Date:      Wed, 19 Dec 2001 11:11:16 +0000
From:      chkno@dork.com
To:        freebsd-questions@freebsd.org
Subject:   ipfw+natd packet loop
Message-ID:  <20011219110956.KPYL6450.rwcrmhc52.attbi.com@chk.phattydomain.com>

I'm trying to use ipfw pipes to impose bandwidth restrictions in a
natd environment.  I'm having an issue with packets getting caught
up in some kind of loop between natd & the pipe.

Note: I'm using natd to nat between two subnets on the same interface.
This has worked beautifully so far, even though I gather that it
is not the normal way of doing things.  Hardware restrictions prevent
me from adding a second NIC.


Background info:

   # grep natd /etc/rc.conf
   natd_enable="YES"
   natd_flags="-use_sockets -same_ports -unregistered_only"
   natd_interface="ed1"
   # ifconfig ed1
   ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
           inet 12.225.230.182 netmask 0xfffffe00 broadcast 255.255.255.255
           inet 192.168.151.1 netmask 0xffffff00 broadcast 192.168.151.255
           ether 00:80:c8:e2:b0:5a
   # sysctl net.inet.ip.fw.one_pass
   net.inet.ip.fw.one_pass: 1
   # ipfw pipe show
   00010: 120.000 Kbit/s    0 ms    8 sl. 1 queues (1 buckets) droptail
       mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

Demonstration:

( XXX.XXX.XXX.XXX is downloading a file via ftp. )

   # echo;ipfw add 10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out; ipfw zero;sleep 1;ipfw show;sleep 19;echo;ipfw show;ipfw delete 10000

   10000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
   Accounting cleared.
   00049 39 39604 count ip from any to any
   00050 39 39604 divert 8668 ip from any to any via ed1
   00051 39 39604 count ip from any to any
   00100  0     0 allow ip from any to any via lo0
   00200  0     0 deny ip from any to 127.0.0.0/8
   00300  0     0 deny ip from 127.0.0.0/8 to any
   10000 14 21000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
   65000 25 18604 allow ip from any to any
   65535  0     0 deny ip from any to any

   00049    492    471097 count ip from any to any
   00050    492    471097 divert 8668 ip from any to any via ed1
   00051 556400 834347613 count ip from any to any
   00100      0         0 allow ip from any to any via lo0
   00200      0         0 deny ip from any to 127.0.0.0/8
   00300      0         0 deny ip from 127.0.0.0/8 to any
   10000 556141 834210534 pipe 10 ip from any to XXX.XXX.XXX.XXX out
   65000    259    137079 allow ip from any to any
   65535      0         0 deny ip from any to any
   #

CPU usage jumps to 100%.  233 packets become 556141.  What am I
doing wrong?
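The two `ipfw show` snapshots above can be compared mechanically to spot this kind of loop: every packet entering the ruleset is counted once by rule 49, so any rule whose counter grows by far more than rule 49's between the snapshots is seeing packets that were re-injected. The script below (an added example, not part of the post or of FreeBSD) parses the snapshots from the post, takes rule 49 as the ingress count, and flags rules whose packet delta exceeds ten times it; the rule-49 and 10x choices are assumptions for this illustration.

```python
import re

# Two `ipfw show` snapshots 19 s apart, copied from the post; rules that saw
# no packets in either (100, 200, 300, 65535) are left out for brevity.
BEFORE = """\
00049 39 39604 count ip from any to any
00050 39 39604 divert 8668 ip from any to any via ed1
00051 39 39604 count ip from any to any
10000 14 21000 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000 25 18604 allow ip from any to any
"""
AFTER = """\
00049    492    471097 count ip from any to any
00050    492    471097 divert 8668 ip from any to any via ed1
00051 556400 834347613 count ip from any to any
10000 556141 834210534 pipe 10 ip from any to XXX.XXX.XXX.XXX out
65000    259    137079 allow ip from any to any
"""

# rule number, packet counter, byte counter, then the rule body
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")

def parse_ipfw_show(text):
    """Map rule number -> (packets, bytes, rule body); non-rule lines are skipped."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m[1])] = (int(m[2]), int(m[3]), m[4].strip())
    return rules

def packet_deltas(before, after):
    """Packets each rule matched between the two snapshots."""
    return {n: after[n][0] - before[n][0] for n in after if n in before}

def find_loops(before, after, ingress_rule=49, factor=10):
    """Return {rule: amplification} for rules that matched more than `factor`
    times the packets that entered the ruleset (counted by ingress_rule, an
    assumed choice). A rule sees a packet once per pass, so a ratio far above
    1 means packets are being re-injected and walking the rules again."""
    d = packet_deltas(before, after)
    entered = d.get(ingress_rule, 0)
    if entered <= 0:
        return {}
    return {n: d[n] / entered for n in d if d[n] > factor * entered}

def loop_report():
    return find_loops(parse_ipfw_show(BEFORE), parse_ipfw_show(AFTER))
```

On the snapshots from the post, `loop_report()` flags rule 51 (the count rule right after the divert) and the pipe rule 10000 at roughly 1228 times the ingress count, which places the re-entry point between rule 49 and rule 51.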
