high cpu usage on natd / dhcpd

Ian Smith smithi at nimnet.asn.au
Thu Feb 7 12:40:14 UTC 2013


On Thu, 7 Feb 2013 08:08:59 +0000, Eggert, Lars wrote:
 > On Jan 31, 2013, at 16:03, Matthew Luckie <mjl at luckie.org.nz> wrote:
 > > 
 > > 00510 allow ip from me to not me out via em1
 > > 00550 divert 8668 ip from any to any via em1
 > > 
 > > Rule 510 fixes it.
 > 
 > Yep, it does. Can I ask someone to commit this to rc.firewall?

The ruleset Matthew posted bears no resemblance to rc.firewall, so I 
don't see that (or how) it solves any generic problem.

 > (And I wonder if the rules for the ipfw kernel firewall need a 
 > similar addition, because the system locks up under heavy network 
 > load if I use that instead of natd.)
 >
 > Lars

Which rc.firewall ruleset are you referring to?  There certainly are 
problems with the 'simple' ruleset relating to use of $natd_enable vs 
$firewall_nat_enable (not to mention the denial of ALL icmp traffic) 
that I posted patches to a couple of years ago in ipfw@ to rc.firewall 
and /etc/rc.d/{ipfw,natd} addressing about 4 PRs .. sadly to no avail.

I suggest following up to ipfw@ (cc'd) rather than net@.

cheers, Ian
