We have a FreeBSD 4.2-STABLE machine running as a bridging firewall
and we are having some difficulties. Can anyone give me a pointer,
or help outright, in figuring out what the problem is? Details are
below. The problem is repeatable with different network cards (fxp or xl).
FreeBSD 4.2 stable ipfw/dummynet issues (Kernel Config Below):
When selected TCP ports, or selected subnets, are sent through dummynet pipes
for bandwidth control, the pipes sometimes get "clogged up", causing all
packets going through the pipe to be dropped. Deleting and re-creating
the pipe clears it up.
We tried assigning selected subnets to pipes via dummynet queues,
masking on host addresses so that each host address would get its own
bucket. The system seemed to ignore the mask we gave it and instead
assigned flows to buckets by the 4th octet only. The system generated log
messages "... /kernel: == not eligible, size nnnn" and after a while it
panicked and rebooted.
This set of rules gets you "clogged" pipes:
ipfw pipe 1 config bw 512KBytes/s queue 200Kbytes
ipfw pipe 2 config bw 256KBytes/s queue 100Kbytes
ipfw add 15130 pipe 1 ip from any to XXX.YYY.208.0/20 recv xl1
ipfw add 15140 pipe 1 ip from any to XXX.YYY.172.0/22 recv xl1
ipfw add 15110 pipe 2 ip from XXX.YYY.208.0/20 to any recv xl0
ipfw add 15120 pipe 2 ip from XXX.YYY.172.0/22 to any recv xl0
This set of rules caused an OS crash (reboot):
ipfw pipe 1 config bw 256KBytes/s queue 150Kbytes
ipfw queue 1 config pipe 1 weight 1 mask src-ip 0x00000FFF buckets 256 queue
75K Bytes
ipfw queue 2 config pipe 1 weight 1 mask src-ip 0x000003FF buckets 128 queue
75K Bytes
ipfw pipe 2 config bw 512KBytes/s queue 300Kbytes
ipfw queue 3 config pipe 2 weight 1 mask dst-ip 0x00000FFF buckets 256 queue
75K Bytes
ipfw queue 4 config pipe 2 weight 1 mask dst-ip 0x000003FF buckets 128 queue
75K Bytes
ipfw add 16010 queue 1 ip from XXX.YYY.208.0/20 to any recv xl0
ipfw add 16020 queue 2 ip from XXX.YYY.172.0/22 to any recv xl0
ipfw add 16030 queue 3 ip from any to XXX.YYY.208.0/20 recv xl1
ipfw add 16040 queue 4 ip from any to XXX.YYY.172.0/22 recv xl1
In each case the traffic flows worked as we had intended for a while before
failing.
Appropriate Settings from /etc/rc.conf:
bridging_enable="YES"
bridging_fw_enable="YES"
portmap_enable="NO"
firewall_enable="YES"
firewall_script="/usr/local/etc/firewall/rc.firewall"
drop_synfin_enable="YES"
Extra sysctls set are:
sysctl -w net.link.ether.bridge=1
sysctl -w net.link.ether.bridge_ipfw=1
KERNEL Config file:
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.20 2000/10/31 23:16:07 n_hibma Exp $
machine i386
cpu I586_CPU
cpu I686_CPU
ident GENERIC
maxusers 128
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options CD9660 #ISO 9660 Filesystem
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options UCONSOLE #Allow users to grab the console
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options DUMMYNET
options IPDIVERT
options BRIDGE
options NMBCLUSTERS=16384
options TCP_DROP_SYNFIN
options IPSTEALTH #support for stealth forwarding
options TCP_RESTRICT_RST #restrict emission of TCP RST
options ICMP_BANDLIM #Rate limit bad replies
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
device isa
device eisa
device pci
# Floppy drives
device fdc0 at isa? port IO_FD1 irq 6 drq 2
device fd0 at fdc0 drive 0
#device fd1 at fdc0 drive 1
# ATA and ATAPI devices
device ata0 at isa? port IO_WD1 irq 14
device ata1 at isa? port IO_WD2 irq 15
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID #Static device numbering
#options ATA_ENABLE_ATAPI_DMA #Enable DMA on ATAPI devices
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1
device psm0 at atkbdc? irq 12
device vga0 at isa?
# splash screen/screen saver
pseudo-device splash
# syscons is the default console driver, resembling an SCO console
device sc0 at isa? flags 0x100
options FAT_CURSOR # start with block cursor
# Floating point support - do not disable.
device npx0 at nexus? port IO_NPX irq 13
# Serial (COM) ports
device sio0 at isa? port IO_COM1 flags 0x10 irq 4
device sio1 at isa? port IO_COM2 irq 3
# PCI Ethernet NICs that use the common MII bus controller code.
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
pseudo-device pty # Pseudo-ttys (telnet etc)
# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter
--
| Ted Wisniewski INET: [EMAIL PROTECTED] |
| Computer Services [EMAIL PROTECTED] |
| Plymouth State College [EMAIL PROTECTED] |
| Plymouth NH, 03264 HTTP: http://oz.plymouth.edu/~ted/ |