From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 10 09:10:53 2003
From: jeremie le-hen <le-hen_j@epita.fr>
To: ipfw@freebsd.org
Date: Sun, 10 Aug 2003 18:10:49 +0200
Message-ID: <20030810161049.GA26412@carpediem.epita.fr>
Subject: Packets going through multiple queues

Hi folks,

let's imagine I want to schedule traffic going out through tun0.

First of all, in order to avoid filling the modem buffers (and so having queueing delays in the modem), let's define the main pipe, through which all traffic will go:

    ipfw pipe 1 config bw 125Kbit/s

Now I create a queue for interactive traffic, such as SSH, with a high weight:

    ipfw queue 10 config weight 100 pipe 1 mask all

And another one for the rest of the traffic:

    ipfw queue 20 config weight 1 pipe 1

And finally the rules which send packets into our queues (to simplify, don't take care of the TOS field, though we should in the real world):

    ipfw add 100 queue 10 tcp from any to any 22 out via tun0
    ipfw add 101 queue 10 tcp from any 22 to any out via tun0
    ipfw add 200 queue 20 all from any to any out via tun0

This configuration works perfectly with net.inet.ip.fw.one_pass set to 1; once an outgoing packet has matched one of these three rules, it will just stop any further rule checking.

But now, imagine I want to limit my outgoing mail traffic, and be sure it will not exceed 4KBytes/s. Although outgoing SMTP packets will have to go through a particular pipe in order to achieve this, I still want to take them into account in my traffic prioritizing. This means that net.inet.ip.fw.one_pass must be set to 0. If I simply configure my pipe and add a rule like this:

    ipfw pipe 2 config bw 4KBytes/s
    ipfw add 500 pipe 2 tcp from any to any 25 out via tun0

This seems to work, but in fact SSH traffic now goes through both queues 10 and 20, and I'm not sure about the efficiency of this method; I'm afraid to lose all traffic prioritizing benefits.

One tricky way to avoid the behavior would be to add "skipto" rules after each "queue" rule, with exactly the same rule body, but this clearly adds a great overhead. Furthermore, my real traffic prioritizing framework uses 6 queues and a number of rules, and adding "skipto" rules as I described here is just hard and time-wasting work.
At this point, I wonder if I missed something in ipfw(8) syntax or if the latter is simply not powerful enough to achieve this easily.

Thanks for your advice.

Regards,
--
Jeremie aka TtZ/TataZ
jeremie.le-hen@epita.fr

From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 10 22:11:36 2003
From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: jeremie le-hen
Cc: ipfw@freebsd.org
Date: Sun, 10 Aug 2003 22:11:29 -0700
Message-ID: <20030810221129.A32121@xorpc.icir.org>
In-Reply-To: <20030810161049.GA26412@carpediem.epita.fr>
Subject: Re: Packets going through multiple queues

On Sun, Aug 10, 2003 at 06:10:49PM +0200, jeremie le-hen wrote:
...
> One tricky way to avoid the behavior would be to add "skipto" rules after
> each "queue" rule, with exactly the same rule body, but this clearly adds
> a great overhead. Furthermore, my real traffic prioritizing framework uses
> 6 queues and a number of rules, and adding "skipto" rules as I described here
> is just hard and time-wasting work.

it is not a great overhead -- it is just one extra rule to check per packet, which is fast (there are direct pointers to the jump target).

As for the 'hard and time-wasting work'... you just have to design your ruleset correctly. Basically what you want is

    switch () {
    case A: <...> break;
    case B: <...> break;
    ...
    case Z: <...> break;
    }

where the blocks in <> are ipfw instructions. Once you have designed your ruleset this way, it is really trivial to implement it in terms of conditional and unconditional jumps.

cheers
luigi
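The switch-style ruleset Luigi describes, worked through as an added example (this is not code from the thread or from ipfw): a small Python model of rule evaluation that walks Jeremie's original rules and a skipto-based rewrite of them, and reports which dummynet queues and pipes each packet is handed to under one_pass=0 and one_pass=1. The rule numbers 1000/2000/3000 for the case blocks, the sample packets and the simplified evaluation semantics listed in the docstring are assumptions of the example, not a description of ipfw internals.

```python
"""Model of how ipfw walks a ruleset (added illustration, not ipfw code).

Simplified semantics assumed here:
  - rules are evaluated in ascending rule-number order;
  - 'queue N' / 'pipe N' hand the packet to dummynet; with one_pass=0 it is
    re-injected at the next rule, with one_pass=1 evaluation stops;
  - 'skipto N' continues at the first rule numbered >= N;
  - 'allow' (or running off the end of the ruleset) ends the walk.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                      # "queue", "pipe", "skipto" or "allow"
    arg: Optional[int]               # queue/pipe number or skipto target
    body: str                        # ipfw match body, used for rendering
    match: Callable[[Packet], bool]  # the same match, as a predicate


def any_pkt(p: Packet) -> bool:
    return True


def tcp_dport(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "tcp" and p.dport == port


def tcp_sport(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "tcp" and p.sport == port


def evaluate(rules: List[Rule], pkt: Packet, one_pass: int) -> List[str]:
    """Return the dummynet objects the packet is handed to, in order."""
    rules = sorted(rules, key=lambda r: r.num)
    path: List[str] = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.match(pkt):
            i += 1
            continue
        if r.action in ("queue", "pipe"):
            path.append(f"{r.action} {r.arg}")
            if one_pass:
                break
            i += 1
        elif r.action == "skipto":
            i = next((j for j, x in enumerate(rules) if x.num >= r.arg), len(rules))
        elif r.action == "allow":
            break
        else:
            raise ValueError(f"unsupported action {r.action!r}")
    return path


def as_ipfw(rules: List[Rule]) -> List[str]:
    """Render the rules as the ipfw(8) commands that would install them."""
    out = []
    for r in sorted(rules, key=lambda r: r.num):
        target = "" if r.arg is None else f" {r.arg}"
        out.append(f"ipfw add {r.num} {r.action}{target} {r.body}")
    return out


OUT = "out via tun0"

# The ruleset from the question, with the SMTP pipe simply appended.
NAIVE = [
    Rule(100, "queue", 10, f"tcp from any to any 22 {OUT}", tcp_dport(22)),
    Rule(101, "queue", 10, f"tcp from any 22 to any {OUT}", tcp_sport(22)),
    Rule(200, "queue", 20, f"all from any to any {OUT}", any_pkt),
    Rule(500, "pipe", 2, f"tcp from any to any 25 {OUT}", tcp_dport(25)),
]

# The same policy as a switch: classify once with skipto, then each case
# block does its dummynet work and ends with allow (or jumps to another case).
SWITCH = [
    Rule(100, "skipto", 1000, f"tcp from any to any 22 {OUT}", tcp_dport(22)),
    Rule(101, "skipto", 1000, f"tcp from any 22 to any {OUT}", tcp_sport(22)),
    Rule(200, "skipto", 2000, f"tcp from any to any 25 {OUT}", tcp_dport(25)),
    Rule(300, "skipto", 3000, f"all from any to any {OUT}", any_pkt),
    Rule(1000, "queue", 10, "all from any to any", any_pkt),    # case SSH
    Rule(1001, "allow", None, "all from any to any", any_pkt),
    Rule(2000, "pipe", 2, "all from any to any", any_pkt),      # case SMTP
    Rule(2001, "skipto", 3000, "all from any to any", any_pkt),  # then bulk
    Rule(3000, "queue", 20, "all from any to any", any_pkt),    # case rest
    Rule(3001, "allow", None, "all from any to any", any_pkt),
]

# Constructed sample packets; the ephemeral source ports are made up.
SSH = Packet("tcp", 49152, 22)
SMTP = Packet("tcp", 49153, 25)
HTTP = Packet("tcp", 49154, 80)

if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("switch", SWITCH)):
        for pkt in (SSH, SMTP, HTTP):
            print(f"{name:6} one_pass=0 dport={pkt.dport:<3} -> {evaluate(rules, pkt, 0)}")
    print("\n".join(as_ipfw(SWITCH)))
```

Under this model, SSH traffic in the original ruleset with one_pass=0 is handed to queue 10 and then to queue 20, which is the double queueing Jeremie observed, and with one_pass=1 SMTP never reaches pipe 2 at all. In the switch form each packet is classified once, handled in its own case block and leaves via allow, so SMTP passes through pipe 2 and then queue 20 while SSH only ever sees queue 10; the per-packet cost is the single extra skipto rule Luigi mentions.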
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 11 03:12:35 2003
From: Denis Borisov <denb@front.ru>
To: ipfw@freebsd.org
Cc: current@freebsd.org
Date: Mon, 11 Aug 2003 14:12:18 +0400
Message-Id: <200308111412.18099.denb@front.ru>
Subject: natd over ipfw2 problem.

Hi, All

I want to redirect incoming traffic to an internal server. Why doesn't natd redirect the packet?
OS - FreeBSD 5.1-CURRENT

    192.168.0.104
          |
          |
          |
    192.168.0.102
      | router |
    172.16.0.102
          |
          |
          |
    172.16.0.253
    internal server

    #ipfw add divert 7777 ip from 172.16.0.253 to any out
    #ipfw add divert 6666 ip from any to 192.168.0.102 in
    #ipfw sh
    00100     0      0 divert 7777 ip from 172.16.0.253 to any out
    00200     0      0 divert 6666 ip from any to 192.168.0.102 in
    65535  3363 607801 allow ip from any to any
    #natd -v -u -m -a 192.168.0.102 -i 6666 -o 7777 -redirect_address 172.16.0.253 192.168.0.102
    In  [TCP] [TCP] 192.168.0.104:49155 -> 192.168.0.102:80 aliased to
              [TCP] 192.168.0.104:49155 -> 172.16.0.253:80
    ^C

Why doesn't natd change the source IP address? Where is the OUT chain?

------------------------
Regards,
Denis Borisov

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 11 11:01:20 2003
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 11 Aug 2003 11:01:15 -0700 (PDT)
Message-Id: <200308111801.h7BI1FFt080770@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/09/02]  bin/42318   ipfw   NATD redirect limitations

1 problem total.

Non-critical problems

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 11 11:01:35 2003
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 11 Aug 2003 11:01:33 -0700 (PDT)
Message-Id: <200308111801.h7BI1XwI081138@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/01/26]  kern/47529  ipfw   natd/ipfw lose TCP packets for firewalled
o [2003/03/23]  kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

2 problems total.

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27]  kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/03/12]  bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
a [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07]  kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27]  kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo

8 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 12 03:39:33 2003
From: Denis Borisov <denb@front.ru>
To: ipfw@freebsd.org
Date: Tue, 12 Aug 2003 14:26:11 +0400
Message-Id: <200308121426.11858.denb@front.ru>
Subject: When will implemented in-kernel NAT?

In the comments in the file ip_fw2.c I read:

     * Dynamic rules can be used for different purposes:
     *  + stateful rules;
     *  + enforcing limits on the number of sessions;
     *  + in-kernel NAT (not implemented yet)

When will in-kernel NAT be implemented?

Regards,
Denis

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 13 05:52:56 2003
From: Ruslan Ermilov <ru@FreeBSD.org>
To: mark@outlander.us, ru@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Wed, 13 Aug 2003 05:52:53 -0700 (PDT)
Message-Id: <200308131252.h7DCqrNP090575@freefall.freebsd.org>
Subject: Re: bin/42318: NATD redirect limitations

Synopsis: NATD redirect limitations

State-Changed-From-To: open->closed
State-Changed-By: ru
State-Changed-When: Wed Aug 13 05:50:53 PDT 2003
State-Changed-Why:
Not possible with NATD (as it's not a function of NAT).
However, the Apache web server can deal with this easily.

http://www.freebsd.org/cgi/query-pr.cgi?pr=42318

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 13 05:58:24 2003
From: Ruslan Ermilov <ru@FreeBSD.org>
To: brucegb@realtime.net, ru@FreeBSD.org, ipfw@FreeBSD.org
Date: Wed, 13 Aug 2003 05:58:22 -0700 (PDT)
Message-Id: <200308131258.h7DCwM8b008289@freefall.freebsd.org>
Subject: Re: kern/47529: natd/ipfw lose TCP packets for firewalled machines

Synopsis: natd/ipfw lose TCP packets for firewalled machines

State-Changed-From-To: open->closed
State-Changed-By: ru
State-Changed-When: Wed Aug 13 05:56:51 PDT 2003
State-Changed-Why:
Both natd and ipfw work normally here; please ask questions in another forum.
Also note that the "simple" setup is a prototype only, and it lacks many things to be useful in a production environment, and won't work "as is".

http://www.freebsd.org/cgi/query-pr.cgi?pr=47529

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 14 19:52:30 2003
From: Gerald Gauthreaux <mass_design@yahoo.com>
To: freebsd-ipfw@freebsd.org
Date: Thu, 14 Aug 2003 19:52:29 -0700 (PDT)
Message-ID: <20030815025229.53371.qmail@web11406.mail.yahoo.com>
Subject:

Hey guys. Got my firewall to function with natd. It works fine except for the fact that everything is open (I think).

    zero_gate# ipfw -a l
    00100 10061 4078454 divert 8668 ip from any to any via sis0
    06500 13504 5987495 allow ip from any to any
    65535  1266  315654 deny ip from any to any
    zero_gate#

Of course sis0 is the WAN interface, and rl0 is the LAN interface. The problem comes in when I take out rule 6500 (allow ip from any to any), and allow certain ports in, and all ports out. It seems like nothing comes in unless I specify the outside IP.
Example: 53 is allowed in and out, but there is no response; when I add the IP of my DNS server it will work.

All out
    00700 7 376 allow tcp from 192.168.1.0/24 to any
    00800 5 696 allow udp from 192.168.1.0/24 to any

DNS
    00500 0 0 allow tcp from any to any dst-port 53
    00600 40 2699 allow udp from any to any dst-port 53

This is what makes it work.
    01800 8 2459 allow udp from 68.xxx.xxx.xxx to any

Do you know of a better way to do this? Any light you could shed on this would be greatly appreciated.

Thanks,
Beau

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 14 20:04:58 2003
From: Josh Osborne <stripes@meketrex.pix.net>
To: freebsd-ipfw@freebsd.org
Date: Thu, 14 Aug 2003 23:04:37 -0400
Message-ID: <20030814230437.A19173@meketrex.pix.net>
Subject: Does "ipfw pipe 1 config bw tun0" work under 5.1?

I'm running "5.1-RELEASE" on a machine and I'm attempting to do a little bit of traffic shaping. ipfw queue list looks like this:

    00001: tun0      0 ms  50 sl. 0 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    q00001: weight 1 pipe 1   50 sl. 0 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    q00080: weight 100 pipe 1   50 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 tcp      157.15.34.14/49160   66.35.250.150/80         56     4780 50 4480   5

Whatever traffic I assign to pipe 1 (via one of the queues at least) shows up in that last line there, but never leaves the queue. I can see the packet counts going up (TCP retries I assume) and then the connection times out.

I'm using ppp, and ifconfig shows tun0 as the interface I'm using (as opposed to tun1, or something else). I'm not sure what else to try here.

So does "ipfw pipe 1 config bw tun0" really work in 5.1-RELEASE, or is it busted?

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 15 00:50:15 2003
From: Ruslan Ermilov <ru@FreeBSD.org>
To: ipfw@FreeBSD.org
Date: Fri, 15 Aug 2003 00:50:14 -0700 (PDT)
Message-Id: <200308150750.h7F7oEfp017507@freefall.freebsd.org>
Subject: Re: kern/47529: natd/ipfw lose TCP packets for firewalled machines

The following reply was made to PR kern/47529; it has been noted by GNATS.

From: Ruslan Ermilov
To: Martin Bartelds
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/47529: natd/ipfw lose TCP packets for firewalled machines
Date: Fri, 15 Aug 2003 10:42:51 +0300

On Thu, Aug 14, 2003 at 08:58:09PM +0200, Martin Bartelds wrote:
> I'm not sure about the legitimacy of the "closed" action.
>
> I do have at least one FW/FTP system with NAT which experiences
> significant packet losses since I moved to IPFW2. Even pings get lost
> every now and then, whereas previously with IPFW this didn't happen.
> Apart from the lost pings, I also see a lot of hiccups when collecting email
> and doing FTP through the FW/NAT. Locally and to/from the backbone
> everything seems to be perfect; only once NAT is involved I do have
> packet losses. I do use IPFW2's features iplen, queue, pipe, recv and xmit.
> Between the FW/FTP server and the backbone, I do have transfer rates
> of up to 600 Kbyte/s on a 7.6 Mbit pipe. These transfers don't seem to
> suffer from the hiccups.
>
> If you do have suggestions how to pinpoint this to a more definite
> point of failure, I'm open for testing.
>
I wish you would mention that your problem is bound to IPFW2 in the PR.

Whatever, does the problem still exist in recent versions of 5.1-CURRENT? If not, please try it. If so, please give us simple steps to reproduce the problem. It should be possible for you, since you tell me that you believe the problem is with FW/NAT, so please start from a simple config, and see if the problem exists. If not, add features that you need, and see again.
Cheers,
--
Ruslan Ermilov
Sysadmin and DBA, ru@sunbay.com
Sunbay Software Ltd, ru@FreeBSD.org
FreeBSD committer

From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 16 01:16:26 2003
From: Peter Losher <Peter_Losher@isc.org>
Organization: ISC
To: freebsd-ipfw@freebsd.org
Date: Sat, 16 Aug 2003 01:16:21 -0700
Message-Id: <200308160116.22010.Peter_Losher@isc.org>
Subject: piping killing performance on 5.1-REL-p2

Hi -

On several of our servers that provide name service to the local network, we normally have pipes in our ipfw/ipfw2 rules as such:

    add pipe 1 udp from any to any 53 in
    pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
    add pipe 2 tcp from any to any 53 in
    pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3

to make sure outsiders don't slam us too hard, etc...

This setup has worked fine for us in the past under 4.x, but we have now turned up our first 5.1-REL box (5.1-REL-p2 to be exact) and while the pipes work, they are killing the response times. dig queries that normally take a couple of milliseconds from another host on the same subnet now take 40-50 milliseconds. Remove the rules, and the response time goes back down to a couple of milliseconds. Note that this same configuration on a 4.x system shows very little degradation with the pipes on-line.

Has the syntax changed between ipfw and ipfw2, and have others experienced this "slowness" issue? (I looked in the archives beforehand)

Best Wishes - Peter
--
Peter_Losher@isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"

From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 16 02:58:49 2003
From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: Peter Losher
Cc: freebsd-ipfw@freebsd.org
Date: Sat, 16 Aug 2003 02:58:12 -0700
Message-ID: <20030816025812.A31188@xorpc.icir.org>
In-Reply-To: <200308160116.22010.Peter_Losher@isc.org>
Subject: Re: piping killing performance on 5.1-REL-p2

well... I don't understand what you think is wrong here. A 64-byte (512 bits) packet in a 10Kbit/s pipe will take roughly 50ms to go through, and this is exactly what you are reporting.

I suspect your 4.x configuration was not passing the packets through the pipe and/or had the bandwidth configured differently.

[As an aside, by using "mask src-ip 0xffffffff" you are basically making yourself a wonderful candidate for DoS attacks as any IP will create a new pipe. I'd rather have one pipe (or a small number of pipes) for outsiders and if someone is saturating them you'll still be able to provide service inside.]

cheers
luigi

On Sat, Aug 16, 2003 at 01:16:21AM -0700, Peter Losher wrote:
> Hi -
>
> On several of our servers that provide name service to the local network,
> we normally have pipes in our ipfw/ipfw2 rules as such:
>
> add pipe 1 udp from any to any 53 in
> pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
> add pipe 2 tcp from any to any 53 in
> pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3
>
> to make sure outsiders don't slam us too hard, etc... This setup has worked
> fine for us in the past under 4.x, but we have now turned up our first
> 5.1-REL box (5.1-REL-p2 to be exact) and while the pipes work, they are
> killing the response times. dig queries that normally take a couple of
> milliseconds from another host on the same subnet now take 40-50
> milliseconds. Remove the rules, and the response time goes back
> down to a couple of milliseconds. Note that this same configuration on a
> 4.x system shows very little degradation with the pipes on-line.
>
> Has the syntax changed between ipfw and ipfw2, and have others experienced
> this "slowness" issue? (I looked in the archives beforehand)
>
> Best Wishes - Peter
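The arithmetic in Luigi's reply, as an added example that is not part of the thread and not ipfw code: a parser for the bandwidth strings that ipfw's pipe config accepts, and the per-packet serialization delay they imply. It assumes ipfw's [K|M]{bit/s|Byte/s} notation with K = 1000 and M = 1000000, and models a pipe configured with `queue N` as holding at most N packets; both are assumptions of the example rather than statements about dummynet internals.

```python
"""Added example (not ipfw code): bandwidth strings of 'ipfw pipe N config bw'
and the delay a dummynet pipe adds per packet.

Assumed here: prefixes follow ipfw(8)'s [K|M]{bit/s|Byte/s} syntax with
K = 1000 and M = 1000000, and 'queue N' means the pipe holds at most N packets.
"""
import re

_BW = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([KkMm]?)\s*([Bb]its?|[Bb]ytes?)\s*/\s*s\s*$")
_PREFIX = {"": 1, "K": 1_000, "M": 1_000_000}


def parse_bandwidth(spec: str) -> int:
    """Bits per second for an ipfw 'bw' argument: '125Kbit/s' -> 125000,
    '4KBytes/s' -> 32000. Raises ValueError on anything it cannot read."""
    m = _BW.match(spec)
    if m is None:
        raise ValueError(f"unrecognised bandwidth spec: {spec!r}")
    value, prefix, unit = m.groups()
    bps = float(value) * _PREFIX[prefix.upper()]
    if unit.lower().startswith("byte"):
        bps *= 8
    return int(round(bps))


def serialization_delay_ms(packet_bytes: int, spec: str) -> float:
    """Time for one packet of packet_bytes to drain through the pipe."""
    return packet_bytes * 8 * 1000.0 / parse_bandwidth(spec)


def worst_case_wait_ms(packet_bytes: int, spec: str, queue_slots: int) -> float:
    """Delay seen by the last packet admitted to a full queue: it waits for the
    queue_slots - 1 packets ahead of it plus its own serialization. A packet
    arriving after that finds no free slot and is dropped (droptail)."""
    return serialization_delay_ms(packet_bytes, spec) * queue_slots


if __name__ == "__main__":
    # Constructed cases drawn from the two threads above.
    for pkt, bw, slots in ((64, "10Kbit/s", 3), (1500, "125Kbit/s", 50)):
        print(f"{pkt:5d} bytes at {bw:>10}: {serialization_delay_ms(pkt, bw):7.1f} ms "
              f"per packet, {worst_case_wait_ms(pkt, bw, slots):7.1f} ms behind a "
              f"full queue of {slots}")
```

A 64-byte packet through a 10Kbit/s pipe serializes in 51.2 ms, the 40-50 ms that dig was seeing; with `queue 3` the last packet admitted to a full queue waits about 154 ms and anything behind it is dropped, which is also why a per-source pipe (`mask src-ip 0xffffffff`) turns each remote address into its own small, easily filled buffer. The same function gives 96 ms for a 1500-byte packet on the 125Kbit/s pipe in the first thread, the modem-buffer delay that thread set out to avoid.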