvKH3MrrIG" Date: Wed, 12 Mar 2008 10:33:04 -0700 Message-Id: <1205343184.4032.44.camel@wade-linux.itiva.com> Mime-Version: 1.0 X-Mailer: Evolution 2.8.3 (2.8.3-2.fc6) Cc: freebsd-ipfw@freebsd.org Subject: On the trail of a dummynet/bridge/ipfw bug. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Mar 2008 18:00:02 -0000 --=-L/S4LNxbzLpvKH3MrrIG Content-Type: text/plain Content-Transfer-Encoding: quoted-printable PROBLEM DESCRIPTION I have a bridge set up on a 7.0 box and am attempting to use it to limit HTTP connections outgoing from a box behind it to 192Kbit/s for testing. During this testing I ran into some problems. At first, I found that the number of simultaneous pipes was limited to 1024, allowing only 1024 192Kbit/s clients. Additional clients were simply blocked. I am using a very simple firewall config: ipfw pipe 1 config bw 192Kbits/s mask all ipfw add 00051 skipto 99 ip from 192.168.0.0/16 to 192.168.0.0/16 ipfw add 00052 skipto 1000 ip from any to any ipfw add 00100 pipe 1 ip from 192.168.10.88 80 to any via bridge0 ipfw add 00200 pipe 1 ip from any 25111 to any via bridge Regardless of how many clients I threw at the box, I had the limit: [root@ibm3550b ~]# ipfw pipe show | wc -l 1028 We managed to track this down to a problem in the ipfw2 userland app. The following patch to /usr/src/sbin/ipfw/ipfw2.c allowed this limit to be surpassed. It would appear that ipfw does not dynamically resize the pipe array beyond the initial 1024 elements allocated. # diff ipfw2.c ipfw2.c.orig=20 2507c2507 < int nalloc =3D 8192; /* start somewhere... */ --- > int nalloc =3D 1024; /* start somewhere... */ However, this just revealed a bigger problem, potentially do to the above patch, potentially due to something worse. Now the bridge will allow more connections, up to around 2300 where the bridge just dies. and no more traffic passes. It is worth noting that I can still connect to the bridge itself if it has an IP assigned to it, but traffic through the bridge ceases. It is also remedied by a /etc/rc.d/netif restart. ADDITIONAL NOTES Please let me know if there is any additional information I can provide. In the kernel options below, HZ=3D2000 was just something I was trying. The problem exhibits itself with HZ=3D1000 as well. I posted this to -hackers and to -ipfw. Please direct me and future corresp= ondence=20 on this issue to the most appropriate list. I just felt it was not solid enough to go to -bugs yet. SYSTEM INFORMATION IBM 3550 XEON 5345 4GB Memory [root@ibm3550b /usr/src/sys]# uname -a FreeBSD ibm3550b.itivalabs.net 7.0-STABLE FreeBSD 7.0-STABLE #13: Wed Mar 12 03:26:08 PDT 2008 root@ibm3550b.itivalabs.net:/usr/obj/usr/src/sys/WADE amd64 Bridge members: bce0: mem 0xc8000000-0xc9ffffff irq 18 at device 0.0 on pci4 bce1: mem 0xce000000-0xcfffffff irq 16 at device 0.0 on pci6 Kernel options: # Make an SMP-capable kernel by default options SMP # Symmetric MultiProcessor Kernel options LIBALIAS options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #enable logging to syslogd(8) options IPFIREWALL_VERBOSE_LIMIT=3D100 #limit verbosity options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default options IPFIREWALL_FORWARD #packet destination changes options IPFIREWALL_NAT #ipfw kernel nat support options IPDIVERT #divert sockets #options IPFILTER #ipfilter support #options IPFILTER_LOG #ipfilter logging #options IPFILTER_LOOKUP #ipfilter pools #options IPFILTER_DEFAULT_BLOCK #block all packets by default options IPSTEALTH #support for stealth forwarding options MBUF_STRESS_TEST options DUMMYNET options HZ=3D2000 options EXT2FS /etc/sysctl.conf net.inet.ip.fw.dyn_max=3D8192 net.inet.ip.dummynet.hash_size=3D4096 net.inet.ip.fw.dyn_buckets=3D1024 net.inet.ip.dummynet.max_chain_len=3D64 kern.ipc.nmbclusters=3D32768 --=-L/S4LNxbzLpvKH3MrrIG Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQBH2BPKne3UhGESRwURAkMVAKCVjfXweg6+gXn1c9kAM2v07o4+JgCfXZga Ebsj07bJ4wcROQhzdqVcBOQ= =B200 -----END PGP SIGNATURE----- --=-L/S4LNxbzLpvKH3MrrIG-- From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 12 21:00:55 2008 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F136B1065674; Wed, 12 Mar 2008 21:00:55 +0000 (UTC) (envelope-from vwe@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id CEA8C8FC12; Wed, 12 Mar 2008 21:00:55 +0000 (UTC) (envelope-from vwe@FreeBSD.org) Received: from freefall.freebsd.org (vwe@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m2CL0tdA088959; Wed, 12 Mar 2008 21:00:55 GMT (envelope-from vwe@freefall.freebsd.org) Received: (from vwe@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m2CL0t7V088955; Wed, 12 Mar 2008 21:00:55 GMT (envelope-from vwe) Date: Wed, 12 Mar 2008 21:00:55 GMT Message-Id: <200803122100.m2CL0t7V088955@freefall.freebsd.org> To: bu7cher@yandex.ru, vwe@FreeBSD.org, freebsd-ipfw@FreeBSD.org From: vwe@FreeBSD.org Cc: Subject: Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Mar 2008 21:00:56 -0000 Synopsis: [ipfw] [patch] ipfw small patch - new RULE OPTION State-Changed-From-To: open->suspended State-Changed-By: vwe State-Changed-When: Wed Mar 12 20:58:32 UTC 2008 State-Changed-Why: Awaiting maintainer interest. This may be useful for one, so we're not just closing this silently. http://www.freebsd.org/cgi/query-pr.cgi?pr=80642 From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 12 22:11:00 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6AB811065676 for ; Wed, 12 Mar 2008 22:11:00 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from msrv.matik.com.br (msrv.matik.com.br [200.152.83.14]) by mx1.freebsd.org (Postfix) with ESMTP id F0C738FC22 for ; Wed, 12 Mar 2008 22:10:59 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from nbc.matik.com.br (nbc.matik.com.br [200.152.88.34] (may be forged)) by msrv.matik.com.br (8.14.1/8.13.1) with ESMTP id m2CL5kgi019838; Wed, 12 Mar 2008 18:05:46 -0300 (BRT) (envelope-from asstec@matik.com.br) From: AT Matik Organization: Infomatik To: freebsd-ipfw@freebsd.org Date: Wed, 12 Mar 2008 18:05:19 -0300 User-Agent: KMail/1.9.9 References: <1205343184.4032.44.camel@wade-linux.itiva.com> In-Reply-To: <1205343184.4032.44.camel@wade-linux.itiva.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200803121805.19918.asstec@matik.com.br> X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on msrv.matik.com.br X-Virus-Status: Clean Cc: Wade Klaver Subject: Re: On the trail of a dummynet/bridge/ipfw bug. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Mar 2008 22:11:00 -0000 On Wednesday 12 March 2008 14:33:04 Wade Klaver wrote: > PROBLEM DESCRIPTION > > I have a bridge set up on a 7.0 box and am attempting to use it to limit > HTTP connections outgoing from a box behind it to 192Kbit/s for testing. > During this testing I ran into some problems. At first, I found that > the number of simultaneous pipes was limited to 1024, allowing only 1024 > 192Kbit/s clients. Additional clients were simply blocked. I am using > a very simple firewall config: > > ipfw pipe 1 config bw 192Kbits/s mask all > ipfw add 00051 skipto 99 ip from 192.168.0.0/16 to 192.168.0.0/16 > ipfw add 00052 skipto 1000 ip from any to any > ipfw add 00100 pipe 1 ip from 192.168.10.88 80 to any via bridge0 > ipfw add 00200 pipe 1 ip from any 25111 to any via bridge > > Regardless of how many clients I threw at the box, I had the limit: > > [root@ibm3550b ~]# ipfw pipe show | wc -l > 1028 > you must have something wrong there, I just checked on one of my boxes: # ipfw pipe show | wc -l 1797 =2D-=20 Atenciosamente, J.M. Respons=E1vel Plant=E3o Site Support Matik Infomatik Internet Technology (18)3551.8155 =A0(18)8112.7007 http://info.matik.com.br A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura. Service fornecido pelo Datacenter Matik https://datacenter.matik.com.br From owner-freebsd-ipfw@FreeBSD.ORG Thu Mar 13 09:21:21 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 065EB106566B for ; Thu, 13 Mar 2008 09:21:21 +0000 (UTC) (envelope-from freebsd-ipfw@m.gmane.org) Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by mx1.freebsd.org (Postfix) with ESMTP id BA7388FC1A for ; Thu, 13 Mar 2008 09:21:20 +0000 (UTC) (envelope-from freebsd-ipfw@m.gmane.org) Received: from list by ciao.gmane.org with local (Exim 4.43) id 1JZjck-0003ZB-Su for freebsd-ipfw@freebsd.org; Thu, 13 Mar 2008 09:21:18 +0000 Received: from 195.208.174.178 ([195.208.174.178]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 13 Mar 2008 09:21:18 +0000 Received: from vadim_nuclight by 195.208.174.178 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 13 Mar 2008 09:21:18 +0000 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-ipfw@freebsd.org From: Vadim Goncharov Date: Thu, 13 Mar 2008 09:21:11 +0000 (UTC) Organization: Nuclear Lightning @ Tomsk, TPU AVTF Hostel Lines: 22 Message-ID: References: <200803122100.m2CL0t7V088955@freefall.freebsd.org> X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: 195.208.174.178 X-Comment-To: vwe@FreeBSD.org User-Agent: slrn/0.9.8.1 (FreeBSD) Sender: news Subject: Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vadim_nuclight@mail.ru List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Mar 2008 09:21:21 -0000 Hi vwe@FreeBSD.org! On Wed, 12 Mar 2008 21:00:55 GMT; vwe@FreeBSD.org wrote about 'Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION': > State-Changed-From-To: open->suspended > State-Changed-By: vwe > State-Changed-When: Wed Mar 12 20:58:32 UTC 2008 > State-Changed-Why: > Awaiting maintainer interest. > This may be useful for one, so we're not just closing this silently. > http://www.freebsd.org/cgi/query-pr.cgi?pr=80642 Yes, this is useful, but some minor changes are needed, I think. First, rename it to "bytelimit" or somewhat. Second, allow this to use tablearg and possibly ability to reference a counter to corresponding dynamic rule, to allow this to act for a specific IP or connection without need to write many rules. Third, add packet counter as well. That's all possible with one opcode, though... -- WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru [Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight] From owner-freebsd-ipfw@FreeBSD.ORG Thu Mar 13 09:40:19 2008 Return-Path: Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1FE641065671 for ; Thu, 13 Mar 2008 09:40:19 +0000 (UTC) (envelope-from piso@southcross.wired.org) Received: from mail.oltrelinux.com (krisma.oltrelinux.com [194.242.226.43]) by mx1.freebsd.org (Postfix) with ESMTP id D25218FC22 for ; Thu, 13 Mar 2008 09:40:18 +0000 (UTC) (envelope-from piso@southcross.wired.org) Received: from southcross.wired.org (host-84-221-232-101.cust-adsl.tiscali.it [84.221.232.101]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.oltrelinux.com (Postfix) with ESMTP id 178F011AE7E; Thu, 13 Mar 2008 10:40:14 +0100 (CET) Received: (from piso@localhost) by southcross.wired.org (8.14.2/8.14.1/Submit) id m2D9hvfR009288; Thu, 13 Mar 2008 10:43:57 +0100 (CET) (envelope-from piso) Date: Thu, 13 Mar 2008 10:43:56 +0100 From: Paolo Pisati To: Vadim Goncharov Message-ID: <20080313094356.GA9219@tin.it> References: <200803122100.m2CL0t7V088955@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.17 (2007-11-01) X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at krisma.oltrelinux.com Cc: freebsd-ipfw@FreeBSD.org Subject: Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Mar 2008 09:40:19 -0000 On Thu, Mar 13, 2008 at 09:21:11AM +0000, Vadim Goncharov wrote: > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=80642 > > Yes, this is useful, but some minor changes are needed, I think. First, rename > it to "bytelimit" or somewhat. Second, allow this to use tablearg and possibly > ability to reference a counter to corresponding dynamic rule, to allow this to > act for a specific IP or connection without need to write many rules. Third, > add packet counter as well. That's all possible with one opcode, though... if anyone post an updated patch, i'll commit it. -- bye, P. From owner-freebsd-ipfw@FreeBSD.ORG Thu Mar 13 11:26:35 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CB829106566B for ; Thu, 13 Mar 2008 11:26:35 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from msrv.matik.com.br (msrv.matik.com.br [200.152.83.14]) by mx1.freebsd.org (Postfix) with ESMTP id 4C8908FC26 for ; Thu, 13 Mar 2008 11:26:35 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from anb.p.matik.com.br (anb.p.matik.com.br [200.152.83.34] (may be forged)) by msrv.matik.com.br (8.14.1/8.13.1) with ESMTP id m2DBQX2e082656; Thu, 13 Mar 2008 08:26:33 -0300 (BRT) (envelope-from asstec@matik.com.br) From: AT Matik Organization: Infomatik To: freebsd-ipfw@freebsd.org, vadim_nuclight@mail.ru Date: Thu, 13 Mar 2008 08:26:07 -0300 User-Agent: KMail/1.9.7 References: <200803122100.m2CL0t7V088955@freefall.freebsd.org> In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200803130826.07875.asstec@matik.com.br> X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on msrv.matik.com.br X-Virus-Status: Clean Cc: Subject: Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Mar 2008 11:26:35 -0000 On Thursday 13 March 2008 06:21:11 Vadim Goncharov wrote: > Hi vwe@FreeBSD.org! > > On Wed, 12 Mar 2008 21:00:55 GMT; vwe@FreeBSD.org wrote about 'Re:=20 kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION': > > State-Changed-From-To: open->suspended > > State-Changed-By: vwe > > State-Changed-When: Wed Mar 12 20:58:32 UTC 2008 > > State-Changed-Why: > > Awaiting maintainer interest. > > This may be useful for one, so we're not just closing this silently. > > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=3D80642 > > Yes, this is useful, but some minor changes are needed, I think. First, > rename it to "bytelimit" or somewhat. Second, allow this to use tablearg > and possibly ability to reference a counter to corresponding dynamic rule, > to allow this to act for a specific IP or connection without need to write > many rules. Third, add packet counter as well. That's all possible with o= ne > opcode, though... I think the best would be that it works as "limit src-ip N" does, using=20 perhaps the limit keyword as well but as in ".... limit max-bytes N" what=20 would give sufficient possibilities for pass and skipto etc=20 =2D-=20 Atenciosamente, J.M. Respons=E1vel Plant=E3o Site Support Matik Infomatik Internet Technology (18)3551.8155 =A0(18)8112.7007 http://info.matik.com.br A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura. Service fornecido pelo Datacenter Matik https://datacenter.matik.com.br From owner-freebsd-ipfw@FreeBSD.ORG Thu Mar 13 13:24:38 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A30551065674 for ; Thu, 13 Mar 2008 13:24:38 +0000 (UTC) (envelope-from freebsd-ipfw@m.gmane.org) Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by mx1.freebsd.org (Postfix) with ESMTP id 54A768FC1D for ; Thu, 13 Mar 2008 13:24:32 +0000 (UTC) (envelope-from freebsd-ipfw@m.gmane.org) Received: from list by ciao.gmane.org with local (Exim 4.43) id 1JZnQ0-0005uG-3a for freebsd-ipfw@freebsd.org; Thu, 13 Mar 2008 13:24:24 +0000 Received: from 195.208.174.178 ([195.208.174.178]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 13 Mar 2008 13:24:24 +0000 Received: from vadim_nuclight by 195.208.174.178 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 13 Mar 2008 13:24:24 +0000 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-ipfw@freebsd.org From: Vadim Goncharov Date: Thu, 13 Mar 2008 13:24:13 +0000 (UTC) Organization: Nuclear Lightning @ Tomsk, TPU AVTF Hostel Lines: 30 Message-ID: References: <200803122100.m2CL0t7V088955@freefall.freebsd.org> <200803130826.07875.asstec@matik.com.br> X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: 195.208.174.178 X-Comment-To: AT Matik User-Agent: slrn/0.9.8.1 (FreeBSD) Sender: news Subject: Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vadim_nuclight@mail.ru List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Mar 2008 13:24:38 -0000 Hi AT Matik! On Thu, 13 Mar 2008 08:26:07 -0300; AT Matik wrote about 'Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION': > kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION': >>> State-Changed-From-To: open->suspended >>> State-Changed-By: vwe >>> State-Changed-When: Wed Mar 12 20:58:32 UTC 2008 >>> State-Changed-Why: >>> Awaiting maintainer interest. >>> This may be useful for one, so we're not just closing this silently. >>> >>> http://www.freebsd.org/cgi/query-pr.cgi?pr=80642 >> >> Yes, this is useful, but some minor changes are needed, I think. First, >> rename it to "bytelimit" or somewhat. Second, allow this to use tablearg >> and possibly ability to reference a counter to corresponding dynamic rule, >> to allow this to act for a specific IP or connection without need to write >> many rules. Third, add packet counter as well. That's all possible with one >> opcode, though... > I think the best would be that it works as "limit src-ip N" does, using > perhaps the limit keyword as well but as in ".... limit max-bytes N" what > would give sufficient possibilities for pass and skipto etc Dynamic rules should be reworked in more general way than this. I'll write a proposal with ideas to discuss later... -- WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru [Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight] From owner-freebsd-ipfw@FreeBSD.ORG Thu Mar 13 21:07:10 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7905E1065677 for ; Thu, 13 Mar 2008 21:07:10 +0000 (UTC) (envelope-from wadeklaver@itiva.com) Received: from mail.crossflux.com (a2.9.1243.static.theplanet.com [67.18.9.162]) by mx1.freebsd.org (Postfix) with SMTP id 373E18FC15 for ; Thu, 13 Mar 2008 21:07:10 +0000 (UTC) (envelope-from wadeklaver@itiva.com) Received: (qmail 9032 invoked by uid 522); 13 Mar 2008 15:56:07 -0500 Received: from 69.10.147.2 by mog (envelope-from , uid 508) with qmail-scanner-1.25 (clamdscan: 0.87/2614. spamassassin: 3.1.8. Clear:RC:0(69.10.147.2):SA:0(-2.6/5.0):. Processed in 1.177356 secs); 13 Mar 2008 20:56:07 -0000 X-Spam-Status: No, hits=-2.6 required=5.0 Received: from unknown (HELO ?192.168.7.50?) (wadeklaver@itiva.com@69.10.147.2) by mail.crossflux.com with SMTP; 13 Mar 2008 15:56:06 -0500 From: Wade Klaver To: AT Matik In-Reply-To: <200803131441.36597.asstec@matik.com.br> References: <1205343184.4032.44.camel@wade-linux.itiva.com> <200803131323.34208.asstec@matik.com.br> <1205428297.4032.51.camel@wade-linux.itiva.com> <200803131441.36597.asstec@matik.com.br> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-F4jIDZdkECoKeZUwJHBT" Date: Thu, 13 Mar 2008 14:06:40 -0700 Message-Id: <1205442400.4349.18.camel@wade-linux.itiva.com> Mime-Version: 1.0 X-Mailer: Evolution 2.8.3 (2.8.3-2.fc6) Cc: freebsd-ipfw@freebsd.org Subject: Re: On the trail of a dummynet/bridge/ipfw bug. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Mar 2008 21:07:10 -0000 --=-F4jIDZdkECoKeZUwJHBT Content-Type: text/plain Content-Transfer-Encoding: quoted-printable OK, here's something weird then. ipfw pipe show | wc -l has reported higher numbers: [root@ibm3550b ~]# ipfw pipe show | wc -l 3453 This was reported after the bridge "died" attempting 2600 simultaneous connections... it had been running at 2400 before I added 200 more. Now, immediately after the above crash, I do a /etc/rc.d/netif restart, and then: [root@ibm3550b ~]# ipfw pipe show | wc -l 3900 Then as long as I add additional connections very slowly, I can manage to get more established until it dies at 2800 with: [root@ibm3550b ~]# ipfw pipe show | wc -l 4160 At this point I am only using these numbers as a general indication of pipe activity as the output is not 1 pipe per line. In fact there is more often than not two lines per pipe. However, the end problem remains the same. After a point, the bridge doesn't get saturated, it crashes and requires that the network be restarted before continuing. The fact that it is necessary only to restart the network and not to flush ipfw's pipes (which has no effect without a network restart) perhaps suggests the problem lies in a different subsystem? The broadcom driver perhaps? This image: http://www.archeron.ca/pics/bridgecrash.jpg (see the indicated section on the right) shows the crash from the network side as additional requesters are added across the bridge. Any hints on how I can track down this problem, be it configuration, hardware, OS or otherwise?' Cheers, -Wade On Thu, 2008-03-13 at 14:41 -0300, AT Matik wrote: > On Thursday 13 March 2008 14:11:37 you wrote: > > Out of curiosity, what is the largest number of pipes you have had in a > > system? I would really like to be approaching the 4500 mark to simulat= e > > that number of 192kb connections. >=20 > I really don know because I never had necessity to check because never ha= d=20 > problems, but the largest subnet what goes through one gw is a /20=20 > I guess I have 60-70% of users max online so there should be roundabout t= hat=20 > 2.8-3.0k active pipes=20 >=20 >=20 >=20 > > -Wade > > > > On Thu, 2008-03-13 at 13:23 -0300, AT Matik wrote: > > > On Thursday 13 March 2008 13:09:05 you wrote: > > > > This is not entirely helpful. Perhaps a suggestion of where to loo= k > > > > for a misconfiguration? I have not done anything particularly exot= ic > > > > to this system. I also mentioned that I was able to overcome the 1= 024 > > > > pipe limit. What I am more interested in tracking down is why the > > > > bridging functionality crashes once I exceed around 2300 pipes. > > > > > > I agree, but I only wanted to show that this is not the pattern, also > > > some of my server make it up to 2.8 -2.9k pipes and I have no crash/= hang > > > problem > > > > > > but I have a different fw configuration, may be you like to try: > > > > > > ${fwpipe} 1 config bw ${bwd_max_lan}${uni} > > > ${fwpipe} 2 config bw ${bwu_max_lan}${uni} > > > ${fwqueue} 1 config pipe 1 weight ${prior_net_lan} > > > ${fwqueue} 2 config pipe 2 weight ${prior_net_lan} > > > ${fwadd} queue 1 ip from any to ${net_lan} out xmit ${if_lan} > > > ${fwadd} queue 2 ip from ${net_lan} to any in recv ${if_lan} > > > > > > > > > for better understanding > > > > > > fwadd=3D"/sbin/ipfw -q add" > > > fwpipe=3D"/sbin/ipfw pipe" > > > fwqueue=3D"/sbin/ipfw queue" > > > uni=3D"Kbit/s" > > > > > > > -Wade > > > > > > > > On Wed, 2008-03-12 at 18:05 -0300, AT Matik wrote: > > > > > On Wednesday 12 March 2008 14:33:04 Wade Klaver wrote: > > > > > > PROBLEM DESCRIPTION > > > > > > > > > > > > I have a bridge set up on a 7.0 box and am attempting to use it= to > > > > > > limit HTTP connections outgoing from a box behind it to 192Kbit= /s > > > > > > for testing. During this testing I ran into some problems. At > > > > > > first, I found that the number of simultaneous pipes was limite= d to > > > > > > 1024, allowing only 1024 192Kbit/s clients. Additional clients > > > > > > were simply blocked. I am using a very simple firewall config: > > > > > > > > > > > > ipfw pipe 1 config bw 192Kbits/s mask all > > > > > > ipfw add 00051 skipto 99 ip from 192.168.0.0/16 to 192.168.0.= 0/16 > > > > > > ipfw add 00052 skipto 1000 ip from any to any > > > > > > ipfw add 00100 pipe 1 ip from 192.168.10.88 80 to any via bri= dge0 > > > > > > ipfw add 00200 pipe 1 ip from any 25111 to any via bridge > > > > > > > > > > > > Regardless of how many clients I threw at the box, I had the li= mit: > > > > > > > > > > > > [root@ibm3550b ~]# ipfw pipe show | wc -l > > > > > > 1028 > > > > > > > > > > you must have something wrong there, I just checked on one of my > > > > > boxes: > > > > > > > > > > # ipfw pipe show | wc -l > > > > > 1797 >=20 >=20 --=-F4jIDZdkECoKeZUwJHBT Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQBH2ZdWne3UhGESRwURArNwAJwJz1oAEKPzOvVMMKrSYG/EWr85JQCfb30w AWfrlAbK6K+eXlk57A1Y1TM= =jCoj -----END PGP SIGNATURE----- --=-F4jIDZdkECoKeZUwJHBT-- From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 14 07:40:44 2008 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8C2601065676; Fri, 14 Mar 2008 07:40:44 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 7913F8FC2C; Fri, 14 Mar 2008 07:40:44 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (remko@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m2E7ei0x085355; Fri, 14 Mar 2008 07:40:44 GMT (envelope-from remko@freefall.freebsd.org) Received: (from remko@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m2E7ei3W085351; Fri, 14 Mar 2008 07:40:44 GMT (envelope-from remko) Date: Fri, 14 Mar 2008 07:40:44 GMT Message-Id: <200803140740.m2E7ei3W085351@freefall.freebsd.org> To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org From: remko@FreeBSD.org Cc: Subject: Re: bin/121683: [ipfw]: ipfw2 show_nat regression on 7.0-STABLE X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Mar 2008 07:40:44 -0000 Old Synopsis: ipfw2 show_nat regression on 7.0-STABLE New Synopsis: [ipfw]: ipfw2 show_nat regression on 7.0-STABLE Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw Responsible-Changed-By: remko Responsible-Changed-When: Fri Mar 14 07:40:32 UTC 2008 Responsible-Changed-Why: reassign to ipfw team http://www.freebsd.org/cgi/query-pr.cgi?pr=121683 From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 14 07:46:30 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DC48C106566B for ; Fri, 14 Mar 2008 07:46:30 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from msrv.matik.com.br (msrv.matik.com.br [200.152.83.14]) by mx1.freebsd.org (Postfix) with ESMTP id 611158FC1A for ; Fri, 14 Mar 2008 07:46:29 +0000 (UTC) (envelope-from asstec@matik.com.br) Received: from ap-h.matik.com.br (ap-h.p.matik.com.br [200.152.83.36] (may be forged)) by msrv.matik.com.br (8.14.1/8.13.1) with ESMTP id m2E7kRvU075931; Fri, 14 Mar 2008 04:46:28 -0300 (BRT) (envelope-from asstec@matik.com.br) From: AT Matik Organization: Infomatik To: freebsd-ipfw@freebsd.org Date: Fri, 14 Mar 2008 04:47:18 -0300 User-Agent: KMail/1.9.7 References: <1205343184.4032.44.camel@wade-linux.itiva.com> <200803131441.36597.asstec@matik.com.br> <1205442400.4349.18.camel@wade-linux.itiva.com> In-Reply-To: <1205442400.4349.18.camel@wade-linux.itiva.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200803140447.18646.asstec@matik.com.br> X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on msrv.matik.com.br X-Virus-Status: Clean Cc: Wade Klaver Subject: Re: On the trail of a dummynet/bridge/ipfw bug. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Mar 2008 07:46:31 -0000 On Thursday 13 March 2008 18:06:40 Wade Klaver wrote: > OK, here's something weird then. ipfw pipe show | wc -l has reported > higher numbers: > [root@ibm3550b ~]# ipfw pipe show | wc -l > 3453 > This was reported after the bridge "died" attempting 2600 simultaneous > connections... it had been running at 2400 before I added 200 more. > Now, immediately after the above crash, I do a /etc/rc.d/netif restart, > and then: > [root@ibm3550b ~]# ipfw pipe show | wc -l > 3900 > Then as long as I add additional connections very slowly, I can manage > to get more established until it dies at 2800 with: > [root@ibm3550b ~]# ipfw pipe show | wc -l > 4160 > At this point I am only using these numbers as a general indication of > pipe activity as the output is not 1 pipe per line. In fact there is > more often than not two lines per pipe. However, the end problem > remains the same. After a point, the bridge doesn't get saturated, it > crashes and requires that the network be restarted before continuing. > The fact that it is necessary only to restart the network and not to > flush ipfw's pipes (which has no effect without a network restart) > perhaps suggests the problem lies in a different subsystem? The > broadcom driver perhaps? hard to say because you do not tell so very much about your machine, it mig= ht=20 be too weak for so many pipes (mem or cpu?), I do not know your setup or th= e=20 nics you use you say it crash but can restart the network? probably you have some error = in=20 your script or since you run bridge some mac issue? =2D-=20 Participe no BAIXO ASSINADO SCM: http://info.matik.com.br =2D- Atenciosamente, J.M. Respons=E1vel Plant=E3o Site Support Matik Infomatik Internet Technology (18)3551.8155 =A0(18)8112.7007 A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura. Service fornecido pelo Datacenter Matik https://datacenter.matik.com.br From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 14 09:49:36 2008 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CD6D41065673; Fri, 14 Mar 2008 09:49:36 +0000 (UTC) (envelope-from piso@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id C75CA8FC18; Fri, 14 Mar 2008 09:49:36 +0000 (UTC) (envelope-from piso@FreeBSD.org) Received: from freefall.freebsd.org (piso@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m2E9nald097202; Fri, 14 Mar 2008 09:49:36 GMT (envelope-from piso@freefall.freebsd.org) Received: (from piso@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m2E9naIU097198; Fri, 14 Mar 2008 09:49:36 GMT (envelope-from piso) Date: Fri, 14 Mar 2008 09:49:36 GMT Message-Id: <200803140949.m2E9naIU097198@freefall.freebsd.org> To: gael.roualland@dial.oleane.com, piso@FreeBSD.org, freebsd-ipfw@FreeBSD.org From: piso@FreeBSD.org Cc: Subject: Re: bin/121683: [ipfw]: ipfw2 show_nat regression on 7.0-STABLE X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Mar 2008 09:49:36 -0000 Synopsis: [ipfw]: ipfw2 show_nat regression on 7.0-STABLE State-Changed-From-To: open->closed State-Changed-By: piso State-Changed-When: Fri Mar 14 09:48:02 UTC 2008 State-Changed-Why: Fix submitted to RELENG_7 (rev. 1.108.2.4). http://www.freebsd.org/cgi/query-pr.cgi?pr=121683 From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 14 09:50:03 2008 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3468F1065674 for ; Fri, 14 Mar 2008 09:50:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 480798FC26 for ; Fri, 14 Mar 2008 09:50:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m2E9o3bF097332 for ; Fri, 14 Mar 2008 09:50:03 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m2E9o3l3097331; Fri, 14 Mar 2008 09:50:03 GMT (envelope-from gnats) Date: Fri, 14 Mar 2008 09:50:03 GMT Message-Id: <200803140950.m2E9o3l3097331@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org From: dfilter@FreeBSD.org (dfilter service) Cc: Subject: Re: bin/121683: commit references a PR X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dfilter service List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Mar 2008 09:50:03 -0000 The following reply was made to PR bin/121683; it has been noted by GNATS. From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: bin/121683: commit references a PR Date: Fri, 14 Mar 2008 09:41:54 +0000 (UTC) piso 2008-03-14 09:41:46 UTC FreeBSD src repository Modified files: (Branch: RELENG_7) sbin/ipfw ipfw2.c Log: Fix showing nat rules. Bug spotted by: Gael Roualland PR: bin/121683 Revision Changes Path 1.108.2.4 +1 -0 src/sbin/ipfw/ipfw2.c _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 14 11:12:19 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AC69B106567A for ; Fri, 14 Mar 2008 11:12:19 +0000 (UTC) (envelope-from vlad@prokk.net) Received: from smtp.prokk.net (smtp.prokk.net [195.16.77.5]) by mx1.freebsd.org (Postfix) with ESMTP id 1C90B8FC23 for ; Fri, 14 Mar 2008 11:12:06 +0000 (UTC) (envelope-from vlad@prokk.net) Received: from base (base.prokk.net [195.16.77.7]) by smtp.prokk.net (8.13.8/8.13.8) with ESMTP id m2EAmdgm056995 for ; Fri, 14 Mar 2008 12:48:44 +0200 (EET) (envelope-from vlad@prokk.net) From: "Vladimir V. Kobal" To: Date: Fri, 14 Mar 2008 12:48:43 +0200 Organization: ProKK SE Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_00BC_01C885D1.BFA54E80" X-Mailer: Microsoft Office Outlook 11 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133 Thread-Index: AciFwPjqLEDLluTPTv+Xcw0jIo1EWA== X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (smtp.prokk.net [195.16.77.5]); Fri, 14 Mar 2008 12:48:44 +0200 (EET) X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on smtp.prokk.net X-Virus-Status: Clean Subject: Dummynet causes kernel trap and system freeze X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Mar 2008 11:12:19 -0000 This is a multi-part message in MIME format. ------=_NextPart_000_00BC_01C885D1.BFA54E80 Content-Type: text/plain; charset="koi8-u" Content-Transfer-Encoding: 7bit The system is PPTP NAS (mpd5) with NAT (ng_nat), firewall (ipfw2) and shaping (dummynet). FreeBSD 7.0-RELEASE, Quad-Core AMD Phenom, AMD 690V chipset, two em interfaces (EXPI9400PT 82572GI). On high load there are about 500 simultaneous PPTP users snd 50Mbps/15Mbps of downlink/uplink traffic going through. Kernel is patched against rtfree problem. We've replaced rtfree to RTFREE_LOCKED at net/route.c netinet/if_ether.c Sometimes immediately after boot, sometimes after 10 hours of work, we get a kernel trap because of the page fault and system freeze. The first few seconds or minutes after the trap there is a possibility to Scroll Lock and go through debug console. Then the system hangs totally and can be rebooted only by hardware reset. The current process on kernel trap is always dummynet. Rarely we get a series of four sequential kernel traps and automatic reboots. Today the following happened: the dummynet pipes just stoped working but other traffic flows worked well and the system console had been freezed. Without a load the system runs for days. We've tryed to: apply patch-2 from kern/113548 apply patch-3 from kern/113548 change NICs to bge, mks, rl change processor to Dual-Core AMD 64 x2 use motherboard with Nvidia chipset We always get the same symptoms. Backtrace and appropriate dummynet source file are attached. We have in production the same system on FreeBSD 6.1-RELEASE. We have never had traps on it, but the load on it wasn't more than 400 PPTP users and 30Mbps/10Mbps because of lack of CPU resources. The problem looks rather like mentioned in kern/118128, kern/113548, kern/106534 but there are no working solutions. Could someone help to solve the problem with dummynet? Best regards, Vladimir Kobal ------=_NextPart_000_00BC_01C885D1.BFA54E80 Content-Type: text/plain; name="backtrace.txt" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="backtrace.txt" [GDB will not be able to debug user-mode threads: = /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"] GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you = are welcome to change it and/or distribute copies of it under certain = conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for = details. This GDB was configured as "amd64-marcel-freebsd". Unread portion of the kernel message buffer: Copyright (c) 1992-2008 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD is a registered trademark of The FreeBSD Foundation. FreeBSD 7.0-RELEASE #12: Thu Mar 13 12:27:02 EET 2008 natalie@firewall.prokk.net:/usr/src/sys/amd64/compile/FIREWALL Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: AMD Phenom(tm) 9600 Quad-Core Processor (2305.24-MHz K8-class CPU) Origin =3D "AuthenticAMD" Id =3D 0x100f22 Stepping =3D 2 = Features=3D0x178bfbff Features2=3D0x802009> AMD = Features=3D0xee500800,RDTSCP,LM,3DNow!+,3DNow= !> AMD = Features2=3D0x7ff,,,Prefetch,,<= b10>> Cores per package: 4 usable memory =3D 2105335808 (2007 MB) avail memory =3D 2031869952 (1937 MB) ACPI APIC Table: FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs cpu0 (BSP): APIC ID: 0 cpu1 (AP): APIC ID: 1 cpu2 (AP): APIC ID: 2 cpu3 (AP): APIC ID: 3 ioapic0: Changing APIC ID to 2 ioapic0 irqs 0-23 on motherboard kbd1 at kbdmux0 acpi0: on motherboard acpi0: [ITHREAD] acpi0: Power Button (fixed) acpi0: reservation of 0, a0000 (3) failed acpi0: reservation of 100000, 7dde0000 (3) failed Timecounter "ACPI-safe" frequency 3579545 Hz quality 850 acpi_timer0: <32-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0 acpi_hpet0: iomem 0xfed00000-0xfed003ff on = acpi0 acpi_hpet0: HPET never increments, disabling device_attach: acpi_hpet0 attach returned 6 cpu0: on acpi0 cpu1: on acpi0 cpu2: on acpi0 cpu3: on acpi0 acpi_button0: on acpi0 pcib0: port 0xcf8-0xcff on acpi0 pci0: on pcib0 pcib1: at device 1.0 on pci0 pci1: on pcib1 vgapci0: port 0xce00-0xceff mem = 0xfa000000-0xfbffffff,0xfdcf0000-0xfdcfffff,0xfdb00000-0xfdbfffff irq 18 = at device 5.0 on pci1 pcib2: at device 2.0 on pci0 pci2: on pcib2 em0: port = 0xef00-0xef1f mem 0xfdae0000-0xfdafffff,0xfdac0000-0xfdadffff irq 18 at = device 0.0 on pci2 em0: Using MSI interrupt em0: Ethernet address: 00:15:17:68:58:84 em0: [FILTER] pcib3: at device 4.0 on pci0 pci3: on pcib3 em1: port = 0xdf00-0xdf1f mem 0xfdee0000-0xfdefffff,0xfdec0000-0xfdedffff irq 16 at = device 0.0 on pci3 em1: Using MSI interrupt em1: Ethernet address: 00:15:17:67:49:49 em1: [FILTER] atapci0: port = 0xff00-0xff07,0xfe00-0xfe03,0xfd00-0xfd07,0xfc00-0xfc03,0xfb00-0xfb0f = mem 0xfe02f000-0xfe02f3ff irq 22 at device 18.0 on pci0 atapci0: [ITHREAD] ata2: on atapci0 ata2: [ITHREAD] ata3: on atapci0 ata3: [ITHREAD] pci0: at device 20.0 (no driver attached) atapci1: port = 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xf900-0xf90f at device 20.1 on pci0 ata0: on atapci1 ata0: [ITHREAD] isab0: at device 20.3 on pci0 isa0: on isab0 pcib4: at device 20.4 on pci0 pci4: on pcib4 re0: port = 0xbe00-0xbeff mem 0xfd9ff000-0xfd9ff0ff irq 23 at device 15.0 on pci4 miibus0: on re0 rgephy0: PHY 1 on miibus0 rgephy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, = 1000baseT-FDX, auto re0: Ethernet address: 00:1a:4d:f6:aa:4a re0: [FILTER] atkbdc0: port 0x60,0x64 irq 1 on acpi0 atkbd0: irq 1 on atkbdc0 kbd0 at atkbd0 atkbd0: [GIANT-LOCKED] atkbd0: [ITHREAD] psm0: irq 12 on atkbdc0 psm0: [GIANT-LOCKED] psm0: [ITHREAD] psm0: model Generic PS/2 mouse, device ID 0 acpi_hpet0: iomem 0xfed00000-0xfed003ff on = acpi0 acpi_hpet0: HPET never increments, disabling device_attach: acpi_hpet0 attach returned 6 sc0: at flags 0x100 on isa0 sc0: VGA <16 virtual consoles, flags=3D0x300> vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on = isa0 Timecounters tick every 1.000 msec ipfw2 initialized, divert enabled, rule-based forwarding enabled, = default to accept, logging limited to 100 packets/entry by default ad4: 76318MB at ata2-master UDMA33 SMP: AP CPU #3 Launched! SMP: AP CPU #1 Launched! SMP: AP CPU #2 Launched! Trying to mount root from ufs:/dev/ad4s1a <118>Loading configuration files. <118>kernel dumps on /dev/ad4s1b <118>Entropy harvesting: <118> interrupts <118> ethernet <118> point_to_point <118> kickstart <118>. <118>swapon: adding /dev/ad4s1b as swap device <118>Starting file system checks: <118>/dev/ad4s1a: FILE SYSTEM CLEAN; SKIPPING CHECKS <118>/dev/ad4s1a: clean, 35547366 free (100502 frags, 4430858 blocks, = 0.3% fragmentation) <118>Setting hostuuid: 42c32a0e-ef7a-11dc-b498-001517685884. <118>Setting hostid: 0x5e99e61e. <118>Mounting local file systems: <118>. <118>Setting hostname: firewall.prokk.net. <118>net.inet.ip.fastforwarding:=20 <118>0 <118> ->=20 <118>1 <118> <118>lo0: flags=3D8049 metric 0 mtu 16384 <118>inet 127.0.0.1 netmask 0xff000000=20 <118>em0: flags=3D8843 metric 0 = mtu 1500 <118>options=3D19b <118>ether 00:15:17:68:58:84 <118>inet 195.16.76.6 netmask 0xfffffff8 broadcast 195.16.76.7 <118>inet 195.16.77.2 netmask 0xfffffff0 broadcast 195.16.77.15 <118>inet 10.100.1.1 netmask 0xfffffffc broadcast 10.100.1.3 <118>inet 10.100.2.1 netmask 0xfffffff0 broadcast 10.100.2.15 <118>inet 217.119.114.186 netmask 0xfffffffc broadcast 217.119.114.187 <118>inet 195.16.77.33 netmask 0xfffffff8 broadcast 195.16.77.39 <118>inet 10.110.1.17 netmask 0xfffffff0 broadcast 10.110.1.31 <118>media: Ethernet autoselect <118>status: no carrier <118>em1: flags=3D8843 metric 0 = mtu 1500 <118>options=3D19b <118>ether 00:15:17:67:49:49 <118>inet 192.168.99.1 netmask 0xffffc000 broadcast 192.168.127.255 <118>inet 195.16.76.129 netmask 0xffffffe0 broadcast 195.16.76.159 <118>inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255 <118>inet 192.168.4.33 netmask 0xfffffffc broadcast 192.168.4.35 <118>inet 192.168.5.1 netmask 0xfffffff8 broadcast 192.168.5.7 <118>inet 192.168.11.1 netmask 0xfffffff8 broadcast 192.168.11.7 <118>inet 192.168.129.1 netmask 0xffffff00 broadcast 192.168.129.255 <118>inet 192.168.250.1 netmask 0xfffffff8 broadcast 192.168.250.7 <118>inet 192.168.231.1 netmask 0xffffff00 broadcast 192.168.231.255 <118>inet 195.16.76.225 netmask 0xffffffe0 broadcast 195.16.76.255 <118>inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255 <118>inet 195.16.76.29 netmask 0xfffffffc broadcast 195.16.76.31 <118>inet 195.16.76.9 netmask 0xfffffff8 broadcast 195.16.76.15 <118>inet 195.16.76.17 netmask 0xfffffffc broadcast 195.16.76.19 <118>inet 10.2.1.1 netmask 0xfffffff0 broadcast 10.2.1.15 <118>inet 10.2.2.1 netmask 0xffffff00 broadcast 10.2.2.255 <118>inet 195.16.76.93 netmask 0xfffffffc broadcast 195.16.76.95 <118>media: Ethernet autoselect <118>status: no carrier <118>vlan2: flags=3D8843 metric = 0 mtu 1500 <118>options=3D3 <118>ether 00:15:17:67:49:49 <118>inet 192.168.11.241 netmask 0xfffffff8 broadcast 192.168.11.247 <118>media: Ethernet autoselect <118>status: no carrier <118>vlan: 2 parent interface: em1 <118>vlan3: flags=3D8843 metric = 0 mtu 1500 <118>options=3D3 <118>ether 00:15:17:67:49:49 <118>inet 192.168.11.20 netmask 0xfffffff0 broadcast 192.168.11.31 <118>media: Ethernet autoselect <118>status: no carrier <118>vlan: 3 parent interface: em1 <118>vlan4: flags=3D8843 metric = 0 mtu 1500 <118>options=3D3 <118>ether 00:15:17:67:49:49 <118>inet 192.168.11.249 netmask 0xfffffff8 broadcast 192.168.11.255 <118>inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255 <118>media: Ethernet autoselect <118>status: no carrier <118>vlan: 4 parent interface: em1 <118>vlan5: flags=3D8843 metric = 0 mtu 1500 <118>options=3D3 <118>ether 00:15:17:67:49:49 <118>inet 192.168.19.1 netmask 0xffffff00 broadcast 192.168.19.255 <118>media: Ethernet autoselect <118>status: no carrier <118>vlan: 5 parent interface: em1 <118>vlan6: flags=3D8843 metric = 0 mtu 1500 <118>options=3D3 <118>ether 00:15:17:67:49:49 <118>inet 192.168.11.33 netmask 0xffffffe0 broadcast 192.168.11.63 <118>media: Ethernet autoselect <118>status: no carrier <118>vlan: 6 parent interface: em1 <118>vlan7: flags=3D8843 metric = 0 mtu 1500 <118>options=3D3 <118>ether 00:15:17:67:49:49 <118>inet 192.168.230.1 netmask 0xffffff00 broadcast 192.168.230.255 <118>media: Ethernet autoselect <118>status: no carrier <118>vlan: 7 parent interface: em1 <118>vlan8: flags=3D8843 metric = 0 mtu 1500 <118>options=3D3 <118>ether 00:15:17:67:49:49 <118>inet 195.16.76.209 netmask 0xfffffff0 broadcast 195.16.76.223 <118>inet 10.1.5.1 netmask 0xffffff00 broadcast 10.1.5.255 <118>inet 10.2.5.1 netmask 0xffffff00 broadcast 10.2.5.255 <118>media: Ethernet autoselect <118>status: no carrier <118>vlan: 8 parent interface: em1 <118>add net default: gateway 217.119.114.185 <118>Additional routing options: <118> IP gateway=3DYES <118> ARP proxyall=3DYES <118>. <118>Starting devd. <118>re0: flags=3D8843 metric 0 = mtu 1500 <118>options=3D9b <118>ether 00:1a:4d:f6:aa:4a <118>inet 195.16.77.4 netmask 0xfffffff0 broadcast 195.16.77.15 <118>media: Ethernet autoselect (none) <118>status: no carrier <118>route:=20 <118>writing to routing socket <118>:=20 <118>File exists <118>add net default: gateway 217.119.114.185: route already in table <118>hw.acpi.cpu.cx_lowest:=20 <118>C1 <118> ->=20 <118>C1 <118> <118>Flushed all rules. <118>Flushed all pipes. <118>00020 deny tcp from any 2022,2023 to any <118>00020 deny tcp from any to any dst-port 2022,2023 <118>00047 deny ip from 10.5.0.0/24 to any <118>00047 deny ip from any to 10.5.0.0/24 <118>00049 deny ip from 60.48.0.0/13 to any <118>00049 deny ip from 60.240.195.0/24 to any <118>00049 deny ip from 192.168.0.0/24 to any <118>00049 deny ip from any to 169.254.0.0/16 <118>00049 deny ip from 169.254.0.0/16 to any <118>00050 allow ip from 195.16.77.5 to any dst-port 25 via em0 <118>00050 allow ip from any 25 to 195.16.77.5 via em0 <118>00050 pipe 5362 ip from any 25 to { 195.16.76.32/27 or dst-ip = 195.16.76.64/30 or dst-ip 195.16.76.68/30 } <118>00050 pipe 5367 ip from { 195.16.76.32/27 or 195.16.76.64/30 or = 195.16.76.68/30 } to any dst-port 25 <118>00050 pipe 5212 ip from any 25 to 194.60.77.0/24 <118>00050 pipe 5217 ip from 194.60.77.0/24 to any dst-port 25 <118>00050 allow ip from 195.16.76.208/28 to any dst-port 25 <118>00050 allow ip from any 25 to 195.16.76.208/28 <118>00050 allow ip from 195.16.76.86 to any dst-port 25 <118>00050 allow ip from any 25 to 195.16.76.86 <118>00050 pipe 5172 ip from 195.16.76.232 to any dst-port 25 <118>00050 pipe 5177 ip from any 25 to 195.16.76.232 <118>00050 pipe 5552 ip from 195.16.76.253 to any dst-port 25 <118>00050 pipe 5557 ip from any 25 to 195.16.76.253 <118>00050 pipe 5152 ip from 195.16.76.137 to any dst-port 25 <118>00050 pipe 5157 ip from any 25 to 195.16.76.137 <118>00050 pipe 5182 ip from 195.16.76.140 to any dst-port 25 <118>00050 pipe 5187 ip from any 25 to 195.16.76.140 <118>00050 pipe 5492 ip from 195.16.76.134 to any dst-port 25 <118>00050 pipe 5497 ip from any 25 to 195.16.76.134 <118>00050 pipe 5212 ip from 194.0.157.100 to any dst-port 25 <118>00050 pipe 5217 ip from any 25 to 194.0.157.100 <118>00050 pipe 5212 ip from 194.0.157.1 to any dst-port 25 <118>00050 pipe 5217 ip from any 25 to 194.0.157.1 <118>00050 pipe 5212 ip from 194.60.77.0/24 to any dst-port 25 <118>00050 pipe 5217 ip from any 25 to 194.60.77.0/24 <118>00051 deny ip from not table(1) 25 to any <118>00051 deny ip from any to not table(1) dst-port 25 <118>00053 allow icmp from 195.16.77.7 to any <118>00053 allow icmp from any to 195.16.77.7 <118>00053 allow icmp from 195.16.77.2 to any <118>00053 allow icmp from any to 195.16.77.2 <118>00054 allow udp from 195.16.77.0/28 to me dst-port = 53,123,137,138,139,161,199,445,514,953,1723,8668,30001,57030 <118>00054 allow tcp from 195.16.76.0/23 to me dst-port = 53,123,137,138,139,161,199,445,514,953,1723,8668,30001,57030 <118>00054 allow tcp from 192.168.0.0/16 to me dst-port = 53,123,137,138,139,161,199,445,514,953,1723,8668,57030 <118>00054 allow tcp from 10.0.0.0/8 to me dst-port = 53,123,137,138,139,161,199,445,514,953,1723,8668,57030 <118>00055 deny tcp from any to me dst-port = 53,123,137,138,139,161,199,445,514,953,1723,8668,30001,57030 <118>00056 allow tcp from 192.168.0.0/16 to 195.16.77.3 dst-port 20,21 <118>00056 allow tcp from 172.16.0.0/16 to 195.16.77.3 dst-port 20,21 <118>00056 allow tcp from 195.16.76.0/23 to 195.16.77.3 dst-port 20,21 <118>00056 allow ip from 194.88.220.30 to 195.16.77.3 dst-port 20,21 <118>00056 allow ip from 195.16.77.3 20,21 to 194.88.220.30 <118>00056 deny tcp from any to 195.16.77.3 dst-port 20,21 <118>00057 allow tcp from 192.168.0.0/16 to 195.16.77.1 dst-port 53 <118>00057 allow udp from 192.168.0.0/16 to 195.16.77.1 dst-port 53 <118>00057 allow tcp from 195.16.77.1 53 to 192.168.0.0/16 <118>00057 allow udp from 195.16.77.1 53 to 192.168.0.0/16 <118>00058 allow udp from 195.16.77.0/28 to me dst-port 5005 <118>00059 deny udp from any to me dst-port 5005 <118>00062 count ip from 195.16.76.208/30 to any <118>00063 count ip from any to 195.16.76.208/30 <118>00065 allow ip from 10.100.2.0/24 to 195.16.77.0/28 <118>00065 allow ip from 195.16.77.0/28 to 10.100.2.0/24 <118>00065 allow ip from 10.100.2.0/24 to me <118>00065 allow ip from me to 10.100.2.0/24 <118>00065 allow ip from 10.2.5.0/24 to 195.16.77.0/28 <118>00065 allow ip from 195.16.77.0/28 to 10.2.5.0/24 <118>00066 allow ip from 195.16.77.7 69 to 192.168.230.0/24 <118>00066 allow ip from 192.168.230.0/24 to 195.16.77.7 dst-port 69 <118>00075 allow tcp from 195.16.76.212 to 195.16.77.7 dst-port 3389 <118>00075 allow tcp from 195.16.77.7 3389 to 195.16.76.212 <118>00076 allow tcp from 192.168.2.65 to 195.16.77.7 dst-port = 3389,137,138,139,445 <118>00076 allow tcp from 192.168.99.65 to 195.16.77.7 dst-port = 3389,137,138,139,445 <118>00076 allow tcp from 195.16.76.152 to 195.16.77.7 dst-port = 3389,137,138,139,445 <118>00076 allow tcp from 195.16.77.7 3389,137,138,139,445 to = 192.168.2.65 <118>00076 allow tcp from 195.16.77.7 3389,137,138,139,445 to = 192.168.99.65 <118>00076 allow tcp from 195.16.77.7 3389,137,138,139,445 to = 195.16.76.152 <118>00076 allow tcp from 195.16.76.152 to 195.16.77.2 <118>00076 allow tcp from 195.16.77.2 to 195.16.76.152 <118>00076 allow tcp from 195.16.76.99 to 195.16.77.2 <118>00076 allow tcp from 195.16.77.2 to 195.16.76.99 <118>00076 allow tcp from 195.16.76.99 to 195.16.77.7 dst-port = 3389,137,138,139,445 <118>00076 allow tcp from 195.16.77.7 3389,137,138,139,445 to = 195.16.76.99 <118>00076 allow tcp from 195.234.148.238 to 195.16.77.7 <118>00076 allow tcp from 195.16.77.7 to 195.234.148.238 <118>00077 allow tcp from 192.168.99.235 to 195.16.77.7 dst-port 3389 <118>00077 allow tcp from 172.16.1.235 to 195.16.77.7 dst-port 3389 <118>00077 allow tcp from 195.16.77.7 3389 to 192.168.99.235 <118>00077 allow tcp from 195.16.77.7 3389 to 172.16.1.235 <118>00077 allow tcp from 192.168.97.91 to 195.16.77.7 dst-port 3389 <118>00077 allow tcp from 172.16.3.91 to 195.16.77.7 dst-port 3389 <118>00077 allow tcp from 192.168.96.2 to 195.16.77.7 dst-port 3389 <118>00077 allow tcp from 195.16.77.7 3389 to 192.168.96.2 <118>00077 allow tcp from 195.16.77.7 3389 to 192.168.97.91 <118>00077 allow tcp from 195.16.77.7 3389 to 172.16.3.91 <118>00077 allow tcp from 192.168.99.61 to 195.16.77.7 dst-port 3389 <118>00077 allow tcp from 172.16.1.61 to 195.16.77.7 dst-port 3389 <118>00077 allow tcp from 195.16.77.7 3389 to 192.168.99.61 <118>00077 allow tcp from 195.16.77.7 3389 to 172.16.1.61 <118>00079 allow tcp from 195.16.76.144 to 195.16.77.7 dst-port 3389 <118>00079 allow tcp from 195.16.77.7 3389 to 195.16.76.144 <118>00080 allow tcp from 195.16.76.145 to 195.16.77.7 dst-port 3389 <118>00080 allow tcp from 195.16.77.7 3389 to 195.16.76.145 <118>00080 allow tcp from 192.168.94.165 to 195.16.77.7 dst-port 3389 <118>00080 allow tcp from 195.16.77.7 3389 to 192.168.94.165 <118>00080 allow tcp from 192.168.92.49 to 195.16.77.7 dst-port 3389 <118>00080 allow tcp from 195.16.77.7 3389 to 192.168.92.49 <118>00081 allow tcp from 192.168.99.252 to 195.16.77.7 dst-port 3389 <118>00081 allow tcp from 172.16.1.252 to 195.16.77.7 dst-port 3389 <118>00081 allow tcp from 195.16.76.146 to 195.16.77.7 dst-port 3389 <118>00081 allow tcp from 195.16.76.98 to 195.16.77.7 dst-port 3389 <118>00081 allow tcp from 195.16.77.7 3389 to 192.168.99.252 <118>00081 allow tcp from 195.16.77.7 3389 to 172.16.1.252 <118>00081 allow tcp from 195.16.77.7 3389 to 195.16.76.146 <118>00081 allow tcp from 195.16.77.7 3389 to 195.16.76.98 <118>00081 allow tcp from 195.16.76.146 to 195.16.77.0/28 dst-port 22 <118>00081 allow tcp from 192.168.99.252 to 195.16.77.0/28 dst-port 22 <118>00081 allow tcp from 172.16.1.252 to 195.16.77.0/28 dst-port 22 <118>00081 allow tcp from 195.16.76.98 to 195.16.77.0/28 dst-port 22 <118>00081 allow tcp from 195.16.77.0/28 22 to 195.16.76.146 <118>00081 allow tcp from 195.16.77.0/28 22 to 192.168.99.252 <118>00081 allow tcp from 195.16.77.0/28 22 to 172.16.1.252 <118>00081 allow tcp from 195.16.77.0/28 22 to 195.16.76.98 <118>00082 allow tcp from 192.168.96.1 to 195.16.77.7 dst-port 3389 <118>00082 allow tcp from 172.16.4.1 to 195.16.77.7 dst-port 3389 <118>00082 allow tcp from 195.16.77.7 3389 to 192.168.96.1 <118>00082 allow tcp from 195.16.77.7 3389 to 172.16.4.1 <118>00082 allow tcp from 192.168.91.60 to 195.16.77.7 dst-port 3389 <118>00082 allow tcp from 195.16.77.7 3389 to 192.168.91.60 <118>00082 allow tcp from 172.16.9.60 to 195.16.77.7 dst-port 3389 <118>00082 allow tcp from 195.16.77.7 3389 to 172.16.9.60 <118>00082 allow tcp from 10.10.133.3 to 195.16.77.7 dst-port 3389 <118>00082 allow tcp from 172.16.6.8 to 195.16.77.7 dst-port 3389 <118>00082 allow tcp from 195.16.77.7 3389 to 10.10.133.3 <118>00082 allow tcp from 195.16.77.7 3389 to 172.16.6.8 <118>00083 allow tcp from 192.168.92.160 to 195.16.77.7 dst-port 3389 <118>00083 allow tcp from 195.16.77.7 3389 to 192.168.92.160 <118>00083 allow tcp from 172.16.8.160 to 195.16.77.7 dst-port 3389 <118>00083 allow tcp from 195.16.77.7 3389 to 172.16.8.160 <118>00086 allow tcp from 192.168.97.116 to 195.16.77.7 dst-port 3389 <118>00086 allow tcp from 195.16.77.7 3389 to 192.168.97.116 <118>00086 allow tcp from 172.16.3.116 to 195.16.77.7 dst-port 3389 <118>00086 allow tcp from 195.16.77.7 3389 to 172.16.3.116 <118>00087 allow tcp from 192.168.99.2 to 195.16.77.7 dst-port 3389 <118>00087 allow tcp from 192.168.96.1 to 195.16.77.7 dst-port 3389 <118>00087 allow tcp from 192.168.99.9 to 195.16.77.7 dst-port 3389 <118>00087 allow tcp from 192.168.97.7 to 195.16.77.7 dst-port 3389 <118>00087 allow tcp from 192.168.99.2 to 195.16.77.7 dst-port 3389 <118>00087 allow tcp from 195.16.77.7 3389 to 192.168.99.9 <118>00087 allow tcp from 195.16.77.7 3389 to 192.168.97.7 <118>00087 allow tcp from 195.16.77.7 3389 to 192.168.99.2 <118>00087 allow tcp from 195.16.77.7 3389 to 192.168.96.1 <118>00088 deny tcp from any to 195.16.77.7 dst-port = 3389,137,138,139,445 <118>00088 deny udp from any to 195.16.77.7 dst-port = 3389,137,138,139,445 <118>00088 deny tcp from 195.16.77.7 3389,137,138,139,445 to any <118>00088 deny udp from 195.16.77.7 3389,137,138,139,445 to any <118>00088 deny udp from any 1433,1434 to not 195.16.76.34 <118>00088 deny udp from any to not 195.16.76.34 dst-port 1433,1434 <118>00089 allow ip from 10.0.0.0/8 to 195.16.77.0/24 <118>00089 allow ip from 195.16.76.0/22 to 195.16.77.7 <118>00089 allow icmp from any to 195.16.77.7 icmptypes 0 <118>00090 pipe 7 ip from 195.16.76.0/22 to 195.16.77.7 in recv em0 <118>00090 pipe 90 ip from any to 195.16.77.7 in recv em0 <118>00091 count ip from 195.16.77.7 to any out via em0 <118>00092 pipe 92 ip from 195.16.77.3 to any out via em0 <118>00096 pipe 96 ip from 10.100.2.6 to 10.100.2.1 <118>00096 pipe 96 ip from 10.100.2.7 to 10.100.2.1 <118>00096 pipe 96 ip from 10.100.2.1 to 10.100.2.6 <118>00096 pipe 96 ip from 10.100.2.1 to 10.100.2.7 <118>00096 pipe 96 ip from 192.168.98.169 to 10.100.2.6 <118>00096 pipe 96 ip from 192.168.98.169 to 10.100.2.7 <118>00096 pipe 96 ip from 10.100.2.6 to 192.168.98.169 <118>00096 pipe 96 ip from 10.100.2.7 to 192.168.98.169 <118>00096 pipe 96 ip from 172.16.2.169 to 10.100.2.6 <118>00096 pipe 96 ip from 172.16.2.169 to 10.100.2.7 <118>00096 pipe 96 ip from 10.100.2.6 to 172.16.2.169 <118>00096 pipe 96 ip from 10.100.2.7 to 172.16.2.169 <118>00096 pipe 96 ip from 10.100.2.6 to 10.100.2.7 <118>00096 pipe 96 ip from 10.100.2.7 to 10.100.2.6 <118>00097 deny ip from any to 10.100.2.6 <118>00097 deny ip from any to 10.100.2.7 <118>00097 deny ip from 10.100.2.6 to any <118>00097 deny ip from 10.100.2.7 to any <118>00098 netgraph 60 ip from 192.168.200.0/24 to any out recv em0 xmit = em0 <118>00098 allow ip from any to 192.168.200.0/24 recv em0 <118>00099 allow ip from me to 10.110.1.0/27 <118>00100 deny ip from any to 10.0.0.0/8 out via em0 <118>00101 deny ip from any to 172.16.0.0/16 out via em0 <118>00102 deny ip from any to 192.168.0.0/16 out via em0 <118>00109 allow ip from any to 195.16.77.3 <118>00109 allow ip from 195.16.77.3 to any <118>00120 allow tcp from 195.16.77.7 to me dst-port 22 <118>00120 allow tcp from 195.16.77.12 to me dst-port 22 <118>00120 allow tcp from 195.16.76.144 to me dst-port 22 <118>00120 allow tcp from 195.16.76.99 to me dst-port 22 <118>00120 allow tcp from 195.16.77.11 to me dst-port 22 <118>00121 deny tcp from any to 195.16.77.0/28 dst-port 22 <118>00123 deny ip from any to 195.16.78.0/24 <118>00123 deny ip from any to 195.16.79.0/24 <118>00123 deny ip from any to 195.16.77.128/25 <118>00123 deny ip from any to 195.16.77.64/26 <118>00123 deny ip from any to 195.16.77.48/28 <118>00123 deny ip from any to 195.16.77.40/29 <118>00123 deny ip from any to 195.16.77.16/28 <118>00129 allow udp from any to any dst-port 137,138,139,445 via em1 <118>00129 allow udp from any 137,138,139,445 to any via em1 <118>00130 allow tcp from any to any dst-port 137,138,139,445 via em1 <118>00130 allow tcp from any 137,138,139,445 to any via em1 <118>00131 deny tcp from any to any dst-port 69,135,136,137,138,139,445 <118>00131 deny udp from any to any dst-port 69,135,136,445 <118>00131 deny tcp from any 69,135,136,137,138,139,445 to any <118>00131 deny udp from any 69,135,136,445 to any <118>00142 deny ip from any to 224.0.0.0/12 <118>00143 deny ip from 224.0.0.0/12 to any <118>00144 deny ip from any to 225.0.0.0/12 <118>00145 deny ip from 225.0.0.0/12 to any <118>00146 deny ip from any to 255.0.0.0/8 <118>00147 deny ip from 255.0.0.0/8 to any <118>00148 deny ip from any to 255.255.255.255 <118>00149 deny ip from 255.255.255.255 to any <118>00159 deny igmp from any to any <118>00192 pipe 192 icmp from 195.16.77.0/28 to any <118>00192 pipe 192 icmp from any to 195.16.77.0/28 <118>00200 count ip from 192.168.19.0/24 to any <118>00210 count ip from any to 192.168.19.0/24 <118>00220 count ip from 192.168.20.0/24 to any <118>00230 count ip from any to 192.168.20.0/24 <118>04000 netgraph 60 ip from 172.16.0.0/18 to any out xmit em0 <118>04010 netgraph 61 ip from any to me in via em0 <118>04100 skipto 20000 ip from 172.16.0.0/18 to any <118>04100 skipto 20000 ip from any to 172.16.0.0/18 <118>64500 pipe 192 icmp from any to any via em0 <118>65000 pipe 65000 log ip from any to 172.16.0.0/18 <118>65050 skipto 65500 ip from any to any <118>65100 pipe 65100 ip from any to any <118>65101 skipto 65500 ip from any to any <118>65110 pipe 65110 ip from any to any <118>65111 skipto 65500 ip from any to any <118>00196 deny ip from 192.168.64.0/18 to any via em0 <118>00196 deny ip from any to 192.168.64.0/18 via em0 <118>00199 deny ip from 192.168.152.0/22 to any <118>00199 deny ip from any to 192.168.152.0/22 <118>00202 count ip from any to 192.168.2.0/24 via em1 <118>00521 deny udp from any 520 to 195.16.76.0/22 <118>65530 allow ip from any to 192.168.2.0/24 via em1 <118>65530 allow ip from 192.168.2.0/24 to any via em1 <118>65530 allow ip from any to 192.168.3.0/24 via em1 <118>65530 allow ip from 192.168.3.0/24 to any via em1 <118>65530 allow ip from any to 192.168.4.0/24 via em1 <118>65530 allow ip from 192.168.4.0/24 to any via em1 <118>65530 allow ip from any to 192.168.5.0/29 via em1 <118>65530 allow ip from 192.168.5.0/29 to any via em1 <118>65530 allow ip from any to 192.168.11.0/24 via em1 <118>65530 allow ip from 192.168.11.0/24 to any via em1 <118>65530 allow ip from any to 192.168.129.0/24 via em1 <118>65530 allow ip from 192.168.129.0/24 to any via em1 <118>65530 allow ip from any to 192.168.230.0/24 via em1 <118>65530 allow ip from 192.168.230.0/24 to any via em1 <118>65530 allow ip from any to 192.168.231.0/24 via em1 <118>65530 allow ip from 192.168.231.0/24 to any via em1 <118>65530 allow ip from any to 10.1.1.0/24 via em1 <118>65530 allow ip from 10.1.1.0/24 to any via em1 <118>65530 allow ip from any to 192.168.13.0/24 via em1 <118>65530 allow ip from 192.168.13.0/24 to any via em1 <118>65531 allow ip from any to 195.16.76.0/22 via em1 <118>65531 allow ip from 195.16.76.0/22 to any via em1 <118>65532 allow ip from any to 195.16.77.32/29 via em1 <118>65532 allow ip from 195.16.77.32/29 to any via em1 <118>65533 allow ip from any to 192.168.64.0/18 via em1 <118>65533 allow ip from 192.168.64.0/18 to any via em1 <118>65534 deny ip from any to any via em1 <118>15032 pipe 15032 ip from any to 192.168.2.4 via em1 <118>15033 skipto 65100 ip from any to 192.168.2.4 via em1 <118>15037 netgraph 60 ip from 192.168.2.4 to any out recv em1 xmit em0 <118>15038 pipe 15037 ip from 192.168.2.4 to any via em1 <118>15039 skipto 65110 ip from 192.168.2.4 to any via em1 <118>15042 pipe 15042 ip from any to 192.168.2.31 via em1 <118>15043 skipto 65100 ip from any to 192.168.2.31 via em1 <118>15047 netgraph 60 ip from 192.168.2.31 to any out recv em1 xmit em0 <118>15048 pipe 15047 ip from 192.168.2.31 to any via em1 <118>15049 skipto 65110 ip from 192.168.2.31 to any via em1 <118>15052 pipe 15052 ip from any to 192.168.2.32 via em1 <118>15053 skipto 65100 ip from any to 192.168.2.32 via em1 <118>15057 netgraph 60 ip from 192.168.2.32 to any out recv em1 xmit em0 <118>15058 pipe 15057 ip from 192.168.2.32 to any via em1 <118>15059 skipto 65110 ip from 192.168.2.32 to any via em1 <118>15062 pipe 15062 ip from any to 192.168.2.35 via em1 <118>15063 skipto 65500 ip from any to 192.168.2.35 via em1 <118>15067 netgraph 60 ip from 192.168.2.35 to any out recv em1 xmit em0 <118>15068 pipe 15067 ip from 192.168.2.35 to any via em1 <118>15069 skipto 65510 ip from 192.168.2.35 to any via em1 <118>15072 pipe 15072 ip from any to 192.168.2.37 via em1 <118>15073 skipto 65100 ip from any to 192.168.2.37 via em1 <118>15077 netgraph 60 ip from 192.168.2.37 to any out recv em1 xmit em0 <118>15078 pipe 15077 ip from 192.168.2.37 to any via em1 <118>15079 skipto 65110 ip from 192.168.2.37 to any via em1 <118>15092 pipe 15092 ip from any to 192.168.2.7 via em1 <118>15093 skipto 65500 ip from any to 192.168.2.7 via em1 <118>15097 netgraph 60 ip from 192.168.2.7 to any out recv em1 xmit em0 <118>15098 pipe 15097 ip from 192.168.2.7 to any via em1 <118>15099 skipto 65510 ip from 192.168.2.7 to any via em1 <118>15102 pipe 15102 ip from any to 192.168.2.8 via em1 <118>15103 skipto 65100 ip from any to 192.168.2.8 via em1 <118>15107 netgraph 60 ip from 192.168.2.8 to any out recv em1 xmit em0 <118>15108 pipe 15107 ip from 192.168.2.8 to any via em1 <118>15109 skipto 65110 ip from 192.168.2.8 to any via em1 <118>15112 pipe 15112 ip from any to 192.168.2.52 via em1 <118>15113 skipto 65100 ip from any to 192.168.2.52 via em1 <118>15117 netgraph 60 ip from 192.168.2.52 to any out recv em1 xmit em0 <118>15118 pipe 15117 ip from 192.168.2.52 to any via em1 <118>15119 skipto 65110 ip from 192.168.2.52 to any via em1 <118>15122 pipe 15122 ip from any to 192.168.2.9 via em1 <118>15123 skipto 65100 ip from any to 192.168.2.9 via em1 <118>15127 netgraph 60 ip from 192.168.2.9 to any out recv em1 xmit em0 <118>15128 pipe 15127 ip from 192.168.2.9 to any via em1 <118>15129 skipto 65110 ip from 192.168.2.9 to any via em1 <118>15132 pipe 15132 ip from any to 192.168.2.12 via em1 <118>15133 skipto 65100 ip from any to 192.168.2.12 via em1 <118>15137 netgraph 60 ip from 192.168.2.12 to any out recv em1 xmit em0 <118>15138 pipe 15137 ip from 192.168.2.12 to any via em1 <118>15139 skipto 65110 ip from 192.168.2.12 to any via em1 <118>15142 pipe 15142 ip from any to 192.168.2.13 via em1 <118>15143 skipto 65100 ip from any to 192.168.2.13 via em1 <118>15147 netgraph 60 ip from 192.168.2.13 to any out recv em1 xmit em0 <118>15148 pipe 15147 ip from 192.168.2.13 to any via em1 <118>15149 skipto 65110 ip from 192.168.2.13 to any via em1 <118>15152 pipe 15152 ip from any to 192.168.2.14 via em1 <118>15153 skipto 65100 ip from any to 192.168.2.14 via em1 <118>15157 netgraph 60 ip from 192.168.2.14 to any out recv em1 xmit em0 <118>15158 pipe 15157 ip from 192.168.2.14 to any via em1 <118>15159 skipto 65110 ip from 192.168.2.14 to any via em1 <118>15162 pipe 15162 ip from any to 192.168.2.62 via em1 <118>15163 skipto 65100 ip from any to 192.168.2.62 via em1 <118>15167 netgraph 60 ip from 192.168.2.62 to any out recv em1 xmit em0 <118>15168 pipe 15167 ip from 192.168.2.62 to any via em1 <118>15169 skipto 65110 ip from 192.168.2.62 to any via em1 <118>15172 pipe 15172 ip from any to 192.168.2.65 via em1 <118>15173 skipto 65100 ip from any to 192.168.2.65 via em1 <118>15177 netgraph 60 ip from 192.168.2.65 to any out recv em1 xmit em0 <118>15178 pipe 15177 ip from 192.168.2.65 to any via em1 <118>15179 skipto 65110 ip from 192.168.2.65 to any via em1 <118>15182 pipe 15182 ip from any to 192.168.2.74 via em1 <118>15183 skipto 65100 ip from any to 192.168.2.74 via em1 <118>15187 netgraph 60 ip from 192.168.2.74 to any out recv em1 xmit em0 <118>15188 pipe 15187 ip from 192.168.2.74 to any via em1 <118>15189 skipto 65110 ip from 192.168.2.74 to any via em1 <118>15192 pipe 15192 ip from any to 192.168.2.27 via em1 <118>15193 skipto 65100 ip from any to 192.168.2.27 via em1 <118>15197 netgraph 60 ip from 192.168.2.27 to any out recv em1 xmit em0 <118>15198 pipe 15197 ip from 192.168.2.27 to any via em1 <118>15199 skipto 65110 ip from 192.168.2.27 to any via em1 <118>15202 pipe 15202 ip from any to 192.168.2.15 via em1 <118>15203 skipto 65100 ip from any to 192.168.2.15 via em1 <118>15207 netgraph 60 ip from 192.168.2.15 to any out recv em1 xmit em0 <118>15208 pipe 15207 ip from 192.168.2.15 to any via em1 <118>15209 skipto 65110 ip from 192.168.2.15 to any via em1 <118>15212 pipe 15212 ip from any to 192.168.2.16 via em1 <118>15213 skipto 65100 ip from any to 192.168.2.16 via em1 <118>15217 netgraph 60 ip from 192.168.2.16 to any out recv em1 xmit em0 <118>15218 pipe 15217 ip from 192.168.2.16 to any via em1 <118>15219 skipto 65110 ip from 192.168.2.16 to any via em1 <118>tokar4: not found <118>15222 pipe 15222 ip from any to 192.168.2.17 via em1 <118>15223 skipto 65100 ip from any to 192.168.2.17 via em1 <118>15227 netgraph 60 ip from 192.168.2.17 to any out recv em1 xmit em0 <118>15228 pipe 15227 ip from 192.168.2.17 to any via em1 <118>15229 skipto 65110 ip from 192.168.2.17 to any via em1 <118>15232 pipe 15232 ip from any to 192.168.2.18 via em1 <118>15233 skipto 65100 ip from any to 192.168.2.18 via em1 <118>15237 netgraph 60 ip from 192.168.2.18 to any out recv em1 xmit em0 <118>15238 pipe 15237 ip from 192.168.2.18 to any via em1 <118>15239 skipto 65110 ip from 192.168.2.18 to any via em1 <118>15252 pipe 15252 ip from any to 192.168.2.20 via em1 <118>15253 skipto 65100 ip from any to 192.168.2.20 via em1 <118>15257 netgraph 60 ip from 192.168.2.20 to any out recv em1 xmit em0 <118>15258 pipe 15257 ip from 192.168.2.20 to any via em1 <118>15259 skipto 65110 ip from 192.168.2.20 to any via em1 <118>15262 pipe 15262 ip from any to 192.168.2.19 via em1 <118>15263 skipto 65100 ip from any to 192.168.2.19 via em1 <118>15267 netgraph 60 ip from 192.168.2.19 to any out recv em1 xmit em0 <118>15268 pipe 15267 ip from 192.168.2.19 to any via em1 <118>15269 skipto 65110 ip from 192.168.2.19 to any via em1 <118>15272 pipe 15272 ip from any to 192.168.2.21 via em1 <118>15273 skipto 65100 ip from any to 192.168.2.21 via em1 <118>15277 netgraph 60 ip from 192.168.2.21 to any out recv em1 xmit em0 <118>15278 pipe 15277 ip from 192.168.2.21 to any via em1 <118>15279 skipto 65110 ip from 192.168.2.21 to any via em1 <118>15282 pipe 15282 ip from any to 192.168.2.115 via em1 <118>15283 skipto 65100 ip from any to 192.168.2.115 via em1 <118>15287 netgraph 60 ip from 192.168.2.115 to any out recv em1 xmit = em0 <118>15288 pipe 15287 ip from 192.168.2.115 to any via em1 <118>15289 skipto 65110 ip from 192.168.2.115 to any via em1 <118>15292 pipe 15292 ip from any to 192.168.2.116 via em1 <118>15293 skipto 65100 ip from any to 192.168.2.116 via em1 <118>15297 netgraph 60 ip from 192.168.2.116 to any out recv em1 xmit = em0 <118>15298 pipe 15297 ip from 192.168.2.116 to any via em1 <118>15299 skipto 65110 ip from 192.168.2.116 to any via em1 <118>15302 pipe 15302 ip from any to 192.168.2.22 via em1 <118>15303 skipto 65100 ip from any to 192.168.2.22 via em1 <118>15307 netgraph 60 ip from 192.168.2.22 to any out recv em1 xmit em0 <118>15308 pipe 15307 ip from 192.168.2.22 to any via em1 <118>15309 skipto 65110 ip from 192.168.2.22 to any via em1 <118>15312 pipe 15312 ip from any to 192.168.2.23 via em1 <118>15313 skipto 65100 ip from any to 192.168.2.23 via em1 <118>15317 netgraph 60 ip from 192.168.2.23 to any out recv em1 xmit em0 <118>15318 pipe 15317 ip from 192.168.2.23 to any via em1 <118>15319 skipto 65110 ip from 192.168.2.23 to any via em1 <118>15322 pipe 15322 ip from any to 192.168.2.24 via em1 <118>15323 skipto 65100 ip from any to 192.168.2.24 via em1 <118>15327 netgraph 60 ip from 192.168.2.24 to any out recv em1 xmit em0 <118>15328 pipe 15327 ip from 192.168.2.24 to any via em1 <118>15329 skipto 65110 ip from 192.168.2.24 to any via em1 <118>15332 pipe 15332 ip from any to 192.168.2.25 via em1 <118>15333 skipto 65100 ip from any to 192.168.2.25 via em1 <118>15337 netgraph 60 ip from 192.168.2.25 to any out recv em1 xmit em0 <118>15338 pipe 15337 ip from 192.168.2.25 to any via em1 <118>15339 skipto 65110 ip from 192.168.2.25 to any via em1 <118>15342 pipe 15342 ip from any to 192.168.2.90 via em1 <118>15343 skipto 65100 ip from any to 192.168.2.90 via em1 <118>15347 netgraph 60 ip from 192.168.2.90 to any out recv em1 xmit em0 <118>15348 pipe 15347 ip from 192.168.2.90 to any via em1 <118>15349 skipto 65110 ip from 192.168.2.90 to any via em1 <118>15352 pipe 15352 ip from any to 192.168.2.245 via em1 <118>15353 skipto 65500 ip from any to 192.168.2.245 via em1 <118>15357 netgraph 60 ip from 192.168.2.245 to any out recv em1 xmit = em0 <118>15358 pipe 15357 ip from 192.168.2.245 to any via em1 <118>15359 skipto 65510 ip from 192.168.2.245 to any via em1 <118>15362 pipe 15362 ip from any to 192.168.4.0/27 via em1 <118>15363 skipto 65100 ip from any to 192.168.4.0/27 via em1 <118>15367 netgraph 60 ip from 192.168.4.0/27 to any out recv em1 xmit = em0 <118>15368 pipe 15367 ip from 192.168.4.0/27 to any via em1 <118>15369 skipto 65110 ip from 192.168.4.0/27 to any via em1 <118>15372 pipe 15372 ip from any to 192.168.5.2 via em1 <118>15373 skipto 65100 ip from any to 192.168.5.2 via em1 <118>15377 netgraph 60 ip from 192.168.5.2 to any out recv em1 xmit em0 <118>15378 pipe 15377 ip from 192.168.5.2 to any via em1 <118>15379 skipto 65110 ip from 192.168.5.2 to any via em1 <118>15662 pipe 15372 ip from any to 192.168.5.3 via em1 <118>15663 skipto 65100 ip from any to 192.168.5.3 via em1 <118>15667 netgraph 60 ip from 192.168.5.3 to any out recv em1 xmit em0 <118>15668 pipe 15377 ip from 192.168.5.3 to any via em1 <118>15669 skipto 65110 ip from 192.168.5.3 to any via em1 <118>15402 pipe 15412 ip from any to 192.168.11.21 via vlan3 <118>15403 skipto 65100 ip from any to 192.168.11.21 via vlan3 <118>15407 netgraph 60 ip from 192.168.11.21 to any out recv vlan3 xmit = em0 <118>15408 pipe 15417 ip from 192.168.11.21 to any via vlan3 <118>15409 skipto 65110 ip from 192.168.11.21 to any via vlan3 <118>15412 pipe 15412 ip from any to 192.168.11.18 via vlan3 <118>15413 skipto 65100 ip from any to 192.168.11.18 via vlan3 <118>15417 netgraph 60 ip from 192.168.11.18 to any out recv vlan3 xmit = em0 <118>15418 pipe 15417 ip from 192.168.11.18 to any via vlan3 <118>15419 skipto 65110 ip from 192.168.11.18 to any via vlan3 <118>15432 pipe 15432 ip from any to 192.168.11.36 via em1 <118>15433 skipto 65100 ip from any to 192.168.11.36 via em1 <118>15437 netgraph 60 ip from 192.168.11.36 to any out recv em1 xmit = em0 <118>15438 pipe 15437 ip from 192.168.11.36 to any via em1 <118>15439 skipto 65110 ip from 192.168.11.36 to any via em1 <118>15452 pipe 15452 ip from any to 192.168.129.4 via em1 <118>15453 skipto 65100 ip from any to 192.168.129.4 via em1 <118>15457 netgraph 60 ip from 192.168.129.4 to any out recv em1 xmit = em0 <118>15458 pipe 15457 ip from 192.168.129.4 to any via em1 <118>15459 skipto 65110 ip from 192.168.129.4 to any via em1 <118>15462 pipe 15462 ip from any to 192.168.129.10 via em1 <118>15463 skipto 65100 ip from any to 192.168.129.10 via em1 <118>15467 netgraph 60 ip from 192.168.129.10 to any out recv em1 xmit = em0 <118>15468 pipe 15467 ip from 192.168.129.10 to any via em1 <118>15469 skipto 65110 ip from 192.168.129.10 to any via em1 <118>15502 pipe 15502 ip from any to 192.168.129.205 via em1 <118>15503 skipto 65100 ip from any to 192.168.129.205 via em1 <118>15507 netgraph 60 ip from 192.168.129.205 to any out recv em1 xmit = em0 <118>15508 pipe 15507 ip from 192.168.129.205 to any via em1 <118>15509 skipto 65110 ip from 192.168.129.205 to any via em1 <118>15552 pipe 15552 ip from any to 192.168.129.26 via em1 <118>15553 skipto 65100 ip from any to 192.168.129.26 via em1 <118>15557 netgraph 60 ip from 192.168.129.26 to any out recv em1 xmit = em0 <118>15558 pipe 15557 ip from 192.168.129.26 to any via em1 <118>15559 skipto 65110 ip from 192.168.129.26 to any via em1 <118>15562 pipe 15562 ip from any to 192.168.129.85 via em1 <118>15563 skipto 65100 ip from any to 192.168.129.85 via em1 <118>15567 netgraph 60 ip from 192.168.129.85 to any out recv em1 xmit = em0 <118>15568 pipe 15567 ip from 192.168.129.85 to any via em1 <118>15569 skipto 65110 ip from 192.168.129.85 to any via em1 <118>15572 pipe 15572 ip from any to 192.168.129.173 via em1 <118>15573 skipto 65100 ip from any to 192.168.129.173 via em1 <118>15577 netgraph 60 ip from 192.168.129.173 to any out recv em1 xmit = em0 <118>15578 pipe 15577 ip from 192.168.129.173 to any via em1 <118>15579 skipto 65110 ip from 192.168.129.173 to any via em1 <118>15582 pipe 15582 ip from any to 192.168.11.19 via vlan3 <118>15583 skipto 65100 ip from any to 192.168.11.19 via vlan3 <118>15587 netgraph 60 ip from 192.168.11.19 to any out recv vlan3 xmit = em0 <118>15588 pipe 15587 ip from 192.168.11.19 to any via vlan3 <118>15589 skipto 65110 ip from 192.168.11.19 to any via vlan3 <118>15592 pipe 15592 ip from any to 192.168.129.215 via em1 <118>15593 skipto 65100 ip from any to 192.168.129.215 via em1 <118>15597 netgraph 60 ip from 192.168.129.215 to any out recv em1 xmit = em0 <118>15598 pipe 15597 ip from 192.168.129.215 to any via em1 <118>15599 skipto 65110 ip from 192.168.129.215 to any via em1 <118>15622 pipe 15622 ip from any to 192.168.2.239 via em1 <118>15623 skipto 65100 ip from any to 192.168.2.239 via em1 <118>15627 netgraph 60 ip from 192.168.2.239 to any out recv em1 xmit = em0 <118>15628 pipe 15627 ip from 192.168.2.239 to any via em1 <118>15629 skipto 65110 ip from 192.168.2.239 to any via em1 <118>15632 pipe 5232 ip from any to 192.168.2.10 via em1 <118>15633 skipto 65100 ip from any to 192.168.2.10 via em1 <118>15637 netgraph 60 ip from 192.168.2.10 to any out recv em1 xmit em0 <118>15638 pipe 5237 ip from 192.168.2.10 to any via em1 <118>15639 skipto 65110 ip from 192.168.2.10 to any via em1 <118>15652 pipe 15652 ip from any to 192.168.2.100 via em1 <118>15653 skipto 65100 ip from any to 192.168.2.100 via em1 <118>15657 netgraph 60 ip from 192.168.2.100 to any out recv em1 xmit = em0 <118>15658 pipe 15657 ip from 192.168.2.100 to any via em1 <118>15659 skipto 65110 ip from 192.168.2.100 to any via em1 <118>15672 pipe 15672 ip from any to 192.168.2.5 via em1 <118>15673 skipto 65500 ip from any to 192.168.2.5 via em1 <118>15677 netgraph 60 ip from 192.168.2.5 to any out recv em1 xmit em0 <118>15678 pipe 15677 ip from 192.168.2.5 to any via em1 <118>15679 skipto 65510 ip from 192.168.2.5 to any via em1 <118>15682 pipe 15682 ip from any to 192.168.129.112 via em1 <118>15683 skipto 65100 ip from any to 192.168.129.112 via em1 <118>15687 netgraph 60 ip from 192.168.129.112 to any out recv em1 xmit = em0 <118>15688 pipe 15687 ip from 192.168.129.112 to any via em1 <118>15689 skipto 65110 ip from 192.168.129.112 to any via em1 <118>15692 pipe 15692 ip from any to 192.168.129.55 via em1 <118>15693 skipto 65100 ip from any to 192.168.129.55 via em1 <118>15697 netgraph 60 ip from 192.168.129.55 to any out recv em1 xmit = em0 <118>15698 pipe 15697 ip from 192.168.129.55 to any via em1 <118>15699 skipto 65110 ip from 192.168.129.55 to any via em1 <118>15702 pipe 15702 ip from any to 192.168.129.129 via em1 <118>15703 skipto 65100 ip from any to 192.168.129.129 via em1 <118>15707 netgraph 60 ip from 192.168.129.129 to any out recv em1 xmit = em0 <118>15708 pipe 15707 ip from 192.168.129.129 to any via em1 <118>15709 skipto 65110 ip from 192.168.129.129 to any via em1 <118>15712 pipe 15712 ip from any to 192.168.2.26 via em1 <118>15713 skipto 65100 ip from any to 192.168.2.26 via em1 <118>15717 netgraph 60 ip from 192.168.2.26 to any out recv em1 xmit em0 <118>15718 pipe 15717 ip from 192.168.2.26 to any via em1 <118>15719 skipto 65110 ip from 192.168.2.26 to any via em1 <118>17002 pipe 17002 ip from any to 192.168.2.30 via em1 <118>17003 skipto 65100 ip from any to 192.168.2.30 via em1 <118>17007 netgraph 60 ip from 192.168.2.30 to any out recv em1 xmit em0 <118>17008 pipe 17009 ip from 192.168.2.30 to any via em1 <118>17009 skipto 65110 ip from 192.168.2.30 to any via em1 <118>05002 pipe 5002 ip from any to 195.16.76.10 in via em0 <118>05003 skipto 65500 ip from any to 195.16.76.10 in via em0 <118>05007 pipe 5007 ip from 195.16.76.10 to any out via em0 <118>05008 skipto 65510 ip from 195.16.76.10 to any out via em0 <118>05012 pipe 5012 ip from any to 195.16.76.14 in via em0 <118>05013 skipto 65500 ip from any to 195.16.76.14 in via em0 <118>05017 pipe 5017 ip from 195.16.76.14 to any out via em0 <118>05018 skipto 65510 ip from 195.16.76.14 to any out via em0 <118>05022 pipe 5022 ip from any to { 195.16.76.30 or dst-ip = 195.16.76.18 } in via em0 <118>05023 skipto 65500 ip from any to { 195.16.76.30 or dst-ip = 195.16.76.18 } in via em0 <118>05027 pipe 5027 ip from { 195.16.76.30 or 195.16.76.18 } to any out = via em0 <118>05028 skipto 65510 ip from { 195.16.76.30 or 195.16.76.18 } to any = out via em0 <118>05032 count ip from 213.70.83.33 to 195.16.76.32/27{34} in via em0 <118>05033 skipto 65500 ip from 213.70.83.33 to 195.16.76.32/27{34} in = via em0 <118>05037 count ip from 195.16.76.32/27{34} to 213.70.83.33 out via em0 <118>05038 skipto 65510 ip from 195.16.76.32/27{34} to 213.70.83.33 out = via em0 <118>05042 pipe 5042 ip from any to 195.16.76.156 in via em0 <118>05043 skipto 65500 ip from any to 195.16.76.156 in via em0 <118>05047 pipe 5047 ip from 195.16.76.156 to any out via em0 <118>05048 skipto 65510 ip from 195.16.76.156 to any out via em0 <118>05062 pipe 5062 ip from any to 195.16.76.12 in via em0 <118>05063 skipto 65500 ip from any to 195.16.76.12 in via em0 <118>05067 count ip from 195.16.76.12 to any out via em0 <118>05069 pipe 5067 ip from 195.16.76.12 to any out via em0 <118>05068 skipto 65510 ip from 195.16.76.12 to any out via em0 <118>05072 pipe 5072 ip from any to 195.16.76.143 in via em0 <118>05073 skipto 65100 ip from any to 195.16.76.143 in via em0 <118>05077 pipe 5077 ip from 195.16.76.143 to any out via em0 <118>05078 skipto 65110 ip from 195.16.76.143 to any out via em0 <118>05082 pipe 5082 ip from any to 195.16.76.13 in via em0 <118>05083 skipto 65500 ip from any to 195.16.76.13 in via em0 <118>05087 pipe 5087 ip from 195.16.76.13 to any out via em0 <118>05088 skipto 65510 ip from 195.16.76.13 to any out via em0 <118>05092 pipe 5092 ip from any to 195.16.76.130 in via em0 <118>05093 skipto 65500 ip from any to 195.16.76.130 in via em0 <118>05097 pipe 5097 ip from 195.16.76.130 to any out via em0 <118>05098 skipto 65510 ip from 195.16.76.130 to any out via em0 <118>05102 pipe 5102 ip from any to 195.16.76.132 in via em0 <118>05103 skipto 65100 ip from any to 195.16.76.132 in via em0 <118>05107 pipe 5107 ip from 195.16.76.132 to any out via em0 <118>05108 skipto 65110 ip from 195.16.76.132 to any out via em0 <118>05112 pipe 5112 ip from any to 195.16.76.133 in via em0 <118>05113 skipto 65100 ip from any to 195.16.76.133 in via em0 <118>05117 pipe 5117 ip from 195.16.76.133 to any out via em0 <118>05118 skipto 65110 ip from 195.16.76.133 to any out via em0 <118>05122 pipe 5122 ip from any to 195.16.77.34 <118>05123 skipto 65100 ip from any to 195.16.77.34 <118>05127 pipe 5127 ip from 195.16.77.34 to any <118>05128 skipto 65110 ip from 195.16.77.34 to any <118>05132 pipe 5132 ip from any to 195.16.76.135 in via em0 <118>05133 skipto 65100 ip from any to 195.16.76.135 in via em0 <118>05137 pipe 5137 ip from 195.16.76.135 to any out via em0 <118>05138 skipto 65110 ip from 195.16.76.135 to any out via em0 <118>05142 pipe 5142 ip from any to 195.16.76.136 in via em0 <118>05143 skipto 65500 ip from any to 195.16.76.136 in via em0 <118>05147 pipe 5147 ip from 195.16.76.136 to any out via em0 <118>05148 skipto 65510 ip from 195.16.76.136 to any out via em0 <118>05152 pipe 5152 ip from any to 195.16.76.137 in via em0 <118>05153 skipto 65500 ip from any to 195.16.76.137 in via em0 <118>05157 pipe 5157 ip from 195.16.76.137 to any out via em0 <118>05158 skipto 65510 ip from 195.16.76.137 to any out via em0 <118>05162 pipe 5162 ip from any to 195.16.76.138 in via em0 <118>05163 skipto 65500 ip from any to 195.16.76.138 in via em0 <118>05167 pipe 5167 ip from 195.16.76.138 to any out via em0 <118>05168 skipto 65510 ip from 195.16.76.138 to any out via em0 <118>05172 pipe 5172 ip from any to 195.16.76.232 in via em0 <118>05173 skipto 65500 ip from any to 195.16.76.232 in via em0 <118>05177 pipe 5177 ip from 195.16.76.232 to any out via em0 <118>05178 skipto 65510 ip from 195.16.76.232 to any out via em0 <118>05182 pipe 5182 ip from any to 195.16.76.140 in via em0 <118>05183 skipto 65500 ip from any to 195.16.76.140 in via em0 <118>05187 pipe 5187 ip from 195.16.76.140 to any out via em0 <118>05188 skipto 65510 ip from 195.16.76.140 to any out via em0 <118>05212 count ip from any to 192.168.157.10 <118>05213 pipe 5212 ip from { 192.168.11.0/30 or 195.16.76.0/29 or = 195.16.77.0/28 } to 192.168.157.10 <118>05214 skipto 65500 ip from { 192.168.11.0/30 or 195.16.76.0/29 or = 195.16.77.0/28 } to 192.168.157.10 <118>05217 count ip from 192.168.157.10 to any <118>05218 pipe 5217 ip from 192.168.157.10 to { 192.168.11.0/30 or = dst-ip 195.16.76.0/29 or dst-ip 195.16.77.0/28 } <118>05219 skipto 65510 ip from 192.168.157.10 to { 192.168.11.0/30 or = dst-ip 195.16.76.0/29 or dst-ip 195.16.77.0/28 } <118>05222 pipe 5222 ip from any to 195.16.76.144 in via em0 <118>05223 skipto 65500 ip from any to 195.16.76.144 in via em0 <118>05227 pipe 5227 ip from 195.16.76.144 to any out via em0 <118>05228 skipto 65510 ip from 195.16.76.144 to any out via em0 <118>05232 pipe 5232 ip from any to 195.16.76.147 in via em0 <118>05233 skipto 65100 ip from any to 195.16.76.147 in via em0 <118>05237 pipe 5237 ip from 195.16.76.147 to any out via em0 <118>05238 skipto 65110 ip from 195.16.76.147 to any out via em0 <118>05252 pipe 5252 ip from any to 195.16.76.148 in via em0 <118>05253 skipto 65100 ip from any to 195.16.76.148 in via em0 <118>05257 pipe 5257 ip from 195.16.76.148 to any out via em0 <118>05258 skipto 65110 ip from 195.16.76.148 to any out via em0 <118>05262 pipe 5262 ip from any to 195.16.76.149 in via em0 <118>05263 skipto 65100 ip from any to 195.16.76.149 in via em0 <118>05267 pipe 5267 ip from 195.16.76.149 to any out via em0 <118>05268 skipto 65110 ip from 195.16.76.149 to any out via em0 <118>05272 pipe 5272 ip from any to 195.16.76.150 in via em0 <118>05273 skipto 65100 ip from any to 195.16.76.150 in via em0 <118>05277 pipe 5277 ip from 195.16.76.150 to any out via em0 <118>05278 skipto 65110 ip from 195.16.76.150 to any out via em0 <118>05282 pipe 5282 ip from any to 195.16.76.151 in via em0 <118>05283 skipto 65100 ip from any to 195.16.76.151 in via em0 <118>05287 pipe 5287 ip from 195.16.76.151 to any out via em0 <118>05288 skipto 65110 ip from 195.16.76.151 to any out via em0 <118>05292 pipe 5292 ip from any to 195.16.76.154 in via em0 <118>05293 skipto 65100 ip from any to 195.16.76.154 in via em0 <118>05297 pipe 5297 ip from 195.16.76.154 to any out via em0 <118>05298 skipto 65110 ip from 195.16.76.154 to any out via em0 <118>05302 pipe 5302 ip from any to 195.16.76.155 in via em0 <118>05303 skipto 65500 ip from any to 195.16.76.155 in via em0 <118>05307 pipe 5307 ip from 195.16.76.155 to any out via em0 <118>05308 skipto 65510 ip from 195.16.76.155 to any out via em0 <118>05312 pipe 5312 ip from any to 195.16.76.235 in via em0 <118>05313 skipto 65500 ip from any to 195.16.76.235 in via em0 <118>05317 pipe 5317 ip from 195.16.76.235 to any out via em0 <118>05318 skipto 65510 ip from 195.16.76.235 to any out via em0 <118>05322 pipe 5322 ip from any to 195.16.76.222 in via em0 <118>05323 skipto 65500 ip from any to 195.16.76.222 in via em0 <118>05327 pipe 5327 ip from 195.16.76.222 to any out via em0 <118>05328 skipto 65510 ip from 195.16.76.222 to any out via em0 <118>05332 pipe 5332 ip from any to 195.16.76.142 via em0 <118>05333 skipto 65100 ip from any to 195.16.76.142 via em0 <118>05337 pipe 5337 ip from 195.16.76.142 to any via em0 <118>05338 skipto 65110 ip from 195.16.76.142 to any via em0 <118>05342 pipe 5342 ip from any to 195.16.76.145 via em0 <118>05343 skipto 65100 ip from any to 195.16.76.145 via em0 <118>05347 count ip from 195.16.76.145 to any via em0 <118>05348 pipe 5347 ip from 195.16.76.145 to any via em0 <118>05349 skipto 65110 ip from 195.16.76.145 to any via em0 <118>05352 pipe 5352 ip from any to 195.16.76.157 via em0 <118>05353 skipto 65100 ip from any to 195.16.76.157 via em0 <118>05357 pipe 5357 ip from 195.16.76.157 to any via em0 <118>05358 skipto 65110 ip from 195.16.76.157 to any via em0 <118>05362 pipe 5362 ip from any to { 195.16.76.32/27{33,35-63} or = dst-ip 195.16.76.64/30 or dst-ip 195.16.76.68/30 } in via em0 <118>05363 skipto 65500 ip from any to { 195.16.76.32/27{33,35-63} or = dst-ip 195.16.76.64/30 or dst-ip 195.16.76.68/30 } in via em0 <118>05367 pipe 5367 ip from { 195.16.76.32/27{33,35-63} or = 195.16.76.64/30 or 195.16.76.68/30 } to any out via em0 <118>05368 skipto 65510 ip from { 195.16.76.32/27{33,35-63} or = 195.16.76.64/30 or 195.16.76.68/30 } to any out via em0 <118>05372 pipe 5372 ip from any to 195.16.76.153 in via em0 <118>05373 skipto 65100 ip from any to 195.16.76.153 in via em0 <118>05377 pipe 5377 ip from 195.16.76.153 to any out via em0 <118>05378 skipto 65110 ip from 195.16.76.153 to any out via em0 <118>05382 pipe 15372 ip from any to 195.16.76.158 in via em0 <118>05383 skipto 65100 ip from any to 195.16.76.158 in via em0 <118>05387 pipe 15377 ip from 195.16.76.158 to any out via em0 <118>05388 skipto 65110 ip from 195.16.76.158 to any out via em0 <118>05392 pipe 5392 ip from 62.64.120.62 to 195.16.76.141 in via em0 <118>05393 skipto 65500 ip from 62.64.120.62 to 195.16.76.141 in via em0 <118>05394 deny ip from any to 195.16.76.141 in via em0 <118>05397 pipe 5397 ip from 195.16.76.141 to 62.64.120.62 out via em0 <118>05398 skipto 65510 ip from 195.16.76.141 to 62.64.120.62 out via = em0 <118>05399 deny ip from 195.16.76.141 to any out via em0 <118>05402 pipe 5402 ip from any to 195.16.76.152 in via em0 <118>05403 skipto 65100 ip from any to 195.16.76.152 in via em0 <118>05407 pipe 5407 ip from 195.16.76.152 to any out via em0 <118>05408 skipto 65110 ip from 195.16.76.152 to any out via em0 <118>05412 pipe 5412 ip from any to 195.16.76.226 in via em0 <118>05413 skipto 65500 ip from any to 195.16.76.226 in via em0 <118>05417 pipe 5417 ip from 195.16.76.226 to any out via em0 <118>05418 skipto 65510 ip from 195.16.76.226 to any out via em0 <118>05432 pipe 5432 ip from any to 195.16.76.139 in via em0 <118>05433 skipto 65500 ip from any to 195.16.76.139 in via em0 <118>05437 pipe 5437 ip from 195.16.76.139 to any out via em0 <118>05438 skipto 65510 ip from 195.16.76.139 to any out via em0 <118>05462 pipe 5412 ip from any to 195.16.76.228 in via em0 <118>05463 skipto 65100 ip from any to 195.16.76.228 in via em0 <118>05467 pipe 5417 ip from 195.16.76.228 to any out via em0 <118>05468 skipto 65110 ip from 195.16.76.228 to any out via em0 <118>05482 pipe 5412 ip from any to 195.16.76.230 in via em0 <118>05483 skipto 65100 ip from any to 195.16.76.230 in via em0 <118>05487 pipe 5417 ip from 195.16.76.230 to any out via em0 <118>05488 skipto 65110 ip from 195.16.76.230 to any out via em0 <118>05492 pipe 5492 ip from any to 195.16.76.134 in via em0 <118>05493 skipto 65500 ip from any to 195.16.76.134 in via em0 <118>05497 pipe 5497 ip from 195.16.76.134 to any out via em0 <118>05498 skipto 65510 ip from 195.16.76.134 to any out via em0 <118>05512 pipe 5512 ip from any to 195.16.76.231 in via em0 <118>05513 skipto 65100 ip from any to 195.16.76.231 in via em0 <118>05517 pipe 5517 ip from 195.16.76.231 to any out via em0 <118>05518 skipto 65110 ip from 195.16.76.231 to any out via em0 <118>05522 pipe 5522 ip from any to 195.16.76.233 in via em0 <118>05523 skipto 65500 ip from any to 195.16.76.233 in via em0 <118>05527 pipe 5527 ip from 195.16.76.233 to any out via em0 <118>05528 skipto 65510 ip from 195.16.76.233 to any out via em0 <118>05532 pipe 5532 ip from any to 195.16.76.254 in via em0 <118>05533 skipto 65500 ip from any to 195.16.76.254 in via em0 <118>05537 pipe 5537 ip from 195.16.76.254 to any out via em0 <118>05538 skipto 65510 ip from 195.16.76.254 to any out via em0 <118>05542 pipe 5542 ip from any to 195.16.76.86 in via em0 <118>05543 skipto 65500 ip from any to 195.16.76.86 in via em0 <118>05547 pipe 5547 ip from 195.16.76.86 to any out via em0 <118>05548 skipto 65510 ip from 195.16.76.86 to any out via em0 <118>05552 pipe 5552 ip from any to 195.16.76.253 in via em0 <118>05553 skipto 65500 ip from any to 195.16.76.253 in via em0 <118>05557 pipe 5557 ip from 195.16.76.253 to any out via em0 <118>05558 skipto 65510 ip from 195.16.76.253 to any out via em0 <118>05562 pipe 5552 ip from any to 195.16.76.131 in via em0 <118>05563 skipto 65100 ip from any to 195.16.76.131 in via em0 <118>05567 pipe 5557 ip from 195.16.76.131 to any out via em0 <118>05568 skipto 65110 ip from 195.16.76.131 to any out via em0 <118>05572 pipe 5532 ip from any to 195.16.76.252 in via em0 <118>05573 skipto 65200 ip from any to 195.16.76.252 in via em0 <118>05577 pipe 5537 ip from 195.16.76.252 to any out via em0 <118>05578 skipto 65210 ip from 195.16.76.252 to any out via em0 <118>05582 pipe 5582 ip from any to 195.16.76.229 in via em0 <118>05583 skipto 65100 ip from any to 195.16.76.229 in via em0 <118>05587 pipe 5587 ip from 195.16.76.229 to any out via em0 <118>05588 skipto 65110 ip from 195.16.76.229 to any out via em0 <118>05592 pipe 5592 ip from any to 195.16.76.236 in via em0 <118>05593 skipto 65100 ip from any to 195.16.76.236 in via em0 <118>05597 pipe 5597 ip from 195.16.76.236 to any out via em0 <118>05598 skipto 65110 ip from 195.16.76.236 to any out via em0 <118>05602 pipe 5602 ip from any to 195.16.76.227 in via em0 <118>05603 skipto 65500 ip from any to 195.16.76.227 in via em0 <118>05607 pipe 5607 ip from 195.16.76.227 to any out via em0 <118>05608 skipto 65510 ip from 195.16.76.227 to any out via em0 <118>05612 pipe 5612 ip from any to 195.16.76.237 in via em0 <118>05613 skipto 65100 ip from any to 195.16.76.237 in via em0 <118>05617 pipe 5617 ip from 195.16.76.237 to any out via em0 <118>05618 skipto 65110 ip from 195.16.76.237 to any out via em0 <118>05622 pipe 5622 ip from any to 195.16.76.239 in via em0 <118>05623 skipto 65500 ip from any to 195.16.76.239 in via em0 <118>05627 pipe 5627 ip from 195.16.76.239 to any out via em0 <118>05628 skipto 65510 ip from 195.16.76.239 to any out via em0 <118>05632 pipe 5632 ip from any to 195.16.76.238 in via em0 <118>05633 skipto 65100 ip from any to 195.16.76.238 in via em0 <118>05637 pipe 5637 ip from 195.16.76.238 to any out via em0 <118>05638 skipto 65110 ip from 195.16.76.238 to any out via em0 <118>Firewall rules loaded. <118>net.inet.ip.fw.enable:=20 <118>1 <118> ->=20 <118>1 <118> <118>Additional IP options: <118>. <118>Mounting NFS file systems: <118>. Fatal trap 12: page fault while in kernel mode cpuid =3D 1; apic id =3D 01 fault virtual address=3D 0x28 fault code=3D supervisor write data, page not present instruction pointer=3D 0x8:0xffffffff803430b3 stack pointer =3D 0x10:0xffffffffac0d6af0 frame pointer =3D 0x10:0xffffff0001b7ba00 code segment=3D base 0x0, limit 0xfffff, type 0x1b =3D DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags=3D interrupt enabled, resume, IOPL =3D 0 current process=3D 29 (dummynet) trap number=3D 12 panic: page fault cpuid =3D 1 Uptime: 6s Physical memory: 2007 MB Dumping 101 MB: 86 70 54 38 22 6 #0 doadump () at pcpu.h:194 194pcpu.h: No such file or directory. in pcpu.h (kgdb) bt #0 doadump () at pcpu.h:194 #1 0xffffff0001925000 in ?? () #2 0xffffffff8024c659 in boot (howto=3D260) at = ../../../kern/kern_shutdown.c:409 #3 0xffffffff8024ca5d in panic (fmt=3D0x104
) at ../../../kern/kern_shutdown.c:563 #4 0xffffffff803ea974 in trap_fatal (frame=3D0xffffff0001925000, = eva=3D18446742974216222928) at ../../../amd64/amd64/trap.c:724 #5 0xffffffff803ead45 in trap_pfault (frame=3D0xffffffffac0d6a40, = usermode=3D0) at ../../../amd64/amd64/trap.c:641 #6 0xffffffff803eb688 in trap (frame=3D0xffffffffac0d6a40) at = ../../../amd64/amd64/trap.c:410 #7 0xffffffff803d12ee in calltrap () at = ../../../amd64/amd64/exception.S:169 #8 0xffffffff803430b3 in move_pkt (pkt=3D0xffffff0001b7ba00, = q=3D0xffffff0001dd2000, p=3D0xffffff0001f67a00, len=3D191) at = ../../../netinet/ip_dummynet.c:517 #9 0xffffffff80343ae9 in ready_event (q=3D0xffffff0001dd2000, = head=3D0xffffffffac0d6b88, tail=3D0xffffffffac0d6b80) at = ../../../netinet/ip_dummynet.c:564 #10 0xffffffff80345593 in dummynet_task (context=3DVariable "context" is = not available. ) at ../../../netinet/ip_dummynet.c:802 #11 0xffffffff8027cabf in taskqueue_run (queue=3D0xffffff0001948d80) at = ../../../kern/subr_taskqueue.c:255 #12 0xffffffff8027cd64 in taskqueue_thread_loop (arg=3DVariable "arg" is = not available. ) at ../../../kern/subr_taskqueue.c:374 #13 0xffffffff8022dd73 in fork_exit (callout=3D0xffffffff8027cd00 = , arg=3D0xffffffff805d7598, = frame=3D0xffffffffac0d6c80) at ../../../kern/kern_fork.c:781 #14 0xffffffff803d16be in fork_trampoline () at = ../../../amd64/amd64/exception.S:415 #15 0x0000000000000000 in ?? () #16 0x0000000000000000 in ?? () #17 0x0000000000000001 in ?? () #18 0x0000000000000000 in ?? () #19 0x0000000000000000 in ?? () #20 0x0000000000000000 in ?? () #21 0x0000000000000000 in ?? () #22 0x0000000000000000 in ?? () #23 0x0000000000000000 in ?? () #24 0x0000000000000000 in ?? () #25 0x0000000000000000 in ?? () #26 0x0000000000000000 in ?? () #27 0x0000000000000000 in ?? () #28 0x0000000000000000 in ?? () #29 0x0000000000000000 in ?? () #30 0x0000000000000000 in ?? () #31 0x0000000000000000 in ?? () #32 0x0000000000000000 in ?? () #33 0x0000000000000000 in ?? () #34 0x0000000000000000 in ?? () #35 0x0000000000000000 in ?? () #36 0x0000000000000000 in ?? () #37 0x0000000000000000 in ?? () #38 0x0000000000000000 in ?? () #39 0x00000000007a5000 in ?? () #40 0x0000000000000002 in ?? () #41 0x0000000000000000 in ?? () #42 0xffffff00011738d0 in ?? () #43 0xffffff00010c9000 in ?? () #44 0xffffff0001925000 in ?? () #45 0xffffffffac0d66e8 in ?? () #46 0xffffff0001925000 in ?? () #47 0xffffffff8026a319 in sched_switch (td=3D0xffffffff805d7598, = newtd=3D0xffffffff8027cd00, flags=3D0) at ../../../kern/sched_4bsd.c:905 #48 0x0000000000000000 in ?? () #49 0x0000000000000000 in ?? () #50 0x0000000000000000 in ?? () #51 0x0000000000000000 in ?? () #52 0x0000000000000000 in ?? () #53 0x0000000000000000 in ?? () #54 0x0000000000000000 in ?? () #55 0x0000000000000000 in ?? () #56 0x0000000000000000 in ?? () #57 0x0000000000000000 in ?? () #58 0x0000000000000000 in ?? () #59 0x0000000000000000 in ?? () #60 0x0000000000000000 in ?? () #61 0x0000000000000000 in ?? () #62 0x0000000000000000 in ?? () #63 0x0000000000000000 in ?? () #64 0x0000000000000000 in ?? () #65 0x0000000000000000 in ?? () #66 0x0000000000000000 in ?? () #67 0x0000000000000000 in ?? () #68 0x0000000000000000 in ?? () #69 0x0000000000000000 in ?? () #70 0x0000000000000000 in ?? () #71 0x0000000000000000 in ?? () #72 0x0000000000000000 in ?? () #73 0x0000000000000000 in ?? () #74 0x0000000000000000 in ?? () #75 0x0000000000000000 in ?? () #76 0x0000000000000000 in ?? () #77 0x0000000000000000 in ?? () #78 0x0000000000000000 in ?? () #79 0x0000000000000000 in ?? () #80 0x0000000000000000 in ?? () #81 0x0000000000000000 in ?? () #82 0x0000000000000000 in ?? () #83 0x0000000000000000 in ?? () #84 0x0000000000000000 in ?? () #85 0x0000000000000000 in ?? () #86 0x0000000000000000 in ?? () #87 0x0000000000000000 in ?? () #88 0x0000000000000000 in ?? () #89 0x0000000000000000 in ?? () #90 0x0000000000000000 in ?? () #91 0x0000000000000000 in ?? () #92 0x0000000000000000 in ?? () #93 0x0000000000000000 in ?? () #94 0x0000000000000000 in ?? () #95 0x0000000000000000 in ?? () #96 0x0000000000000000 in ?? () #97 0x0000000000000000 in ?? () #98 0x0000000000000000 in ?? () #99 0x0000000000000000 in ?? () #100 0x0000000000000000 in ?? () #101 0x0000000000000000 in ?? () #102 0x0000000000000000 in ?? () #103 0x0000000000000000 in ?? () #104 0x0000000000000000 in ?? () #105 0x0000000000000000 in ?? () #106 0x0000000000000000 in ?? () #107 0x0000000000000000 in ?? () #108 0x0000000000000000 in ?? () #109 0x0000000000000000 in ?? () #110 0x0000000000000000 in ?? () #111 0x0000000000000000 in ?? () #112 0x0000000000000000 in ?? () #113 0x0000000000000000 in ?? () #114 0x0000000000000000 in ?? () #115 0x0000000000000000 in ?? () #116 0x0000000000000000 in ?? () #117 0x0000000000000000 in ?? () #118 0x0000000000000000 in ?? () #119 0x0000000000000000 in ?? () Cannot access memory at address 0xffffffffac0d7000 (kgdb) bt full #0 doadump () at pcpu.h:194 No locals. #1 0xffffff0001925000 in ?? () No symbol table info available. #2 0xffffffff8024c659 in boot (howto=3D260) at = ../../../kern/kern_shutdown.c:409 _ep =3D (struct eventhandler_entry *) 0xffffff0001925000 _el =3D Variable "_el" is not available. (kgdb) ------=_NextPart_000_00BC_01C885D1.BFA54E80 Content-Type: application/octet-stream; name="ip_dummynet.c" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="ip_dummynet.c" /*-=0A= * Copyright (c) 1998-2002 Luigi Rizzo, Universita` di Pisa=0A= * Portions Copyright (c) 2000 Akamba Corp.=0A= * All rights reserved=0A= *=0A= * Redistribution and use in source and binary forms, with or without=0A= * modification, are permitted provided that the following conditions=0A= * are met:=0A= * 1. Redistributions of source code must retain the above copyright=0A= * notice, this list of conditions and the following disclaimer.=0A= * 2. Redistributions in binary form must reproduce the above copyright=0A= * notice, this list of conditions and the following disclaimer in the=0A= * documentation and/or other materials provided with the = distribution.=0A= *=0A= * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND=0A= * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE=0A= * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR = PURPOSE=0A= * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE = LIABLE=0A= * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR = CONSEQUENTIAL=0A= * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE = GOODS=0A= * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)=0A= * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, = STRICT=0A= * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY = WAY=0A= * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF=0A= * SUCH DAMAGE.=0A= */=0A= =0A= #include =0A= __FBSDID("$FreeBSD: src/sys/netinet/ip_dummynet.c,v 1.110 2007/10/07 = 20:44:22 silby Exp $");=0A= =0A= #define DUMMYNET_DEBUG=0A= =0A= #include "opt_inet6.h"=0A= =0A= /*=0A= * This module implements IP dummynet, a bandwidth limiter/delay emulator=0A= * used in conjunction with the ipfw package.=0A= * Description of the data structures used is in ip_dummynet.h=0A= * Here you mainly find the following blocks of code:=0A= * + variable declarations;=0A= * + heap management functions;=0A= * + scheduler and dummynet functions;=0A= * + configuration and initialization.=0A= *=0A= * NOTA BENE: critical sections are protected by the "dummynet lock".=0A= *=0A= * Most important Changes:=0A= *=0A= * 011004: KLDable=0A= * 010124: Fixed WF2Q behaviour=0A= * 010122: Fixed spl protection.=0A= * 000601: WF2Q support=0A= * 000106: large rewrite, use heaps to handle very many pipes.=0A= * 980513: initial release=0A= *=0A= * include files marked with XXX are probably not needed=0A= */=0A= =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= #include =0A= =0A= #include /* for struct arpcom */=0A= =0A= #include /* for ip6_input, ip6_output prototypes */=0A= #include =0A= =0A= /*=0A= * We keep a private variable for the simulation time, but we could=0A= * probably use an existing one ("softticks" in sys/kern/kern_timeout.c)=0A= */=0A= static dn_key curr_time =3D 0 ; /* current simulation time */=0A= =0A= static int dn_hash_size =3D 64 ; /* default hash size */=0A= =0A= /* statistics on number of queue searches and search steps */=0A= static long searches, search_steps ;=0A= static int pipe_expire =3D 1 ; /* expire queue if empty */=0A= static int dn_max_ratio =3D 16 ; /* max queues/buckets ratio */=0A= =0A= static int red_lookup_depth =3D 256; /* RED - default lookup table depth = */=0A= static int red_avg_pkt_size =3D 512; /* RED - default medium packet = size */=0A= static int red_max_pkt_size =3D 1500; /* RED - default max packet = size */=0A= =0A= static struct timeval prev_t, t;=0A= static long tick_last; /* Last tick duration (usec). */=0A= static long tick_delta; /* Last vs standard tick diff (usec). */=0A= static long tick_delta_sum; /* Accumulated tick difference (usec).*/=0A= static long tick_adjustment; /* Tick adjustments done. */=0A= static long tick_lost; /* Lost(coalesced) ticks number. */=0A= /* Adjusted vs non-adjusted curr_time difference (ticks). */=0A= static long tick_diff;=0A= =0A= /*=0A= * Three heaps contain queues and pipes that the scheduler handles:=0A= *=0A= * ready_heap contains all dn_flow_queue related to fixed-rate pipes.=0A= *=0A= * wfq_ready_heap contains the pipes associated with WF2Q flows=0A= *=0A= * extract_heap contains pipes associated with delay lines.=0A= *=0A= */=0A= =0A= MALLOC_DEFINE(M_DUMMYNET, "dummynet", "dummynet heap");=0A= =0A= static struct dn_heap ready_heap, extract_heap, wfq_ready_heap ;=0A= =0A= static int heap_init(struct dn_heap *h, int size);=0A= static int heap_insert (struct dn_heap *h, dn_key key1, void *p);=0A= static void heap_extract(struct dn_heap *h, void *obj);=0A= static void transmit_event(struct dn_pipe *pipe, struct mbuf **head,=0A= struct mbuf **tail);=0A= static void ready_event(struct dn_flow_queue *q, struct mbuf **head,=0A= struct mbuf **tail);=0A= static void ready_event_wfq(struct dn_pipe *p, struct mbuf **head,=0A= struct mbuf **tail);=0A= =0A= #define HASHSIZE 16=0A= #define HASH(num) ((((num) >> 8) ^ ((num) >> 4) ^ (num)) & 0x0f)=0A= static struct dn_pipe_head pipehash[HASHSIZE]; /* all pipes */=0A= static struct dn_flow_set_head flowsethash[HASHSIZE]; /* all flowsets */=0A= =0A= static struct callout dn_timeout;=0A= =0A= extern void (*bridge_dn_p)(struct mbuf *, struct ifnet *);=0A= =0A= #ifdef SYSCTL_NODE=0A= SYSCTL_NODE(_net_inet_ip, OID_AUTO, dummynet, CTLFLAG_RW, 0, "Dummynet");=0A= SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, hash_size,=0A= CTLFLAG_RW, &dn_hash_size, 0, "Default hash table size");=0A= SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, curr_time,=0A= CTLFLAG_RD, &curr_time, 0, "Current tick");=0A= SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, ready_heap,=0A= CTLFLAG_RD, &ready_heap.size, 0, "Size of ready heap");=0A= SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, extract_heap,=0A= CTLFLAG_RD, &extract_heap.size, 0, "Size of extract heap");=0A= SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, searches,=0A= CTLFLAG_RD, &searches, 0, "Number of queue searches");=0A= SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, search_steps,=0A= CTLFLAG_RD, &search_steps, 0, "Number of queue search steps");=0A= SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, expire,=0A= CTLFLAG_RW, &pipe_expire, 0, "Expire queue if empty");=0A= SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, max_chain_len,=0A= CTLFLAG_RW, &dn_max_ratio, 0,=0A= "Max ratio between dynamic queues and buckets");=0A= SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, red_lookup_depth,=0A= CTLFLAG_RD, &red_lookup_depth, 0, "Depth of RED lookup table");=0A= SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, red_avg_pkt_size,=0A= CTLFLAG_RD, &red_avg_pkt_size, 0, "RED Medium packet size");=0A= SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, red_max_pkt_size,=0A= CTLFLAG_RD, &red_max_pkt_size, 0, "RED Max packet size");=0A= SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, tick_delta,=0A= CTLFLAG_RD, &tick_delta, 0, "Last vs standard tick difference = (usec).");=0A= SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, tick_delta_sum,=0A= CTLFLAG_RD, &tick_delta_sum, 0, "Accumulated tick difference = (usec).");=0A= SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, tick_adjustment,=0A= CTLFLAG_RD, &tick_adjustment, 0, "Tick adjustments done.");=0A= SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, tick_diff,=0A= CTLFLAG_RD, &tick_diff, 0,=0A= "Adjusted vs non-adjusted curr_time difference (ticks).");=0A= SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, tick_lost,=0A= CTLFLAG_RD, &tick_lost, 0,=0A= "Number of ticks coalesced by dummynet taskqueue.");=0A= #endif=0A= =0A= #ifdef DUMMYNET_DEBUG=0A= int dummynet_debug =3D 0;=0A= #ifdef SYSCTL_NODE=0A= SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, debug, CTLFLAG_RW, = &dummynet_debug,=0A= 0, "control debugging printfs");=0A= #endif=0A= #define DPRINTF(X) if (dummynet_debug) printf X=0A= #else=0A= #define DPRINTF(X)=0A= #endif=0A= =0A= static struct task dn_task;=0A= static struct taskqueue *dn_tq =3D NULL;=0A= static void dummynet_task(void *, int);=0A= =0A= static struct mtx dummynet_mtx;=0A= #define DUMMYNET_LOCK_INIT() \=0A= mtx_init(&dummynet_mtx, "dummynet", NULL, MTX_DEF)=0A= #define DUMMYNET_LOCK_DESTROY() mtx_destroy(&dummynet_mtx)=0A= #define DUMMYNET_LOCK() mtx_lock(&dummynet_mtx)=0A= #define DUMMYNET_UNLOCK() mtx_unlock(&dummynet_mtx)=0A= #define DUMMYNET_LOCK_ASSERT() mtx_assert(&dummynet_mtx, MA_OWNED)=0A= =0A= static int config_pipe(struct dn_pipe *p);=0A= static int ip_dn_ctl(struct sockopt *sopt);=0A= =0A= static void dummynet(void *);=0A= static void dummynet_flush(void);=0A= static void dummynet_send(struct mbuf *);=0A= void dummynet_drain(void);=0A= static ip_dn_io_t dummynet_io;=0A= static void dn_rule_delete(void *);=0A= =0A= /*=0A= * Heap management functions.=0A= *=0A= * In the heap, first node is element 0. Children of i are 2i+1 and 2i+2.=0A= * Some macros help finding parent/children so we can optimize them.=0A= *=0A= * heap_init() is called to expand the heap when needed.=0A= * Increment size in blocks of 16 entries.=0A= * XXX failure to allocate a new element is a pretty bad failure=0A= * as we basically stall a whole queue forever!!=0A= * Returns 1 on error, 0 on success=0A= */=0A= #define HEAP_FATHER(x) ( ( (x) - 1 ) / 2 )=0A= #define HEAP_LEFT(x) ( 2*(x) + 1 )=0A= #define HEAP_IS_LEFT(x) ( (x) & 1 )=0A= #define HEAP_RIGHT(x) ( 2*(x) + 2 )=0A= #define HEAP_SWAP(a, b, buffer) { buffer =3D a ; a =3D b ; b =3D buffer = ; }=0A= #define HEAP_INCREMENT 15=0A= =0A= static int=0A= heap_init(struct dn_heap *h, int new_size)=0A= {=0A= struct dn_heap_entry *p;=0A= =0A= if (h->size >=3D new_size ) {=0A= printf("dummynet: %s, Bogus call, have %d want %d\n", __func__,=0A= h->size, new_size);=0A= return 0 ;=0A= }=0A= new_size =3D (new_size + HEAP_INCREMENT ) & ~HEAP_INCREMENT ;=0A= p =3D malloc(new_size * sizeof(*p), M_DUMMYNET, M_NOWAIT);=0A= if (p =3D=3D NULL) {=0A= printf("dummynet: %s, resize %d failed\n", __func__, new_size );=0A= return 1 ; /* error */=0A= }=0A= if (h->size > 0) {=0A= bcopy(h->p, p, h->size * sizeof(*p) );=0A= free(h->p, M_DUMMYNET);=0A= }=0A= h->p =3D p ;=0A= h->size =3D new_size ;=0A= return 0 ;=0A= }=0A= =0A= /*=0A= * Insert element in heap. Normally, p !=3D NULL, we insert p in=0A= * a new position and bubble up. If p =3D=3D NULL, then the element is=0A= * already in place, and key is the position where to start the=0A= * bubble-up.=0A= * Returns 1 on failure (cannot allocate new heap entry)=0A= *=0A= * If offset > 0 the position (index, int) of the element in the heap is=0A= * also stored in the element itself at the given offset in bytes.=0A= */=0A= #define SET_OFFSET(heap, node) \=0A= if (heap->offset > 0) \=0A= *((int *)((char *)(heap->p[node].object) + heap->offset)) =3D node ;=0A= /*=0A= * RESET_OFFSET is used for sanity checks. It sets offset to an invalid = value.=0A= */=0A= #define RESET_OFFSET(heap, node) \=0A= if (heap->offset > 0) \=0A= *((int *)((char *)(heap->p[node].object) + heap->offset)) =3D -1 ;=0A= static int=0A= heap_insert(struct dn_heap *h, dn_key key1, void *p)=0A= {=0A= int son =3D h->elements ;=0A= =0A= if (p =3D=3D NULL) /* data already there, set starting point */=0A= son =3D key1 ;=0A= else { /* insert new element at the end, possibly resize */=0A= son =3D h->elements ;=0A= if (son =3D=3D h->size) /* need resize... */=0A= if (heap_init(h, h->elements+1) )=0A= return 1 ; /* failure... */=0A= h->p[son].object =3D p ;=0A= h->p[son].key =3D key1 ;=0A= h->elements++ ;=0A= }=0A= while (son > 0) { /* bubble up */=0A= int father =3D HEAP_FATHER(son) ;=0A= struct dn_heap_entry tmp ;=0A= =0A= if (DN_KEY_LT( h->p[father].key, h->p[son].key ) )=0A= break ; /* found right position */=0A= /* son smaller than father, swap and repeat */=0A= HEAP_SWAP(h->p[son], h->p[father], tmp) ;=0A= SET_OFFSET(h, son);=0A= son =3D father ;=0A= }=0A= SET_OFFSET(h, son);=0A= return 0 ;=0A= }=0A= =0A= /*=0A= * remove top element from heap, or obj if obj !=3D NULL=0A= */=0A= static void=0A= heap_extract(struct dn_heap *h, void *obj)=0A= {=0A= int child, father, max =3D h->elements - 1 ;=0A= =0A= if (max < 0) {=0A= printf("dummynet: warning, extract from empty heap 0x%p\n", h);=0A= return ;=0A= }=0A= father =3D 0 ; /* default: move up smallest child */=0A= if (obj !=3D NULL) { /* extract specific element, index is at offset = */=0A= if (h->offset <=3D 0)=0A= panic("dummynet: heap_extract from middle not supported on this = heap!!!\n");=0A= father =3D *((int *)((char *)obj + h->offset)) ;=0A= if (father < 0 || father >=3D h->elements) {=0A= printf("dummynet: heap_extract, father %d out of bound 0..%d\n",=0A= father, h->elements);=0A= panic("dummynet: heap_extract");=0A= }=0A= }=0A= RESET_OFFSET(h, father);=0A= child =3D HEAP_LEFT(father) ; /* left child */=0A= while (child <=3D max) { /* valid entry */=0A= if (child !=3D max && DN_KEY_LT(h->p[child+1].key, h->p[child].key) )=0A= child =3D child+1 ; /* take right child, otherwise left */=0A= h->p[father] =3D h->p[child] ;=0A= SET_OFFSET(h, father);=0A= father =3D child ;=0A= child =3D HEAP_LEFT(child) ; /* left child for next loop */=0A= }=0A= h->elements-- ;=0A= if (father !=3D max) {=0A= /*=0A= * Fill hole with last entry and bubble up, reusing the insert code=0A= */=0A= h->p[father] =3D h->p[max] ;=0A= heap_insert(h, father, NULL); /* this one cannot fail */=0A= }=0A= }=0A= =0A= #if 0=0A= /*=0A= * change object position and update references=0A= * XXX this one is never used!=0A= */=0A= static void=0A= heap_move(struct dn_heap *h, dn_key new_key, void *object)=0A= {=0A= int temp;=0A= int i ;=0A= int max =3D h->elements-1 ;=0A= struct dn_heap_entry buf ;=0A= =0A= if (h->offset <=3D 0)=0A= panic("cannot move items on this heap");=0A= =0A= i =3D *((int *)((char *)object + h->offset));=0A= if (DN_KEY_LT(new_key, h->p[i].key) ) { /* must move up */=0A= h->p[i].key =3D new_key ;=0A= for (; i>0 && DN_KEY_LT(new_key, h->p[(temp =3D HEAP_FATHER(i))].key) ;=0A= i =3D temp ) { /* bubble up */=0A= HEAP_SWAP(h->p[i], h->p[temp], buf) ;=0A= SET_OFFSET(h, i);=0A= }=0A= } else { /* must move down */=0A= h->p[i].key =3D new_key ;=0A= while ( (temp =3D HEAP_LEFT(i)) <=3D max ) { /* found left child */=0A= if ((temp !=3D max) && DN_KEY_GT(h->p[temp].key, h->p[temp+1].key))=0A= temp++ ; /* select child with min key */=0A= if (DN_KEY_GT(new_key, h->p[temp].key)) { /* go down */=0A= HEAP_SWAP(h->p[i], h->p[temp], buf) ;=0A= SET_OFFSET(h, i);=0A= } else=0A= break ;=0A= i =3D temp ;=0A= }=0A= }=0A= SET_OFFSET(h, i);=0A= }=0A= #endif /* heap_move, unused */=0A= =0A= /*=0A= * heapify() will reorganize data inside an array to maintain the=0A= * heap property. It is needed when we delete a bunch of entries.=0A= */=0A= static void=0A= heapify(struct dn_heap *h)=0A= {=0A= int i ;=0A= =0A= for (i =3D 0 ; i < h->elements ; i++ )=0A= heap_insert(h, i , NULL) ;=0A= }=0A= =0A= /*=0A= * cleanup the heap and free data structure=0A= */=0A= static void=0A= heap_free(struct dn_heap *h)=0A= {=0A= if (h->size >0 )=0A= free(h->p, M_DUMMYNET);=0A= bzero(h, sizeof(*h) );=0A= }=0A= =0A= /*=0A= * --- end of heap management functions ---=0A= */=0A= =0A= /*=0A= * Return the mbuf tag holding the dummynet state. As an optimization=0A= * this is assumed to be the first tag on the list. If this turns out=0A= * wrong we'll need to search the list.=0A= */=0A= static struct dn_pkt_tag *=0A= dn_tag_get(struct mbuf *m)=0A= {=0A= struct m_tag *mtag =3D m_tag_first(m);=0A= KASSERT(mtag !=3D NULL &&=0A= mtag->m_tag_cookie =3D=3D MTAG_ABI_COMPAT &&=0A= mtag->m_tag_id =3D=3D PACKET_TAG_DUMMYNET,=0A= ("packet on dummynet queue w/o dummynet tag!"));=0A= return (struct dn_pkt_tag *)(mtag+1);=0A= }=0A= =0A= /*=0A= * Scheduler functions:=0A= *=0A= * transmit_event() is called when the delay-line needs to enter=0A= * the scheduler, either because of existing pkts getting ready,=0A= * or new packets entering the queue. The event handled is the delivery=0A= * time of the packet.=0A= *=0A= * ready_event() does something similar with fixed-rate queues, and the=0A= * event handled is the finish time of the head pkt.=0A= *=0A= * wfq_ready_event() does something similar with WF2Q queues, and the=0A= * event handled is the start time of the head pkt.=0A= *=0A= * In all cases, we make sure that the data structures are consistent=0A= * before passing pkts out, because this might trigger recursive=0A= * invocations of the procedures.=0A= */=0A= static void=0A= transmit_event(struct dn_pipe *pipe, struct mbuf **head, struct mbuf = **tail)=0A= {=0A= struct mbuf *m;=0A= struct dn_pkt_tag *pkt;=0A= =0A= DUMMYNET_LOCK_ASSERT();=0A= =0A= while ((m =3D pipe->head) !=3D NULL) {=0A= pkt =3D dn_tag_get(m);=0A= if (!DN_KEY_LEQ(pkt->output_time, curr_time))=0A= break;=0A= =0A= pipe->head =3D m->m_nextpkt;=0A= if (*tail !=3D NULL)=0A= (*tail)->m_nextpkt =3D m;=0A= else=0A= *head =3D m;=0A= *tail =3D m;=0A= }=0A= if (*tail !=3D NULL)=0A= (*tail)->m_nextpkt =3D NULL;=0A= =0A= /* If there are leftover packets, put into the heap for next event. */=0A= if ((m =3D pipe->head) !=3D NULL) {=0A= pkt =3D dn_tag_get(m);=0A= /*=0A= * XXX: Should check errors on heap_insert, by draining the=0A= * whole pipe p and hoping in the future we are more successful.=0A= */=0A= heap_insert(&extract_heap, pkt->output_time, pipe);=0A= }=0A= }=0A= =0A= /*=0A= * the following macro computes how many ticks we have to wait=0A= * before being able to transmit a packet. The credit is taken from=0A= * either a pipe (WF2Q) or a flow_queue (per-flow queueing)=0A= */=0A= #define SET_TICKS(_m, q, p) \=0A= ((_m)->m_pkthdr.len*8*hz - (q)->numbytes + p->bandwidth - 1 ) / \=0A= p->bandwidth ;=0A= =0A= /*=0A= * extract pkt from queue, compute output time (could be now)=0A= * and put into delay line (p_queue)=0A= */=0A= static void=0A= move_pkt(struct mbuf *pkt, struct dn_flow_queue *q, struct dn_pipe *p,=0A= int len)=0A= {=0A= struct dn_pkt_tag *dt =3D dn_tag_get(pkt);=0A= =0A= q->head =3D pkt->m_nextpkt ;=0A= q->len-- ;=0A= q->len_bytes -=3D len ;=0A= =0A= dt->output_time =3D curr_time + p->delay ;=0A= =0A= if (p->head =3D=3D NULL)=0A= p->head =3D pkt;=0A= else=0A= p->tail->m_nextpkt =3D pkt;=0A= p->tail =3D pkt;=0A= p->tail->m_nextpkt =3D NULL;=0A= }=0A= =0A= /*=0A= * ready_event() is invoked every time the queue must enter the=0A= * scheduler, either because the first packet arrives, or because=0A= * a previously scheduled event fired.=0A= * On invokation, drain as many pkts as possible (could be 0) and then=0A= * if there are leftover packets reinsert the pkt in the scheduler.=0A= */=0A= static void=0A= ready_event(struct dn_flow_queue *q, struct mbuf **head, struct mbuf = **tail)=0A= {=0A= struct mbuf *pkt;=0A= struct dn_pipe *p =3D q->fs->pipe ;=0A= int p_was_empty ;=0A= =0A= DUMMYNET_LOCK_ASSERT();=0A= =0A= if (p =3D=3D NULL) {=0A= printf("dummynet: ready_event- pipe is gone\n");=0A= return ;=0A= }=0A= p_was_empty =3D (p->head =3D=3D NULL) ;=0A= =0A= /*=0A= * schedule fixed-rate queues linked to this pipe:=0A= * Account for the bw accumulated since last scheduling, then=0A= * drain as many pkts as allowed by q->numbytes and move to=0A= * the delay line (in p) computing output time.=0A= * bandwidth=3D=3D0 (no limit) means we can drain the whole queue,=0A= * setting len_scaled =3D 0 does the job.=0A= */=0A= q->numbytes +=3D ( curr_time - q->sched_time ) * p->bandwidth;=0A= while ( (pkt =3D q->head) !=3D NULL ) {=0A= int len =3D pkt->m_pkthdr.len;=0A= int len_scaled =3D p->bandwidth ? len*8*hz : 0 ;=0A= if (len_scaled > q->numbytes )=0A= break ;=0A= q->numbytes -=3D len_scaled ;=0A= move_pkt(pkt, q, p, len);=0A= }=0A= /*=0A= * If we have more packets queued, schedule next ready event=0A= * (can only occur when bandwidth !=3D 0, otherwise we would have=0A= * flushed the whole queue in the previous loop).=0A= * To this purpose we record the current time and compute how many=0A= * ticks to go for the finish time of the packet.=0A= */=0A= if ( (pkt =3D q->head) !=3D NULL ) { /* this implies bandwidth !=3D = 0 */=0A= dn_key t =3D SET_TICKS(pkt, q, p); /* ticks i have to wait */=0A= q->sched_time =3D curr_time ;=0A= heap_insert(&ready_heap, curr_time + t, (void *)q );=0A= /* XXX should check errors on heap_insert, and drain the whole=0A= * queue on error hoping next time we are luckier.=0A= */=0A= } else { /* RED needs to know when the queue becomes empty */=0A= q->q_time =3D curr_time;=0A= q->numbytes =3D 0;=0A= }=0A= /*=0A= * If the delay line was empty call transmit_event() now.=0A= * Otherwise, the scheduler will take care of it.=0A= */=0A= if (p_was_empty)=0A= transmit_event(p, head, tail);=0A= }=0A= =0A= /*=0A= * Called when we can transmit packets on WF2Q queues. Take pkts out of=0A= * the queues at their start time, and enqueue into the delay line.=0A= * Packets are drained until p->numbytes < 0. As long as=0A= * len_scaled >=3D p->numbytes, the packet goes into the delay line=0A= * with a deadline p->delay. For the last packet, if p->numbytes<0,=0A= * there is an additional delay.=0A= */=0A= static void=0A= ready_event_wfq(struct dn_pipe *p, struct mbuf **head, struct mbuf = **tail)=0A= {=0A= int p_was_empty =3D (p->head =3D=3D NULL) ;=0A= struct dn_heap *sch =3D &(p->scheduler_heap);=0A= struct dn_heap *neh =3D &(p->not_eligible_heap) ;=0A= int64_t p_numbytes =3D p->numbytes;=0A= =0A= DUMMYNET_LOCK_ASSERT();=0A= =0A= if (p->if_name[0] =3D=3D 0) /* tx clock is simulated */=0A= p_numbytes +=3D (curr_time - p->sched_time) * p->bandwidth;=0A= else { /* tx clock is for real, the ifq must be empty or this is a = NOP */=0A= if (p->ifp && p->ifp->if_snd.ifq_head !=3D NULL)=0A= return ;=0A= else {=0A= DPRINTF(("dummynet: pipe %d ready from %s --\n",=0A= p->pipe_nr, p->if_name));=0A= }=0A= }=0A= =0A= /*=0A= * While we have backlogged traffic AND credit, we need to do=0A= * something on the queue.=0A= */=0A= while ( p_numbytes >=3D0 && (sch->elements>0 || neh->elements >0) ) {=0A= if (sch->elements > 0) { /* have some eligible pkts to send out */=0A= struct dn_flow_queue *q =3D sch->p[0].object ;=0A= struct mbuf *pkt =3D q->head;=0A= struct dn_flow_set *fs =3D q->fs;=0A= u_int64_t len =3D pkt->m_pkthdr.len;=0A= int len_scaled =3D p->bandwidth ? len*8*hz : 0 ;=0A= =0A= heap_extract(sch, NULL); /* remove queue from heap */=0A= p_numbytes -=3D len_scaled ;=0A= move_pkt(pkt, q, p, len);=0A= =0A= p->V +=3D (len<sum ; /* update V */=0A= q->S =3D q->F ; /* update start time */=0A= if (q->len =3D=3D 0) { /* Flow not backlogged any more */=0A= fs->backlogged-- ;=0A= heap_insert(&(p->idle_heap), q->F, q);=0A= } else { /* still backlogged */=0A= /*=0A= * update F and position in backlogged queue, then=0A= * put flow in not_eligible_heap (we will fix this later).=0A= */=0A= len =3D (q->head)->m_pkthdr.len;=0A= q->F +=3D (len<weight ;=0A= if (DN_KEY_LEQ(q->S, p->V))=0A= heap_insert(neh, q->S, q);=0A= else=0A= heap_insert(sch, q->F, q);=0A= }=0A= }=0A= /*=0A= * now compute V =3D max(V, min(S_i)). Remember that all elements in sch=0A= * have by definition S_i <=3D V so if sch is not empty, V is surely=0A= * the max and we must not update it. Conversely, if sch is empty=0A= * we only need to look at neh.=0A= */=0A= if (sch->elements =3D=3D 0 && neh->elements > 0)=0A= p->V =3D MAX64 ( p->V, neh->p[0].key );=0A= /* move from neh to sch any packets that have become eligible */=0A= while (neh->elements > 0 && DN_KEY_LEQ(neh->p[0].key, p->V) ) {=0A= struct dn_flow_queue *q =3D neh->p[0].object ;=0A= heap_extract(neh, NULL);=0A= heap_insert(sch, q->F, q);=0A= }=0A= =0A= if (p->if_name[0] !=3D '\0') {/* tx clock is from a real thing */=0A= p_numbytes =3D -1 ; /* mark not ready for I/O */=0A= break ;=0A= }=0A= }=0A= if (sch->elements =3D=3D 0 && neh->elements =3D=3D 0 && p_numbytes = >=3D 0=0A= && p->idle_heap.elements > 0) {=0A= /*=0A= * no traffic and no events scheduled. We can get rid of idle-heap.=0A= */=0A= int i ;=0A= =0A= for (i =3D 0 ; i < p->idle_heap.elements ; i++) {=0A= struct dn_flow_queue *q =3D p->idle_heap.p[i].object ;=0A= =0A= q->F =3D 0 ;=0A= q->S =3D q->F + 1 ;=0A= }=0A= p->sum =3D 0 ;=0A= p->V =3D 0 ;=0A= p->idle_heap.elements =3D 0 ;=0A= }=0A= /*=0A= * If we are getting clocks from dummynet (not a real interface) and=0A= * If we are under credit, schedule the next ready event.=0A= * Also fix the delivery time of the last packet.=0A= */=0A= if (p->if_name[0]=3D=3D0 && p_numbytes < 0) { /* this implies = bandwidth >0 */=0A= dn_key t=3D0 ; /* number of ticks i have to wait */=0A= =0A= if (p->bandwidth > 0)=0A= t =3D (p->bandwidth - 1 - p_numbytes) / p->bandwidth;=0A= dn_tag_get(p->tail)->output_time +=3D t ;=0A= p->sched_time =3D curr_time ;=0A= heap_insert(&wfq_ready_heap, curr_time + t, (void *)p);=0A= /* XXX should check errors on heap_insert, and drain the whole=0A= * queue on error hoping next time we are luckier.=0A= */=0A= }=0A= =0A= if (p_numbytes > INT_MAX)=0A= p->numbytes =3D INT_MAX;=0A= else if (p_numbytes < INT_MIN)=0A= p->numbytes =3D INT_MIN;=0A= else=0A= p->numbytes =3D p_numbytes;=0A= =0A= /*=0A= * If the delay line was empty call transmit_event() now.=0A= * Otherwise, the scheduler will take care of it.=0A= */=0A= if (p_was_empty)=0A= transmit_event(p, head, tail);=0A= }=0A= =0A= /*=0A= * This is called one tick, after previous run. It is used to=0A= * schedule next run.=0A= */=0A= static void=0A= dummynet(void * __unused unused)=0A= {=0A= =0A= taskqueue_enqueue(dn_tq, &dn_task);=0A= }=0A= =0A= /*=0A= * The main dummynet processing function.=0A= */=0A= static void=0A= dummynet_task(void *context, int pending)=0A= {=0A= struct mbuf *head =3D NULL, *tail =3D NULL;=0A= struct dn_pipe *pipe;=0A= struct dn_heap *heaps[3];=0A= struct dn_heap *h;=0A= void *p; /* generic parameter to handler */=0A= int i;=0A= =0A= DUMMYNET_LOCK();=0A= =0A= heaps[0] =3D &ready_heap; /* fixed-rate queues */=0A= heaps[1] =3D &wfq_ready_heap; /* wfq queues */=0A= heaps[2] =3D &extract_heap; /* delay line */=0A= =0A= /* Update number of lost(coalesced) ticks. */=0A= tick_lost +=3D pending - 1;=0A= =0A= getmicrouptime(&t);=0A= /* Last tick duration (usec). */=0A= tick_last =3D (t.tv_sec - prev_t.tv_sec) * 1000000 +=0A= (t.tv_usec - prev_t.tv_usec);=0A= /* Last tick vs standard tick difference (usec). */=0A= tick_delta =3D (tick_last * hz - 1000000) / hz;=0A= /* Accumulated tick difference (usec). */=0A= tick_delta_sum +=3D tick_delta;=0A= =0A= prev_t =3D t;=0A= =0A= /*=0A= * Adjust curr_time if accumulated tick difference greater than=0A= * 'standard' tick. Since curr_time should be monotonically increasing,=0A= * we do positive adjustment as required and throttle curr_time in=0A= * case of negative adjustment.=0A= */=0A= curr_time++;=0A= if (tick_delta_sum - tick >=3D 0) {=0A= int diff =3D tick_delta_sum / tick;=0A= =0A= curr_time +=3D diff;=0A= tick_diff +=3D diff;=0A= tick_delta_sum %=3D tick;=0A= tick_adjustment++;=0A= } else if (tick_delta_sum + tick <=3D 0) {=0A= curr_time--;=0A= tick_diff--;=0A= tick_delta_sum +=3D tick;=0A= tick_adjustment++;=0A= }=0A= =0A= for (i =3D 0; i < 3; i++) {=0A= h =3D heaps[i];=0A= while (h->elements > 0 && DN_KEY_LEQ(h->p[0].key, curr_time)) {=0A= if (h->p[0].key > curr_time)=0A= printf("dummynet: warning, "=0A= "heap %d is %d ticks late\n",=0A= i, (int)(curr_time - h->p[0].key));=0A= /* store a copy before heap_extract */=0A= p =3D h->p[0].object;=0A= /* need to extract before processing */=0A= heap_extract(h, NULL);=0A= if (i =3D=3D 0)=0A= ready_event(p, &head, &tail);=0A= else if (i =3D=3D 1) {=0A= struct dn_pipe *pipe =3D p;=0A= if (pipe->if_name[0] !=3D '\0')=0A= printf("dummynet: bad ready_event_wfq "=0A= "for pipe %s\n", pipe->if_name);=0A= else=0A= ready_event_wfq(p, &head, &tail);=0A= } else=0A= transmit_event(p, &head, &tail);=0A= }=0A= }=0A= =0A= /* Sweep pipes trying to expire idle flow_queues. */=0A= for (i =3D 0; i < HASHSIZE; i++)=0A= SLIST_FOREACH(pipe, &pipehash[i], next)=0A= if (pipe->idle_heap.elements > 0 &&=0A= DN_KEY_LT(pipe->idle_heap.p[0].key, pipe->V)) {=0A= struct dn_flow_queue *q =3D=0A= pipe->idle_heap.p[0].object;=0A= =0A= heap_extract(&(pipe->idle_heap), NULL);=0A= /* Mark timestamp as invalid. */=0A= q->S =3D q->F + 1;=0A= pipe->sum -=3D q->fs->weight;=0A= }=0A= =0A= DUMMYNET_UNLOCK();=0A= =0A= if (head !=3D NULL)=0A= dummynet_send(head);=0A= =0A= callout_reset(&dn_timeout, 1, dummynet, NULL);=0A= }=0A= =0A= static void=0A= dummynet_send(struct mbuf *m)=0A= {=0A= struct dn_pkt_tag *pkt;=0A= struct mbuf *n;=0A= struct ip *ip;=0A= =0A= for (; m !=3D NULL; m =3D n) {=0A= n =3D m->m_nextpkt;=0A= m->m_nextpkt =3D NULL;=0A= pkt =3D dn_tag_get(m);=0A= switch (pkt->dn_dir) {=0A= case DN_TO_IP_OUT:=0A= ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);=0A= break ;=0A= case DN_TO_IP_IN :=0A= ip =3D mtod(m, struct ip *);=0A= ip->ip_len =3D htons(ip->ip_len);=0A= ip->ip_off =3D htons(ip->ip_off);=0A= netisr_dispatch(NETISR_IP, m);=0A= break;=0A= #ifdef INET6=0A= case DN_TO_IP6_IN:=0A= netisr_dispatch(NETISR_IPV6, m);=0A= break;=0A= =0A= case DN_TO_IP6_OUT:=0A= ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL);=0A= break;=0A= #endif=0A= case DN_TO_IFB_FWD:=0A= if (bridge_dn_p !=3D NULL)=0A= ((*bridge_dn_p)(m, pkt->ifp));=0A= else=0A= printf("dummynet: if_bridge not loaded\n");=0A= =0A= break;=0A= case DN_TO_ETH_DEMUX:=0A= /*=0A= * The Ethernet code assumes the Ethernet header is=0A= * contiguous in the first mbuf header.=0A= * Insure this is true.=0A= */=0A= if (m->m_len < ETHER_HDR_LEN &&=0A= (m =3D m_pullup(m, ETHER_HDR_LEN)) =3D=3D NULL) {=0A= printf("dummynet/ether: pullup failed, "=0A= "dropping packet\n");=0A= break;=0A= }=0A= ether_demux(m->m_pkthdr.rcvif, m);=0A= break;=0A= case DN_TO_ETH_OUT:=0A= ether_output_frame(pkt->ifp, m);=0A= break;=0A= default:=0A= printf("dummynet: bad switch %d!\n", pkt->dn_dir);=0A= m_freem(m);=0A= break;=0A= }=0A= }=0A= }=0A= =0A= /*=0A= * Unconditionally expire empty queues in case of shortage.=0A= * Returns the number of queues freed.=0A= */=0A= static int=0A= expire_queues(struct dn_flow_set *fs)=0A= {=0A= struct dn_flow_queue *q, *prev ;=0A= int i, initial_elements =3D fs->rq_elements ;=0A= =0A= if (fs->last_expired =3D=3D time_uptime)=0A= return 0 ;=0A= fs->last_expired =3D time_uptime ;=0A= for (i =3D 0 ; i <=3D fs->rq_size ; i++) /* last one is overflow */=0A= for (prev=3DNULL, q =3D fs->rq[i] ; q !=3D NULL ; )=0A= if (q->head !=3D NULL || q->S !=3D q->F+1) {=0A= prev =3D q ;=0A= q =3D q->next ;=0A= } else { /* entry is idle, expire it */=0A= struct dn_flow_queue *old_q =3D q ;=0A= =0A= if (prev !=3D NULL)=0A= prev->next =3D q =3D q->next ;=0A= else=0A= fs->rq[i] =3D q =3D q->next ;=0A= fs->rq_elements-- ;=0A= free(old_q, M_DUMMYNET);=0A= }=0A= return initial_elements - fs->rq_elements ;=0A= }=0A= =0A= /*=0A= * If room, create a new queue and put at head of slot i;=0A= * otherwise, create or use the default queue.=0A= */=0A= static struct dn_flow_queue *=0A= create_queue(struct dn_flow_set *fs, int i)=0A= {=0A= struct dn_flow_queue *q ;=0A= =0A= if (fs->rq_elements > fs->rq_size * dn_max_ratio &&=0A= expire_queues(fs) =3D=3D 0) {=0A= /*=0A= * No way to get room, use or create overflow queue.=0A= */=0A= i =3D fs->rq_size ;=0A= if ( fs->rq[i] !=3D NULL )=0A= return fs->rq[i] ;=0A= }=0A= q =3D malloc(sizeof(*q), M_DUMMYNET, M_NOWAIT | M_ZERO);=0A= if (q =3D=3D NULL) {=0A= printf("dummynet: sorry, cannot allocate queue for new flow\n");=0A= return NULL ;=0A= }=0A= q->fs =3D fs ;=0A= q->hash_slot =3D i ;=0A= q->next =3D fs->rq[i] ;=0A= q->S =3D q->F + 1; /* hack - mark timestamp as invalid */=0A= fs->rq[i] =3D q ;=0A= fs->rq_elements++ ;=0A= return q ;=0A= }=0A= =0A= /*=0A= * Given a flow_set and a pkt in last_pkt, find a matching queue=0A= * after appropriate masking. The queue is moved to front=0A= * so that further searches take less time.=0A= */=0A= static struct dn_flow_queue *=0A= find_queue(struct dn_flow_set *fs, struct ipfw_flow_id *id)=0A= {=0A= int i =3D 0 ; /* we need i and q for new allocations */=0A= struct dn_flow_queue *q, *prev;=0A= int is_v6 =3D IS_IP6_FLOW_ID(id);=0A= =0A= if ( !(fs->flags_fs & DN_HAVE_FLOW_MASK) )=0A= q =3D fs->rq[0] ;=0A= else {=0A= /* first, do the masking, then hash */=0A= id->dst_port &=3D fs->flow_mask.dst_port ;=0A= id->src_port &=3D fs->flow_mask.src_port ;=0A= id->proto &=3D fs->flow_mask.proto ;=0A= id->flags =3D 0 ; /* we don't care about this one */=0A= if (is_v6) {=0A= APPLY_MASK(&id->dst_ip6, &fs->flow_mask.dst_ip6);=0A= APPLY_MASK(&id->src_ip6, &fs->flow_mask.src_ip6);=0A= id->flow_id6 &=3D fs->flow_mask.flow_id6;=0A= =0A= i =3D ((id->dst_ip6.__u6_addr.__u6_addr32[0]) & 0xffff)^=0A= ((id->dst_ip6.__u6_addr.__u6_addr32[1]) & 0xffff)^=0A= ((id->dst_ip6.__u6_addr.__u6_addr32[2]) & 0xffff)^=0A= ((id->dst_ip6.__u6_addr.__u6_addr32[3]) & 0xffff)^=0A= =0A= ((id->dst_ip6.__u6_addr.__u6_addr32[0] >> 15) & 0xffff)^=0A= ((id->dst_ip6.__u6_addr.__u6_addr32[1] >> 15) & 0xffff)^=0A= ((id->dst_ip6.__u6_addr.__u6_addr32[2] >> 15) & 0xffff)^=0A= ((id->dst_ip6.__u6_addr.__u6_addr32[3] >> 15) & 0xffff)^=0A= =0A= ((id->src_ip6.__u6_addr.__u6_addr32[0] << 1) & 0xfffff)^=0A= ((id->src_ip6.__u6_addr.__u6_addr32[1] << 1) & 0xfffff)^=0A= ((id->src_ip6.__u6_addr.__u6_addr32[2] << 1) & 0xfffff)^=0A= ((id->src_ip6.__u6_addr.__u6_addr32[3] << 1) & 0xfffff)^=0A= =0A= ((id->src_ip6.__u6_addr.__u6_addr32[0] << 16) & 0xffff)^=0A= ((id->src_ip6.__u6_addr.__u6_addr32[1] << 16) & 0xffff)^=0A= ((id->src_ip6.__u6_addr.__u6_addr32[2] << 16) & 0xffff)^=0A= ((id->src_ip6.__u6_addr.__u6_addr32[3] << 16) & 0xffff)^=0A= =0A= (id->dst_port << 1) ^ (id->src_port) ^=0A= (id->proto ) ^=0A= (id->flow_id6);=0A= } else {=0A= id->dst_ip &=3D fs->flow_mask.dst_ip ;=0A= id->src_ip &=3D fs->flow_mask.src_ip ;=0A= =0A= i =3D ( (id->dst_ip) & 0xffff ) ^=0A= ( (id->dst_ip >> 15) & 0xffff ) ^=0A= ( (id->src_ip << 1) & 0xffff ) ^=0A= ( (id->src_ip >> 16 ) & 0xffff ) ^=0A= (id->dst_port << 1) ^ (id->src_port) ^=0A= (id->proto );=0A= }=0A= i =3D i % fs->rq_size ;=0A= /* finally, scan the current list for a match */=0A= searches++ ;=0A= for (prev=3DNULL, q =3D fs->rq[i] ; q ; ) {=0A= search_steps++;=0A= if (is_v6 &&=0A= IN6_ARE_ADDR_EQUAL(&id->dst_ip6,&q->id.dst_ip6) && =0A= IN6_ARE_ADDR_EQUAL(&id->src_ip6,&q->id.src_ip6) && =0A= id->dst_port =3D=3D q->id.dst_port &&=0A= id->src_port =3D=3D q->id.src_port &&=0A= id->proto =3D=3D q->id.proto &&=0A= id->flags =3D=3D q->id.flags &&=0A= id->flow_id6 =3D=3D q->id.flow_id6)=0A= break ; /* found */=0A= =0A= if (!is_v6 && id->dst_ip =3D=3D q->id.dst_ip &&=0A= id->src_ip =3D=3D q->id.src_ip &&=0A= id->dst_port =3D=3D q->id.dst_port &&=0A= id->src_port =3D=3D q->id.src_port &&=0A= id->proto =3D=3D q->id.proto &&=0A= id->flags =3D=3D q->id.flags)=0A= break ; /* found */=0A= =0A= /* No match. Check if we can expire the entry */=0A= if (pipe_expire && q->head =3D=3D NULL && q->S =3D=3D q->F+1 ) {=0A= /* entry is idle and not in any heap, expire it */=0A= struct dn_flow_queue *old_q =3D q ;=0A= =0A= if (prev !=3D NULL)=0A= prev->next =3D q =3D q->next ;=0A= else=0A= fs->rq[i] =3D q =3D q->next ;=0A= fs->rq_elements-- ;=0A= free(old_q, M_DUMMYNET);=0A= continue ;=0A= }=0A= prev =3D q ;=0A= q =3D q->next ;=0A= }=0A= if (q && prev !=3D NULL) { /* found and not in front */=0A= prev->next =3D q->next ;=0A= q->next =3D fs->rq[i] ;=0A= fs->rq[i] =3D q ;=0A= }=0A= }=0A= if (q =3D=3D NULL) { /* no match, need to allocate a new entry */=0A= q =3D create_queue(fs, i);=0A= if (q !=3D NULL)=0A= q->id =3D *id ;=0A= }=0A= return q ;=0A= }=0A= =0A= static int=0A= red_drops(struct dn_flow_set *fs, struct dn_flow_queue *q, int len)=0A= {=0A= /*=0A= * RED algorithm=0A= *=0A= * RED calculates the average queue size (avg) using a low-pass filter=0A= * with an exponential weighted (w_q) moving average:=0A= * avg <- (1-w_q) * avg + w_q * q_size=0A= * where q_size is the queue length (measured in bytes or * packets).=0A= *=0A= * If q_size =3D=3D 0, we compute the idle time for the link, and set=0A= * avg =3D (1 - w_q)^(idle/s)=0A= * where s is the time needed for transmitting a medium-sized packet.=0A= *=0A= * Now, if avg < min_th the packet is enqueued.=0A= * If avg > max_th the packet is dropped. Otherwise, the packet is=0A= * dropped with probability P function of avg.=0A= */=0A= =0A= int64_t p_b =3D 0;=0A= =0A= /* Queue in bytes or packets? */=0A= u_int q_size =3D (fs->flags_fs & DN_QSIZE_IS_BYTES) ?=0A= q->len_bytes : q->len;=0A= =0A= DPRINTF(("\ndummynet: %d q: %2u ", (int)curr_time, q_size));=0A= =0A= /* Average queue size estimation. */=0A= if (q_size !=3D 0) {=0A= /* Queue is not empty, avg <- avg + (q_size - avg) * w_q */=0A= int diff =3D SCALE(q_size) - q->avg;=0A= int64_t v =3D SCALE_MUL((int64_t)diff, (int64_t)fs->w_q);=0A= =0A= q->avg +=3D (int)v;=0A= } else {=0A= /*=0A= * Queue is empty, find for how long the queue has been=0A= * empty and use a lookup table for computing=0A= * (1 - * w_q)^(idle_time/s) where s is the time to send a=0A= * (small) packet.=0A= * XXX check wraps...=0A= */=0A= if (q->avg) {=0A= u_int t =3D (curr_time - q->q_time) / fs->lookup_step;=0A= =0A= q->avg =3D (t < fs->lookup_depth) ?=0A= SCALE_MUL(q->avg, fs->w_q_lookup[t]) : 0;=0A= }=0A= }=0A= DPRINTF(("dummynet: avg: %u ", SCALE_VAL(q->avg)));=0A= =0A= /* Should i drop? */=0A= if (q->avg < fs->min_th) {=0A= q->count =3D -1;=0A= return (0); /* accept packet */=0A= }=0A= if (q->avg >=3D fs->max_th) { /* average queue >=3D max threshold */=0A= if (fs->flags_fs & DN_IS_GENTLE_RED) {=0A= /*=0A= * According to Gentle-RED, if avg is greater than=0A= * max_th the packet is dropped with a probability=0A= * p_b =3D c_3 * avg - c_4=0A= * where c_3 =3D (1 - max_p) / max_th=0A= * c_4 =3D 1 - 2 * max_p=0A= */=0A= p_b =3D SCALE_MUL((int64_t)fs->c_3, (int64_t)q->avg) -=0A= fs->c_4;=0A= } else {=0A= q->count =3D -1;=0A= DPRINTF(("dummynet: - drop"));=0A= return (1);=0A= }=0A= } else if (q->avg > fs->min_th) {=0A= /*=0A= * We compute p_b using the linear dropping function=0A= * p_b =3D c_1 * avg - c_2=0A= * where c_1 =3D max_p / (max_th - min_th)=0A= * c_2 =3D max_p * min_th / (max_th - min_th)=0A= */=0A= p_b =3D SCALE_MUL((int64_t)fs->c_1, (int64_t)q->avg) - fs->c_2;=0A= }=0A= =0A= if (fs->flags_fs & DN_QSIZE_IS_BYTES)=0A= p_b =3D (p_b * len) / fs->max_pkt_size;=0A= if (++q->count =3D=3D 0)=0A= q->random =3D random() & 0xffff;=0A= else {=0A= /*=0A= * q->count counts packets arrived since last drop, so a greater=0A= * value of q->count means a greater packet drop probability.=0A= */=0A= if (SCALE_MUL(p_b, SCALE((int64_t)q->count)) > q->random) {=0A= q->count =3D 0;=0A= DPRINTF(("dummynet: - red drop"));=0A= /* After a drop we calculate a new random value. */=0A= q->random =3D random() & 0xffff;=0A= return (1); /* drop */=0A= }=0A= }=0A= /* End of RED algorithm. */=0A= =0A= return (0); /* accept */=0A= }=0A= =0A= static __inline struct dn_flow_set *=0A= locate_flowset(int fs_nr)=0A= {=0A= struct dn_flow_set *fs;=0A= =0A= SLIST_FOREACH(fs, &flowsethash[HASH(fs_nr)], next)=0A= if (fs->fs_nr =3D=3D fs_nr)=0A= return (fs);=0A= =0A= return (NULL);=0A= }=0A= =0A= static __inline struct dn_pipe *=0A= locate_pipe(int pipe_nr)=0A= {=0A= struct dn_pipe *pipe;=0A= =0A= SLIST_FOREACH(pipe, &pipehash[HASH(pipe_nr)], next)=0A= if (pipe->pipe_nr =3D=3D pipe_nr)=0A= return (pipe);=0A= =0A= return (NULL);=0A= }=0A= =0A= /*=0A= * dummynet hook for packets. Below 'pipe' is a pipe or a queue=0A= * depending on whether WF2Q or fixed bw is used.=0A= *=0A= * pipe_nr pipe or queue the packet is destined for.=0A= * dir where shall we send the packet after dummynet.=0A= * m the mbuf with the packet=0A= * ifp the 'ifp' parameter from the caller.=0A= * NULL in ip_input, destination interface in ip_output,=0A= * rule matching rule, in case of multiple passes=0A= *=0A= */=0A= static int=0A= dummynet_io(struct mbuf *m, int dir, struct ip_fw_args *fwa)=0A= {=0A= struct mbuf *head =3D NULL, *tail =3D NULL;=0A= struct dn_pkt_tag *pkt;=0A= struct m_tag *mtag;=0A= struct dn_flow_set *fs =3D NULL;=0A= struct dn_pipe *pipe ;=0A= u_int64_t len =3D m->m_pkthdr.len ;=0A= struct dn_flow_queue *q =3D NULL ;=0A= int is_pipe;=0A= ipfw_insn *cmd =3D ACTION_PTR(fwa->rule);=0A= =0A= KASSERT(m->m_nextpkt =3D=3D NULL,=0A= ("dummynet_io: mbuf queue passed to dummynet"));=0A= =0A= if (cmd->opcode =3D=3D O_LOG)=0A= cmd +=3D F_LEN(cmd);=0A= if (cmd->opcode =3D=3D O_ALTQ)=0A= cmd +=3D F_LEN(cmd);=0A= if (cmd->opcode =3D=3D O_TAG)=0A= cmd +=3D F_LEN(cmd);=0A= is_pipe =3D (cmd->opcode =3D=3D O_PIPE);=0A= =0A= DUMMYNET_LOCK();=0A= /*=0A= * This is a dummynet rule, so we expect an O_PIPE or O_QUEUE rule.=0A= *=0A= * XXXGL: probably the pipe->fs and fs->pipe logic here=0A= * below can be simplified.=0A= */=0A= if (is_pipe) {=0A= pipe =3D locate_pipe(fwa->cookie);=0A= if (pipe !=3D NULL)=0A= fs =3D &(pipe->fs);=0A= } else=0A= fs =3D locate_flowset(fwa->cookie);=0A= =0A= if (fs =3D=3D NULL)=0A= goto dropit; /* This queue/pipe does not exist! */=0A= pipe =3D fs->pipe;=0A= if (pipe =3D=3D NULL) { /* Must be a queue, try find a matching = pipe. */=0A= pipe =3D locate_pipe(fs->parent_nr);=0A= if (pipe !=3D NULL)=0A= fs->pipe =3D pipe;=0A= else {=0A= printf("dummynet: no pipe %d for queue %d, drop pkt\n",=0A= fs->parent_nr, fs->fs_nr);=0A= goto dropit ;=0A= }=0A= }=0A= q =3D find_queue(fs, &(fwa->f_id));=0A= if ( q =3D=3D NULL )=0A= goto dropit ; /* cannot allocate queue */=0A= /*=0A= * update statistics, then check reasons to drop pkt=0A= */=0A= q->tot_bytes +=3D len ;=0A= q->tot_pkts++ ;=0A= if ( fs->plr && random() < fs->plr )=0A= goto dropit ; /* random pkt drop */=0A= if ( fs->flags_fs & DN_QSIZE_IS_BYTES) {=0A= if (q->len_bytes > fs->qsize)=0A= goto dropit ; /* queue size overflow */=0A= } else {=0A= if (q->len >=3D fs->qsize)=0A= goto dropit ; /* queue count overflow */=0A= }=0A= if ( fs->flags_fs & DN_IS_RED && red_drops(fs, q, len) )=0A= goto dropit ;=0A= =0A= /* XXX expensive to zero, see if we can remove it*/=0A= mtag =3D m_tag_get(PACKET_TAG_DUMMYNET,=0A= sizeof(struct dn_pkt_tag), M_NOWAIT|M_ZERO);=0A= if ( mtag =3D=3D NULL )=0A= goto dropit ; /* cannot allocate packet header */=0A= m_tag_prepend(m, mtag); /* attach to mbuf chain */=0A= =0A= pkt =3D (struct dn_pkt_tag *)(mtag+1);=0A= /* ok, i can handle the pkt now... */=0A= /* build and enqueue packet + parameters */=0A= pkt->rule =3D fwa->rule ;=0A= pkt->dn_dir =3D dir ;=0A= =0A= pkt->ifp =3D fwa->oif;=0A= =0A= if (q->head =3D=3D NULL)=0A= q->head =3D m;=0A= else=0A= q->tail->m_nextpkt =3D m;=0A= q->tail =3D m;=0A= q->len++;=0A= q->len_bytes +=3D len ;=0A= =0A= if ( q->head !=3D m ) /* flow was not idle, we are done */=0A= goto done;=0A= /*=0A= * If we reach this point the flow was previously idle, so we need=0A= * to schedule it. This involves different actions for fixed-rate or=0A= * WF2Q queues.=0A= */=0A= if (is_pipe) {=0A= /*=0A= * Fixed-rate queue: just insert into the ready_heap.=0A= */=0A= dn_key t =3D 0 ;=0A= if (pipe->bandwidth)=0A= t =3D SET_TICKS(m, q, pipe);=0A= q->sched_time =3D curr_time ;=0A= if (t =3D=3D 0) /* must process it now */=0A= ready_event(q, &head, &tail);=0A= else=0A= heap_insert(&ready_heap, curr_time + t , q );=0A= } else {=0A= /*=0A= * WF2Q. First, compute start time S: if the flow was idle (S=3DF+1)=0A= * set S to the virtual time V for the controlling pipe, and update=0A= * the sum of weights for the pipe; otherwise, remove flow from=0A= * idle_heap and set S to max(F,V).=0A= * Second, compute finish time F =3D S + len/weight.=0A= * Third, if pipe was idle, update V=3Dmax(S, V).=0A= * Fourth, count one more backlogged flow.=0A= */=0A= if (DN_KEY_GT(q->S, q->F)) { /* means timestamps are invalid */=0A= q->S =3D pipe->V ;=0A= pipe->sum +=3D fs->weight ; /* add weight of new queue */=0A= } else {=0A= heap_extract(&(pipe->idle_heap), q);=0A= q->S =3D MAX64(q->F, pipe->V ) ;=0A= }=0A= q->F =3D q->S + ( len<weight;=0A= =0A= if (pipe->not_eligible_heap.elements =3D=3D 0 &&=0A= pipe->scheduler_heap.elements =3D=3D 0)=0A= pipe->V =3D MAX64 ( q->S, pipe->V );=0A= fs->backlogged++ ;=0A= /*=0A= * Look at eligibility. A flow is not eligibile if S>V (when=0A= * this happens, it means that there is some other flow already=0A= * scheduled for the same pipe, so the scheduler_heap cannot be=0A= * empty). If the flow is not eligible we just store it in the=0A= * not_eligible_heap. Otherwise, we store in the scheduler_heap=0A= * and possibly invoke ready_event_wfq() right now if there is=0A= * leftover credit.=0A= * Note that for all flows in scheduler_heap (SCH), S_i <=3D V,=0A= * and for all flows in not_eligible_heap (NEH), S_i > V .=0A= * So when we need to compute max( V, min(S_i) ) forall i in SCH+NEH,=0A= * we only need to look into NEH.=0A= */=0A= if (DN_KEY_GT(q->S, pipe->V) ) { /* not eligible */=0A= if (pipe->scheduler_heap.elements =3D=3D 0)=0A= printf("dummynet: ++ ouch! not eligible but empty scheduler!\n");=0A= heap_insert(&(pipe->not_eligible_heap), q->S, q);=0A= } else {=0A= heap_insert(&(pipe->scheduler_heap), q->F, q);=0A= if (pipe->numbytes >=3D 0) { /* pipe is idle */=0A= if (pipe->scheduler_heap.elements !=3D 1)=0A= printf("dummynet: OUCH! pipe should have been idle!\n");=0A= DPRINTF(("dummynet: waking up pipe %d at %d\n",=0A= pipe->pipe_nr, (int)(q->F >> MY_M)));=0A= pipe->sched_time =3D curr_time ;=0A= ready_event_wfq(pipe, &head, &tail);=0A= }=0A= }=0A= }=0A= done:=0A= DUMMYNET_UNLOCK();=0A= if (head !=3D NULL)=0A= dummynet_send(head);=0A= return 0;=0A= =0A= dropit:=0A= if (q)=0A= q->drops++ ;=0A= DUMMYNET_UNLOCK();=0A= m_freem(m);=0A= return ( (fs && (fs->flags_fs & DN_NOERROR)) ? 0 : ENOBUFS);=0A= }=0A= =0A= /*=0A= * Below, the rt_unref is only needed when (pkt->dn_dir =3D=3D = DN_TO_IP_OUT)=0A= * Doing this would probably save us the initial bzero of dn_pkt=0A= */=0A= #define DN_FREE_PKT(_m) do { \=0A= m_freem(_m); \=0A= } while (0)=0A= =0A= /*=0A= * Dispose all packets and flow_queues on a flow_set.=0A= * If all=3D1, also remove red lookup table and other storage,=0A= * including the descriptor itself.=0A= * For the one in dn_pipe MUST also cleanup ready_heap...=0A= */=0A= static void=0A= purge_flow_set(struct dn_flow_set *fs, int all)=0A= {=0A= struct dn_flow_queue *q, *qn;=0A= int i;=0A= =0A= DUMMYNET_LOCK_ASSERT();=0A= =0A= for (i =3D 0; i <=3D fs->rq_size; i++) {=0A= for (q =3D fs->rq[i]; q !=3D NULL; q =3D qn) {=0A= struct mbuf *m, *mnext;=0A= =0A= mnext =3D q->head;=0A= while ((m =3D mnext) !=3D NULL) {=0A= mnext =3D m->m_nextpkt;=0A= DN_FREE_PKT(m);=0A= }=0A= qn =3D q->next;=0A= free(q, M_DUMMYNET);=0A= }=0A= fs->rq[i] =3D NULL;=0A= }=0A= =0A= fs->rq_elements =3D 0;=0A= if (all) {=0A= /* RED - free lookup table. */=0A= if (fs->w_q_lookup !=3D NULL)=0A= free(fs->w_q_lookup, M_DUMMYNET);=0A= if (fs->rq !=3D NULL)=0A= free(fs->rq, M_DUMMYNET);=0A= /* If this fs is not part of a pipe, free it. */=0A= if (fs->pipe =3D=3D NULL || fs !=3D &(fs->pipe->fs))=0A= free(fs, M_DUMMYNET);=0A= }=0A= }=0A= =0A= /*=0A= * Dispose all packets queued on a pipe (not a flow_set).=0A= * Also free all resources associated to a pipe, which is about=0A= * to be deleted.=0A= */=0A= static void=0A= purge_pipe(struct dn_pipe *pipe)=0A= {=0A= struct mbuf *m, *mnext;=0A= =0A= purge_flow_set( &(pipe->fs), 1 );=0A= =0A= mnext =3D pipe->head;=0A= while ((m =3D mnext) !=3D NULL) {=0A= mnext =3D m->m_nextpkt;=0A= DN_FREE_PKT(m);=0A= }=0A= =0A= heap_free( &(pipe->scheduler_heap) );=0A= heap_free( &(pipe->not_eligible_heap) );=0A= heap_free( &(pipe->idle_heap) );=0A= }=0A= =0A= /*=0A= * Delete all pipes and heaps returning memory. Must also=0A= * remove references from all ipfw rules to all pipes.=0A= */=0A= static void=0A= dummynet_flush(void)=0A= {=0A= struct dn_pipe *pipe, *pipe1;=0A= struct dn_flow_set *fs, *fs1;=0A= int i;=0A= =0A= DUMMYNET_LOCK();=0A= /* Free heaps so we don't have unwanted events. */=0A= heap_free(&ready_heap);=0A= heap_free(&wfq_ready_heap);=0A= heap_free(&extract_heap);=0A= =0A= /*=0A= * Now purge all queued pkts and delete all pipes.=0A= *=0A= * XXXGL: can we merge the for(;;) cycles into one or not?=0A= */=0A= for (i =3D 0; i < HASHSIZE; i++)=0A= SLIST_FOREACH_SAFE(fs, &flowsethash[i], next, fs1) {=0A= SLIST_REMOVE(&flowsethash[i], fs, dn_flow_set, next);=0A= purge_flow_set(fs, 1);=0A= }=0A= for (i =3D 0; i < HASHSIZE; i++)=0A= SLIST_FOREACH_SAFE(pipe, &pipehash[i], next, pipe1) {=0A= SLIST_REMOVE(&pipehash[i], pipe, dn_pipe, next);=0A= purge_pipe(pipe);=0A= free(pipe, M_DUMMYNET);=0A= }=0A= DUMMYNET_UNLOCK();=0A= }=0A= =0A= extern struct ip_fw *ip_fw_default_rule ;=0A= static void=0A= dn_rule_delete_fs(struct dn_flow_set *fs, void *r)=0A= {=0A= int i ;=0A= struct dn_flow_queue *q ;=0A= struct mbuf *m ;=0A= =0A= for (i =3D 0 ; i <=3D fs->rq_size ; i++) /* last one is ovflow */=0A= for (q =3D fs->rq[i] ; q ; q =3D q->next )=0A= for (m =3D q->head ; m ; m =3D m->m_nextpkt ) {=0A= struct dn_pkt_tag *pkt =3D dn_tag_get(m) ;=0A= if (pkt->rule =3D=3D r)=0A= pkt->rule =3D ip_fw_default_rule ;=0A= }=0A= }=0A= /*=0A= * when a firewall rule is deleted, scan all queues and remove the = flow-id=0A= * from packets matching this rule.=0A= */=0A= void=0A= dn_rule_delete(void *r)=0A= {=0A= struct dn_pipe *pipe;=0A= struct dn_flow_set *fs;=0A= struct dn_pkt_tag *pkt;=0A= struct mbuf *m;=0A= int i;=0A= =0A= DUMMYNET_LOCK();=0A= /*=0A= * If the rule references a queue (dn_flow_set), then scan=0A= * the flow set, otherwise scan pipes. Should do either, but doing=0A= * both does not harm.=0A= */=0A= for (i =3D 0; i < HASHSIZE; i++)=0A= SLIST_FOREACH(fs, &flowsethash[i], next)=0A= dn_rule_delete_fs(fs, r);=0A= =0A= for (i =3D 0; i < HASHSIZE; i++)=0A= SLIST_FOREACH(pipe, &pipehash[i], next) {=0A= fs =3D &(pipe->fs);=0A= dn_rule_delete_fs(fs, r);=0A= for (m =3D pipe->head ; m ; m =3D m->m_nextpkt ) {=0A= pkt =3D dn_tag_get(m);=0A= if (pkt->rule =3D=3D r)=0A= pkt->rule =3D ip_fw_default_rule;=0A= }=0A= }=0A= DUMMYNET_UNLOCK();=0A= }=0A= =0A= /*=0A= * setup RED parameters=0A= */=0A= static int=0A= config_red(struct dn_flow_set *p, struct dn_flow_set *x)=0A= {=0A= int i;=0A= =0A= x->w_q =3D p->w_q;=0A= x->min_th =3D SCALE(p->min_th);=0A= x->max_th =3D SCALE(p->max_th);=0A= x->max_p =3D p->max_p;=0A= =0A= x->c_1 =3D p->max_p / (p->max_th - p->min_th);=0A= x->c_2 =3D SCALE_MUL(x->c_1, SCALE(p->min_th));=0A= =0A= if (x->flags_fs & DN_IS_GENTLE_RED) {=0A= x->c_3 =3D (SCALE(1) - p->max_p) / p->max_th;=0A= x->c_4 =3D SCALE(1) - 2 * p->max_p;=0A= }=0A= =0A= /* If the lookup table already exist, free and create it again. */=0A= if (x->w_q_lookup) {=0A= free(x->w_q_lookup, M_DUMMYNET);=0A= x->w_q_lookup =3D NULL;=0A= }=0A= if (red_lookup_depth =3D=3D 0) {=0A= printf("\ndummynet: net.inet.ip.dummynet.red_lookup_depth"=0A= "must be > 0\n");=0A= free(x, M_DUMMYNET);=0A= return (EINVAL);=0A= }=0A= x->lookup_depth =3D red_lookup_depth;=0A= x->w_q_lookup =3D (u_int *)malloc(x->lookup_depth * sizeof(int),=0A= M_DUMMYNET, M_NOWAIT);=0A= if (x->w_q_lookup =3D=3D NULL) {=0A= printf("dummynet: sorry, cannot allocate red lookup table\n");=0A= free(x, M_DUMMYNET);=0A= return(ENOSPC);=0A= }=0A= =0A= /* Fill the lookup table with (1 - w_q)^x */=0A= x->lookup_step =3D p->lookup_step;=0A= x->lookup_weight =3D p->lookup_weight;=0A= x->w_q_lookup[0] =3D SCALE(1) - x->w_q;=0A= =0A= for (i =3D 1; i < x->lookup_depth; i++)=0A= x->w_q_lookup[i] =3D=0A= SCALE_MUL(x->w_q_lookup[i - 1], x->lookup_weight);=0A= =0A= if (red_avg_pkt_size < 1)=0A= red_avg_pkt_size =3D 512;=0A= x->avg_pkt_size =3D red_avg_pkt_size;=0A= if (red_max_pkt_size < 1)=0A= red_max_pkt_size =3D 1500;=0A= x->max_pkt_size =3D red_max_pkt_size;=0A= return (0);=0A= }=0A= =0A= static int=0A= alloc_hash(struct dn_flow_set *x, struct dn_flow_set *pfs)=0A= {=0A= if (x->flags_fs & DN_HAVE_FLOW_MASK) { /* allocate some slots */=0A= int l =3D pfs->rq_size;=0A= =0A= if (l =3D=3D 0)=0A= l =3D dn_hash_size;=0A= if (l < 4)=0A= l =3D 4;=0A= else if (l > DN_MAX_HASH_SIZE)=0A= l =3D DN_MAX_HASH_SIZE;=0A= x->rq_size =3D l;=0A= } else /* one is enough for null mask */=0A= x->rq_size =3D 1;=0A= x->rq =3D malloc((1 + x->rq_size) * sizeof(struct dn_flow_queue *),=0A= M_DUMMYNET, M_NOWAIT | M_ZERO);=0A= if (x->rq =3D=3D NULL) {=0A= printf("dummynet: sorry, cannot allocate queue\n");=0A= return (ENOMEM);=0A= }=0A= x->rq_elements =3D 0;=0A= return 0 ;=0A= }=0A= =0A= static void=0A= set_fs_parms(struct dn_flow_set *x, struct dn_flow_set *src)=0A= {=0A= x->flags_fs =3D src->flags_fs;=0A= x->qsize =3D src->qsize;=0A= x->plr =3D src->plr;=0A= x->flow_mask =3D src->flow_mask;=0A= if (x->flags_fs & DN_QSIZE_IS_BYTES) {=0A= if (x->qsize > 1024 * 1024)=0A= x->qsize =3D 1024 * 1024;=0A= } else {=0A= if (x->qsize =3D=3D 0)=0A= x->qsize =3D 50;=0A= if (x->qsize > 100)=0A= x->qsize =3D 50;=0A= }=0A= /* Configuring RED. */=0A= if (x->flags_fs & DN_IS_RED)=0A= config_red(src, x); /* XXX should check errors */=0A= }=0A= =0A= /*=0A= * Setup pipe or queue parameters.=0A= */=0A= static int=0A= config_pipe(struct dn_pipe *p)=0A= {=0A= struct dn_flow_set *pfs =3D &(p->fs);=0A= struct dn_flow_queue *q;=0A= int i, error;=0A= =0A= /*=0A= * The config program passes parameters as follows:=0A= * bw =3D bits/second (0 means no limits),=0A= * delay =3D ms, must be translated into ticks.=0A= * qsize =3D slots/bytes=0A= */=0A= p->delay =3D (p->delay * hz) / 1000;=0A= /* We need either a pipe number or a flow_set number. */=0A= if (p->pipe_nr =3D=3D 0 && pfs->fs_nr =3D=3D 0)=0A= return (EINVAL);=0A= if (p->pipe_nr !=3D 0 && pfs->fs_nr !=3D 0)=0A= return (EINVAL);=0A= if (p->pipe_nr !=3D 0) { /* this is a pipe */=0A= struct dn_pipe *pipe;=0A= =0A= DUMMYNET_LOCK();=0A= pipe =3D locate_pipe(p->pipe_nr); /* locate pipe */=0A= =0A= if (pipe =3D=3D NULL) { /* new pipe */=0A= pipe =3D malloc(sizeof(struct dn_pipe), M_DUMMYNET,=0A= M_NOWAIT | M_ZERO);=0A= if (pipe =3D=3D NULL) {=0A= DUMMYNET_UNLOCK();=0A= printf("dummynet: no memory for new pipe\n");=0A= return (ENOMEM);=0A= }=0A= pipe->pipe_nr =3D p->pipe_nr;=0A= pipe->fs.pipe =3D pipe;=0A= /*=0A= * idle_heap is the only one from which=0A= * we extract from the middle.=0A= */=0A= pipe->idle_heap.size =3D pipe->idle_heap.elements =3D 0;=0A= pipe->idle_heap.offset =3D=0A= offsetof(struct dn_flow_queue, heap_pos);=0A= } else=0A= /* Flush accumulated credit for all queues. */=0A= for (i =3D 0; i <=3D pipe->fs.rq_size; i++)=0A= for (q =3D pipe->fs.rq[i]; q; q =3D q->next)=0A= q->numbytes =3D 0;=0A= =0A= pipe->bandwidth =3D p->bandwidth;=0A= pipe->numbytes =3D 0; /* just in case... */=0A= bcopy(p->if_name, pipe->if_name, sizeof(p->if_name));=0A= pipe->ifp =3D NULL; /* reset interface ptr */=0A= pipe->delay =3D p->delay;=0A= set_fs_parms(&(pipe->fs), pfs);=0A= =0A= if (pipe->fs.rq =3D=3D NULL) { /* a new pipe */=0A= error =3D alloc_hash(&(pipe->fs), pfs);=0A= if (error) {=0A= DUMMYNET_UNLOCK();=0A= free(pipe, M_DUMMYNET);=0A= return (error);=0A= }=0A= SLIST_INSERT_HEAD(&pipehash[HASH(pipe->pipe_nr)],=0A= pipe, next);=0A= }=0A= DUMMYNET_UNLOCK();=0A= } else { /* config queue */=0A= struct dn_flow_set *fs;=0A= =0A= DUMMYNET_LOCK();=0A= fs =3D locate_flowset(pfs->fs_nr); /* locate flow_set */=0A= =0A= if (fs =3D=3D NULL) { /* new */=0A= if (pfs->parent_nr =3D=3D 0) { /* need link to a pipe */=0A= DUMMYNET_UNLOCK();=0A= return (EINVAL);=0A= }=0A= fs =3D malloc(sizeof(struct dn_flow_set), M_DUMMYNET,=0A= M_NOWAIT | M_ZERO);=0A= if (fs =3D=3D NULL) {=0A= DUMMYNET_UNLOCK();=0A= printf(=0A= "dummynet: no memory for new flow_set\n");=0A= return (ENOMEM);=0A= }=0A= fs->fs_nr =3D pfs->fs_nr;=0A= fs->parent_nr =3D pfs->parent_nr;=0A= fs->weight =3D pfs->weight;=0A= if (fs->weight =3D=3D 0)=0A= fs->weight =3D 1;=0A= else if (fs->weight > 100)=0A= fs->weight =3D 100;=0A= } else {=0A= /*=0A= * Change parent pipe not allowed;=0A= * must delete and recreate.=0A= */=0A= if (pfs->parent_nr !=3D 0 &&=0A= fs->parent_nr !=3D pfs->parent_nr) {=0A= DUMMYNET_UNLOCK();=0A= return (EINVAL);=0A= }=0A= }=0A= =0A= set_fs_parms(fs, pfs);=0A= =0A= if (fs->rq =3D=3D NULL) { /* a new flow_set */=0A= error =3D alloc_hash(fs, pfs);=0A= if (error) {=0A= DUMMYNET_UNLOCK();=0A= free(fs, M_DUMMYNET);=0A= return (error);=0A= }=0A= SLIST_INSERT_HEAD(&flowsethash[HASH(fs->fs_nr)],=0A= fs, next);=0A= }=0A= DUMMYNET_UNLOCK();=0A= }=0A= return (0);=0A= }=0A= =0A= /*=0A= * Helper function to remove from a heap queues which are linked to=0A= * a flow_set about to be deleted.=0A= */=0A= static void=0A= fs_remove_from_heap(struct dn_heap *h, struct dn_flow_set *fs)=0A= {=0A= int i =3D 0, found =3D 0 ;=0A= for (; i < h->elements ;)=0A= if ( ((struct dn_flow_queue *)h->p[i].object)->fs =3D=3D fs) {=0A= h->elements-- ;=0A= h->p[i] =3D h->p[h->elements] ;=0A= found++ ;=0A= } else=0A= i++ ;=0A= if (found)=0A= heapify(h);=0A= }=0A= =0A= /*=0A= * helper function to remove a pipe from a heap (can be there at most = once)=0A= */=0A= static void=0A= pipe_remove_from_heap(struct dn_heap *h, struct dn_pipe *p)=0A= {=0A= if (h->elements > 0) {=0A= int i =3D 0 ;=0A= for (i=3D0; i < h->elements ; i++ ) {=0A= if (h->p[i].object =3D=3D p) { /* found it */=0A= h->elements-- ;=0A= h->p[i] =3D h->p[h->elements] ;=0A= heapify(h);=0A= break ;=0A= }=0A= }=0A= }=0A= }=0A= =0A= /*=0A= * drain all queues. Called in case of severe mbuf shortage.=0A= */=0A= void=0A= dummynet_drain(void)=0A= {=0A= struct dn_flow_set *fs;=0A= struct dn_pipe *pipe;=0A= struct mbuf *m, *mnext;=0A= int i;=0A= =0A= DUMMYNET_LOCK_ASSERT();=0A= =0A= heap_free(&ready_heap);=0A= heap_free(&wfq_ready_heap);=0A= heap_free(&extract_heap);=0A= /* remove all references to this pipe from flow_sets */=0A= for (i =3D 0; i < HASHSIZE; i++)=0A= SLIST_FOREACH(fs, &flowsethash[i], next)=0A= purge_flow_set(fs, 0);=0A= =0A= for (i =3D 0; i < HASHSIZE; i++) {=0A= SLIST_FOREACH(pipe, &pipehash[i], next) {=0A= purge_flow_set(&(pipe->fs), 0);=0A= =0A= mnext =3D pipe->head;=0A= while ((m =3D mnext) !=3D NULL) {=0A= mnext =3D m->m_nextpkt;=0A= DN_FREE_PKT(m);=0A= }=0A= pipe->head =3D pipe->tail =3D NULL;=0A= }=0A= }=0A= }=0A= =0A= /*=0A= * Fully delete a pipe or a queue, cleaning up associated info.=0A= */=0A= static int=0A= delete_pipe(struct dn_pipe *p)=0A= {=0A= =0A= if (p->pipe_nr =3D=3D 0 && p->fs.fs_nr =3D=3D 0)=0A= return EINVAL ;=0A= if (p->pipe_nr !=3D 0 && p->fs.fs_nr !=3D 0)=0A= return EINVAL ;=0A= if (p->pipe_nr !=3D 0) { /* this is an old-style pipe */=0A= struct dn_pipe *pipe;=0A= struct dn_flow_set *fs;=0A= int i;=0A= =0A= DUMMYNET_LOCK();=0A= pipe =3D locate_pipe(p->pipe_nr); /* locate pipe */=0A= =0A= if (pipe =3D=3D NULL) {=0A= DUMMYNET_UNLOCK();=0A= return (ENOENT); /* not found */=0A= }=0A= =0A= /* Unlink from list of pipes. */=0A= SLIST_REMOVE(&pipehash[HASH(pipe->pipe_nr)], pipe, dn_pipe, next);=0A= =0A= /* Remove all references to this pipe from flow_sets. */=0A= for (i =3D 0; i < HASHSIZE; i++)=0A= SLIST_FOREACH(fs, &flowsethash[i], next)=0A= if (fs->pipe =3D=3D pipe) {=0A= printf("dummynet: ++ ref to pipe %d from fs %d\n",=0A= p->pipe_nr, fs->fs_nr);=0A= fs->pipe =3D NULL ;=0A= purge_flow_set(fs, 0);=0A= }=0A= fs_remove_from_heap(&ready_heap, &(pipe->fs));=0A= purge_pipe(pipe); /* remove all data associated to this pipe */=0A= /* remove reference to here from extract_heap and wfq_ready_heap */=0A= pipe_remove_from_heap(&extract_heap, pipe);=0A= pipe_remove_from_heap(&wfq_ready_heap, pipe);=0A= DUMMYNET_UNLOCK();=0A= =0A= free(pipe, M_DUMMYNET);=0A= } else { /* this is a WF2Q queue (dn_flow_set) */=0A= struct dn_flow_set *fs;=0A= =0A= DUMMYNET_LOCK();=0A= fs =3D locate_flowset(p->fs.fs_nr); /* locate set */=0A= =0A= if (fs =3D=3D NULL) {=0A= DUMMYNET_UNLOCK();=0A= return (ENOENT); /* not found */=0A= }=0A= =0A= /* Unlink from list of flowsets. */=0A= SLIST_REMOVE( &flowsethash[HASH(fs->fs_nr)], fs, dn_flow_set, next);=0A= =0A= if (fs->pipe !=3D NULL) {=0A= /* Update total weight on parent pipe and cleanup parent heaps. */=0A= fs->pipe->sum -=3D fs->weight * fs->backlogged ;=0A= fs_remove_from_heap(&(fs->pipe->not_eligible_heap), fs);=0A= fs_remove_from_heap(&(fs->pipe->scheduler_heap), fs);=0A= #if 1 /* XXX should i remove from idle_heap as well ? */=0A= fs_remove_from_heap(&(fs->pipe->idle_heap), fs);=0A= #endif=0A= }=0A= purge_flow_set(fs, 1);=0A= DUMMYNET_UNLOCK();=0A= }=0A= return 0 ;=0A= }=0A= =0A= /*=0A= * helper function used to copy data from kernel in DUMMYNET_GET=0A= */=0A= static char *=0A= dn_copy_set(struct dn_flow_set *set, char *bp)=0A= {=0A= int i, copied =3D 0 ;=0A= struct dn_flow_queue *q, *qp =3D (struct dn_flow_queue *)bp;=0A= =0A= DUMMYNET_LOCK_ASSERT();=0A= =0A= for (i =3D 0 ; i <=3D set->rq_size ; i++)=0A= for (q =3D set->rq[i] ; q ; q =3D q->next, qp++ ) {=0A= if (q->hash_slot !=3D i)=0A= printf("dummynet: ++ at %d: wrong slot (have %d, "=0A= "should be %d)\n", copied, q->hash_slot, i);=0A= if (q->fs !=3D set)=0A= printf("dummynet: ++ at %d: wrong fs ptr (have %p, should be %p)\n",=0A= i, q->fs, set);=0A= copied++ ;=0A= bcopy(q, qp, sizeof( *q ) );=0A= /* cleanup pointers */=0A= qp->next =3D NULL ;=0A= qp->head =3D qp->tail =3D NULL ;=0A= qp->fs =3D NULL ;=0A= }=0A= if (copied !=3D set->rq_elements)=0A= printf("dummynet: ++ wrong count, have %d should be %d\n",=0A= copied, set->rq_elements);=0A= return (char *)qp ;=0A= }=0A= =0A= static size_t=0A= dn_calc_size(void)=0A= {=0A= struct dn_flow_set *fs;=0A= struct dn_pipe *pipe;=0A= size_t size =3D 0;=0A= int i;=0A= =0A= DUMMYNET_LOCK_ASSERT();=0A= /*=0A= * Compute size of data structures: list of pipes and flow_sets.=0A= */=0A= for (i =3D 0; i < HASHSIZE; i++) {=0A= SLIST_FOREACH(pipe, &pipehash[i], next)=0A= size +=3D sizeof(*pipe) +=0A= pipe->fs.rq_elements * sizeof(struct dn_flow_queue);=0A= SLIST_FOREACH(fs, &flowsethash[i], next)=0A= size +=3D sizeof (*fs) +=0A= fs->rq_elements * sizeof(struct dn_flow_queue);=0A= }=0A= return size;=0A= }=0A= =0A= static int=0A= dummynet_get(struct sockopt *sopt)=0A= {=0A= char *buf, *bp ; /* bp is the "copy-pointer" */=0A= size_t size ;=0A= struct dn_flow_set *fs;=0A= struct dn_pipe *pipe;=0A= int error=3D0, i ;=0A= =0A= /* XXX lock held too long */=0A= DUMMYNET_LOCK();=0A= /*=0A= * XXX: Ugly, but we need to allocate memory with M_WAITOK flag and = we=0A= * cannot use this flag while holding a mutex.=0A= */=0A= for (i =3D 0; i < 10; i++) {=0A= size =3D dn_calc_size();=0A= DUMMYNET_UNLOCK();=0A= buf =3D malloc(size, M_TEMP, M_WAITOK);=0A= DUMMYNET_LOCK();=0A= if (size =3D=3D dn_calc_size())=0A= break;=0A= free(buf, M_TEMP);=0A= buf =3D NULL;=0A= }=0A= if (buf =3D=3D NULL) {=0A= DUMMYNET_UNLOCK();=0A= return ENOBUFS ;=0A= }=0A= bp =3D buf;=0A= for (i =3D 0; i < HASHSIZE; i++)=0A= SLIST_FOREACH(pipe, &pipehash[i], next) {=0A= struct dn_pipe *pipe_bp =3D (struct dn_pipe *)bp;=0A= =0A= /*=0A= * Copy pipe descriptor into *bp, convert delay back to ms,=0A= * then copy the flow_set descriptor(s) one at a time.=0A= * After each flow_set, copy the queue descriptor it owns.=0A= */=0A= bcopy(pipe, bp, sizeof(*pipe));=0A= pipe_bp->delay =3D (pipe_bp->delay * 1000) / hz;=0A= /*=0A= * XXX the following is a hack based on ->next being the=0A= * first field in dn_pipe and dn_flow_set. The correct=0A= * solution would be to move the dn_flow_set to the beginning=0A= * of struct dn_pipe.=0A= */=0A= pipe_bp->next.sle_next =3D (struct dn_pipe *)DN_IS_PIPE;=0A= /* Clean pointers. */=0A= pipe_bp->head =3D pipe_bp->tail =3D NULL;=0A= pipe_bp->fs.next.sle_next =3D NULL;=0A= pipe_bp->fs.pipe =3D NULL;=0A= pipe_bp->fs.rq =3D NULL;=0A= =0A= bp +=3D sizeof(*pipe) ;=0A= bp =3D dn_copy_set(&(pipe->fs), bp);=0A= }=0A= =0A= for (i =3D 0; i < HASHSIZE; i++)=0A= SLIST_FOREACH(fs, &flowsethash[i], next) {=0A= struct dn_flow_set *fs_bp =3D (struct dn_flow_set *)bp;=0A= =0A= bcopy(fs, bp, sizeof(*fs));=0A= /* XXX same hack as above */=0A= fs_bp->next.sle_next =3D (struct dn_flow_set *)DN_IS_QUEUE;=0A= fs_bp->pipe =3D NULL;=0A= fs_bp->rq =3D NULL;=0A= bp +=3D sizeof(*fs);=0A= bp =3D dn_copy_set(fs, bp);=0A= }=0A= =0A= DUMMYNET_UNLOCK();=0A= =0A= error =3D sooptcopyout(sopt, buf, size);=0A= free(buf, M_TEMP);=0A= return error ;=0A= }=0A= =0A= /*=0A= * Handler for the various dummynet socket options (get, flush, config, = del)=0A= */=0A= static int=0A= ip_dn_ctl(struct sockopt *sopt)=0A= {=0A= int error =3D 0 ;=0A= struct dn_pipe *p, tmp_pipe;=0A= =0A= /* Disallow sets in really-really secure mode. */=0A= if (sopt->sopt_dir =3D=3D SOPT_SET) {=0A= #if __FreeBSD_version >=3D 500034=0A= error =3D securelevel_ge(sopt->sopt_td->td_ucred, 3);=0A= if (error)=0A= return (error);=0A= #else=0A= if (securelevel >=3D 3)=0A= return (EPERM);=0A= #endif=0A= }=0A= =0A= switch (sopt->sopt_name) {=0A= default :=0A= printf("dummynet: -- unknown option %d", sopt->sopt_name);=0A= return EINVAL ;=0A= =0A= case IP_DUMMYNET_GET :=0A= error =3D dummynet_get(sopt);=0A= break ;=0A= =0A= case IP_DUMMYNET_FLUSH :=0A= dummynet_flush() ;=0A= break ;=0A= =0A= case IP_DUMMYNET_CONFIGURE :=0A= p =3D &tmp_pipe ;=0A= error =3D sooptcopyin(sopt, p, sizeof *p, sizeof *p);=0A= if (error)=0A= break ;=0A= error =3D config_pipe(p);=0A= break ;=0A= =0A= case IP_DUMMYNET_DEL : /* remove a pipe or queue */=0A= p =3D &tmp_pipe ;=0A= error =3D sooptcopyin(sopt, p, sizeof *p, sizeof *p);=0A= if (error)=0A= break ;=0A= =0A= error =3D delete_pipe(p);=0A= break ;=0A= }=0A= return error ;=0A= }=0A= =0A= static void=0A= ip_dn_init(void)=0A= {=0A= int i;=0A= =0A= if (bootverbose)=0A= printf("DUMMYNET with IPv6 initialized (040826)\n");=0A= =0A= DUMMYNET_LOCK_INIT();=0A= =0A= for (i =3D 0; i < HASHSIZE; i++) {=0A= SLIST_INIT(&pipehash[i]);=0A= SLIST_INIT(&flowsethash[i]);=0A= }=0A= ready_heap.size =3D ready_heap.elements =3D 0;=0A= ready_heap.offset =3D 0;=0A= =0A= wfq_ready_heap.size =3D wfq_ready_heap.elements =3D 0;=0A= wfq_ready_heap.offset =3D 0;=0A= =0A= extract_heap.size =3D extract_heap.elements =3D 0;=0A= extract_heap.offset =3D 0;=0A= =0A= ip_dn_ctl_ptr =3D ip_dn_ctl;=0A= ip_dn_io_ptr =3D dummynet_io;=0A= ip_dn_ruledel_ptr =3D dn_rule_delete;=0A= =0A= TASK_INIT(&dn_task, 0, dummynet_task, NULL);=0A= dn_tq =3D taskqueue_create_fast("dummynet", M_NOWAIT,=0A= taskqueue_thread_enqueue, &dn_tq);=0A= taskqueue_start_threads(&dn_tq, 1, PI_NET, "dummynet");=0A= =0A= callout_init(&dn_timeout, CALLOUT_MPSAFE);=0A= callout_reset(&dn_timeout, 1, dummynet, NULL);=0A= =0A= /* Initialize curr_time adjustment mechanics. */=0A= getmicrouptime(&prev_t);=0A= }=0A= =0A= #ifdef KLD_MODULE=0A= static void=0A= ip_dn_destroy(void)=0A= {=0A= ip_dn_ctl_ptr =3D NULL;=0A= ip_dn_io_ptr =3D NULL;=0A= ip_dn_ruledel_ptr =3D NULL;=0A= =0A= DUMMYNET_LOCK();=0A= callout_stop(&dn_timeout);=0A= DUMMYNET_UNLOCK();=0A= taskqueue_drain(dn_tq, &dn_task);=0A= taskqueue_free(dn_tq);=0A= =0A= dummynet_flush();=0A= =0A= DUMMYNET_LOCK_DESTROY();=0A= }=0A= #endif /* KLD_MODULE */=0A= =0A= static int=0A= dummynet_modevent(module_t mod, int type, void *data)=0A= {=0A= =0A= switch (type) {=0A= case MOD_LOAD:=0A= if (DUMMYNET_LOADED) {=0A= printf("DUMMYNET already loaded\n");=0A= return EEXIST ;=0A= }=0A= ip_dn_init();=0A= break;=0A= =0A= case MOD_UNLOAD:=0A= #if !defined(KLD_MODULE)=0A= printf("dummynet statically compiled, cannot unload\n");=0A= return EINVAL ;=0A= #else=0A= ip_dn_destroy();=0A= #endif=0A= break ;=0A= default:=0A= return EOPNOTSUPP;=0A= break ;=0A= }=0A= return 0 ;=0A= }=0A= =0A= static moduledata_t dummynet_mod =3D {=0A= "dummynet",=0A= dummynet_modevent,=0A= NULL=0A= };=0A= DECLARE_MODULE(dummynet, dummynet_mod, SI_SUB_PROTO_IFATTACHDOMAIN, = SI_ORDER_ANY);=0A= MODULE_DEPEND(dummynet, ipfw, 2, 2, 2);=0A= MODULE_VERSION(dummynet, 1);=0A= ------=_NextPart_000_00BC_01C885D1.BFA54E80-- From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 14 11:18:19 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8D5D2106566C; Fri, 14 Mar 2008 11:18:19 +0000 (UTC) (envelope-from vadim_nuclight@mail.ru) Received: from mx27.mail.ru (mx27.mail.ru [194.67.23.23]) by mx1.freebsd.org (Postfix) with ESMTP id 6EA728FC27; Fri, 14 Mar 2008 11:18:19 +0000 (UTC) (envelope-from vadim_nuclight@mail.ru) Received: from [78.140.2.78] (port=42460 helo=nuclight.avtf.net) by mx27.mail.ru with asmtp id 1Ja7vV-000Cpw-00; Fri, 14 Mar 2008 14:18:18 +0300 To: bug-followup@freebsd.org, eugen@kuzbass.ru Date: Fri, 14 Mar 2008 17:18:11 +0600 From: "Vadim Goncharov" Organization: AVTF TPU Hostel Content-Type: text/plain; format=flowed; delsp=yes; charset=koi8-r MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID: User-Agent: Opera M2/7.54 (Win32, build 3865) Cc: "freebsd-ipfw@freebsd.org" , "freebsd-net@freebsd.org" Subject: Re: kern/118432: [ng_nat] [panic] kernel libalias: repeatable panic (double fault) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Mar 2008 11:18:19 -0000 Hi! The issue seems to be reprodusable on 7.0 - see kern/121693. -- WBR, Vadim Goncharov From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 14 14:20:09 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 42CA61065674 for ; Fri, 14 Mar 2008 14:20:09 +0000 (UTC) (envelope-from darcy@dbitech.ca) Received: from lists.commandprompt.com (host-159.commandprompt.net [207.173.203.159]) by mx1.freebsd.org (Postfix) with ESMTP id 2D6338FC16 for ; Fri, 14 Mar 2008 14:20:09 +0000 (UTC) (envelope-from darcy@dbitech.ca) Received: from dbitech.homenet.dbitech.bc.ca (d205-250-11-93.bchsia.telus.net [205.250.11.93]) (authenticated bits=0) by lists.commandprompt.com (8.13.8/8.13.8) with ESMTP id m2EDUIKZ005754 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 14 Mar 2008 06:30:19 -0700 From: Darcy Buskermolen Organization: DBI Technologies To: freebsd-ipfw@freebsd.org Date: Fri, 14 Mar 2008 06:28:55 -0700 User-Agent: KMail/1.9.7 References: <1205343184.4032.44.camel@wade-linux.itiva.com> <1205442400.4349.18.camel@wade-linux.itiva.com> <200803140447.18646.asstec@matik.com.br> In-Reply-To: <200803140447.18646.asstec@matik.com.br> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200803140628.55989.darcy@dbitech.ca> X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (lists.commandprompt.com [207.173.203.159]); Fri, 14 Mar 2008 06:30:19 -0700 (PDT) Subject: Re: On the trail of a dummynet/bridge/ipfw bug. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Mar 2008 14:20:09 -0000 On Friday 14 March 2008 00:47:18 AT Matik wrote: > On Thursday 13 March 2008 18:06:40 Wade Klaver wrote: > > OK, here's something weird then. ipfw pipe show | wc -l has reported > > higher numbers: > > [root@ibm3550b ~]# ipfw pipe show | wc -l > > 3453 > > This was reported after the bridge "died" attempting 2600 simultaneous > > connections... it had been running at 2400 before I added 200 more. > > Now, immediately after the above crash, I do a /etc/rc.d/netif restart, > > and then: > > [root@ibm3550b ~]# ipfw pipe show | wc -l > > 3900 > > Then as long as I add additional connections very slowly, I can manage > > to get more established until it dies at 2800 with: > > [root@ibm3550b ~]# ipfw pipe show | wc -l > > 4160 > > At this point I am only using these numbers as a general indication of > > pipe activity as the output is not 1 pipe per line. In fact there is > > more often than not two lines per pipe. However, the end problem > > remains the same. After a point, the bridge doesn't get saturated, it > > crashes and requires that the network be restarted before continuing. > > The fact that it is necessary only to restart the network and not to > > flush ipfw's pipes (which has no effect without a network restart) > > perhaps suggests the problem lies in a different subsystem? The > > broadcom driver perhaps? Wade, are you in a position to try this with a pair of intel gigE cards, using the em driver? That should at least answer if it's a bce issue. > > hard to say because you do not tell so very much about your machine, it > might be too weak for so many pipes (mem or cpu?), The original post had the system configuration in terms of system, CPU and memory. > I do not know your setup > or the nics you use > you say it crash but can restart the network? probably you have some error > in your script or since you run bridge some mac issue? From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 14 18:16:11 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 874B6106566B for ; Fri, 14 Mar 2008 18:16:11 +0000 (UTC) (envelope-from oleg@lath.rinet.ru) Received: from lath.rinet.ru (lath.rinet.ru [195.54.192.90]) by mx1.freebsd.org (Postfix) with ESMTP id F24268FC2D for ; Fri, 14 Mar 2008 18:16:09 +0000 (UTC) (envelope-from oleg@lath.rinet.ru) Received: from lath.rinet.ru (localhost [127.0.0.1]) by lath.rinet.ru (8.14.2/8.14.2) with ESMTP id m2EHwZ8B062727 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 14 Mar 2008 20:58:35 +0300 (MSK) (envelope-from oleg@lath.rinet.ru) Received: (from oleg@localhost) by lath.rinet.ru (8.14.2/8.14.2/Submit) id m2EHwZBP062726; Fri, 14 Mar 2008 20:58:35 +0300 (MSK) (envelope-from oleg) Date: Fri, 14 Mar 2008 20:58:35 +0300 From: Oleg Bulyzhin To: "Vladimir V. Kobal" Message-ID: <20080314175835.GA62177@lath.rinet.ru> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.15 (2007-04-06) Cc: freebsd-ipfw@freebsd.org Subject: Re: Dummynet causes kernel trap and system freeze X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Mar 2008 18:16:11 -0000 On Fri, Mar 14, 2008 at 12:48:43PM +0200, Vladimir V. Kobal wrote: > The system is PPTP NAS (mpd5) with NAT (ng_nat), firewall (ipfw2) and > shaping (dummynet). FreeBSD 7.0-RELEASE, Quad-Core AMD Phenom, AMD 690V > chipset, two em interfaces (EXPI9400PT 82572GI). On high load there are > about 500 simultaneous PPTP users snd 50Mbps/15Mbps of downlink/uplink > traffic going through. > > Kernel is patched against rtfree problem. We've replaced rtfree to > RTFREE_LOCKED at > net/route.c > netinet/if_ether.c > > Sometimes immediately after boot, sometimes after 10 hours of work, we get a > kernel trap because of the page fault and system freeze. The first few > seconds or minutes after the trap there is a possibility to Scroll Lock and > go through debug console. Then the system hangs totally and can be rebooted > only by hardware reset. The current process on kernel trap is always > dummynet. > > Rarely we get a series of four sequential kernel traps and automatic > reboots. > > Today the following happened: the dummynet pipes just stoped working but > other traffic flows worked well and the system console had been freezed. > > Without a load the system runs for days. > > We've tryed to: > apply patch-2 from kern/113548 > apply patch-3 from kern/113548 > change NICs to bge, mks, rl > change processor to Dual-Core AMD 64 x2 > use motherboard with Nvidia chipset > > We always get the same symptoms. > > Backtrace and appropriate dummynet source file are attached. > > We have in production the same system on FreeBSD 6.1-RELEASE. We have never > had traps on it, but the load on it wasn't more than 400 PPTP users and > 30Mbps/10Mbps because of lack of CPU resources. > > The problem looks rather like mentioned in kern/118128, kern/113548, > kern/106534 but there are no working solutions. Could someone help to solve > the problem with dummynet? > > Best regards, > Vladimir Kobal > [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"] > GNU gdb 6.1.1 [FreeBSD] > Copyright 2004 Free Software Foundation, Inc. > GDB is free software, covered by the GNU General Public License, and you are > welcome to change it and/or distribute copies of it under certain conditions. > Type "show copying" to see the conditions. > There is absolutely no warranty for GDB. Type "show warranty" for details. > This GDB was configured as "amd64-marcel-freebsd". > > Unread portion of the kernel message buffer: > Copyright (c) 1992-2008 The FreeBSD Project. > Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 > The Regents of the University of California. All rights reserved. > FreeBSD is a registered trademark of The FreeBSD Foundation. > FreeBSD 7.0-RELEASE #12: Thu Mar 13 12:27:02 EET 2008 > natalie@firewall.prokk.net:/usr/src/sys/amd64/compile/FIREWALL > Timecounter "i8254" frequency 1193182 Hz quality 0 > CPU: AMD Phenom(tm) 9600 Quad-Core Processor (2305.24-MHz K8-class CPU) > Origin = "AuthenticAMD" Id = 0x100f22 Stepping = 2 > Features=0x178bfbff > Features2=0x802009> > AMD Features=0xee500800,RDTSCP,LM,3DNow!+,3DNow!> > AMD Features2=0x7ff,,,Prefetch,,> > Cores per package: 4 > usable memory = 2105335808 (2007 MB) > avail memory = 2031869952 (1937 MB) > ACPI APIC Table: > FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs > cpu0 (BSP): APIC ID: 0 > cpu1 (AP): APIC ID: 1 > cpu2 (AP): APIC ID: 2 > cpu3 (AP): APIC ID: 3 > ioapic0: Changing APIC ID to 2 > ioapic0 irqs 0-23 on motherboard > kbd1 at kbdmux0 > acpi0: on motherboard > acpi0: [ITHREAD] > acpi0: Power Button (fixed) > acpi0: reservation of 0, a0000 (3) failed > acpi0: reservation of 100000, 7dde0000 (3) failed > Timecounter "ACPI-safe" frequency 3579545 Hz quality 850 > acpi_timer0: <32-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0 > acpi_hpet0: iomem 0xfed00000-0xfed003ff on acpi0 > acpi_hpet0: HPET never increments, disabling > device_attach: acpi_hpet0 attach returned 6 > cpu0: on acpi0 > cpu1: on acpi0 > cpu2: on acpi0 > cpu3: on acpi0 > acpi_button0: on acpi0 > pcib0: port 0xcf8-0xcff on acpi0 > pci0: on pcib0 > pcib1: at device 1.0 on pci0 > pci1: on pcib1 > vgapci0: port 0xce00-0xceff mem 0xfa000000-0xfbffffff,0xfdcf0000-0xfdcfffff,0xfdb00000-0xfdbfffff irq 18 at device 5.0 on pci1 > pcib2: at device 2.0 on pci0 > pci2: on pcib2 > em0: port 0xef00-0xef1f mem 0xfdae0000-0xfdafffff,0xfdac0000-0xfdadffff irq 18 at device 0.0 on pci2 > em0: Using MSI interrupt > em0: Ethernet address: 00:15:17:68:58:84 > em0: [FILTER] > pcib3: at device 4.0 on pci0 > pci3: on pcib3 > em1: port 0xdf00-0xdf1f mem 0xfdee0000-0xfdefffff,0xfdec0000-0xfdedffff irq 16 at device 0.0 on pci3 > em1: Using MSI interrupt > em1: Ethernet address: 00:15:17:67:49:49 > em1: [FILTER] > atapci0: port 0xff00-0xff07,0xfe00-0xfe03,0xfd00-0xfd07,0xfc00-0xfc03,0xfb00-0xfb0f mem 0xfe02f000-0xfe02f3ff irq 22 at device 18.0 on pci0 > atapci0: [ITHREAD] > ata2: on atapci0 > ata2: [ITHREAD] > ata3: on atapci0 > ata3: [ITHREAD] > pci0: at device 20.0 (no driver attached) > atapci1: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xf900-0xf90f at device 20.1 on pci0 > ata0: on atapci1 > ata0: [ITHREAD] > isab0: at device 20.3 on pci0 > isa0: on isab0 > pcib4: at device 20.4 on pci0 > pci4: on pcib4 > re0: port 0xbe00-0xbeff mem 0xfd9ff000-0xfd9ff0ff irq 23 at device 15.0 on pci4 > miibus0: on re0 > rgephy0: PHY 1 on miibus0 > rgephy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto > re0: Ethernet address: 00:1a:4d:f6:aa:4a > re0: [FILTER] > atkbdc0: port 0x60,0x64 irq 1 on acpi0 > atkbd0: irq 1 on atkbdc0 > kbd0 at atkbd0 > atkbd0: [GIANT-LOCKED] > atkbd0: [ITHREAD] > psm0: irq 12 on atkbdc0 > psm0: [GIANT-LOCKED] > psm0: [ITHREAD] > psm0: model Generic PS/2 mouse, device ID 0 > acpi_hpet0: iomem 0xfed00000-0xfed003ff on acpi0 > acpi_hpet0: HPET never increments, disabling > device_attach: acpi_hpet0 attach returned 6 > sc0: at flags 0x100 on isa0 > sc0: VGA <16 virtual consoles, flags=0x300> > vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0 > Timecounters tick every 1.000 msec > ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to accept, logging limited to 100 packets/entry by default > ad4: 76318MB at ata2-master UDMA33 > SMP: AP CPU #3 Launched! > SMP: AP CPU #1 Launched! > SMP: AP CPU #2 Launched! > Trying to mount root from ufs:/dev/ad4s1a > <118>Loading configuration files. > <118>kernel dumps on /dev/ad4s1b > <118>Entropy harvesting: > <118> interrupts > <118> ethernet > <118> point_to_point > <118> kickstart > <118>. > <118>swapon: adding /dev/ad4s1b as swap device > <118>Starting file system checks: > <118>/dev/ad4s1a: FILE SYSTEM CLEAN; SKIPPING CHECKS > <118>/dev/ad4s1a: clean, 35547366 free (100502 frags, 4430858 blocks, 0.3% fragmentation) > <118>Setting hostuuid: 42c32a0e-ef7a-11dc-b498-001517685884. > <118>Setting hostid: 0x5e99e61e. > <118>Mounting local file systems: > <118>. > <118>Setting hostname: firewall.prokk.net. > <118>net.inet.ip.fastforwarding: > <118>0 > <118> -> > <118>1 > <118> > <118>lo0: flags=8049 metric 0 mtu 16384 > <118>inet 127.0.0.1 netmask 0xff000000 > <118>em0: flags=8843 metric 0 mtu 1500 > <118>options=19b > <118>ether 00:15:17:68:58:84 > <118>inet 195.16.76.6 netmask 0xfffffff8 broadcast 195.16.76.7 > <118>inet 195.16.77.2 netmask 0xfffffff0 broadcast 195.16.77.15 > <118>inet 10.100.1.1 netmask 0xfffffffc broadcast 10.100.1.3 > <118>inet 10.100.2.1 netmask 0xfffffff0 broadcast 10.100.2.15 > <118>inet 217.119.114.186 netmask 0xfffffffc broadcast 217.119.114.187 > <118>inet 195.16.77.33 netmask 0xfffffff8 broadcast 195.16.77.39 > <118>inet 10.110.1.17 netmask 0xfffffff0 broadcast 10.110.1.31 > <118>media: Ethernet autoselect > <118>status: no carrier > <118>em1: flags=8843 metric 0 mtu 1500 > <118>options=19b > <118>ether 00:15:17:67:49:49 > <118>inet 192.168.99.1 netmask 0xffffc000 broadcast 192.168.127.255 > <118>inet 195.16.76.129 netmask 0xffffffe0 broadcast 195.16.76.159 > <118>inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255 > <118>inet 192.168.4.33 netmask 0xfffffffc broadcast 192.168.4.35 > <118>inet 192.168.5.1 netmask 0xfffffff8 broadcast 192.168.5.7 > <118>inet 192.168.11.1 netmask 0xfffffff8 broadcast 192.168.11.7 > <118>inet 192.168.129.1 netmask 0xffffff00 broadcast 192.168.129.255 > <118>inet 192.168.250.1 netmask 0xfffffff8 broadcast 192.168.250.7 > <118>inet 192.168.231.1 netmask 0xffffff00 broadcast 192.168.231.255 > <118>inet 195.16.76.225 netmask 0xffffffe0 broadcast 195.16.76.255 > <118>inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255 > <118>inet 195.16.76.29 netmask 0xfffffffc broadcast 195.16.76.31 > <118>inet 195.16.76.9 netmask 0xfffffff8 broadcast 195.16.76.15 > <118>inet 195.16.76.17 netmask 0xfffffffc broadcast 195.16.76.19 > <118>inet 10.2.1.1 netmask 0xfffffff0 broadcast 10.2.1.15 > <118>inet 10.2.2.1 netmask 0xffffff00 broadcast 10.2.2.255 > <118>inet 195.16.76.93 netmask 0xfffffffc broadcast 195.16.76.95 > <118>media: Ethernet autoselect > <118>status: no carrier > <118>vlan2: flags=8843 metric 0 mtu 1500 > <118>options=3 > <118>ether 00:15:17:67:49:49 > <118>inet 192.168.11.241 netmask 0xfffffff8 broadcast 192.168.11.247 > <118>media: Ethernet autoselect > <118>status: no carrier > <118>vlan: 2 parent interface: em1 > <118>vlan3: flags=8843 metric 0 mtu 1500 > <118>options=3 > <118>ether 00:15:17:67:49:49 > <118>inet 192.168.11.20 netmask 0xfffffff0 broadcast 192.168.11.31 > <118>media: Ethernet autoselect > <118>status: no carrier > <118>vlan: 3 parent interface: em1 > <118>vlan4: flags=8843 metric 0 mtu 1500 > <118>options=3 > <118>ether 00:15:17:67:49:49 > <118>inet 192.168.11.249 netmask 0xfffffff8 broadcast 192.168.11.255 > <118>inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255 > <118>media: Ethernet autoselect > <118>status: no carrier > <118>vlan: 4 parent interface: em1 > <118>vlan5: flags=8843 metric 0 mtu 1500 > <118>options=3 > <118>ether 00:15:17:67:49:49 > <118>inet 192.168.19.1 netmask 0xffffff00 broadcast 192.168.19.255 > <118>media: Ethernet autoselect > <118>status: no carrier > <118>vlan: 5 parent interface: em1 > <118>vlan6: flags=8843 metric 0 mtu 1500 > <118>options=3 > <118>ether 00:15:17:67:49:49 > <118>inet 192.168.11.33 netmask 0xffffffe0 broadcast 192.168.11.63 > <118>media: Ethernet autoselect > <118>status: no carrier > <118>vlan: 6 parent interface: em1 > <118>vlan7: flags=8843 metric 0 mtu 1500 > <118>options=3 > <118>ether 00:15:17:67:49:49 > <118>inet 192.168.230.1 netmask 0xffffff00 broadcast 192.168.230.255 > <118>media: Ethernet autoselect > <118>status: no carrier > <118>vlan: 7 parent interface: em1 > <118>vlan8: flags=8843 metric 0 mtu 1500 > <118>options=3 > <118>ether 00:15:17:67:49:49 > <118>inet 195.16.76.209 netmask 0xfffffff0 broadcast 195.16.76.223 > <118>inet 10.1.5.1 netmask 0xffffff00 broadcast 10.1.5.255 > <118>inet 10.2.5.1 netmask 0xffffff00 broadcast 10.2.5.255 > <118>media: Ethernet autoselect > <118>status: no carrier > <118>vlan: 8 parent interface: em1 > <118>add net default: gateway 217.119.114.185 > <118>Additional routing options: > <118> IP gateway=YES > <118> ARP proxyall=YES > <118>. > <118>Starting devd. > <118>re0: flags=8843 metric 0 mtu 1500 > <118>options=9b > <118>ether 00:1a:4d:f6:aa:4a > <118>inet 195.16.77.4 netmask 0xfffffff0 broadcast 195.16.77.15 > <118>media: Ethernet autoselect (none) > <118>status: no carrier > <118>route: > <118>writing to routing socket > <118>: > <118>File exists > <118>add net default: gateway 217.119.114.185: route already in table > <118>hw.acpi.cpu.cx_lowest: > <118>C1 > <118> -> > <118>C1 > <118> > <118>Flushed all rules. > <118>Flushed all pipes. > <118>00020 deny tcp from any 2022,2023 to any > <118>00020 deny tcp from any to any dst-port 2022,2023 > <118>00047 deny ip from 10.5.0.0/24 to any > <118>00047 deny ip from any to 10.5.0.0/24 > <118>00049 deny ip from 60.48.0.0/13 to any > <118>00049 deny ip from 60.240.195.0/24 to any > <118>00049 deny ip from 192.168.0.0/24 to any > <118>00049 deny ip from any to 169.254.0.0/16 > <118>00049 deny ip from 169.254.0.0/16 to any > <118>00050 allow ip from 195.16.77.5 to any dst-port 25 via em0 > <118>00050 allow ip from any 25 to 195.16.77.5 via em0 > <118>00050 pipe 5362 ip from any 25 to { 195.16.76.32/27 or dst-ip 195.16.76.64/30 or dst-ip 195.16.76.68/30 } > <118>00050 pipe 5367 ip from { 195.16.76.32/27 or 195.16.76.64/30 or 195.16.76.68/30 } to any dst-port 25 > <118>00050 pipe 5212 ip from any 25 to 194.60.77.0/24 > <118>00050 pipe 5217 ip from 194.60.77.0/24 to any dst-port 25 > <118>00050 allow ip from 195.16.76.208/28 to any dst-port 25 > <118>00050 allow ip from any 25 to 195.16.76.208/28 > <118>00050 allow ip from 195.16.76.86 to any dst-port 25 > <118>00050 allow ip from any 25 to 195.16.76.86 > <118>00050 pipe 5172 ip from 195.16.76.232 to any dst-port 25 > <118>00050 pipe 5177 ip from any 25 to 195.16.76.232 > <118>00050 pipe 5552 ip from 195.16.76.253 to any dst-port 25 > <118>00050 pipe 5557 ip from any 25 to 195.16.76.253 > <118>00050 pipe 5152 ip from 195.16.76.137 to any dst-port 25 > <118>00050 pipe 5157 ip from any 25 to 195.16.76.137 > <118>00050 pipe 5182 ip from 195.16.76.140 to any dst-port 25 > <118>00050 pipe 5187 ip from any 25 to 195.16.76.140 > <118>00050 pipe 5492 ip from 195.16.76.134 to any dst-port 25 > <118>00050 pipe 5497 ip from any 25 to 195.16.76.134 > <118>00050 pipe 5212 ip from 194.0.157.100 to any dst-port 25 > <118>00050 pipe 5217 ip from any 25 to 194.0.157.100 > <118>00050 pipe 5212 ip from 194.0.157.1 to any dst-port 25 > <118>00050 pipe 5217 ip from any 25 to 194.0.157.1 > <118>00050 pipe 5212 ip from 194.60.77.0/24 to any dst-port 25 > <118>00050 pipe 5217 ip from any 25 to 194.60.77.0/24 > <118>00051 deny ip from not table(1) 25 to any > <118>00051 deny ip from any to not table(1) dst-port 25 > <118>00053 allow icmp from 195.16.77.7 to any > <118>00053 allow icmp from any to 195.16.77.7 > <118>00053 allow icmp from 195.16.77.2 to any > <118>00053 allow icmp from any to 195.16.77.2 > <118>00054 allow udp from 195.16.77.0/28 to me dst-port 53,123,137,138,139,161,199,445,514,953,1723,8668,30001,57030 > <118>00054 allow tcp from 195.16.76.0/23 to me dst-port 53,123,137,138,139,161,199,445,514,953,1723,8668,30001,57030 > <118>00054 allow tcp from 192.168.0.0/16 to me dst-port 53,123,137,138,139,161,199,445,514,953,1723,8668,57030 > <118>00054 allow tcp from 10.0.0.0/8 to me dst-port 53,123,137,138,139,161,199,445,514,953,1723,8668,57030 > <118>00055 deny tcp from any to me dst-port 53,123,137,138,139,161,199,445,514,953,1723,8668,30001,57030 > <118>00056 allow tcp from 192.168.0.0/16 to 195.16.77.3 dst-port 20,21 > <118>00056 allow tcp from 172.16.0.0/16 to 195.16.77.3 dst-port 20,21 > <118>00056 allow tcp from 195.16.76.0/23 to 195.16.77.3 dst-port 20,21 > <118>00056 allow ip from 194.88.220.30 to 195.16.77.3 dst-port 20,21 > <118>00056 allow ip from 195.16.77.3 20,21 to 194.88.220.30 > <118>00056 deny tcp from any to 195.16.77.3 dst-port 20,21 > <118>00057 allow tcp from 192.168.0.0/16 to 195.16.77.1 dst-port 53 > <118>00057 allow udp from 192.168.0.0/16 to 195.16.77.1 dst-port 53 > <118>00057 allow tcp from 195.16.77.1 53 to 192.168.0.0/16 > <118>00057 allow udp from 195.16.77.1 53 to 192.168.0.0/16 > <118>00058 allow udp from 195.16.77.0/28 to me dst-port 5005 > <118>00059 deny udp from any to me dst-port 5005 > <118>00062 count ip from 195.16.76.208/30 to any > <118>00063 count ip from any to 195.16.76.208/30 > <118>00065 allow ip from 10.100.2.0/24 to 195.16.77.0/28 > <118>00065 allow ip from 195.16.77.0/28 to 10.100.2.0/24 > <118>00065 allow ip from 10.100.2.0/24 to me > <118>00065 allow ip from me to 10.100.2.0/24 > <118>00065 allow ip from 10.2.5.0/24 to 195.16.77.0/28 > <118>00065 allow ip from 195.16.77.0/28 to 10.2.5.0/24 > <118>00066 allow ip from 195.16.77.7 69 to 192.168.230.0/24 > <118>00066 allow ip from 192.168.230.0/24 to 195.16.77.7 dst-port 69 > <118>00075 allow tcp from 195.16.76.212 to 195.16.77.7 dst-port 3389 > <118>00075 allow tcp from 195.16.77.7 3389 to 195.16.76.212 > <118>00076 allow tcp from 192.168.2.65 to 195.16.77.7 dst-port 3389,137,138,139,445 > <118>00076 allow tcp from 192.168.99.65 to 195.16.77.7 dst-port 3389,137,138,139,445 > <118>00076 allow tcp from 195.16.76.152 to 195.16.77.7 dst-port 3389,137,138,139,445 > <118>00076 allow tcp from 195.16.77.7 3389,137,138,139,445 to 192.168.2.65 > <118>00076 allow tcp from 195.16.77.7 3389,137,138,139,445 to 192.168.99.65 > <118>00076 allow tcp from 195.16.77.7 3389,137,138,139,445 to 195.16.76.152 > <118>00076 allow tcp from 195.16.76.152 to 195.16.77.2 > <118>00076 allow tcp from 195.16.77.2 to 195.16.76.152 > <118>00076 allow tcp from 195.16.76.99 to 195.16.77.2 > <118>00076 allow tcp from 195.16.77.2 to 195.16.76.99 > <118>00076 allow tcp from 195.16.76.99 to 195.16.77.7 dst-port 3389,137,138,139,445 > <118>00076 allow tcp from 195.16.77.7 3389,137,138,139,445 to 195.16.76.99 > <118>00076 allow tcp from 195.234.148.238 to 195.16.77.7 > <118>00076 allow tcp from 195.16.77.7 to 195.234.148.238 > <118>00077 allow tcp from 192.168.99.235 to 195.16.77.7 dst-port 3389 > <118>00077 allow tcp from 172.16.1.235 to 195.16.77.7 dst-port 3389 > <118>00077 allow tcp from 195.16.77.7 3389 to 192.168.99.235 > <118>00077 allow tcp from 195.16.77.7 3389 to 172.16.1.235 > <118>00077 allow tcp from 192.168.97.91 to 195.16.77.7 dst-port 3389 > <118>00077 allow tcp from 172.16.3.91 to 195.16.77.7 dst-port 3389 > <118>00077 allow tcp from 192.168.96.2 to 195.16.77.7 dst-port 3389 > <118>00077 allow tcp from 195.16.77.7 3389 to 192.168.96.2 > <118>00077 allow tcp from 195.16.77.7 3389 to 192.168.97.91 > <118>00077 allow tcp from 195.16.77.7 3389 to 172.16.3.91 > <118>00077 allow tcp from 192.168.99.61 to 195.16.77.7 dst-port 3389 > <118>00077 allow tcp from 172.16.1.61 to 195.16.77.7 dst-port 3389 > <118>00077 allow tcp from 195.16.77.7 3389 to 192.168.99.61 > <118>00077 allow tcp from 195.16.77.7 3389 to 172.16.1.61 > <118>00079 allow tcp from 195.16.76.144 to 195.16.77.7 dst-port 3389 > <118>00079 allow tcp from 195.16.77.7 3389 to 195.16.76.144 > <118>00080 allow tcp from 195.16.76.145 to 195.16.77.7 dst-port 3389 > <118>00080 allow tcp from 195.16.77.7 3389 to 195.16.76.145 > <118>00080 allow tcp from 192.168.94.165 to 195.16.77.7 dst-port 3389 > <118>00080 allow tcp from 195.16.77.7 3389 to 192.168.94.165 > <118>00080 allow tcp from 192.168.92.49 to 195.16.77.7 dst-port 3389 > <118>00080 allow tcp from 195.16.77.7 3389 to 192.168.92.49 > <118>00081 allow tcp from 192.168.99.252 to 195.16.77.7 dst-port 3389 > <118>00081 allow tcp from 172.16.1.252 to 195.16.77.7 dst-port 3389 > <118>00081 allow tcp from 195.16.76.146 to 195.16.77.7 dst-port 3389 > <118>00081 allow tcp from 195.16.76.98 to 195.16.77.7 dst-port 3389 > <118>00081 allow tcp from 195.16.77.7 3389 to 192.168.99.252 > <118>00081 allow tcp from 195.16.77.7 3389 to 172.16.1.252 > <118>00081 allow tcp from 195.16.77.7 3389 to 195.16.76.146 > <118>00081 allow tcp from 195.16.77.7 3389 to 195.16.76.98 > <118>00081 allow tcp from 195.16.76.146 to 195.16.77.0/28 dst-port 22 > <118>00081 allow tcp from 192.168.99.252 to 195.16.77.0/28 dst-port 22 > <118>00081 allow tcp from 172.16.1.252 to 195.16.77.0/28 dst-port 22 > <118>00081 allow tcp from 195.16.76.98 to 195.16.77.0/28 dst-port 22 > <118>00081 allow tcp from 195.16.77.0/28 22 to 195.16.76.146 > <118>00081 allow tcp from 195.16.77.0/28 22 to 192.168.99.252 > <118>00081 allow tcp from 195.16.77.0/28 22 to 172.16.1.252 > <118>00081 allow tcp from 195.16.77.0/28 22 to 195.16.76.98 > <118>00082 allow tcp from 192.168.96.1 to 195.16.77.7 dst-port 3389 > <118>00082 allow tcp from 172.16.4.1 to 195.16.77.7 dst-port 3389 > <118>00082 allow tcp from 195.16.77.7 3389 to 192.168.96.1 > <118>00082 allow tcp from 195.16.77.7 3389 to 172.16.4.1 > <118>00082 allow tcp from 192.168.91.60 to 195.16.77.7 dst-port 3389 > <118>00082 allow tcp from 195.16.77.7 3389 to 192.168.91.60 > <118>00082 allow tcp from 172.16.9.60 to 195.16.77.7 dst-port 3389 > <118>00082 allow tcp from 195.16.77.7 3389 to 172.16.9.60 > <118>00082 allow tcp from 10.10.133.3 to 195.16.77.7 dst-port 3389 > <118>00082 allow tcp from 172.16.6.8 to 195.16.77.7 dst-port 3389 > <118>00082 allow tcp from 195.16.77.7 3389 to 10.10.133.3 > <118>00082 allow tcp from 195.16.77.7 3389 to 172.16.6.8 > <118>00083 allow tcp from 192.168.92.160 to 195.16.77.7 dst-port 3389 > <118>00083 allow tcp from 195.16.77.7 3389 to 192.168.92.160 > <118>00083 allow tcp from 172.16.8.160 to 195.16.77.7 dst-port 3389 > <118>00083 allow tcp from 195.16.77.7 3389 to 172.16.8.160 > <118>00086 allow tcp from 192.168.97.116 to 195.16.77.7 dst-port 3389 > <118>00086 allow tcp from 195.16.77.7 3389 to 192.168.97.116 > <118>00086 allow tcp from 172.16.3.116 to 195.16.77.7 dst-port 3389 > <118>00086 allow tcp from 195.16.77.7 3389 to 172.16.3.116 > <118>00087 allow tcp from 192.168.99.2 to 195.16.77.7 dst-port 3389 > <118>00087 allow tcp from 192.168.96.1 to 195.16.77.7 dst-port 3389 > <118>00087 allow tcp from 192.168.99.9 to 195.16.77.7 dst-port 3389 > <118>00087 allow tcp from 192.168.97.7 to 195.16.77.7 dst-port 3389 > <118>00087 allow tcp from 192.168.99.2 to 195.16.77.7 dst-port 3389 > <118>00087 allow tcp from 195.16.77.7 3389 to 192.168.99.9 > <118>00087 allow tcp from 195.16.77.7 3389 to 192.168.97.7 > <118>00087 allow tcp from 195.16.77.7 3389 to 192.168.99.2 > <118>00087 allow tcp from 195.16.77.7 3389 to 192.168.96.1 > <118>00088 deny tcp from any to 195.16.77.7 dst-port 3389,137,138,139,445 > <118>00088 deny udp from any to 195.16.77.7 dst-port 3389,137,138,139,445 > <118>00088 deny tcp from 195.16.77.7 3389,137,138,139,445 to any > <118>00088 deny udp from 195.16.77.7 3389,137,138,139,445 to any > <118>00088 deny udp from any 1433,1434 to not 195.16.76.34 > <118>00088 deny udp from any to not 195.16.76.34 dst-port 1433,1434 > <118>00089 allow ip from 10.0.0.0/8 to 195.16.77.0/24 > <118>00089 allow ip from 195.16.76.0/22 to 195.16.77.7 > <118>00089 allow icmp from any to 195.16.77.7 icmptypes 0 > <118>00090 pipe 7 ip from 195.16.76.0/22 to 195.16.77.7 in recv em0 > <118>00090 pipe 90 ip from any to 195.16.77.7 in recv em0 > <118>00091 count ip from 195.16.77.7 to any out via em0 > <118>00092 pipe 92 ip from 195.16.77.3 to any out via em0 > <118>00096 pipe 96 ip from 10.100.2.6 to 10.100.2.1 > <118>00096 pipe 96 ip from 10.100.2.7 to 10.100.2.1 > <118>00096 pipe 96 ip from 10.100.2.1 to 10.100.2.6 > <118>00096 pipe 96 ip from 10.100.2.1 to 10.100.2.7 > <118>00096 pipe 96 ip from 192.168.98.169 to 10.100.2.6 > <118>00096 pipe 96 ip from 192.168.98.169 to 10.100.2.7 > <118>00096 pipe 96 ip from 10.100.2.6 to 192.168.98.169 > <118>00096 pipe 96 ip from 10.100.2.7 to 192.168.98.169 > <118>00096 pipe 96 ip from 172.16.2.169 to 10.100.2.6 > <118>00096 pipe 96 ip from 172.16.2.169 to 10.100.2.7 > <118>00096 pipe 96 ip from 10.100.2.6 to 172.16.2.169 > <118>00096 pipe 96 ip from 10.100.2.7 to 172.16.2.169 > <118>00096 pipe 96 ip from 10.100.2.6 to 10.100.2.7 > <118>00096 pipe 96 ip from 10.100.2.7 to 10.100.2.6 > <118>00097 deny ip from any to 10.100.2.6 > <118>00097 deny ip from any to 10.100.2.7 > <118>00097 deny ip from 10.100.2.6 to any > <118>00097 deny ip from 10.100.2.7 to any > <118>00098 netgraph 60 ip from 192.168.200.0/24 to any out recv em0 xmit em0 > <118>00098 allow ip from any to 192.168.200.0/24 recv em0 > <118>00099 allow ip from me to 10.110.1.0/27 > <118>00100 deny ip from any to 10.0.0.0/8 out via em0 > <118>00101 deny ip from any to 172.16.0.0/16 out via em0 > <118>00102 deny ip from any to 192.168.0.0/16 out via em0 > <118>00109 allow ip from any to 195.16.77.3 > <118>00109 allow ip from 195.16.77.3 to any > <118>00120 allow tcp from 195.16.77.7 to me dst-port 22 > <118>00120 allow tcp from 195.16.77.12 to me dst-port 22 > <118>00120 allow tcp from 195.16.76.144 to me dst-port 22 > <118>00120 allow tcp from 195.16.76.99 to me dst-port 22 > <118>00120 allow tcp from 195.16.77.11 to me dst-port 22 > <118>00121 deny tcp from any to 195.16.77.0/28 dst-port 22 > <118>00123 deny ip from any to 195.16.78.0/24 > <118>00123 deny ip from any to 195.16.79.0/24 > <118>00123 deny ip from any to 195.16.77.128/25 > <118>00123 deny ip from any to 195.16.77.64/26 > <118>00123 deny ip from any to 195.16.77.48/28 > <118>00123 deny ip from any to 195.16.77.40/29 > <118>00123 deny ip from any to 195.16.77.16/28 > <118>00129 allow udp from any to any dst-port 137,138,139,445 via em1 > <118>00129 allow udp from any 137,138,139,445 to any via em1 > <118>00130 allow tcp from any to any dst-port 137,138,139,445 via em1 > <118>00130 allow tcp from any 137,138,139,445 to any via em1 > <118>00131 deny tcp from any to any dst-port 69,135,136,137,138,139,445 > <118>00131 deny udp from any to any dst-port 69,135,136,445 > <118>00131 deny tcp from any 69,135,136,137,138,139,445 to any > <118>00131 deny udp from any 69,135,136,445 to any > <118>00142 deny ip from any to 224.0.0.0/12 > <118>00143 deny ip from 224.0.0.0/12 to any > <118>00144 deny ip from any to 225.0.0.0/12 > <118>00145 deny ip from 225.0.0.0/12 to any > <118>00146 deny ip from any to 255.0.0.0/8 > <118>00147 deny ip from 255.0.0.0/8 to any > <118>00148 deny ip from any to 255.255.255.255 > <118>00149 deny ip from 255.255.255.255 to any > <118>00159 deny igmp from any to any > <118>00192 pipe 192 icmp from 195.16.77.0/28 to any > <118>00192 pipe 192 icmp from any to 195.16.77.0/28 > <118>00200 count ip from 192.168.19.0/24 to any > <118>00210 count ip from any to 192.168.19.0/24 > <118>00220 count ip from 192.168.20.0/24 to any > <118>00230 count ip from any to 192.168.20.0/24 > <118>04000 netgraph 60 ip from 172.16.0.0/18 to any out xmit em0 > <118>04010 netgraph 61 ip from any to me in via em0 > <118>04100 skipto 20000 ip from 172.16.0.0/18 to any > <118>04100 skipto 20000 ip from any to 172.16.0.0/18 > <118>64500 pipe 192 icmp from any to any via em0 > <118>65000 pipe 65000 log ip from any to 172.16.0.0/18 > <118>65050 skipto 65500 ip from any to any > <118>65100 pipe 65100 ip from any to any > <118>65101 skipto 65500 ip from any to any > <118>65110 pipe 65110 ip from any to any > <118>65111 skipto 65500 ip from any to any > <118>00196 deny ip from 192.168.64.0/18 to any via em0 > <118>00196 deny ip from any to 192.168.64.0/18 via em0 > <118>00199 deny ip from 192.168.152.0/22 to any > <118>00199 deny ip from any to 192.168.152.0/22 > <118>00202 count ip from any to 192.168.2.0/24 via em1 > <118>00521 deny udp from any 520 to 195.16.76.0/22 > <118>65530 allow ip from any to 192.168.2.0/24 via em1 > <118>65530 allow ip from 192.168.2.0/24 to any via em1 > <118>65530 allow ip from any to 192.168.3.0/24 via em1 > <118>65530 allow ip from 192.168.3.0/24 to any via em1 > <118>65530 allow ip from any to 192.168.4.0/24 via em1 > <118>65530 allow ip from 192.168.4.0/24 to any via em1 > <118>65530 allow ip from any to 192.168.5.0/29 via em1 > <118>65530 allow ip from 192.168.5.0/29 to any via em1 > <118>65530 allow ip from any to 192.168.11.0/24 via em1 > <118>65530 allow ip from 192.168.11.0/24 to any via em1 > <118>65530 allow ip from any to 192.168.129.0/24 via em1 > <118>65530 allow ip from 192.168.129.0/24 to any via em1 > <118>65530 allow ip from any to 192.168.230.0/24 via em1 > <118>65530 allow ip from 192.168.230.0/24 to any via em1 > <118>65530 allow ip from any to 192.168.231.0/24 via em1 > <118>65530 allow ip from 192.168.231.0/24 to any via em1 > <118>65530 allow ip from any to 10.1.1.0/24 via em1 > <118>65530 allow ip from 10.1.1.0/24 to any via em1 > <118>65530 allow ip from any to 192.168.13.0/24 via em1 > <118>65530 allow ip from 192.168.13.0/24 to any via em1 > <118>65531 allow ip from any to 195.16.76.0/22 via em1 > <118>65531 allow ip from 195.16.76.0/22 to any via em1 > <118>65532 allow ip from any to 195.16.77.32/29 via em1 > <118>65532 allow ip from 195.16.77.32/29 to any via em1 > <118>65533 allow ip from any to 192.168.64.0/18 via em1 > <118>65533 allow ip from 192.168.64.0/18 to any via em1 > <118>65534 deny ip from any to any via em1 > <118>15032 pipe 15032 ip from any to 192.168.2.4 via em1 > <118>15033 skipto 65100 ip from any to 192.168.2.4 via em1 > <118>15037 netgraph 60 ip from 192.168.2.4 to any out recv em1 xmit em0 > <118>15038 pipe 15037 ip from 192.168.2.4 to any via em1 > <118>15039 skipto 65110 ip from 192.168.2.4 to any via em1 > <118>15042 pipe 15042 ip from any to 192.168.2.31 via em1 > <118>15043 skipto 65100 ip from any to 192.168.2.31 via em1 > <118>15047 netgraph 60 ip from 192.168.2.31 to any out recv em1 xmit em0 > <118>15048 pipe 15047 ip from 192.168.2.31 to any via em1 > <118>15049 skipto 65110 ip from 192.168.2.31 to any via em1 > <118>15052 pipe 15052 ip from any to 192.168.2.32 via em1 > <118>15053 skipto 65100 ip from any to 192.168.2.32 via em1 > <118>15057 netgraph 60 ip from 192.168.2.32 to any out recv em1 xmit em0 > <118>15058 pipe 15057 ip from 192.168.2.32 to any via em1 > <118>15059 skipto 65110 ip from 192.168.2.32 to any via em1 > <118>15062 pipe 15062 ip from any to 192.168.2.35 via em1 > <118>15063 skipto 65500 ip from any to 192.168.2.35 via em1 > <118>15067 netgraph 60 ip from 192.168.2.35 to any out recv em1 xmit em0 > <118>15068 pipe 15067 ip from 192.168.2.35 to any via em1 > <118>15069 skipto 65510 ip from 192.168.2.35 to any via em1 > <118>15072 pipe 15072 ip from any to 192.168.2.37 via em1 > <118>15073 skipto 65100 ip from any to 192.168.2.37 via em1 > <118>15077 netgraph 60 ip from 192.168.2.37 to any out recv em1 xmit em0 > <118>15078 pipe 15077 ip from 192.168.2.37 to any via em1 > <118>15079 skipto 65110 ip from 192.168.2.37 to any via em1 > <118>15092 pipe 15092 ip from any to 192.168.2.7 via em1 > <118>15093 skipto 65500 ip from any to 192.168.2.7 via em1 > <118>15097 netgraph 60 ip from 192.168.2.7 to any out recv em1 xmit em0 > <118>15098 pipe 15097 ip from 192.168.2.7 to any via em1 > <118>15099 skipto 65510 ip from 192.168.2.7 to any via em1 > <118>15102 pipe 15102 ip from any to 192.168.2.8 via em1 > <118>15103 skipto 65100 ip from any to 192.168.2.8 via em1 > <118>15107 netgraph 60 ip from 192.168.2.8 to any out recv em1 xmit em0 > <118>15108 pipe 15107 ip from 192.168.2.8 to any via em1 > <118>15109 skipto 65110 ip from 192.168.2.8 to any via em1 > <118>15112 pipe 15112 ip from any to 192.168.2.52 via em1 > <118>15113 skipto 65100 ip from any to 192.168.2.52 via em1 > <118>15117 netgraph 60 ip from 192.168.2.52 to any out recv em1 xmit em0 > <118>15118 pipe 15117 ip from 192.168.2.52 to any via em1 > <118>15119 skipto 65110 ip from 192.168.2.52 to any via em1 > <118>15122 pipe 15122 ip from any to 192.168.2.9 via em1 > <118>15123 skipto 65100 ip from any to 192.168.2.9 via em1 > <118>15127 netgraph 60 ip from 192.168.2.9 to any out recv em1 xmit em0 > <118>15128 pipe 15127 ip from 192.168.2.9 to any via em1 > <118>15129 skipto 65110 ip from 192.168.2.9 to any via em1 > <118>15132 pipe 15132 ip from any to 192.168.2.12 via em1 > <118>15133 skipto 65100 ip from any to 192.168.2.12 via em1 > <118>15137 netgraph 60 ip from 192.168.2.12 to any out recv em1 xmit em0 > <118>15138 pipe 15137 ip from 192.168.2.12 to any via em1 > <118>15139 skipto 65110 ip from 192.168.2.12 to any via em1 > <118>15142 pipe 15142 ip from any to 192.168.2.13 via em1 > <118>15143 skipto 65100 ip from any to 192.168.2.13 via em1 > <118>15147 netgraph 60 ip from 192.168.2.13 to any out recv em1 xmit em0 > <118>15148 pipe 15147 ip from 192.168.2.13 to any via em1 > <118>15149 skipto 65110 ip from 192.168.2.13 to any via em1 > <118>15152 pipe 15152 ip from any to 192.168.2.14 via em1 > <118>15153 skipto 65100 ip from any to 192.168.2.14 via em1 > <118>15157 netgraph 60 ip from 192.168.2.14 to any out recv em1 xmit em0 > <118>15158 pipe 15157 ip from 192.168.2.14 to any via em1 > <118>15159 skipto 65110 ip from 192.168.2.14 to any via em1 > <118>15162 pipe 15162 ip from any to 192.168.2.62 via em1 > <118>15163 skipto 65100 ip from any to 192.168.2.62 via em1 > <118>15167 netgraph 60 ip from 192.168.2.62 to any out recv em1 xmit em0 > <118>15168 pipe 15167 ip from 192.168.2.62 to any via em1 > <118>15169 skipto 65110 ip from 192.168.2.62 to any via em1 > <118>15172 pipe 15172 ip from any to 192.168.2.65 via em1 > <118>15173 skipto 65100 ip from any to 192.168.2.65 via em1 > <118>15177 netgraph 60 ip from 192.168.2.65 to any out recv em1 xmit em0 > <118>15178 pipe 15177 ip from 192.168.2.65 to any via em1 > <118>15179 skipto 65110 ip from 192.168.2.65 to any via em1 > <118>15182 pipe 15182 ip from any to 192.168.2.74 via em1 > <118>15183 skipto 65100 ip from any to 192.168.2.74 via em1 > <118>15187 netgraph 60 ip from 192.168.2.74 to any out recv em1 xmit em0 > <118>15188 pipe 15187 ip from 192.168.2.74 to any via em1 > <118>15189 skipto 65110 ip from 192.168.2.74 to any via em1 > <118>15192 pipe 15192 ip from any to 192.168.2.27 via em1 > <118>15193 skipto 65100 ip from any to 192.168.2.27 via em1 > <118>15197 netgraph 60 ip from 192.168.2.27 to any out recv em1 xmit em0 > <118>15198 pipe 15197 ip from 192.168.2.27 to any via em1 > <118>15199 skipto 65110 ip from 192.168.2.27 to any via em1 > <118>15202 pipe 15202 ip from any to 192.168.2.15 via em1 > <118>15203 skipto 65100 ip from any to 192.168.2.15 via em1 > <118>15207 netgraph 60 ip from 192.168.2.15 to any out recv em1 xmit em0 > <118>15208 pipe 15207 ip from 192.168.2.15 to any via em1 > <118>15209 skipto 65110 ip from 192.168.2.15 to any via em1 > <118>15212 pipe 15212 ip from any to 192.168.2.16 via em1 > <118>15213 skipto 65100 ip from any to 192.168.2.16 via em1 > <118>15217 netgraph 60 ip from 192.168.2.16 to any out recv em1 xmit em0 > <118>15218 pipe 15217 ip from 192.168.2.16 to any via em1 > <118>15219 skipto 65110 ip from 192.168.2.16 to any via em1 > <118>tokar4: not found > <118>15222 pipe 15222 ip from any to 192.168.2.17 via em1 > <118>15223 skipto 65100 ip from any to 192.168.2.17 via em1 > <118>15227 netgraph 60 ip from 192.168.2.17 to any out recv em1 xmit em0 > <118>15228 pipe 15227 ip from 192.168.2.17 to any via em1 > <118>15229 skipto 65110 ip from 192.168.2.17 to any via em1 > <118>15232 pipe 15232 ip from any to 192.168.2.18 via em1 > <118>15233 skipto 65100 ip from any to 192.168.2.18 via em1 > <118>15237 netgraph 60 ip from 192.168.2.18 to any out recv em1 xmit em0 > <118>15238 pipe 15237 ip from 192.168.2.18 to any via em1 > <118>15239 skipto 65110 ip from 192.168.2.18 to any via em1 > <118>15252 pipe 15252 ip from any to 192.168.2.20 via em1 > <118>15253 skipto 65100 ip from any to 192.168.2.20 via em1 > <118>15257 netgraph 60 ip from 192.168.2.20 to any out recv em1 xmit em0 > <118>15258 pipe 15257 ip from 192.168.2.20 to any via em1 > <118>15259 skipto 65110 ip from 192.168.2.20 to any via em1 > <118>15262 pipe 15262 ip from any to 192.168.2.19 via em1 > <118>15263 skipto 65100 ip from any to 192.168.2.19 via em1 > <118>15267 netgraph 60 ip from 192.168.2.19 to any out recv em1 xmit em0 > <118>15268 pipe 15267 ip from 192.168.2.19 to any via em1 > <118>15269 skipto 65110 ip from 192.168.2.19 to any via em1 > <118>15272 pipe 15272 ip from any to 192.168.2.21 via em1 > <118>15273 skipto 65100 ip from any to 192.168.2.21 via em1 > <118>15277 netgraph 60 ip from 192.168.2.21 to any out recv em1 xmit em0 > <118>15278 pipe 15277 ip from 192.168.2.21 to any via em1 > <118>15279 skipto 65110 ip from 192.168.2.21 to any via em1 > <118>15282 pipe 15282 ip from any to 192.168.2.115 via em1 > <118>15283 skipto 65100 ip from any to 192.168.2.115 via em1 > <118>15287 netgraph 60 ip from 192.168.2.115 to any out recv em1 xmit em0 > <118>15288 pipe 15287 ip from 192.168.2.115 to any via em1 > <118>15289 skipto 65110 ip from 192.168.2.115 to any via em1 > <118>15292 pipe 15292 ip from any to 192.168.2.116 via em1 > <118>15293 skipto 65100 ip from any to 192.168.2.116 via em1 > <118>15297 netgraph 60 ip from 192.168.2.116 to any out recv em1 xmit em0 > <118>15298 pipe 15297 ip from 192.168.2.116 to any via em1 > <118>15299 skipto 65110 ip from 192.168.2.116 to any via em1 > <118>15302 pipe 15302 ip from any to 192.168.2.22 via em1 > <118>15303 skipto 65100 ip from any to 192.168.2.22 via em1 > <118>15307 netgraph 60 ip from 192.168.2.22 to any out recv em1 xmit em0 > <118>15308 pipe 15307 ip from 192.168.2.22 to any via em1 > <118>15309 skipto 65110 ip from 192.168.2.22 to any via em1 > <118>15312 pipe 15312 ip from any to 192.168.2.23 via em1 > <118>15313 skipto 65100 ip from any to 192.168.2.23 via em1 > <118>15317 netgraph 60 ip from 192.168.2.23 to any out recv em1 xmit em0 > <118>15318 pipe 15317 ip from 192.168.2.23 to any via em1 > <118>15319 skipto 65110 ip from 192.168.2.23 to any via em1 > <118>15322 pipe 15322 ip from any to 192.168.2.24 via em1 > <118>15323 skipto 65100 ip from any to 192.168.2.24 via em1 > <118>15327 netgraph 60 ip from 192.168.2.24 to any out recv em1 xmit em0 > <118>15328 pipe 15327 ip from 192.168.2.24 to any via em1 > <118>15329 skipto 65110 ip from 192.168.2.24 to any via em1 > <118>15332 pipe 15332 ip from any to 192.168.2.25 via em1 > <118>15333 skipto 65100 ip from any to 192.168.2.25 via em1 > <118>15337 netgraph 60 ip from 192.168.2.25 to any out recv em1 xmit em0 > <118>15338 pipe 15337 ip from 192.168.2.25 to any via em1 > <118>15339 skipto 65110 ip from 192.168.2.25 to any via em1 > <118>15342 pipe 15342 ip from any to 192.168.2.90 via em1 > <118>15343 skipto 65100 ip from any to 192.168.2.90 via em1 > <118>15347 netgraph 60 ip from 192.168.2.90 to any out recv em1 xmit em0 > <118>15348 pipe 15347 ip from 192.168.2.90 to any via em1 > <118>15349 skipto 65110 ip from 192.168.2.90 to any via em1 > <118>15352 pipe 15352 ip from any to 192.168.2.245 via em1 > <118>15353 skipto 65500 ip from any to 192.168.2.245 via em1 > <118>15357 netgraph 60 ip from 192.168.2.245 to any out recv em1 xmit em0 > <118>15358 pipe 15357 ip from 192.168.2.245 to any via em1 > <118>15359 skipto 65510 ip from 192.168.2.245 to any via em1 > <118>15362 pipe 15362 ip from any to 192.168.4.0/27 via em1 > <118>15363 skipto 65100 ip from any to 192.168.4.0/27 via em1 > <118>15367 netgraph 60 ip from 192.168.4.0/27 to any out recv em1 xmit em0 > <118>15368 pipe 15367 ip from 192.168.4.0/27 to any via em1 > <118>15369 skipto 65110 ip from 192.168.4.0/27 to any via em1 > <118>15372 pipe 15372 ip from any to 192.168.5.2 via em1 > <118>15373 skipto 65100 ip from any to 192.168.5.2 via em1 > <118>15377 netgraph 60 ip from 192.168.5.2 to any out recv em1 xmit em0 > <118>15378 pipe 15377 ip from 192.168.5.2 to any via em1 > <118>15379 skipto 65110 ip from 192.168.5.2 to any via em1 > <118>15662 pipe 15372 ip from any to 192.168.5.3 via em1 > <118>15663 skipto 65100 ip from any to 192.168.5.3 via em1 > <118>15667 netgraph 60 ip from 192.168.5.3 to any out recv em1 xmit em0 > <118>15668 pipe 15377 ip from 192.168.5.3 to any via em1 > <118>15669 skipto 65110 ip from 192.168.5.3 to any via em1 > <118>15402 pipe 15412 ip from any to 192.168.11.21 via vlan3 > <118>15403 skipto 65100 ip from any to 192.168.11.21 via vlan3 > <118>15407 netgraph 60 ip from 192.168.11.21 to any out recv vlan3 xmit em0 > <118>15408 pipe 15417 ip from 192.168.11.21 to any via vlan3 > <118>15409 skipto 65110 ip from 192.168.11.21 to any via vlan3 > <118>15412 pipe 15412 ip from any to 192.168.11.18 via vlan3 > <118>15413 skipto 65100 ip from any to 192.168.11.18 via vlan3 > <118>15417 netgraph 60 ip from 192.168.11.18 to any out recv vlan3 xmit em0 > <118>15418 pipe 15417 ip from 192.168.11.18 to any via vlan3 > <118>15419 skipto 65110 ip from 192.168.11.18 to any via vlan3 > <118>15432 pipe 15432 ip from any to 192.168.11.36 via em1 > <118>15433 skipto 65100 ip from any to 192.168.11.36 via em1 > <118>15437 netgraph 60 ip from 192.168.11.36 to any out recv em1 xmit em0 > <118>15438 pipe 15437 ip from 192.168.11.36 to any via em1 > <118>15439 skipto 65110 ip from 192.168.11.36 to any via em1 > <118>15452 pipe 15452 ip from any to 192.168.129.4 via em1 > <118>15453 skipto 65100 ip from any to 192.168.129.4 via em1 > <118>15457 netgraph 60 ip from 192.168.129.4 to any out recv em1 xmit em0 > <118>15458 pipe 15457 ip from 192.168.129.4 to any via em1 > <118>15459 skipto 65110 ip from 192.168.129.4 to any via em1 > <118>15462 pipe 15462 ip from any to 192.168.129.10 via em1 > <118>15463 skipto 65100 ip from any to 192.168.129.10 via em1 > <118>15467 netgraph 60 ip from 192.168.129.10 to any out recv em1 xmit em0 > <118>15468 pipe 15467 ip from 192.168.129.10 to any via em1 > <118>15469 skipto 65110 ip from 192.168.129.10 to any via em1 > <118>15502 pipe 15502 ip from any to 192.168.129.205 via em1 > <118>15503 skipto 65100 ip from any to 192.168.129.205 via em1 > <118>15507 netgraph 60 ip from 192.168.129.205 to any out recv em1 xmit em0 > <118>15508 pipe 15507 ip from 192.168.129.205 to any via em1 > <118>15509 skipto 65110 ip from 192.168.129.205 to any via em1 > <118>15552 pipe 15552 ip from any to 192.168.129.26 via em1 > <118>15553 skipto 65100 ip from any to 192.168.129.26 via em1 > <118>15557 netgraph 60 ip from 192.168.129.26 to any out recv em1 xmit em0 > <118>15558 pipe 15557 ip from 192.168.129.26 to any via em1 > <118>15559 skipto 65110 ip from 192.168.129.26 to any via em1 > <118>15562 pipe 15562 ip from any to 192.168.129.85 via em1 > <118>15563 skipto 65100 ip from any to 192.168.129.85 via em1 > <118>15567 netgraph 60 ip from 192.168.129.85 to any out recv em1 xmit em0 > <118>15568 pipe 15567 ip from 192.168.129.85 to any via em1 > <118>15569 skipto 65110 ip from 192.168.129.85 to any via em1 > <118>15572 pipe 15572 ip from any to 192.168.129.173 via em1 > <118>15573 skipto 65100 ip from any to 192.168.129.173 via em1 > <118>15577 netgraph 60 ip from 192.168.129.173 to any out recv em1 xmit em0 > <118>15578 pipe 15577 ip from 192.168.129.173 to any via em1 > <118>15579 skipto 65110 ip from 192.168.129.173 to any via em1 > <118>15582 pipe 15582 ip from any to 192.168.11.19 via vlan3 > <118>15583 skipto 65100 ip from any to 192.168.11.19 via vlan3 > <118>15587 netgraph 60 ip from 192.168.11.19 to any out recv vlan3 xmit em0 > <118>15588 pipe 15587 ip from 192.168.11.19 to any via vlan3 > <118>15589 skipto 65110 ip from 192.168.11.19 to any via vlan3 > <118>15592 pipe 15592 ip from any to 192.168.129.215 via em1 > <118>15593 skipto 65100 ip from any to 192.168.129.215 via em1 > <118>15597 netgraph 60 ip from 192.168.129.215 to any out recv em1 xmit em0 > <118>15598 pipe 15597 ip from 192.168.129.215 to any via em1 > <118>15599 skipto 65110 ip from 192.168.129.215 to any via em1 > <118>15622 pipe 15622 ip from any to 192.168.2.239 via em1 > <118>15623 skipto 65100 ip from any to 192.168.2.239 via em1 > <118>15627 netgraph 60 ip from 192.168.2.239 to any out recv em1 xmit em0 > <118>15628 pipe 15627 ip from 192.168.2.239 to any via em1 > <118>15629 skipto 65110 ip from 192.168.2.239 to any via em1 > <118>15632 pipe 5232 ip from any to 192.168.2.10 via em1 > <118>15633 skipto 65100 ip from any to 192.168.2.10 via em1 > <118>15637 netgraph 60 ip from 192.168.2.10 to any out recv em1 xmit em0 > <118>15638 pipe 5237 ip from 192.168.2.10 to any via em1 > <118>15639 skipto 65110 ip from 192.168.2.10 to any via em1 > <118>15652 pipe 15652 ip from any to 192.168.2.100 via em1 > <118>15653 skipto 65100 ip from any to 192.168.2.100 via em1 > <118>15657 netgraph 60 ip from 192.168.2.100 to any out recv em1 xmit em0 > <118>15658 pipe 15657 ip from 192.168.2.100 to any via em1 > <118>15659 skipto 65110 ip from 192.168.2.100 to any via em1 > <118>15672 pipe 15672 ip from any to 192.168.2.5 via em1 > <118>15673 skipto 65500 ip from any to 192.168.2.5 via em1 > <118>15677 netgraph 60 ip from 192.168.2.5 to any out recv em1 xmit em0 > <118>15678 pipe 15677 ip from 192.168.2.5 to any via em1 > <118>15679 skipto 65510 ip from 192.168.2.5 to any via em1 > <118>15682 pipe 15682 ip from any to 192.168.129.112 via em1 > <118>15683 skipto 65100 ip from any to 192.168.129.112 via em1 > <118>15687 netgraph 60 ip from 192.168.129.112 to any out recv em1 xmit em0 > <118>15688 pipe 15687 ip from 192.168.129.112 to any via em1 > <118>15689 skipto 65110 ip from 192.168.129.112 to any via em1 > <118>15692 pipe 15692 ip from any to 192.168.129.55 via em1 > <118>15693 skipto 65100 ip from any to 192.168.129.55 via em1 > <118>15697 netgraph 60 ip from 192.168.129.55 to any out recv em1 xmit em0 > <118>15698 pipe 15697 ip from 192.168.129.55 to any via em1 > <118>15699 skipto 65110 ip from 192.168.129.55 to any via em1 > <118>15702 pipe 15702 ip from any to 192.168.129.129 via em1 > <118>15703 skipto 65100 ip from any to 192.168.129.129 via em1 > <118>15707 netgraph 60 ip from 192.168.129.129 to any out recv em1 xmit em0 > <118>15708 pipe 15707 ip from 192.168.129.129 to any via em1 > <118>15709 skipto 65110 ip from 192.168.129.129 to any via em1 > <118>15712 pipe 15712 ip from any to 192.168.2.26 via em1 > <118>15713 skipto 65100 ip from any to 192.168.2.26 via em1 > <118>15717 netgraph 60 ip from 192.168.2.26 to any out recv em1 xmit em0 > <118>15718 pipe 15717 ip from 192.168.2.26 to any via em1 > <118>15719 skipto 65110 ip from 192.168.2.26 to any via em1 > <118>17002 pipe 17002 ip from any to 192.168.2.30 via em1 > <118>17003 skipto 65100 ip from any to 192.168.2.30 via em1 > <118>17007 netgraph 60 ip from 192.168.2.30 to any out recv em1 xmit em0 > <118>17008 pipe 17009 ip from 192.168.2.30 to any via em1 > <118>17009 skipto 65110 ip from 192.168.2.30 to any via em1 > <118>05002 pipe 5002 ip from any to 195.16.76.10 in via em0 > <118>05003 skipto 65500 ip from any to 195.16.76.10 in via em0 > <118>05007 pipe 5007 ip from 195.16.76.10 to any out via em0 > <118>05008 skipto 65510 ip from 195.16.76.10 to any out via em0 > <118>05012 pipe 5012 ip from any to 195.16.76.14 in via em0 > <118>05013 skipto 65500 ip from any to 195.16.76.14 in via em0 > <118>05017 pipe 5017 ip from 195.16.76.14 to any out via em0 > <118>05018 skipto 65510 ip from 195.16.76.14 to any out via em0 > <118>05022 pipe 5022 ip from any to { 195.16.76.30 or dst-ip 195.16.76.18 } in via em0 > <118>05023 skipto 65500 ip from any to { 195.16.76.30 or dst-ip 195.16.76.18 } in via em0 > <118>05027 pipe 5027 ip from { 195.16.76.30 or 195.16.76.18 } to any out via em0 > <118>05028 skipto 65510 ip from { 195.16.76.30 or 195.16.76.18 } to any out via em0 > <118>05032 count ip from 213.70.83.33 to 195.16.76.32/27{34} in via em0 > <118>05033 skipto 65500 ip from 213.70.83.33 to 195.16.76.32/27{34} in via em0 > <118>05037 count ip from 195.16.76.32/27{34} to 213.70.83.33 out via em0 > <118>05038 skipto 65510 ip from 195.16.76.32/27{34} to 213.70.83.33 out via em0 > <118>05042 pipe 5042 ip from any to 195.16.76.156 in via em0 > <118>05043 skipto 65500 ip from any to 195.16.76.156 in via em0 > <118>05047 pipe 5047 ip from 195.16.76.156 to any out via em0 > <118>05048 skipto 65510 ip from 195.16.76.156 to any out via em0 > <118>05062 pipe 5062 ip from any to 195.16.76.12 in via em0 > <118>05063 skipto 65500 ip from any to 195.16.76.12 in via em0 > <118>05067 count ip from 195.16.76.12 to any out via em0 > <118>05069 pipe 5067 ip from 195.16.76.12 to any out via em0 > <118>05068 skipto 65510 ip from 195.16.76.12 to any out via em0 > <118>05072 pipe 5072 ip from any to 195.16.76.143 in via em0 > <118>05073 skipto 65100 ip from any to 195.16.76.143 in via em0 > <118>05077 pipe 5077 ip from 195.16.76.143 to any out via em0 > <118>05078 skipto 65110 ip from 195.16.76.143 to any out via em0 > <118>05082 pipe 5082 ip from any to 195.16.76.13 in via em0 > <118>05083 skipto 65500 ip from any to 195.16.76.13 in via em0 > <118>05087 pipe 5087 ip from 195.16.76.13 to any out via em0 > <118>05088 skipto 65510 ip from 195.16.76.13 to any out via em0 > <118>05092 pipe 5092 ip from any to 195.16.76.130 in via em0 > <118>05093 skipto 65500 ip from any to 195.16.76.130 in via em0 > <118>05097 pipe 5097 ip from 195.16.76.130 to any out via em0 > <118>05098 skipto 65510 ip from 195.16.76.130 to any out via em0 > <118>05102 pipe 5102 ip from any to 195.16.76.132 in via em0 > <118>05103 skipto 65100 ip from any to 195.16.76.132 in via em0 > <118>05107 pipe 5107 ip from 195.16.76.132 to any out via em0 > <118>05108 skipto 65110 ip from 195.16.76.132 to any out via em0 > <118>05112 pipe 5112 ip from any to 195.16.76.133 in via em0 > <118>05113 skipto 65100 ip from any to 195.16.76.133 in via em0 > <118>05117 pipe 5117 ip from 195.16.76.133 to any out via em0 > <118>05118 skipto 65110 ip from 195.16.76.133 to any out via em0 > <118>05122 pipe 5122 ip from any to 195.16.77.34 > <118>05123 skipto 65100 ip from any to 195.16.77.34 > <118>05127 pipe 5127 ip from 195.16.77.34 to any > <118>05128 skipto 65110 ip from 195.16.77.34 to any > <118>05132 pipe 5132 ip from any to 195.16.76.135 in via em0 > <118>05133 skipto 65100 ip from any to 195.16.76.135 in via em0 > <118>05137 pipe 5137 ip from 195.16.76.135 to any out via em0 > <118>05138 skipto 65110 ip from 195.16.76.135 to any out via em0 > <118>05142 pipe 5142 ip from any to 195.16.76.136 in via em0 > <118>05143 skipto 65500 ip from any to 195.16.76.136 in via em0 > <118>05147 pipe 5147 ip from 195.16.76.136 to any out via em0 > <118>05148 skipto 65510 ip from 195.16.76.136 to any out via em0 > <118>05152 pipe 5152 ip from any to 195.16.76.137 in via em0 > <118>05153 skipto 65500 ip from any to 195.16.76.137 in via em0 > <118>05157 pipe 5157 ip from 195.16.76.137 to any out via em0 > <118>05158 skipto 65510 ip from 195.16.76.137 to any out via em0 > <118>05162 pipe 5162 ip from any to 195.16.76.138 in via em0 > <118>05163 skipto 65500 ip from any to 195.16.76.138 in via em0 > <118>05167 pipe 5167 ip from 195.16.76.138 to any out via em0 > <118>05168 skipto 65510 ip from 195.16.76.138 to any out via em0 > <118>05172 pipe 5172 ip from any to 195.16.76.232 in via em0 > <118>05173 skipto 65500 ip from any to 195.16.76.232 in via em0 > <118>05177 pipe 5177 ip from 195.16.76.232 to any out via em0 > <118>05178 skipto 65510 ip from 195.16.76.232 to any out via em0 > <118>05182 pipe 5182 ip from any to 195.16.76.140 in via em0 > <118>05183 skipto 65500 ip from any to 195.16.76.140 in via em0 > <118>05187 pipe 5187 ip from 195.16.76.140 to any out via em0 > <118>05188 skipto 65510 ip from 195.16.76.140 to any out via em0 > <118>05212 count ip from any to 192.168.157.10 > <118>05213 pipe 5212 ip from { 192.168.11.0/30 or 195.16.76.0/29 or 195.16.77.0/28 } to 192.168.157.10 > <118>05214 skipto 65500 ip from { 192.168.11.0/30 or 195.16.76.0/29 or 195.16.77.0/28 } to 192.168.157.10 > <118>05217 count ip from 192.168.157.10 to any > <118>05218 pipe 5217 ip from 192.168.157.10 to { 192.168.11.0/30 or dst-ip 195.16.76.0/29 or dst-ip 195.16.77.0/28 } > <118>05219 skipto 65510 ip from 192.168.157.10 to { 192.168.11.0/30 or dst-ip 195.16.76.0/29 or dst-ip 195.16.77.0/28 } > <118>05222 pipe 5222 ip from any to 195.16.76.144 in via em0 > <118>05223 skipto 65500 ip from any to 195.16.76.144 in via em0 > <118>05227 pipe 5227 ip from 195.16.76.144 to any out via em0 > <118>05228 skipto 65510 ip from 195.16.76.144 to any out via em0 > <118>05232 pipe 5232 ip from any to 195.16.76.147 in via em0 > <118>05233 skipto 65100 ip from any to 195.16.76.147 in via em0 > <118>05237 pipe 5237 ip from 195.16.76.147 to any out via em0 > <118>05238 skipto 65110 ip from 195.16.76.147 to any out via em0 > <118>05252 pipe 5252 ip from any to 195.16.76.148 in via em0 > <118>05253 skipto 65100 ip from any to 195.16.76.148 in via em0 > <118>05257 pipe 5257 ip from 195.16.76.148 to any out via em0 > <118>05258 skipto 65110 ip from 195.16.76.148 to any out via em0 > <118>05262 pipe 5262 ip from any to 195.16.76.149 in via em0 > <118>05263 skipto 65100 ip from any to 195.16.76.149 in via em0 > <118>05267 pipe 5267 ip from 195.16.76.149 to any out via em0 > <118>05268 skipto 65110 ip from 195.16.76.149 to any out via em0 > <118>05272 pipe 5272 ip from any to 195.16.76.150 in via em0 > <118>05273 skipto 65100 ip from any to 195.16.76.150 in via em0 > <118>05277 pipe 5277 ip from 195.16.76.150 to any out via em0 > <118>05278 skipto 65110 ip from 195.16.76.150 to any out via em0 > <118>05282 pipe 5282 ip from any to 195.16.76.151 in via em0 > <118>05283 skipto 65100 ip from any to 195.16.76.151 in via em0 > <118>05287 pipe 5287 ip from 195.16.76.151 to any out via em0 > <118>05288 skipto 65110 ip from 195.16.76.151 to any out via em0 > <118>05292 pipe 5292 ip from any to 195.16.76.154 in via em0 > <118>05293 skipto 65100 ip from any to 195.16.76.154 in via em0 > <118>05297 pipe 5297 ip from 195.16.76.154 to any out via em0 > <118>05298 skipto 65110 ip from 195.16.76.154 to any out via em0 > <118>05302 pipe 5302 ip from any to 195.16.76.155 in via em0 > <118>05303 skipto 65500 ip from any to 195.16.76.155 in via em0 > <118>05307 pipe 5307 ip from 195.16.76.155 to any out via em0 > <118>05308 skipto 65510 ip from 195.16.76.155 to any out via em0 > <118>05312 pipe 5312 ip from any to 195.16.76.235 in via em0 > <118>05313 skipto 65500 ip from any to 195.16.76.235 in via em0 > <118>05317 pipe 5317 ip from 195.16.76.235 to any out via em0 > <118>05318 skipto 65510 ip from 195.16.76.235 to any out via em0 > <118>05322 pipe 5322 ip from any to 195.16.76.222 in via em0 > <118>05323 skipto 65500 ip from any to 195.16.76.222 in via em0 > <118>05327 pipe 5327 ip from 195.16.76.222 to any out via em0 > <118>05328 skipto 65510 ip from 195.16.76.222 to any out via em0 > <118>05332 pipe 5332 ip from any to 195.16.76.142 via em0 > <118>05333 skipto 65100 ip from any to 195.16.76.142 via em0 > <118>05337 pipe 5337 ip from 195.16.76.142 to any via em0 > <118>05338 skipto 65110 ip from 195.16.76.142 to any via em0 > <118>05342 pipe 5342 ip from any to 195.16.76.145 via em0 > <118>05343 skipto 65100 ip from any to 195.16.76.145 via em0 > <118>05347 count ip from 195.16.76.145 to any via em0 > <118>05348 pipe 5347 ip from 195.16.76.145 to any via em0 > <118>05349 skipto 65110 ip from 195.16.76.145 to any via em0 > <118>05352 pipe 5352 ip from any to 195.16.76.157 via em0 > <118>05353 skipto 65100 ip from any to 195.16.76.157 via em0 > <118>05357 pipe 5357 ip from 195.16.76.157 to any via em0 > <118>05358 skipto 65110 ip from 195.16.76.157 to any via em0 > <118>05362 pipe 5362 ip from any to { 195.16.76.32/27{33,35-63} or dst-ip 195.16.76.64/30 or dst-ip 195.16.76.68/30 } in via em0 > <118>05363 skipto 65500 ip from any to { 195.16.76.32/27{33,35-63} or dst-ip 195.16.76.64/30 or dst-ip 195.16.76.68/30 } in via em0 > <118>05367 pipe 5367 ip from { 195.16.76.32/27{33,35-63} or 195.16.76.64/30 or 195.16.76.68/30 } to any out via em0 > <118>05368 skipto 65510 ip from { 195.16.76.32/27{33,35-63} or 195.16.76.64/30 or 195.16.76.68/30 } to any out via em0 > <118>05372 pipe 5372 ip from any to 195.16.76.153 in via em0 > <118>05373 skipto 65100 ip from any to 195.16.76.153 in via em0 > <118>05377 pipe 5377 ip from 195.16.76.153 to any out via em0 > <118>05378 skipto 65110 ip from 195.16.76.153 to any out via em0 > <118>05382 pipe 15372 ip from any to 195.16.76.158 in via em0 > <118>05383 skipto 65100 ip from any to 195.16.76.158 in via em0 > <118>05387 pipe 15377 ip from 195.16.76.158 to any out via em0 > <118>05388 skipto 65110 ip from 195.16.76.158 to any out via em0 > <118>05392 pipe 5392 ip from 62.64.120.62 to 195.16.76.141 in via em0 > <118>05393 skipto 65500 ip from 62.64.120.62 to 195.16.76.141 in via em0 > <118>05394 deny ip from any to 195.16.76.141 in via em0 > <118>05397 pipe 5397 ip from 195.16.76.141 to 62.64.120.62 out via em0 > <118>05398 skipto 65510 ip from 195.16.76.141 to 62.64.120.62 out via em0 > <118>05399 deny ip from 195.16.76.141 to any out via em0 > <118>05402 pipe 5402 ip from any to 195.16.76.152 in via em0 > <118>05403 skipto 65100 ip from any to 195.16.76.152 in via em0 > <118>05407 pipe 5407 ip from 195.16.76.152 to any out via em0 > <118>05408 skipto 65110 ip from 195.16.76.152 to any out via em0 > <118>05412 pipe 5412 ip from any to 195.16.76.226 in via em0 > <118>05413 skipto 65500 ip from any to 195.16.76.226 in via em0 > <118>05417 pipe 5417 ip from 195.16.76.226 to any out via em0 > <118>05418 skipto 65510 ip from 195.16.76.226 to any out via em0 > <118>05432 pipe 5432 ip from any to 195.16.76.139 in via em0 > <118>05433 skipto 65500 ip from any to 195.16.76.139 in via em0 > <118>05437 pipe 5437 ip from 195.16.76.139 to any out via em0 > <118>05438 skipto 65510 ip from 195.16.76.139 to any out via em0 > <118>05462 pipe 5412 ip from any to 195.16.76.228 in via em0 > <118>05463 skipto 65100 ip from any to 195.16.76.228 in via em0 > <118>05467 pipe 5417 ip from 195.16.76.228 to any out via em0 > <118>05468 skipto 65110 ip from 195.16.76.228 to any out via em0 > <118>05482 pipe 5412 ip from any to 195.16.76.230 in via em0 > <118>05483 skipto 65100 ip from any to 195.16.76.230 in via em0 > <118>05487 pipe 5417 ip from 195.16.76.230 to any out via em0 > <118>05488 skipto 65110 ip from 195.16.76.230 to any out via em0 > <118>05492 pipe 5492 ip from any to 195.16.76.134 in via em0 > <118>05493 skipto 65500 ip from any to 195.16.76.134 in via em0 > <118>05497 pipe 5497 ip from 195.16.76.134 to any out via em0 > <118>05498 skipto 65510 ip from 195.16.76.134 to any out via em0 > <118>05512 pipe 5512 ip from any to 195.16.76.231 in via em0 > <118>05513 skipto 65100 ip from any to 195.16.76.231 in via em0 > <118>05517 pipe 5517 ip from 195.16.76.231 to any out via em0 > <118>05518 skipto 65110 ip from 195.16.76.231 to any out via em0 > <118>05522 pipe 5522 ip from any to 195.16.76.233 in via em0 > <118>05523 skipto 65500 ip from any to 195.16.76.233 in via em0 > <118>05527 pipe 5527 ip from 195.16.76.233 to any out via em0 > <118>05528 skipto 65510 ip from 195.16.76.233 to any out via em0 > <118>05532 pipe 5532 ip from any to 195.16.76.254 in via em0 > <118>05533 skipto 65500 ip from any to 195.16.76.254 in via em0 > <118>05537 pipe 5537 ip from 195.16.76.254 to any out via em0 > <118>05538 skipto 65510 ip from 195.16.76.254 to any out via em0 > <118>05542 pipe 5542 ip from any to 195.16.76.86 in via em0 > <118>05543 skipto 65500 ip from any to 195.16.76.86 in via em0 > <118>05547 pipe 5547 ip from 195.16.76.86 to any out via em0 > <118>05548 skipto 65510 ip from 195.16.76.86 to any out via em0 > <118>05552 pipe 5552 ip from any to 195.16.76.253 in via em0 > <118>05553 skipto 65500 ip from any to 195.16.76.253 in via em0 > <118>05557 pipe 5557 ip from 195.16.76.253 to any out via em0 > <118>05558 skipto 65510 ip from 195.16.76.253 to any out via em0 > <118>05562 pipe 5552 ip from any to 195.16.76.131 in via em0 > <118>05563 skipto 65100 ip from any to 195.16.76.131 in via em0 > <118>05567 pipe 5557 ip from 195.16.76.131 to any out via em0 > <118>05568 skipto 65110 ip from 195.16.76.131 to any out via em0 > <118>05572 pipe 5532 ip from any to 195.16.76.252 in via em0 > <118>05573 skipto 65200 ip from any to 195.16.76.252 in via em0 > <118>05577 pipe 5537 ip from 195.16.76.252 to any out via em0 > <118>05578 skipto 65210 ip from 195.16.76.252 to any out via em0 > <118>05582 pipe 5582 ip from any to 195.16.76.229 in via em0 > <118>05583 skipto 65100 ip from any to 195.16.76.229 in via em0 > <118>05587 pipe 5587 ip from 195.16.76.229 to any out via em0 > <118>05588 skipto 65110 ip from 195.16.76.229 to any out via em0 > <118>05592 pipe 5592 ip from any to 195.16.76.236 in via em0 > <118>05593 skipto 65100 ip from any to 195.16.76.236 in via em0 > <118>05597 pipe 5597 ip from 195.16.76.236 to any out via em0 > <118>05598 skipto 65110 ip from 195.16.76.236 to any out via em0 > <118>05602 pipe 5602 ip from any to 195.16.76.227 in via em0 > <118>05603 skipto 65500 ip from any to 195.16.76.227 in via em0 > <118>05607 pipe 5607 ip from 195.16.76.227 to any out via em0 > <118>05608 skipto 65510 ip from 195.16.76.227 to any out via em0 > <118>05612 pipe 5612 ip from any to 195.16.76.237 in via em0 > <118>05613 skipto 65100 ip from any to 195.16.76.237 in via em0 > <118>05617 pipe 5617 ip from 195.16.76.237 to any out via em0 > <118>05618 skipto 65110 ip from 195.16.76.237 to any out via em0 > <118>05622 pipe 5622 ip from any to 195.16.76.239 in via em0 > <118>05623 skipto 65500 ip from any to 195.16.76.239 in via em0 > <118>05627 pipe 5627 ip from 195.16.76.239 to any out via em0 > <118>05628 skipto 65510 ip from 195.16.76.239 to any out via em0 > <118>05632 pipe 5632 ip from any to 195.16.76.238 in via em0 > <118>05633 skipto 65100 ip from any to 195.16.76.238 in via em0 > <118>05637 pipe 5637 ip from 195.16.76.238 to any out via em0 > <118>05638 skipto 65110 ip from 195.16.76.238 to any out via em0 > <118>Firewall rules loaded. > <118>net.inet.ip.fw.enable: > <118>1 > <118> -> > <118>1 > <118> > <118>Additional IP options: > <118>. > <118>Mounting NFS file systems: > <118>. > > > Fatal trap 12: page fault while in kernel mode > cpuid = 1; apic id = 01 > fault virtual address= 0x28 > fault code= supervisor write data, page not present > instruction pointer= 0x8:0xffffffff803430b3 > stack pointer = 0x10:0xffffffffac0d6af0 > frame pointer = 0x10:0xffffff0001b7ba00 > code segment= base 0x0, limit 0xfffff, type 0x1b > = DPL 0, pres 1, long 1, def32 0, gran 1 > processor eflags= interrupt enabled, resume, IOPL = 0 > current process= 29 (dummynet) > trap number= 12 > panic: page fault > cpuid = 1 > Uptime: 6s > Physical memory: 2007 MB > Dumping 101 MB: 86 70 54 38 22 6 > > #0 doadump () at pcpu.h:194 > 194pcpu.h: No such file or directory. > in pcpu.h > (kgdb) bt > #0 doadump () at pcpu.h:194 > #1 0xffffff0001925000 in ?? () > #2 0xffffffff8024c659 in boot (howto=260) at ../../../kern/kern_shutdown.c:409 > #3 0xffffffff8024ca5d in panic (fmt=0x104
) at ../../../kern/kern_shutdown.c:563 > #4 0xffffffff803ea974 in trap_fatal (frame=0xffffff0001925000, eva=18446742974216222928) at ../../../amd64/amd64/trap.c:724 > #5 0xffffffff803ead45 in trap_pfault (frame=0xffffffffac0d6a40, usermode=0) at ../../../amd64/amd64/trap.c:641 > #6 0xffffffff803eb688 in trap (frame=0xffffffffac0d6a40) at ../../../amd64/amd64/trap.c:410 > #7 0xffffffff803d12ee in calltrap () at ../../../amd64/amd64/exception.S:169 > #8 0xffffffff803430b3 in move_pkt (pkt=0xffffff0001b7ba00, q=0xffffff0001dd2000, p=0xffffff0001f67a00, len=191) at ../../../netinet/ip_dummynet.c:517 > #9 0xffffffff80343ae9 in ready_event (q=0xffffff0001dd2000, head=0xffffffffac0d6b88, tail=0xffffffffac0d6b80) at ../../../netinet/ip_dummynet.c:564 > #10 0xffffffff80345593 in dummynet_task (context=Variable "context" is not available. > ) at ../../../netinet/ip_dummynet.c:802 > #11 0xffffffff8027cabf in taskqueue_run (queue=0xffffff0001948d80) at ../../../kern/subr_taskqueue.c:255 > #12 0xffffffff8027cd64 in taskqueue_thread_loop (arg=Variable "arg" is not available. > ) at ../../../kern/subr_taskqueue.c:374 > #13 0xffffffff8022dd73 in fork_exit (callout=0xffffffff8027cd00 , arg=0xffffffff805d7598, frame=0xffffffffac0d6c80) > at ../../../kern/kern_fork.c:781 > #14 0xffffffff803d16be in fork_trampoline () at ../../../amd64/amd64/exception.S:415 > #15 0x0000000000000000 in ?? () > #16 0x0000000000000000 in ?? () > #17 0x0000000000000001 in ?? () > #18 0x0000000000000000 in ?? () > #19 0x0000000000000000 in ?? () > #20 0x0000000000000000 in ?? () > #21 0x0000000000000000 in ?? () > #22 0x0000000000000000 in ?? () > #23 0x0000000000000000 in ?? () > #24 0x0000000000000000 in ?? () > #25 0x0000000000000000 in ?? () > #26 0x0000000000000000 in ?? () > #27 0x0000000000000000 in ?? () > #28 0x0000000000000000 in ?? () > #29 0x0000000000000000 in ?? () > #30 0x0000000000000000 in ?? () > #31 0x0000000000000000 in ?? () > #32 0x0000000000000000 in ?? () > #33 0x0000000000000000 in ?? () > #34 0x0000000000000000 in ?? () > #35 0x0000000000000000 in ?? () > #36 0x0000000000000000 in ?? () > #37 0x0000000000000000 in ?? () > #38 0x0000000000000000 in ?? () > #39 0x00000000007a5000 in ?? () > #40 0x0000000000000002 in ?? () > #41 0x0000000000000000 in ?? () > #42 0xffffff00011738d0 in ?? () > #43 0xffffff00010c9000 in ?? () > #44 0xffffff0001925000 in ?? () > #45 0xffffffffac0d66e8 in ?? () > #46 0xffffff0001925000 in ?? () > #47 0xffffffff8026a319 in sched_switch (td=0xffffffff805d7598, newtd=0xffffffff8027cd00, flags=0) at ../../../kern/sched_4bsd.c:905 > #48 0x0000000000000000 in ?? () > #49 0x0000000000000000 in ?? () > #50 0x0000000000000000 in ?? () > #51 0x0000000000000000 in ?? () > #52 0x0000000000000000 in ?? () > #53 0x0000000000000000 in ?? () > #54 0x0000000000000000 in ?? () > #55 0x0000000000000000 in ?? () > #56 0x0000000000000000 in ?? () > #57 0x0000000000000000 in ?? () > #58 0x0000000000000000 in ?? () > #59 0x0000000000000000 in ?? () > #60 0x0000000000000000 in ?? () > #61 0x0000000000000000 in ?? () > #62 0x0000000000000000 in ?? () > #63 0x0000000000000000 in ?? () > #64 0x0000000000000000 in ?? () > #65 0x0000000000000000 in ?? () > #66 0x0000000000000000 in ?? () > #67 0x0000000000000000 in ?? () > #68 0x0000000000000000 in ?? () > #69 0x0000000000000000 in ?? () > #70 0x0000000000000000 in ?? () > #71 0x0000000000000000 in ?? () > #72 0x0000000000000000 in ?? () > #73 0x0000000000000000 in ?? () > #74 0x0000000000000000 in ?? () > #75 0x0000000000000000 in ?? () > #76 0x0000000000000000 in ?? () > #77 0x0000000000000000 in ?? () > #78 0x0000000000000000 in ?? () > #79 0x0000000000000000 in ?? () > #80 0x0000000000000000 in ?? () > #81 0x0000000000000000 in ?? () > #82 0x0000000000000000 in ?? () > #83 0x0000000000000000 in ?? () > #84 0x0000000000000000 in ?? () > #85 0x0000000000000000 in ?? () > #86 0x0000000000000000 in ?? () > #87 0x0000000000000000 in ?? () > #88 0x0000000000000000 in ?? () > #89 0x0000000000000000 in ?? () > #90 0x0000000000000000 in ?? () > #91 0x0000000000000000 in ?? () > #92 0x0000000000000000 in ?? () > #93 0x0000000000000000 in ?? () > #94 0x0000000000000000 in ?? () > #95 0x0000000000000000 in ?? () > #96 0x0000000000000000 in ?? () > #97 0x0000000000000000 in ?? () > #98 0x0000000000000000 in ?? () > #99 0x0000000000000000 in ?? () > #100 0x0000000000000000 in ?? () > #101 0x0000000000000000 in ?? () > #102 0x0000000000000000 in ?? () > #103 0x0000000000000000 in ?? () > #104 0x0000000000000000 in ?? () > #105 0x0000000000000000 in ?? () > #106 0x0000000000000000 in ?? () > #107 0x0000000000000000 in ?? () > #108 0x0000000000000000 in ?? () > #109 0x0000000000000000 in ?? () > #110 0x0000000000000000 in ?? () > #111 0x0000000000000000 in ?? () > #112 0x0000000000000000 in ?? () > #113 0x0000000000000000 in ?? () > #114 0x0000000000000000 in ?? () > #115 0x0000000000000000 in ?? () > #116 0x0000000000000000 in ?? () > #117 0x0000000000000000 in ?? () > #118 0x0000000000000000 in ?? () > #119 0x0000000000000000 in ?? () > Cannot access memory at address 0xffffffffac0d7000 > (kgdb) bt full > #0 doadump () at pcpu.h:194 > No locals. > #1 0xffffff0001925000 in ?? () > No symbol table info available. > #2 0xffffffff8024c659 in boot (howto=260) at ../../../kern/kern_shutdown.c:409 > _ep = (struct eventhandler_entry *) 0xffffff0001925000 > _el = Variable "_el" is not available. > (kgdb) > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" Do you have "options INVARIANTS" in your kernel config? If no please compile it in and then get crashdump again. I guess somehow we have packet without dummynet tag inside dummynet. -- Oleg. ================================================================ === Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg@rinet.ru === ================================================================