From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 7 11:07:02 2009
Date: Mon, 7 Sep 2009 11:07:01 GMT
Message-Id: <200909071107.n87B714S010273@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

62 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 10 06:37:29 2009
Date: Wed, 9 Sep 2009 23:17:50 -0700 (PDT)
From: mkarjal
To: freebsd-ipfw@freebsd.org
Message-ID: <25377926.post@talk.nabble.com>
Subject: IPFW and SCTP port number

Hi,

I'm trying to catch SCTP packets with IPFW by SCTP port numbers; should it be
working or not? Or is there some different syntax for this?

"ipfw add count sctp from any to any" works, counts all SCTP packets.

"ipfw add count sctp from any 49606 to any" does not work. Counters show zero
reading.

I have tried adding IP address, with different port ranges and combinations.
I have tested this with 7.2-RELEASE and 8.0-BETA3.
regards,
Matti

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 10 06:58:49 2009
Date: Thu, 10 Sep 2009 08:47:44 +0200
From: Luigi Rizzo
To: mkarjal
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20090910064744.GA1149@onelab2.iet.unipi.it>
In-Reply-To: <25377926.post@talk.nabble.com>
Subject: Re: IPFW and SCTP port number

On Wed, Sep 09, 2009 at 11:17:50PM -0700, mkarjal wrote:
> Hi,
>
> I'm trying to catch SCTP packets with IPFW by SCTP port numbers, should it
> be working or not?
> Or is there some different syntax for this?
>
> "ipfw add count sctp from any to any" works, counts all SCTP packets.
>
> "ipfw add count sctp from any 49606 to any" does not work. Counters show
> zero reading.
>
> I have tried adding IP address, with different port ranges and combinations.
> I have tested this with 7.2-RELEASE and 8.0-BETA3.

I think at the moment ipfw is not parsing SCTP headers, so it does not fetch
port numbers.

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 07:29:17 2009
Date: Sat, 12 Sep 2009 15:05:51 +0800
From: Cypher Wu
To: freebsd-ipfw@freebsd.org
Subject: Is there anyone who can give me some opinions about the performance about IPFW?

1. How many rules configured.
2. The general traffic supported.
3. Hardware platform.
.......

I'm thinking to port IPFW to another platform which can support up to 10GbE
traffic bidirectional and running in user mode; any advice will be appreciated.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 07:32:54 2009
Date: Sat, 12 Sep 2009 15:32:54 +0800
From: Cypher Wu
To: freebsd-ipfw@freebsd.org
Subject: Transparent firewall & Dynamic rules
I want to build a transparent firewall based on IPFW. For static rules this is
fine, but for dynamic rules, ipfw uses keepalive packets to avoid deleting a
dynamic rule when both ends are still alive but don't issue any traffic for a
long time. But this means the firewall should have its own IPs and is not
transparent anymore.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 13:03:13 2009
Date: Sat, 12 Sep 2009 15:09:13 +0200
From: Luigi Rizzo
To: Cypher Wu
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20090912130913.GA46135@onelab2.iet.unipi.it>
Subject: Re: Transparent firewall & Dynamic rules

On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
> I want to build a transparent firewall based on IPFW. For static rules
> this is fine, but for dynamic rules, ipfw uses keepalive packets to
> avoid deleting a dynamic rule when both ends are still alive but don't
> issue any traffic for a long time. But this means the firewall should
> have its own IPs and is not transparent anymore.

Keepalives carry the addresses of the two endpoints; the firewall is not
visible.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 13:09:15 2009
Date: Sat, 12 Sep 2009 15:15:16 +0200
From: Luigi Rizzo
To: Cypher Wu
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20090912131516.GB46135@onelab2.iet.unipi.it>
Subject: Re: Is there anyone who can give me some opinions about the performance about IPFW?

On Sat, Sep 12, 2009 at 03:05:51PM +0800, Cypher Wu wrote:
> 1. How many rules configured.
> 2. The general traffic supported.
> 3. Hardware platform.
> .......
>
> I'm thinking to port IPFW to another platform which can support up to
> 10GbE traffic bidirectional and running in user mode; any advice will
> be appreciated.

I am not entirely clear on what you want to do or know, but at the end of the
dummynet page

  http://info.iet.unipi.it/~luigi/dummynet/

there are also some papers (and more data should come in the next couple of
weeks) measuring the performance of ipfw.
On a 2 GHz machine the ipfw overhead alone is 200-500ns per entry in the
firewall, plus another 50ns per rule, and another 30-50ns per additional
microinstruction.

Most of the overhead comes from the rest of the protocol stack; between
receive, network stack demux and transmit you can easily consume between 1.5
and 6-7us per packet on the same hardware, depending on the OS and driver.

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 13:42:21 2009
Date: Sat, 12 Sep 2009 21:42:20 +0800
From: Cypher Wu
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <20090912131516.GB46135@onelab2.iet.unipi.it>
Subject: Re: Is there anyone who can give me some opinions about the performance about IPFW?

Thanks. I'll keep an eye on the page you mentioned. Right now it seems the
link at the end of it only shows some performance on Dummynet.

The platform I'm using has a very different way compared to the usual platform
we are using. It runs an embedded Linux, but for the high speed network
interface it supplies a way to get Ethernet frames directly from the interface
driver to user space with zero copy, and no stack needed. Why I'm trying IPFW
is because it can be used directly in the Ethernet layer, and only a single
checkpoint. Thus I can 'create' an mbuf packet using the buffer I've got from
the interface driver and pass it into ipfw_chk. So what I care about is the
performance of IPFW itself.

On Sat, Sep 12, 2009 at 9:15 PM, Luigi Rizzo wrote:
> On Sat, Sep 12, 2009 at 03:05:51PM +0800, Cypher Wu wrote:
>> 1. How many rules configured.
>> 2. The general traffic supported.
>> 3. Hardware platform.
>> .......
>>
>> I'm thinking to port IPFW to another platform which can support up to
>> 10GbE traffic bidirectional and running in user mode; any advice will
>> be appreciated.
>
> I am not entirely clear on what you want to do or know,
> but at the end of the dummynet page
>
> http://info.iet.unipi.it/~luigi/dummynet/
>
> there are also some papers (and more data should come in the next
> couple of weeks) measuring the performance of ipfw.
>
> On a 2 GHz machine the ipfw overhead alone is 200-500ns per
> entry in the firewall, plus another 50ns per rule, and another
> 30-50ns per additional microinstruction.
>
> Most of the overhead comes from the rest of the protocol stack;
> between receive, network stack demux and transmit you can easily
> consume between 1.5 and 6-7us per packet on the same hardware,
> depending on the OS and driver.
>
> cheers
> luigi

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 13:51:04 2009
Date: Sat, 12 Sep 2009 21:51:04 +0800
From: Cypher Wu
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <20090912130913.GA46135@onelab2.iet.unipi.it>
Subject: Re: Transparent firewall & Dynamic rules

It seems fine, but I still have some questions:

1. The endpoint will respond to the keepalive TCP segment and the destination
   will be the other endpoint; will IPFW just let it through like a usual IP
   packet, or try to figure it out and drop it?
2. If I have two computers and I can make sure both ends are not using
   keepalive, can I still figure out that there is a firewall between these
   two computers?

On Sat, Sep 12, 2009 at 9:09 PM, Luigi Rizzo wrote:
> On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
>> I want to build a transparent firewall based on IPFW. For static rules
>> this is fine, but for dynamic rules, ipfw uses keepalive packets to
>> avoid deleting a dynamic rule when both ends are still alive but don't
>> issue any traffic for a long time. But this means the firewall should
>> have its own IPs and is not transparent anymore.
>
> Keepalives carry the addresses of the two endpoints;
> the firewall is not visible.
From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 14:04:20 2009
Date: Sat, 12 Sep 2009 16:10:21 +0200
From: Luigi Rizzo
To: Cypher Wu
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20090912141021.GA46670@onelab2.iet.unipi.it>
Subject: Re: Transparent firewall & Dynamic rules

On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
> It seems fine, but I still have some questions:
> 1. The endpoint will respond to the keepalive TCP segment and the
> destination will be the other endpoint; will IPFW just let it through
> like a usual IP packet, or try to figure it out and drop it?

It will let the packet through.

> 2. If I have two computers and I can make sure both ends are not using
> keepalive, can I still figure out that there is a firewall between
> these two computers?

You can disable the keepalives on the firewall (if there is no sysctl for it,
it's a trivial code change anyway), and you can set a large timeout.

But by definition the presence of a firewall _is_ detectable, unless it blocks
nothing, so it is just a logger and not a firewall.

'transparent' referred to a middlebox means "it does not require endpoint
reconfiguration", not that it is undetectable.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 14:52:30 2009
Date: Sat, 12 Sep 2009 22:52:29 +0800
From: Cypher Wu
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <20090912141021.GA46670@onelab2.iet.unipi.it>
Subject: Re: Transparent firewall & Dynamic rules

Thanks a lot. It seems that I've misunderstood 'transparent firewall'.

On Sat, Sep 12, 2009 at 10:10 PM, Luigi Rizzo wrote:
> On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
>> It seems fine, but I still have some questions:
>> 1. The endpoint will respond to the keepalive TCP segment and the
>> destination will be the other endpoint; will IPFW just let it through
>> like a usual IP packet, or try to figure it out and drop it?
>
> It will let the packet through.
>
>> 2. If I have two computers and I can make sure both ends are not using
>> keepalive, can I still figure out that there is a firewall between
>> these two computers?
>
> You can disable the keepalives on the firewall (if there is no
> sysctl for it, it's a trivial code change anyway), and you
> can set a large timeout.
>
> But by definition the presence of a firewall _is_ detectable,
> unless it blocks nothing, so it is just a logger and not a firewall.
>
> 'transparent' referred to a middlebox means
> "it does not require endpoint reconfiguration", not that
> it is undetectable.
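An added example for the "IPFW and SCTP port number" thread above (not ipfw code and not written by anyone on the list): a small C decoder for the SCTP common header that shows why a port-qualified rule such as "count sctp from any 49606 to any" can only stay at zero when the firewall knows SCTP by protocol number alone, and what a port-aware match has to verify (IPv4 header length, fragment offset, room for the 12-byte common header) before it may trust the ports. The packet bytes are constructed samples and every function and constant name is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROTO_SCTP 132   /* IANA protocol number for SCTP */

/* Ports from the 12-byte SCTP common header: src(2) dst(2) vtag(4) crc32c(4). */
struct sctp_ports { uint16_t sport, dport; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Find the SCTP common header behind an IPv4 header and copy out its ports.
 * Returns 0 on success, -1 if the packet is not IPv4, not SCTP, a non-first
 * fragment (no transport header present) or too short to hold the header. */
int sctp_extract_ports(const uint8_t *pkt, size_t len, struct sctp_ports *out)
{
    size_t ihl;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                         /* not an IPv4 packet */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return -1;                         /* bogus header length */
    if (pkt[9] != PROTO_SCTP)
        return -1;                         /* some other protocol */
    if ((be16(pkt + 6) & 0x1fff) != 0)
        return -1;                         /* fragment offset != 0: no ports here */
    if (len - ihl < 12)
        return -1;                         /* truncated common header */
    out->sport = be16(pkt + ihl);
    out->dport = be16(pkt + ihl + 2);
    return 0;
}

/* Protocol-only match: all that "count sctp from any to any" needs. */
int match_sctp_proto(const uint8_t *pkt, size_t len)
{
    return len >= 20 && (pkt[0] >> 4) == 4 && pkt[9] == PROTO_SCTP;
}

/* Port-aware match for "count sctp from any SPORT to any DPORT" (0 = any).
 * Without a decoder such as sctp_extract_ports() this could only return 0. */
int match_sctp_ports(const uint8_t *pkt, size_t len, uint16_t sport, uint16_t dport)
{
    struct sctp_ports p;
    if (sctp_extract_ports(pkt, len, &p) != 0)
        return 0;
    return (sport == 0 || p.sport == sport) && (dport == 0 || p.dport == dport);
}

/* Constructed 32-byte IPv4+SCTP sample: IHL 5, 10.0.0.1 -> 10.0.0.2, zero
 * vtag/checksum, no chunks. frag_off is the raw 16-bit flags+offset field. */
size_t build_sample_packet(uint8_t *buf, size_t cap, uint16_t sport,
                           uint16_t dport, uint16_t frag_off)
{
    if (cap < 32)
        return 0;
    memset(buf, 0, 32);
    buf[0] = 0x45;                         /* version 4, IHL 5 */
    buf[3] = 32;                           /* total length */
    buf[6] = (uint8_t)(frag_off >> 8); buf[7] = (uint8_t)frag_off;
    buf[8] = 64;                           /* TTL */
    buf[9] = PROTO_SCTP;
    buf[12] = 10; buf[15] = 1;             /* src 10.0.0.1 */
    buf[16] = 10; buf[19] = 2;             /* dst 10.0.0.2 */
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return 32;
}

/* Evaluate one port rule against a freshly built sample. */
int rule_hits(uint16_t pkt_sport, uint16_t pkt_dport, uint16_t frag_off,
              uint16_t rule_sport, uint16_t rule_dport)
{
    uint8_t buf[32];
    size_t n = build_sample_packet(buf, sizeof buf, pkt_sport, pkt_dport, frag_off);
    return match_sctp_ports(buf, n, rule_sport, rule_dport);
}

/* Same for the protocol-only rule. */
int proto_rule_hits(uint16_t frag_off)
{
    uint8_t buf[32];
    size_t n = build_sample_packet(buf, sizeof buf, 49606, 3868, frag_off);
    return match_sctp_proto(buf, n);
}
```

A non-first fragment still counts under the protocol-only rule but never under a port rule, which is the split a defender should expect from any rule that keys on transport ports.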