Re: ifconfig accepting hostname as ipv4 address

2012-06-09 Thread Wojciech Puchar

> input.
> Moreover, ifconfig em0 some_valid_fqdn/MASK silently ignores it, so you can't
> set a valid CIDR address using this notation.
>
> The classful era ended more than 10 years ago; do we still want to keep this
> behavior?



were not aware of that option, and it is a rather stupid option - you should
work on addresses, not names, when configuring a network
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"


Re: ifconfig accepting hostname as ipv4 address

2012-06-09 Thread Garrett Cooper
On Sat, Jun 9, 2012 at 12:23 AM, Wojciech Puchar
 wrote:
>> input.
>> Moreover, ifconfig em0 some_valid_fqdn/MASK silently ignores it, so you
>> can't set a valid CIDR address using this notation.
>>
>> The classful era ended more than 10 years ago; do we still want to keep
>> this behavior?
>>
> were not aware of that option, and it is a rather stupid option - you should
> work on addresses, not names, when configuring a network

I agree that it's not the best configuration in the world, as it
would only work 100% if a machine had proper DNS records or a
definitive hosts file.
There are already enough bugs with static IP configurations and
hostnames as-is *I'm looking at you mountlate* -- no sense to
introduce more potentially buggy interoperability that only works in a
handful of niche cases.
Thanks,
-Garrett


Re: recommended 10g cards

2012-06-09 Thread Daniel Braniss
thanks to all that responded! 
from the rough polling, it seems that the order list is
Intel, Myricom
Solarflare, Chelsio

Now I'll try and 'borrow' some of these.

thanks again,

danny




Re: Netgraph and Netflow-v9

2012-06-09 Thread Alexander V. Chernikov

On 09.06.2012 00:04, Kolasinski, Brent D. wrote:

> Hi All,
>
> I have been doing some tests with the FreeBSD ng_netflow module for
> netflow generation.  I am trying to export v9 netflow records to another
> server running SiLK (which can receive v9 Netflow from our Cisco routers
> just fine).
>
> When exporting v9 records from our FreeBSD-9-RELEASE server, we are
> getting this error on our SiLK server (this repeats many times):
> "rwflowpack[23113]: fBufNext: No Templates Present for Domain 0x000a"




> Now I modified the settemplates variable in ngctl to send a template every
> 20 seconds, but we are still getting this.
It should disappear after 5-10 minutes. We're using several FreeBSD v9 
sensors with flowd and it seems to run fine (except the first 5 minutes 
while waiting for the template). I'm aware of the problem with the template 
timeout working incorrectly and I plan to fix this soon.




> As a sanity check, I tried exporting v5 netflow data from this FreeBSD box
> to the SiLK box, and it happily receives it and processes it.  The SiLK
> server is receiving the v9 netflow datagrams, as I can see it with a PCAP.
>
> Any ideas as to what I am doing wrong?  Am I using the export9 hook
> correctly in the commands listed below?  There is not much documentation
> covering export9 out there (besides the tiny blurb in the FreeBSD9 Release
> notes).
>
> Here is a detail of my setup:
> 2 ethernet cards:
> 1) bce0 ->  in promiscuous mode listening to traffic off of a tap
> 2) bce1 ->  nic to be exporting netflow / connected to our network
>
> Commands I am using to export v9 netflow records in ngctl:
>
> mkpeer bce0: netflow lower iface0
> name bce0:lower netflow
> connect bce0: netflow: upper out0
> mkpeer netflow: ksocket export9 inet/dgram/udp
> msg netflow:export9 connect inet/:
>
>
> Thanks!!
>
> --
> Brent Kolasinski
> Cyber Security Program Office
> Argonne National Laboratory
> Phone: 630-252-2546





--
WBR, Alexander


Re: ipfw rules consuming CPU

2012-06-09 Thread Alexander V. Chernikov

On 09.06.2012 01:56, Sami Halabi wrote:

> Hi,
>
> I manage a FreeBSD server as an edge router & firewall.
> The setup has 10G interfaces (ixgbe-82599EB) and 1G interfaces (em-82571EB &
> bce-BCM5709) connected to 10G/1G switches.
>
> With the following setup I get higher CPU usage:
> bce1 - upstream provider with little bandwidth, so I use pipes to limit
> users and subnets
> ix0 - Internet Exchange
>
> some rules.
> .
> .
> .from 4000 starts pipes for specific IP bandwidth allocations
> 0400062100530015845967300616 pipe 1003 ip from 182.46.92.13 to any
> out xmit bce1
> 04100   412898975373064110648124 pipe 1004 ip from any to 182.46.92.13
> in recv bce1
You should use pipe tablearg for that. Traversing 4k rules effectively 
kills all performance.



> .
> .
> .
> .7000 is the wider pipeline for the whole block
> 0700091271547244651308720315 pipe 1000 ip from  182.46.92.0/24 to
> any out xmit bce1
> 071004837016828 458027989917 pipe 1002 ip from any to
> 182.46.92.0/24 in recv bce1
> last rule default to accept...
>
> Specific pipes (1003-...) have limits, say between 1-10Mbps, and the wider
> pipe (1000 and 1002) has a global limit of 40MBps that should be reached by
> all other non-specific IPs, config like this:
> #Wide
> ipfw pipe 1000 config bw 40Mbit/s queue 200Kbytes
> ipfw pipe 1002 config bw 40Mbit/s queue 200Kbytes
> #specific
> ipfw pipe 1003 config bw 9Mbit/s queue 200Kbytes
> ipfw pipe 1004 config bw 9Mbit/s queue 200Kbytes
> ipfw pipe 1005 config bw 3Mbit/s queue 200Kbytes
> ipfw pipe 1006 config bw 3Mbit/s queue 200Kbytes
> ipfw pipe 1007 config bw 5Mbit/s queue 200Kbytes
> ipfw pipe 1008 config bw 5Mbit/s queue 200Kbytes
> ipfw pipe 1009 config bw 10Mbit/s queue 200Kbytes
> ipfw pipe 1010 config bw 10Mbit/s queue 200Kbytes
>
>
> With this configuration, when I have lots of traffic (3-6GB) going via ix0
> (not necessarily the IPs described above, let's say to a server in my net, IP
> 1832.46.93.4, and users behind the Internet Exchange) I see high CPU usage
> (70-90%).
>
> My first test was: ipfw add 1 allow all from any to any, and CPU usage
> drops immediately to 10-15%.
> But that's not what I want (I want to keep the limits), so I add a rule right
> before 4000 and the CPU usage drops down to 10-20%:
> 03020 1669463072808 1493341413029803 allow ip from any to any via ix0
>
>
> Any advice why this happens? Or should it be there in the first place?
> I use FreeBSD 8.1-R-p10-amd64.
>
> Thanks in advance,


--
WBR, Alexander


Re: ipfw rules consuming CPU

2012-06-09 Thread Sami Halabi
Hi,
all rules together less than 80 rules

how does tablearg help this? each IP & pipe (up & down) are unique...

any other advice?

Sami




-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert


Re: ipfw rules consuming CPU

2012-06-09 Thread Alexander V. Chernikov

On 09.06.2012 15:19, Sami Halabi wrote:

> Hi,
> all rules together less than 80 rules

However, it is too much.
You should reduce this to 10 rules or less (at least for main traffic flow).


(Btw, there is related http://wiki.freebsd.org/NetworkPerformanceTuning 
wiki page)





> how does tablearg help this? each IP & pipe (up & down) are unique...

ipfw table 1 add 182.46.92.0/24 1000
ipfw table 1 add XXX.XXX.XX.0/24 1001
..
ipfw table 2 add 182.46.92.0/24 1002
ipfw table 2 add XXX.XXX.XX.0/24 1003

ipfw add 4000 pipe tablearg ip from 'table(1)' to any out xmit bce1
ipfw add 4100 pipe tablearg ip from any to 'table(2)' in recv bce1


It is often a good idea to split in/out rules initially (e.g. skipto 
1 ip from any to any out)


You can send me your ipfw config and we can discuss it more detailed.




--
WBR, Alexander
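A generator for the table-driven layout Alexander sketches (two tablearg rules fed by per-prefix table entries), as an added example that is not from the thread. It assumes the thread's interface bce1, table 1 for outbound and table 2 for inbound pipes, and a constructed customer list; without ipfw present it prints the commands instead of running them, and it goes a little beyond the sketch by checking that no pipe number is reused and by counting the per-prefix rules the tables replace.

```sh
#!/bin/sh
# Added example, not from the thread: build the tablearg-based ipfw layout
# discussed above. Run without arguments it only prints the commands; on a
# FreeBSD router, "sh thisfile.sh apply" pipes them into sh.

# Constructed customer list (assumption): prefix, out-pipe, in-pipe, bandwidth.
# Pipe numbering follows the thread: the wide /24 gets 1000/1002, hosts that
# need their own limit get a unique pair starting at 1003/1004.
CUSTOMERS='
182.46.92.0/24 1000 1002 40Mbit/s
182.46.92.13/32 1003 1004 9Mbit/s
182.46.92.14/32 1005 1006 3Mbit/s
'

# Interface the per-customer limits hang off (from the thread).
UPLINK=bce1

# Emit the full ruleset as ipfw commands, one per line.
# Table 1 maps a prefix to its outbound pipe, table 2 to its inbound pipe;
# "pipe tablearg" then uses the matched table value as the pipe number, so
# two rules replace one rule pair per prefix. ipfw tables return the
# longest-prefix match, so 182.46.92.13/32 wins over the /24 exactly as the
# original numbered rules did by placing the 4000 series before 7000.
gen_rules() {
    printf '%s\n' "$CUSTOMERS" | while read -r prefix out_pipe in_pipe bw; do
        [ -n "$prefix" ] || continue
        echo "ipfw pipe $out_pipe config bw $bw queue 200Kbytes"
        echo "ipfw pipe $in_pipe config bw $bw queue 200Kbytes"
        echo "ipfw table 1 add $prefix $out_pipe"
        echo "ipfw table 2 add $prefix $in_pipe"
    done
    # table(N) is quoted because parentheses are shell metacharacters.
    echo "ipfw add 4000 pipe tablearg ip from 'table(1)' to any out xmit $UPLINK"
    echo "ipfw add 4100 pipe tablearg ip from any to 'table(2)' in recv $UPLINK"
}

# A pipe number must belong to exactly one direction of one prefix, or two
# customers silently share a bandwidth limit. Returns 1 and names any
# duplicate on stderr.
check_unique_pipes() {
    dup=$(printf '%s\n' "$CUSTOMERS" | awk 'NF { print $2; print $3 }' \
        | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "duplicate pipe number(s): $dup" >&2
        return 1
    fi
    return 0
}

# Number of "pipe" rules the original one-rule-per-prefix layout needs
# (an out and an in rule per prefix), for comparison with the two above.
legacy_rule_count() {
    printf '%s\n' "$CUSTOMERS" | awk 'NF { n += 2 } END { print n + 0 }'
}

# Number of pipe rules a packet actually traverses in the table layout.
table_rule_count() {
    gen_rules | grep -c '^ipfw add '
}

check_unique_pipes || exit 1
if [ "${1:-}" = "apply" ]; then
    gen_rules | sh
else
    gen_rules
    echo "# per-packet pipe rules: $(table_rule_count) instead of $(legacy_rule_count)"
fi
```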


Re: ipfw rules consuming CPU

2012-06-09 Thread Luigi Rizzo
On Sat, Jun 09, 2012 at 03:36:15PM +0400, Alexander V. Chernikov wrote:
> On 09.06.2012 15:19, Sami Halabi wrote:
> >Hi,
> >all rules togther less than 80 rules
> However, it is too much.
> You should reduce this to 10 rules or less (at least for main traffic flow).

you should definitely try hard to use tablearg or similar tricks
to reduce the number of rules traversed. A couple of years ago we
did some detailed measurement of the cost of the various operations,
see "Dummynet revisited" and "An emulation tool for PlanetLab" at

http://info.iet.unipi.it/~luigi/research.html

cheers
luigi


Panic with if_bridge when removing components

2012-06-09 Thread Gustau Perez Querol

  Hi,

  I'm seeing panics when removing an interface of a bridge. The system 
runs HEAD/AMD64 r236733. I see no changes to if_bridge.c in the last two 
days, so I would say the problem's still there. I also checked stable 
and the problem should be there too.


  The problem is that I have a bridge composed of two ethernet 
interfaces, an ath interface and a tap. As soon as I remove any of them 
the system panics. Because the system runs openvpn with the tap 
connected to the bridge, when the system starts to reboot, the openvpn 
daemon removes the tap, thus also causing the panic.


  The panic comes because at sys/net/if_bridge.c:943 the struct 
*ifnet->if_bridge of the interface removed is set to NULL too early. 
Because of this, at sys/net/if_bridge.c:996 we call 
if_bridge.c:bridge_linkstate where the struct *ifnet->if_bridge is 
needed. This causes the panic.


  I can pastebin the core file if needed.

  I'm attaching a simple patch that solves it. The struct 
*ifnet->if_bridge could be set to null only if the interface removed is 
gone, but I think it won't hurt to set it to null in any case.


  Regards,

  Gustau
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 271ef30..6c112de 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -940,7 +940,6 @@ bridge_delete_member(struct bridge_softc *sc, struct bridge_iflist *bif,
 	if (bif->bif_flags & IFBIF_STP)
 		bstp_disable(&bif->bif_stp);
 
-	ifs->if_bridge = NULL;
 	BRIDGE_XLOCK(sc);
 	LIST_REMOVE(bif, bif_next);
 	BRIDGE_XDROP(sc);
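Review bot: dropping `ifs->if_bridge = NULL;` here leaves the member interface still pointing at the bridge after `LIST_REMOVE(bif, bif_next)` has unlinked it, across the whole section after `BRIDGE_XDROP(sc)` until the later assignment; a one-line comment at this spot saying the clearing was deliberately moved after bridge_linkstate() would keep a future reader from restoring it, and it is worth confirming that nothing executed in that window expects if_bridge to already be NULL for a removed member.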
@@ -994,6 +993,7 @@ bridge_delete_member(struct bridge_softc *sc, struct bridge_iflist *bif,
 	}
 	bstp_destroy(&bif->bif_stp);	/* prepare to free */
 	bridge_linkstate(ifs);
+	ifs->if_bridge = NULL;
 	BRIDGE_LOCK(sc);
 	free(bif, M_DEVBUF);
 }
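Review bot: placing `ifs->if_bridge = NULL;` after `bridge_linkstate(ifs);` closes the NULL dereference described in the cover letter, but the ordering is now load-bearing and silent; add a short comment here, and consider also making bridge_linkstate() tolerate a NULL if_bridge so the fix does not rest on statement order in this one function. The cover letter notes the pointer only needs clearing when the interface is not itself going away; since the patch clears it unconditionally, that reasoning belongs in the commit message.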

Re: if_ipsec

2012-06-09 Thread Jeremie Le Hen
Hi Eugene,

On Fri, Jun 08, 2012 at 11:31:00PM +0600, Eugene M. Zheganin wrote:
> Hi.
> 
> I have an idea about a new networking feature in FreeBSD.
> I guess everyone is having ideas from time to time, and lots of these 
> idea-having people think that they just had a decent idea. However, only 
> ideas that are complemented by working code can be considered by the 
> community, and only some of them get committed into the tree; I am fully 
> aware of this fact.
> 
> Unfortunately, I am not able to produce the code. I guess this is the 
> point where most of the subscribers will (or at least should) stop 
> reading this post. Still, I'm addressing this post to people that have 
> the time and will to do something interesting. I guess that someone may 
> find this interesting. Myself, I find that this could be really useful.
> 
> (You can skip this part and the next part if you only want to read about 
> the idea.) I have worked about 10 years as a network engineer. My company holds a 
> country-wide supermarkets business. I am personally responsible for the 
> network infrastructure of the company. As the company has lots 
> (hundreds) of branch offices, lots of my time I'm constructing new VPNs 
> between them. My company's network infrastructure is built using FreeBSD 
> servers and Cisco (and, last year, Juniper) equipment. So I am aware of and 
> capable of building a VPN of almost any modern type, and this is a post 
> about building it on FreeBSD (this annoying passage was written to give 
> you the impression that I'm not just a guy with a FreeBSD server at home 
> holding a couple of movies).
> 
> So. About VPNs. Another annoying passage about common ways and caveats. 
> Otherwise most of the people reading will say 'Why the hell if_ipsec?' 
> (people that are aware of VPNs can really skip this part). The 
> conventional way to build a VPN is to build a tunnel of some sort. This 
> can be an encrypted tunnel, or an unencrypted tunnel. An unencrypted 
> tunnel (gre/ipinip) is obviously unencrypted, but gives you an 
> interface which can be used in routing. An encrypted tunnel (and I'm 
> talking about ipsec) cannot be used for routing, but is encrypted. 
> Plus, you have to care about policies, and when multiple routers are 
> involved, with hundreds of networks behind them, you have to care about 
> tons of policies, and this is painful. So, the industry invented a 
> method: you use a gre/ipinip tunnel, you pass the dynamic routing 
> information (you don't care about networks, you only care about the 
> endpoints), and you encrypt this tunnel with ipsec. So, gre + ipsec (or 
> gif + ipsec). This way is supported by all of the major vendors; you can 
> build a gre(ipinip)+ipsec tunnel to any Cisco/Juniper device. Though 
> building it on JunOS requires some skill and deep knowledge. :)
> 
> (Here the idea starts.) But what is a gre or gif tunnel? This is not an 
> interface, but a way to tell the system that it needs to encapsulate 
> some of the payload with another header, and send it somewhere. So, 
> using ipsec you add an extra header, and using gre(ipinip) you add an 
> extra header. What if we added the additional ability to understand 
> that some of the ipsec packets are destined to the security gateway 
> (which adds the extra header) itself, like it's possible with 
> gre/ipinip, so we can get rid of one extra header? Cisco/Juniper did 
> that. So, Cisco has the 'tun mode ipsec ipvX' interface, and Juniper has 
> the st (secure tunnel) interface. How does it work: it's a conventional 
> ISAKMP IPsec with the ability to treat some of the packets with a 
> particular IP like destined to the local (by this I mean 'this') host. 
> Besides this it's the old IPsec. It's even interoperable between 
> different vendors' devices. I don't see any reason why FreeBSD cannot 
> have this ability, since it does have a working IPsec and working 
> ISAKMP. In order to obtain this functionality FreeBSD needs to have a 
> way to define the templates for the SPD entries, and the way to create 
> these SPD entries after the creation of the interface, based on its 
> address information. This would really simplify VPN creation and 
> management.
> 
> So... here was the idea. :)
> It came to my head after configuring the Juniper/Cisco VPN (and the 
> config was really short), and after reading the quagga-users@ mailing list, 
> where some of the subscribers asked about 'tun mode ipsec'. Plus, as far 
> as I know, Linux does not support this either, so we could really score 
> some points.

I'm not sure I've understood what you're asking.  As a network engineer,
I'm sure you know there are two modes with IPSec: tunnel and transport.

Tunnel mode is weird because it practically creates an encrypted tunnel,
but the latter is invisible from the OS, IIRC.  Transport mode just
encrypts the payload (that is, the data after the IP header) when the SPD
says so.

What is usually done for convenience is to create a gif(4) or gre(4)

Re: if_ipsec

2012-06-09 Thread Eugene Grosbein
10.06.2012 00:07, Jeremie Le Hen wrote:

> I'm not sure I've understood what you're asking.  As a network engineer,
> I'm sure you know there are two modes with IPSec: tunnel and transport.
> 
> Tunnel mode is weird because it practically creates an encrypted tunnel,
> but the latter is invisible from the OS, IIRC.

Basically, he wants tunnel mode to create full-blown network interface
without overhead for extra gre/gif packet header.

Eugene Grosbein


Re: ipfw rules consuming CPU

2012-06-09 Thread Michael Spratt
I have Linux & FreeBSD systems running ipfw with 80 rules with 70Mb/s 
symmetric, passing traffic for about 1000-1200 hosts.





Re: ipfw rules consuming CPU

2012-06-09 Thread Sami Halabi
On my box with 130 rules and 100Mbit the CPU doesn't go above 5%.
I daily manage 1.5-6GB.

Thanks in advance,
Sami



-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert


[commit approval request] sbin/ipfw

2012-06-09 Thread Alexander V. Chernikov

Hello Andrey, Konstantin!

Please approve the following commit:

--
Update maximum number of tables available in ipfw to reflect
changes done in r233478.


Approved by:  (mentor)
MFC after: 3 days
--


--
WBR, Alexander
Index: sbin/ipfw/ipfw.8
===
--- sbin/ipfw/ipfw.8(revision 236818)
+++ sbin/ipfw/ipfw.8(working copy)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 9, 2012
+.Dd June 10, 2012
 .Dt IPFW 8
 .Os
 .Sh NAME
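Review bot: `.Dd June 10, 2012` post-dates this approval request (sent 2012-06-09); .Dd conventionally carries the date the page is actually committed, so set it at commit time rather than guessing a day ahead.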
@@ -1733,7 +1733,7 @@
 Lookup tables are useful to handle large sparse sets of
 addresses or other search keys (e.g. ports, jail IDs, interface names).
 In the rest of this section we will use the term ``address''.
-There may be up to 4096 different lookup tables, numbered 0 to 4095.
+There may be up to 65535 different lookup tables, numbered 0 to 65534.
 .Pp
 Each entry is represented by an
 .Ar addr Ns Op / Ns Ar masklen
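Review bot: the new count and range are consistent (65535 tables, numbered 0 to 65534), but the sentence gives the reader no way to tell whether this is a compile-time limit or something tunable at runtime, and the commit message only points at r233478; a short clause saying where the maximum is defined, or a cross-reference, would make the documentation usable without reading that revision.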

Re: ifconfig accepting hostname as ipv4 address

2012-06-09 Thread Kevin Oberman
On Sat, Jun 9, 2012 at 12:37 AM, Garrett Cooper  wrote:
> On Sat, Jun 9, 2012 at 12:23 AM, Wojciech Puchar
>  wrote:
>>> input.
>>> Moreover, ifconfig em0 some_valid_fqdn/MASK silently ignores it, so you
>>> can't set a valid CIDR address using this notation.
>>>
>>> The classful era ended more than 10 years ago; do we still want to keep
>>> this behavior?
>>>
>> were not aware of that option, and it is a rather stupid option - you should
>> work on addresses, not names, when configuring a network
>
>    I agree that it's not the best configuration in the world, as it
> would only work 100% if a machine had proper DNS records or a
> definitive hosts file.
>    There are already enough bugs with static IP configurations and
> hostnames as-is *I'm looking at you mountlate* -- no sense to
> introduce more potentially buggy interoperability that only works in a
> handful of niche cases.

The idea was that you could enter all of the local interface names in
/etc/hosts and then just put the names into the ifconfig commands. It
was handy for keeping track of what port connected where on systems
that had numerous interfaces, though this was more common in the day
of async serial lines and modems.

I'll admit that I have mixed feelings about its practicality today,
though it does not hurt anything, as far as I can tell.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com


82599EB not supported by ixgbe(4)

2012-06-09 Thread Nikolay Denev
Hello Jack,

It seems the following controller is not yet supported by ixgbe(4) :

none4@pci0:3:0:0:   class=0x02 card=0x7b118086 chip=0x154d8086 rev=0x01 
hdr=0x00
vendor = 'Intel Corporation'
device = '82599EB 10-Gigabit SFP+ Network Connection'
class  = network
subclass   = ethernet
none5@pci0:3:0:1:   class=0x02 card=0x7b118086 chip=0x154d8086 rev=0x01 
hdr=0x00
vendor = 'Intel Corporation'
device = '82599EB 10-Gigabit SFP+ Network Connection'
class  = network
subclass   = ethernet

Any ideas on how to get that working? Is it just a matter of adding the PCI ID
to the source (I'll try that now), or are there other differences?

Regards,
Nikolay