From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 22 11:08:35 2007
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 22 Jan 2007 11:08:33 GMT
Message-Id: <200701221108.l0MB8XxD036950@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker       Resp. Description
--------------------------------------------------------------------------------
o kern/51274    ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910    ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/74104    ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o conf/78762    ipfw  [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal
o bin/80913     ipfw  [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659    ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/93300    ipfw  ipfw pipe lost packets
o kern/95084    ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504    ipfw  [ipfw] IPFW Rules bug
o kern/97951    ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/98831    ipfw  [ipfw] ipfw has UDP hickups
o kern/102471   ipfw  [ipfw] [patch] add tos and dscp support
o kern/103454   ipfw  [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534   ipfw  [ipfw] [panic] ipfw + dummynet

14 problems total.

Non-critical problems

S Tracker       Resp. Description
--------------------------------------------------------------------------------
a kern/26534    ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159    ipfw  [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172    ipfw  [ipfw] [patch] ipfw does not log size and flags
o bin/50749     ipfw  [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984    ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/60719    ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/69963    ipfw  [ipfw] install_state warning about already existing en
o kern/71366    ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987    ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276    ipfw  [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785     ipfw  [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642    ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724    ipfw  [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957    ipfw  [ipfw] [patch] ipfw mac logging
o kern/87032    ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847    ipfw  [ipfw] ipfw with vlanX as the device
o kern/103328   ipfw  sugestions about ipfw table
o kern/104682   ipfw  [ipfw] [patch] Some minor language consistency fixes a
o bin/104921    ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330   ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q

20 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 24 00:37:14 2007
From: Arone Silimantia
To: freebsd-ipfw@freebsd.org
Date: Tue, 23 Jan 2007 16:37:13 -0800 (PST)
Message-ID: <108951.34916.qm@web58610.mail.re3.yahoo.com>
Subject: ipfw pipe show .... clarification, please ...

I set up a dummynet pipe with this sequence of commands:

  sysctl -w net.inet.ip.fw.one_pass=0
  ipfw pipe 1 config bw 16Mbit/s
  ipfw add 10000 pipe 1 all from any to any

So far so good. Works great.

However, when I look at the pipe itself, with this command:

  ipfw pipe show 1

I see this:

  # ipfw pipe show 1
  00001:  16.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
      mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
  BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
    0 tcp  1.2.3.4/22   1.2.3.4/4333   2970975653 2649647615805  2 2992 10414733

I would like to clarify a few things...

First, the ipfw pipe creation command I ran is not (as far as I can tell) TCP specific, and further, my ipfw rule says "any to any" - but when I look at the pipe, it has a protocol specified (TCP) and further, has a port number (22). I want to throttle ALL IP traffic, not just TCP, and certainly not just port 22.

What am I doing wrong?

Second, there are seven headings (from BKT at the left to Drp on the right) but underneath those seven headings are _9_ values. What I really want to know is how many packets I am dropping ... but I can't tell which of the fields are the "dropped" - I assume it is the final number .. if so, what is that measured in? Packets?

Finally, why am I dropping any packets? My total traffic is 5-7 Mbits/s on average ... I don't see why I would be dropping any packets at all ... are they being dropped because the system can't keep up, or are they being dropped because I am hitting the throttle limit and it drops everything above that?

Many thanks.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 24 16:44:00 2007
From: "Michael W. Oliver"
To: Arone Silimantia
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 24 Jan 2007 11:12:13 -0500
Message-ID: <20070124161213.GB34537@gargantuan.com>
In-Reply-To: <108951.34916.qm@web58610.mail.re3.yahoo.com>
Subject: Re: ipfw pipe show .... clarification, please ...

On 2007-01-23T16:37:13-0800, Arone Silimantia wrote:
>
> I set up a dummynet pipe with this sequence of commands:
>
>   sysctl -w net.inet.ip.fw.one_pass=0
>   ipfw pipe 1 config bw 16Mbit/s
>   ipfw add 10000 pipe 1 all from any to any
>
> So far so good. Works great. However, when I look at the pipe
> itself, with this command:
>
>   ipfw pipe show 1
>
> I see this:
>
>   # ipfw pipe show 1
>   00001:  16.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
>       mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
>   BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>     0 tcp  1.2.3.4/22   1.2.3.4/4333   2970975653 2649647615805  2 2992 10414733
>
> I would like to clarify a few things...
>
> First, the ipfw pipe creation command I ran is not (as far as I can
> tell) TCP specific, and further, my ipfw rule says "any to any" - but
> when I look at the pipe, it has a protocol specified (TCP) and
> further, has a port number (22). I want to throttle ALL IP traffic,
> not just TCP, and certainly not just port 22.
>
> What am I doing wrong?

I think what you are seeing is just the latest user of the rule, and it happened to be that SSH connection. Since you are using an all-zeros mask, all traffic will fall into the same bucket and as such you will only see the latest flow/conversation/stream that used the rule. I could be wrong here, and would like clarification if so.

> Second, there are seven headings (from BKT at the left to Drp on the
> right) but underneath those seven headings are _9_ values. What I
> really want to know is how many packets I am dropping ... but I can't
> tell which of the fields are the "dropped" - I assume it is the final
> number .. if so, what is that measured in? Packets?

Yes, the drops are listed in number of packets, and what you are seeing as nine fields is broken down as follows:

  BKT  Prot  Source IP/port  Dest. IP/port  Tot_pkt  bytes  Pkt  Byte  Drp

The "Tot_pkt/bytes" and "Pkt/Byte" values are split, even though the headings are not. Not very intuitive, and actually quite ugly. Again, I am no expert and would like clarification if I am wrong.

Personally, if I could code at all, I would try to whip up a patch that would do something like this....

  00001:  16.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
      mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
  BKT 0
    Prot: TCP
    Source: 1.2.3.4(22)
    Dest: 1.2.3.4(4333)
    Total (pkts/bytes): 2970975653/2649647615805
    Current (pkts/bytes): 2/2992
    Drops: 10414733

> Finally, why am I dropping any packets? My total traffic is 5-7
> Mbits/s on average ... I don't see why I would be dropping any packets
> at all ... are they being dropped because the system can't keep up, or
> are they being dropped because I am hitting the throttle limit and it
> drops everything above that?

I think you are dropping packets because you are exceeding the pipe bandwidth.

I am no expert on this stuff, just offering some possible answers to your questions. Have fun!

-- 
Mike Oliver, KI4OFU
[see complete headers for contact information]

------------------------------------------------------------------------
If your email to me is rejected, it is likely a problem with the MTA on
your end, so please send the error report to me at mwoliver at gmail dot
com and I will investigate the issue. Thanks.
------------------------------------------------------------------------
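An added example, not from this thread or from FreeBSD's ipfw: a small Python parser for the flow lines of `ipfw pipe show` that splits the nine values under the seven headings exactly as the reply describes, computes a drop ratio, and renders each flow in the labelled layout the reply proposes. The sample text is constructed from the output quoted above, and the drop ratio assumes Drp is counted separately from Tot_pkt.

```python
import re

# Constructed sample, shaped like the `ipfw pipe show 1` output quoted above.
SAMPLE = """\
00001:  16.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  1.2.3.4/22   1.2.3.4/4333   2970975653 2649647615805  2 2992 10414733
"""

# The nine columns a flow line really has; the heading line shows only seven.
FIELDS = ("bucket", "proto", "src", "dst",
          "tot_pkts", "tot_bytes", "cur_pkts", "cur_bytes", "drops")
FLOW_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+/\d+\s+\S+/\d+(\s+\d+){5}\s*$")

def parse_flows(text):
    """Return one dict per flow line; pipe, mask and heading lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not FLOW_RE.match(line):
            continue
        flow = dict(zip(FIELDS, line.split()))
        for key in ("bucket",) + FIELDS[4:]:
            flow[key] = int(flow[key])
        flows.append(flow)
    return flows

def drop_ratio(flow):
    """Share of offered packets that were dropped (assumption: Drp is kept
    separately from Tot_pkt, so offered = passed + dropped)."""
    offered = flow["tot_pkts"] + flow["drops"]
    return flow["drops"] / offered if offered else 0.0

def render(flow):
    """Lay the flow out the way the reply proposes: labelled values, one per line."""
    src, sport = flow["src"].rsplit("/", 1)
    dst, dport = flow["dst"].rsplit("/", 1)
    return "\n".join([
        f"BKT {flow['bucket']}  Prot: {flow['proto'].upper()}",
        f"Source: {src}({sport})  Dest: {dst}({dport})",
        f"Total (pkts/bytes): {flow['tot_pkts']}/{flow['tot_bytes']}",
        f"Current (pkts/bytes): {flow['cur_pkts']}/{flow['cur_bytes']}",
        f"Drops: {flow['drops']}",
    ])

if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(render(f))
        print(f"drop ratio: {drop_ratio(f):.2%}")
```

Feed it the real output with `ipfw pipe show | python3 parse_pipe.py` style piping once the sample is replaced by `sys.stdin.read()`; the regex rejects the pipe, mask and heading lines so only flow rows are parsed.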