I can confirm that this problem still exists in FreeBSD7.0-STABLE.

Hardware is Dell PowerEdge 2550 with on-board bge interface. And yes, = the problem is most reliably triggered by csup.

FreeBSD bienvenue 7.0-STABLE FreeBSD 7.0-STABLE #1: Mon Jul 7 16= :14:42 WST 2008 root@bienvenue:/usr/obj/usr/src/sys= /BIENVENUE i386

Jul 11 03:50:46 bienvenue kernel: bge0: watchdog timeout -- resetting<= /div>

Jul 11 03:50:46 bienvenue kernel: bge0: link state changed to DOWN

Jul 11 03:50:48 bienvenue kernel: bge0: link state changed to UP

Jul 12 03:55:09 bienvenue kernel: bge0: watchdog timeout -- resetting<= /div>

Jul 12 03:55:09 bienvenue kernel: bge0: link state changed to DOWN

Jul 12 03:55:11 bienvenue kernel: bge0: link state changed to UP

--_000_3710094049A65F4EA7CA1DC0D39D0E8B01EC139D17EXWAMBX01nexu_-- From Mark.Favas at csiro.au Fri Jul 11 21:40:08 2008 From: Mark.Favas at csiro.au (Mark.Favas@csiro.au) Date: Fri Jul 11 21:40:15 2008 Subject: kern/123347: [bge] bge1: watchdog timeout -- linkstate changed to DOWN Message-ID: <200807112140.m6BLe8Ao094258@freefall.freebsd.org> The following reply was made to PR kern/123347; it has been noted by GNATS. From: To: , Cc: Subject: Re: kern/123347: [bge] bge1: watchdog timeout -- linkstate changed to DOWN Date: Sat, 12 Jul 2008 05:03:21 +0800 --_000_3710094049A65F4EA7CA1DC0D39D0E8B01EC139D16EXWAMBX01nexu_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I am currently seeing the same issue with a single bge interface on FreeBSD= 7.0-STABLE. pciconf -lv | grep -A 3 bge bge0@pci0:1:8:0: class=3D0x020000 card=3D0x00d11028 chip=3D0x164414e= 4 rev=3D0x10 hdr=3D0x00 vendor =3D 'Broadcom Corporation' device =3D 'BCM5751F NetXtreme Gigabit Ethernet Controller' class =3D network Jul 11 03:50:46 bienvenue kernel: bge0: watchdog timeout -- resetting Jul 11 03:50:46 bienvenue kernel: bge0: link state changed to DOWN Jul 11 03:50:48 bienvenue kernel: bge0: link state changed to UP Jul 12 03:55:09 bienvenue kernel: bge0: watchdog timeout -- resetting Jul 12 03:55:09 bienvenue kernel: bge0: link state changed to DOWN Jul 12 03:55:11 bienvenue kernel: bge0: link state changed to UP FreeBSD bienvenue 7.0-STABLE FreeBSD 7.0-STABLE #1: Mon Jul 7 16:14:42 WST= 2008 root@bienvenue:/usr/obj/usr/src/sys/BIENVENUE i386 --_000_3710094049A65F4EA7CA1DC0D39D0E8B01EC139D16EXWAMBX01nexu_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I am currently seeing the same issue with a single bge interface on Fr= eeBSD 7.0-STABLE.

pciconf -lv | grep -A 3 bge

bge0@pci0:1:8:0: class=3D0x0= 20000 card=3D0x00d11028 chip=3D0x164414e4 rev=3D0x10 hdr=3D0x00

vendor =3D 'Broadcom Corpor= ation'

device =3D 'BCM5751F NetXtr= eme Gigabit Ethernet Controller'

class =3D network

Jul 11 03:50:46 bienvenue kernel: bge0: watchdog timeout -- resetting<= /div>

Jul 11 03:50:46 bienvenue kernel: bge0: link state changed to DOWN

Jul 11 03:50:48 bienvenue kernel: bge0: link state changed to UP

Jul 12 03:55:09 bienvenue kernel: bge0: watchdog timeout -- resetting<= /div>

Jul 12 03:55:09 bienvenue kernel: bge0: link state changed to DOWN

Jul 12 03:55:11 bienvenue kernel: bge0: link state changed to UP

FreeBSD bienvenue 7.0-STABLE FreeBSD 7.0-STABLE #1: Mon Jul 7 16= :14:42 WST 2008 root@bienvenue:/usr/obj/usr/src/sys= /BIENVENUE i386

--_000_3710094049A65F4EA7CA1DC0D39D0E8B01EC139D16EXWAMBX01nexu_-- From brian.mcginty at gmail.com Sat Jul 12 06:44:54 2008 From: brian.mcginty at gmail.com (Brian McGinty) Date: Sat Jul 12 06:45:01 2008 Subject: Freebsd IP Forwarding performance (question, and some info) [7-stable, current, em, smp] In-Reply-To: References: <4867420D.7090406@gtcomm.net> <486A8F24.5010000@gtcomm.net> <486A9A0E.6060308@elischer.org> <486B41D5.3060609@gtcomm.net> <4871E85C.8090907@freebsd.org> <48726422.7050703@gtcomm.net> <200807080107.m6817XxO021966@lava.sentex.ca> <601bffc40807081346q454c1f40td47a0f54806d8a8c@mail.gmail.com> Message-ID: <601bffc40807112344n7a683f81y516f540e24d87389@mail.gmail.com> > Hi Brian > I very much doubt that this is ceteris paribus. This is 384 random IPs > -> 384 random IP addresses with a flow lookup for each packet. Also, > I've read through igb on Linux - it has a lot of optimizations that > the FreeBSD driver lacks and I have yet to implement. Hey Kip, when will you push the optimization into FreeBSD? Cheers, Brian From bzeeb-lists at lists.zabbadoz.net Sat Jul 12 12:45:07 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Sat Jul 12 12:45:33 2008 Subject: Route messages In-Reply-To: <200807021355.m62Dtpli092002@lava.sentex.ca> References: <4852E23E.2040505@gtcomm.net> <4854EBF1.7020708@FreeBSD.org> <200807010606.m6166jFe084204@lava.sentex.ca> <4869EC1E.8060009@freebsd.org> <20080701084933.W57089@maildrop.int.zabbadoz.net> <20080701092254.T57089@maildrop.int.zabbadoz.net> <486B87DB.3080007@freebsd.org> <200807021355.m62Dtpli092002@lava.sentex.ca> Message-ID: <20080712124250.M57089@maildrop.int.zabbadoz.net> On Wed, 2 Jul 2008, Mike Tancsa wrote: Hi, > It works for me in the lab and on one production machine I patched early this > morning. I just MFCed this to 7-STABLE. So if you update your trees make sure you have rev. 1.332.2.3 of ip_input.c. /bz >>> Index: sys/netinet/ip_input.c >>> =================================================================== >>> RCS file: /shared/mirror/FreeBSD/r/ncvs/src/sys/netinet/ip_input.c,v >>> retrieving revision 1.332.2.2 >>> diff -u -p -r1.332.2.2 ip_input.c >>> --- sys/netinet/ip_input.c 22 Apr 2008 12:02:55 -0000 1.332.2.2 >>> +++ sys/netinet/ip_input.c 1 Jul 2008 09:23:08 -0000 >>> @@ -1363,7 +1363,6 @@ ip_forward(struct mbuf *m, int srcrt) >>> * the ICMP_UNREACH_NEEDFRAG "Next-Hop MTU" field described in >>> RFC1191. >>> */ >>> bzero(&ro, sizeof(ro)); >>> - rtalloc_ign(&ro, RTF_CLONING); >>> error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL); -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From gavin at FreeBSD.org Sun Jul 13 17:11:00 2008 From: gavin at FreeBSD.org (gavin@FreeBSD.org) Date: Sun Jul 13 17:11:07 2008 Subject: kern/125181: [ndis] [patch] with wep enters kdb.enter.unknown, panics Message-ID: <200807131711.m6DHB0ni082660@freefall.freebsd.org> Old Synopsis: [ndis] with wep enters kdb.enter.unknown, panics New Synopsis: [ndis] [patch] with wep enters kdb.enter.unknown, panics State-Changed-From-To: feedback->open State-Changed-By: gavin State-Changed-When: Sun Jul 13 17:06:03 UTC 2008 State-Changed-Why: Over to maintainers for evaluation Responsible-Changed-From-To: gavin->freebsd-net Responsible-Changed-By: gavin Responsible-Changed-When: Sun Jul 13 17:06:03 UTC 2008 Responsible-Changed-Why: Submitter reports my patch fixes things for him http://www.freebsd.org/cgi/query-pr.cgi?pr=125181 From bugmaster at FreeBSD.org Mon Jul 14 11:07:02 2008 From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Jul 14 11:08:24 2008 Subject: Current problem reports assigned to freebsd-net@FreeBSD.org Message-ID: <200807141107.m6EB72wk014490@freefall.freebsd.org> Current FreeBSD problem reports Critical problems Serious problems S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/27474 net [ipf] [ppp] Interactive use of user PPP and ipfilter c o kern/35442 net [sis] [patch] Problem transmitting runts in if_sis dri a kern/38554 net changing interface ipaddress doesn't seem to work s kern/39937 net ipstealth issue s kern/77195 net [ipf] [patch] ipfilter ioctl SIOCGNATL does not match o kern/79895 net [ipf] 5.4-RC2 breaks ipfilter NAT when using netgraph s kern/81147 net [net] [patch] em0 reinitialization while adding aliase o kern/86103 net [ipf] Illegal NAT Traversal in IPFilter s kern/86920 net [ndis] ifconfig: SIOCS80211: Invalid argument [regress o kern/87521 net [ipf] [panic] using ipfilter "auth" keyword leads to k o kern/92090 net [bge] bge0: watchdog timeout -- resetting f kern/92552 net A serious bug in most network drivers from 5.X to 6.X o kern/95288 net [pppd] [tty] [panic] if_ppp panic in sys/kern/tty_subr o kern/98978 net [ipf] [patch] ipfilter drops OOW packets under 6.1-Rel o kern/101948 net [ipf] [panic] Kernel Panic Trap No 12 Page Fault - cau f kern/102344 net [ipf] Some packets do not pass through network interfa o bin/105925 net problems with ifconfig(8) and vlan(4) [regression] s kern/105943 net Network stack may modify read-only mbuf chain copies o kern/106316 net [dummynet] dummynet with multipass ipfw drops packets o kern/106438 net [ipf] ipfilter: keep state does not seem to allow repl o kern/108542 net [bce]: Huge network latencies with 6.2-RELEASE / STABL o bin/108895 net pppd(8): PPPoE dead connections on 6.2 [regression] o kern/109308 net [pppd] [panic] Multiple panics kernel ppp suspected [r o kern/109733 net [bge] bge link state issues [regression] o kern/112528 net [nfs] NFS over TCP under load hangs with "impossible p o kern/112686 net [patm] patm driver freezes System (FreeBSD 6.2-p4) i38 o kern/112722 net [udp] IP v4 udp fragmented packet reject o kern/113842 net [ip6] PF_INET6 proto domain state can't be cleared wit o kern/114714 net [gre][patch] gre(4) is not MPSAFE and does not support o kern/114839 net [fxp] fxp looses ability to speak with traffic o kern/115239 net [ipnat] panic with 'kmem_map too small' using ipnat o kern/116077 net [ip] [patch] 6.2-STABLE panic during use of multi-cast o kern/116185 net [iwi] if_iwi driver leads system to reboot o kern/116328 net [bge]: Solid hang with bge interface o kern/116747 net [ndis] FreeBSD 7.0-CURRENT crash with Dell TrueMobile o kern/116837 net [tun] [panic] [patch] ifconfig tunX destroy: panic o kern/117043 net [em] Intel PWLA8492MT Dual-Port Network adapter EEPROM o kern/117271 net [tap] OpenVPN TAP uses 99% CPU on releng_6 when if_tap o kern/117423 net [vlan] Duplicate IP on different interfaces o kern/117448 net [carp] 6.2 kernel crash [regression] o kern/118880 net [ip6] IP_RECVDSTADDR & IP_SENDSRCADDR not implemented o kern/119225 net [wi] 7.0-RC1 no carrier with Prism 2.5 wifi card [regr o kern/119345 net [ath] Unsuported Atheros 5424/2424 and CPU speedstep n o kern/119361 net [bge] bge(4) transmit performance problem o kern/119945 net [rum] [panic] rum device in hostap mode, cause kernel o kern/120130 net [carp] [panic] carp causes kernel panics in any conste o kern/120266 net [panic] gnugk causes kernel panic when closing UDP soc o kern/120304 net [netgraph] [patch] netgraph source assumes 32-bit time o kern/120966 net [rum] kernel panic with if_rum and WPA encryption o kern/121080 net [bge] IPv6 NUD problem on multi address config on bge0 o kern/121181 net [panic] Fatal trap 3: breakpoint instruction fault whi o kern/121298 net [em] [panic] Fatal trap 12: page fault while in kernel o kern/121437 net [vlan] Routing to layer-2 address does not work on VLA o kern/121555 net [panic] Fatal trap 12: current process = 12 (swi1: net o kern/121624 net [em] [regression] Intel em WOL fails after upgrade to o kern/121872 net [wpi] driver fails to attach on a fujitsu-siemens s711 o kern/121983 net [fxp] fxp0 MBUF and PAE o kern/122033 net [ral] [lor] Lock order reversal in ral0 at bootup [reg o kern/122058 net [em] [panic] Panic on em1: taskq o kern/122082 net [in_pcb] NULL pointer dereference in in_pcbdrop o kern/122195 net [ed] Alignment problems in if_ed f kern/122252 net [ipmi] [bge] IPMI problem with BCM5704 (does not work o kern/122290 net [netgraph] [panic] Netgraph related "kmem_map too smal o kern/122427 net [apm] [panic] apm and mDNSResponder cause panic during o kern/122551 net [bge] Broadcom 5715S no carrier on HP BL460c blade usi o kern/122685 net It is not visible passing packets in tcpdump o kern/122743 net [panic] vm_page_unwire: invalid wire count: 0 o kern/122772 net [em] em0 taskq panic, tcp reassembly bug causes radix f kern/122794 net [lagg] Kernel panic after brings lagg(8) up if NICs ar f conf/122858 net [nsswitch.conf] nsswitch in 7.0 is f*cked up o kern/122954 net [lagg] IPv6 EUI64 incorrectly chosen for lagg devices o kern/122989 net [swi] [panic] 6.3 kernel panic in swi1: net o kern/123066 net [ipsec] [panic] kernel trap with ipsec o kern/123160 net [ip] Panic and reboot at sysctl kern.polling.enable=0 f kern/123172 net [bce] Watchdog timeout problems with if_bce f kern/123200 net [netgraph] Server failure due to netgraph mpd and dhcp o conf/123330 net [nsswitch.conf] Enabling samba wins in nsswitch.conf c o kern/123347 net [bge] bge1: watchdog timeout -- linkstate changed to D o kern/123429 net [nfe] [hang] "ifconfig nfe up" causes a hard system lo o kern/123463 net [ipsec] [panic] repeatable crash related to ipsec-tool o bin/123465 net [ip6] route(8): route add -inet6 -interfac o kern/123559 net [iwi] iwi periodically disassociates/associates [regre o kern/123603 net [tcp] tcp_do_segment and Received duplicate SYN o kern/123617 net [tcp] breaking connection when client downloading file o bin/123633 net ifconfig(8) doesn't set inet and ether address in one o kern/123796 net [ipf] FreeBSD 6.1+VPN+ipnat+ipf: port mapping does not o kern/123881 net [tcp] Turning on TCP blackholing causes slow localhost o kern/123968 net [rum] [panic] rum driver causes kernel panic with WPA. o kern/124021 net [ip6] [panic] page fault in nd6_output() o kern/124127 net [msk] watchdog timeout (missed Tx interrupts) -- recov o kern/124753 net [ieee80211] net80211 discards power-save queue packets o kern/124904 net [fxp] EEPROM corruption with Compaq NC3163 NIC o kern/125079 net [ppp] host routes added by ppp with gateway flag (regr f kern/125195 net [fxp] fxp(4) driver failed to initialize device Intel o kern/125442 net [carp][lagg] CARP combined with LAGG causes system pan 95 problems total. Non-critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- o conf/23063 net [PATCH] for static ARP tables in rc.network o kern/34665 net [ipf] [hang] ipfilter rcmd proxy "hangs". s bin/41647 net ifconfig(8) doesn't accept lladdr along with inet addr o kern/54383 net [nfs] [patch] NFS root configurations without dynamic s kern/60293 net FreeBSD arp poison patch o kern/64556 net [sis] if_sis short cable fix problems with NetGear FA3 o kern/70904 net [ipf] ipfilter ipnat problem with h323 proxy support o kern/77273 net [ipf] ipfilter breaks ipv6 statefull filtering on 5.3 o kern/77913 net [wi] [patch] Add the APDL-325 WLAN pccard to wi(4) o kern/78090 net [ipf] ipf filtering on bridged packets doesn't work if o bin/79228 net [patch] extend arp(8) to be able to create blackhole r o kern/91594 net [em] FreeBSD > 5.4 w/ACPI fails to detect Intel Pro/10 s kern/91777 net [ipf] [patch] wrong behaviour with skip rule inside an o kern/93378 net [tcp] Slow data transfer in Postfix and Cyrus IMAP (wo o kern/95267 net packet drops periodically appear o kern/95277 net [netinet] [patch] IP Encapsulation mask_match() return o kern/100519 net [netisr] suggestion to fix suboptimal network polling o kern/102035 net [plip] plip networking disables parallel port printing o conf/102502 net [patch] ifconfig name does't rename netgraph node in n o conf/107035 net [patch] bridge interface given in rc.conf not taking a o kern/109470 net [wi] Orinoco Classic Gold PC Card Can't Channel Hop o kern/112179 net [sis] [patch] sis driver for natsemi DP83815D autonego o bin/112557 net [patch] ppp(8) lock file should not use symlink name o kern/114915 net [patch] [pcn] pcn (sys/pci/if_pcn.c) ethernet driver f o bin/116643 net [patch] [request] fstat(1): add INET/INET6 socket deta o bin/117339 net [patch] route(8): loading routing management commands o kern/118727 net [netgraph] [patch] [request] add new ng_pf module a kern/118879 net [bge] [patch] bge has checksum problems on the 5703 ch o bin/118987 net ifconfig(8): ifconfig -l (address_family) does not wor o kern/119432 net [arp] route add -host -iface causes arp e f kern/119516 net [ip6] [panic] _mtx_lock_sleep: recursed on non-recursi o kern/119617 net [nfs] nfs error on wpa network when reseting/shutdown o kern/119791 net [nfs] UDP NFS mount of aliased IP addresses from a Sol o kern/120232 net [nfe] [patch] Bring in nfe(4) to RELENG_6 o kern/120566 net [request]: ifconfig(8) make order of arguments more fr o kern/121257 net [tcp] TSO + natd -> slow outgoing tcp traffic o kern/121443 net [gif] LOR icmp6_input/nd6_lookup o kern/121706 net [netinet] [patch] "rtfree: 0xc4383870 has 1 refs" emit s kern/121774 net [swi] [panic] 6.3 kernel panic in swi1: net o kern/122068 net [ppp] ppp can not set the correct interface with pptpd o kern/122295 net [bge] bge Ierr rate increase (since 6.0R) [regression] o kern/122319 net [wi] imposible to enable ad-hoc demo mode with Orinoco o kern/122697 net [ath] Atheros card is not well supported o kern/122780 net [lagg] tcpdump on lagg interface during high pps wedge f kern/122839 net [multicast] FreeBSD 7 multicast routing problem o kern/122928 net [em] interface watchdog timeouts and stops receiving p o kern/123892 net [tap] [patch] No buffer space available p kern/123961 net [vr] [patch] Allow vr interface to handle vlans o bin/124004 net ifconfig(8): Cannot assign both an IP and a MAC addres o kern/124160 net [libc] connect(2) function loops indefinitely o kern/124341 net [ral] promiscuous mode for wireless device ral0 looses o kern/124609 net [ipsec] [panic] ipsec 'remainder too big' panic with p o kern/124767 net [iwi] Wireless connection using iwi0 driver (Intel 220 o kern/125003 net [gif] incorrect EtherIP header format. o kern/125181 net [ndis] [patch] with wep enters kdb.enter.unknown, pani o kern/125239 net [gre] kernel crash when using gre o kern/125258 net [socket] socket's SO_REUSEADDR option does not work f kern/125502 net [ral] ifconfig ral0 scan produces no output unless in 58 problems total. From brde at optusnet.com.au Mon Jul 14 12:35:04 2008 From: brde at optusnet.com.au (Bruce Evans) Date: Mon Jul 14 12:35:11 2008 Subject: Freebsd IP Forwarding performance (question, and some info) [7-stable, current, em, smp] In-Reply-To: <20080707142018.U63144@fledge.watson.org> References: <4867420D.7090406@gtcomm.net> <486A7E45.3030902@gtcomm.net> <486A8F24.5010000@gtcomm.net> <486A9A0E.6060308@elischer.org> <486B41D5.3060609@gtcomm.net> <486B4F11.6040906@gtcomm.net> <486BC7F5.5070604@gtcomm.net> <20080703160540.W6369@delplex.bde.org> <486C7F93.7010308@gtcomm.net> <20080703195521.O6973@delplex.bde.org> <486D35A0.4000302@gtcomm.net> <486DF1A3.9000409@gtcomm.net> <486E65E6.3060301@gtcomm.net> <4871DB8E.5070903@freebsd.org> <20080707191918.B4703@besplex.bde.org> <4871FB66.1060406@freebsd.org> <20080707213356.G7572@besplex.bde.org> <20080707134036.S63144@fledge.watson.org> <20080707224659.B7844@besplex.bde.org> <20080707142018.U63144@fledge.watson.org> Message-ID: <20080714212912.D885@besplex.bde.org> On Mon, 7 Jul 2008, Robert Watson wrote: > On Mon, 7 Jul 2008, Bruce Evans wrote: > >>> (1) sendto() to a specific address and port on a socket that has been >>> bound to >>> INADDR_ANY and a specific port. >>> >>> (2) sendto() on a specific address and port on a socket that has been >>> bound to >>> a specific IP address (not INADDR_ANY) and a specific port. >>> >>> (3) send() on a socket that has been connect()'d to a specific IP address >>> and >>> a specific port, and bound to INADDR_ANY and a specific port. >>> >>> (4) send() on a socket that has been connect()'d to a specific IP address >>> and a specific port, and bound to a specific IP address (not >>> INADDR_ANY) >>> and a specific port. >>> >>> The last of these should really be quite a bit faster than the first of >>> these, but I'd be interested in seeing specific measurements for each if >>> that's possible! >> >> Not sure if I understand networking well enough to set these up quickly. >> Does netrate use one of (3) or (4) now? > > (3) and (4) are effectively the same thing, I think, since connect(2) should > force the selection of a source IP address, but I think it's not a bad idea > to confirm that. :-) > > The structure of the desired micro-benchmark here is basically: > ... I hacked netblast.c to do this: % --- /usr/src/tools/tools/netrate/netblast/netblast.c Fri Dec 16 17:02:44 2005 % +++ netblast.c Mon Jul 14 21:26:52 2008 % @@ -44,9 +44,11 @@ % { % % - fprintf(stderr, "netblast [ip] [port] [payloadsize] [duration]\n"); % - exit(-1); % + fprintf(stderr, "netblast ip port payloadsize duration bind connect\n"); % + exit(1); % } % % +static int gconnected; % static int global_stop_flag; % +static struct sockaddr_in *gsin; % % static void % @@ -116,6 +118,13 @@ % counter++; % } % - if (send(s, packet, packet_len, 0) < 0) % + if (gconnected && send(s, packet, packet_len, 0) < 0) { % send_errors++; % + usleep(1000); % + } % + if (!gconnected && sendto(s, packet, packet_len, 0, % + (struct sockaddr *)gsin, sizeof(*gsin)) < 0) { % + send_errors++; % + usleep(1000); % + } % send_calls++; % } % @@ -146,9 +155,10 @@ % struct sockaddr_in sin; % char *dummy, *packet; % - int s; % + int bind_desired, connect_desired, s; % % - if (argc != 5) % + if (argc != 7) % usage(); % % + gsin = &sin; % bzero(&sin, sizeof(sin)); % sin.sin_len = sizeof(sin); % @@ -176,4 +186,7 @@ % usage(); % % + bind_desired = (strcmp(argv[5], "b") == 0); % + connect_desired = (strcmp(argv[6], "c") == 0); % + % packet = malloc(payloadsize); % if (packet == NULL) { % @@ -189,7 +202,19 @@ % } % % - if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) { % - perror("connect"); % - return (-1); % + if (bind_desired) { % + struct sockaddr_in osin; % + % + osin = sin; % + if (inet_aton("0", &sin.sin_addr) == 0) % + perror("inet_aton(0)"); % + if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) % + err(-1, "bind"); % + sin = osin; % + } % + % + if (connect_desired) { % + if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) % + err(-1, "connect"); % + gconnected = 1; % } % This also fixes some bugs in usage() (bogus [] around non-optional args and bogus exit code) and adds a sleep after send failure. Without the sleep, netblast distorts the measurements by taking 100% CPU. This depends on kernel queues having enough buffering to not run dry during the sleep time (rounded up to a tick boundary). I use ifq_maxlen = DRIVER_TX_RING_CNT + imax(2 * tick / 4, 10000) = 10512 for DRIVER = bge and HZ = 100. This is actually wrong now. The magic 2 is to round up to a tick boundary and the magic 4 is for bge taking a minimum of 4 usec per packet on old hadware, but bge actually takes about 1.5 usec on the test hardware and I'd like it to take 0.66 usec. The queues rarely run dry in practice, but running dry just a few times for a few msec each would explain some anomalies. Old SGI ttcp uses a select timeout of 18 msec here. nttcp and netsend use more sophisticated methods that don't work unless HZ is too small. It's just impossible for a program to schedule its sleeps with a fine enough resolution to ensure waking up before the queue runs dry, unless HZ is too small or the queue is too large. select() for writing doesn't work for the queue part of socket i/o. Results: ~5.2 sendto (1): 630 kpps 98% CPU 11 cm/p (cache misses/packet (min)) -cur sendto: 590 kpps 100% CPU 10 cm/p (July 8 -current) (2): no significant difference - see below ~5.2 send (3): 620 kpps 75% CPU 9.5 cm/p -cur send: 520 kpps 60% CPU 8 cm/p (4): no significant difference - see below send() has lower CPU overheads as expected. For some reason, send() gets lower throughput than sendto(). I think the reason is just that the queue runs dry due to the lower CPU overhead making it possible for the userland sender to outrun the hardware -- userland sees more ENOBUFS and sleeps more often, so it sometimes sleeps too long due to my out of date hack for increasing the queue length. For some reason, this affects -current much more than ~5.2 (the bge drivers in each have lots of modifications which are supposed to be equivalent here). Probably the same reason. sendto() still 5-10% higher overhead in -current than in ~5.2 and runs out of CPU. It runs out under ~5.2 testing ttcp too. > If you look at the design of the higher performance UDP applications, they > will generally bind a specific IP (perhaps every IP on the host with its own > socket), and if they do sustained communication to a specific endpoint they > will use connect(2) rather than providing an address for each send(2) system > call to the kernel. I couldn't see any effect from binding. I'm only testing sending, and it doesn't seem to be possible to bind to anything except local addresses (0.0.0.0, the NIC's address and 127.0.0.1) but these seem to be equivalent (with no extra work for translation on every packet?) and seem to be used by default anyway. In the above, sin.sin_addr has to be set to the receiver's ip from the command line (else it defaults to a local address), and the above temporarily sets it back to 0.0.0.0 so as to use the same sin for the local bind()). > udp_output(2) makes the trade-offs there fairly clear: with the most recent > rev, the optimal case is one connect(2) has been called, allowing a single > inpcb read lock and no global data structure access, vs. an application > calling sendto(2) for each system call and the local binding remaining > INADDR_ANY. Middle ground applications, such as named(8) will force a local > binding using bind(2), but then still have to pass an address to each > sendto(2). In the future, this case will be further optimized in our code by > using a global read lock rather than a global write lock: we have to check > for collisions, but we don't actually have to reserve the new 4-tuple for the > UDP socket as it's an ephemeral association rather than a connect(2). The July 8 -current should have this rev. Note that I'm not testing SMP or stessing locking, or nontrivial routine tables, or forwarding, and don't plan to. UP with a direct connection is hard enough and short of CPU enough to understand and make efficient. Locking barely shows up in older tests, only partly because it is mostly inline. Bruce From bms at FreeBSD.org Mon Jul 14 13:44:35 2008 From: bms at FreeBSD.org (Bruce M. Simpson) Date: Mon Jul 14 13:44:41 2008 Subject: BPF problems on FreeBSD 7.0 In-Reply-To: <20080711202737.GB27418@icir.org> References: <20080711202737.GB27418@icir.org> Message-ID: <487B5840.3000401@FreeBSD.org> Robin Sommer wrote: > Hi all, > > we're seeing some strange effects with our libpcap-based application > (the Bro network intrusion detection system) on a FreeBSD 7-RELEASE > system. As the application has always been running fine on 6.x, > we're wondering whether this might be triggered by any of the > changes that went into 7. > ... > I'm wondering whether anybody here has seen something similar or > might have an idea where to start looking for the cause. Any ideas? > One place to start might be: netstat -B output in 7.x (I *think* this got MFCed), this will let us see what the drop count is for the Bro process, and what the flags are for the open BPF descriptors in the system. I'm not hot on current BPF internals, but I hazard a guess this is related to BPF descriptor buffering -- an area where there have been changes, some of which I've eyeballed. cheers BMS From gnn at FreeBSD.org Mon Jul 14 17:42:46 2008 From: gnn at FreeBSD.org (gnn@FreeBSD.org) Date: Mon Jul 14 17:42:53 2008 Subject: What's the deal with hardware checksum and net.inet.udp.checksum? In-Reply-To: <20080710220201.K34050@fledge.watson.org> References: <20080710114028.T34050@fledge.watson.org> <20080710220201.K34050@fledge.watson.org> Message-ID: Ahhhh, thanks, George From gnn at freebsd.org Mon Jul 14 21:45:56 2008 From: gnn at freebsd.org (gnn@freebsd.org) Date: Mon Jul 14 21:46:02 2008 Subject: igb doesn't compile in STABLE? Message-ID: Howdy, As of today, this afternoon, I see the following: linking kernel.debug e1000_api.o(.text+0xad9): In function `e1000_setup_init_funcs': ../../../dev/em/e1000_api.c:343: undefined reference to `e1000_init_function_pointers_80003es2lan' e1000_api.o(.text+0xae8):../../../dev/em/e1000_api.c:340: undefined reference to `e1000_init_function_pointers_82571' e1000_api.o(.text+0xafa):../../../dev/em/e1000_api.c:334: undefined reference to `e1000_init_function_pointers_82541' e1000_api.o(.text+0xb0c):../../../dev/em/e1000_api.c:328: undefined reference to `e1000_init_function_pointers_82540' e1000_api.o(.text+0xb1e):../../../dev/em/e1000_api.c:321: undefined reference to `e1000_init_function_pointers_82543' e1000_api.o(.text+0xb30):../../../dev/em/e1000_api.c:316: undefined reference to `e1000_init_function_pointers_82542' e1000_ich8lan.o(.text+0x98c): In function `e1000_valid_nvm_bank_detect_ich8lan': ../../../dev/em/e1000_ich8lan.c:1032: undefined reference to `e1000_translate_register_82542' e1000_ich8lan.o(.text+0xc32): In function `e1000_acquire_swflag_ich8lan': ../../../dev/em/e1000_ich8lan.c:424: undefined reference to `e1000_translate_register_82542' e1000_ich8lan.o(.text+0xc6e):../../../dev/em/e1000_ich8lan.c:426: undefined reference to `e1000_translate_register_82542' e1000_ich8lan.o(.text+0xc9d):../../../dev/em/e1000_ich8lan.c:422: undefined reference to `e1000_translate_register_82542' e1000_ich8lan.o(.text+0xced):../../../dev/em/e1000_ich8lan.c:436: undefined reference to `e1000_translate_register_82542' e1000_ich8lan.o(.text+0x16bf):../../../dev/em/e1000_ich8lan.c:2700: more undefined references to `e1000_translate_register_82542' follow *** Error code 1 Thoughts? Later, George From jfvogel at gmail.com Mon Jul 14 22:17:37 2008 From: jfvogel at gmail.com (Jack Vogel) Date: Mon Jul 14 22:17:45 2008 Subject: igb doesn't compile in STABLE? In-Reply-To: References: Message-ID: <2a41acea0807141453s7235d894i31a744a0f673fcc0@mail.gmail.com> Just guessing, did someone change conf/files maybe?? Jack On Mon, Jul 14, 2008 at 2:44 PM, wrote: > Howdy, > > As of today, this afternoon, I see the following: > > linking kernel.debug > e1000_api.o(.text+0xad9): In function `e1000_setup_init_funcs': > ../../../dev/em/e1000_api.c:343: undefined reference to `e1000_init_function_pointers_80003es2lan' > e1000_api.o(.text+0xae8):../../../dev/em/e1000_api.c:340: undefined reference to `e1000_init_function_pointers_82571' > e1000_api.o(.text+0xafa):../../../dev/em/e1000_api.c:334: undefined reference to `e1000_init_function_pointers_82541' > e1000_api.o(.text+0xb0c):../../../dev/em/e1000_api.c:328: undefined reference to `e1000_init_function_pointers_82540' > e1000_api.o(.text+0xb1e):../../../dev/em/e1000_api.c:321: undefined reference to `e1000_init_function_pointers_82543' > e1000_api.o(.text+0xb30):../../../dev/em/e1000_api.c:316: undefined reference to `e1000_init_function_pointers_82542' > e1000_ich8lan.o(.text+0x98c): In function `e1000_valid_nvm_bank_detect_ich8lan': > ../../../dev/em/e1000_ich8lan.c:1032: undefined reference to `e1000_translate_register_82542' > e1000_ich8lan.o(.text+0xc32): In function `e1000_acquire_swflag_ich8lan': > ../../../dev/em/e1000_ich8lan.c:424: undefined reference to `e1000_translate_register_82542' > e1000_ich8lan.o(.text+0xc6e):../../../dev/em/e1000_ich8lan.c:426: undefined reference to `e1000_translate_register_82542' > e1000_ich8lan.o(.text+0xc9d):../../../dev/em/e1000_ich8lan.c:422: undefined reference to `e1000_translate_register_82542' > e1000_ich8lan.o(.text+0xced):../../../dev/em/e1000_ich8lan.c:436: undefined reference to `e1000_translate_register_82542' > e1000_ich8lan.o(.text+0x16bf):../../../dev/em/e1000_ich8lan.c:2700: more undefined references to `e1000_translate_register_82542' follow > *** Error code 1 > > > Thoughts? > > Later, > George > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > From freebsdlists at bsdunix.ch Tue Jul 15 12:31:50 2008 From: freebsdlists at bsdunix.ch (Thomas Vogt) Date: Tue Jul 15 12:31:57 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) Message-ID: <487C9457.5080609@bsdunix.ch> Hello Since i updated my FreeBSD 6.3 dns server with the latest bind version in the ports (dns/bind94) my system is flooding my log with "too many open file descriptors" messages. Is there something i can do? Example: Jul 15 12:08:38 intern named[50840]: socket: too many open file descriptors Jul 15 12:09:05 intern last message repeated 68 times sysctl: kern.ipc.somaxconn=4096 kern.ipc.nmbclusters=65536 kern.ipc.maxsockets=204800 net.inet.tcp.sendspace=65535 net.inet.tcp.recvspace=65535 net.inet.udp.recvspace=65535 loder.conf userconfig_script_load="YES" kern.maxdsiz="900M" net.inet.tcp.syncache.hashsize=1024 net.inet.tcp.syncache.bucketlimit=100 System: FreeBSD intern.lan 6.3-RELEASE-p2 FreeBSD 6.3-RELEASE-p2 #4: Fri May 16 11:40:24 UTC 2008 root@intern.lan:/usr/obj/usr/src/sys/UP6 i386 netstat -m 517/773/1290 mbufs in use (current/cache/total) 513/261/774/65536 mbuf clusters in use (current/cache/total/max) 513/255 mbuf+clusters out of packet secondary zone in use (current/cache) 0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max) 0/0/0/0 9k jumbo clusters in use (current/cache/total/max) 0/0/0/0 16k jumbo clusters in use (current/cache/total/max) 1155K/715K/1870K bytes allocated to network (current/cache/total) 0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters) 0/0/0 requests for jumbo clusters denied (4k/9k/16k) 0/7/6656 sfbufs in use (current/peak/max) 0 requests for sfbufs denied 0 requests for sfbufs delayed 0 requests for I/O initiated by sendfile 105 calls to protocol drain routines Regards, Thomas From kris at FreeBSD.org Tue Jul 15 13:14:25 2008 From: kris at FreeBSD.org (Kris Kennaway) Date: Tue Jul 15 13:14:37 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: <487C9457.5080609@bsdunix.ch> References: <487C9457.5080609@bsdunix.ch> Message-ID: <487CA29F.6080500@FreeBSD.org> Thomas Vogt wrote: > Hello > > Since i updated my FreeBSD 6.3 dns server with the latest bind version > in the ports (dns/bind94) my system is flooding my log with "too many > open file descriptors" messages. > > Is there something i can do? > > Example: > Jul 15 12:08:38 intern named[50840]: socket: too many open file descriptors > Jul 15 12:09:05 intern last message repeated 68 times Is this a busy name server handling thousands of queries per second? If so, the solution, perhaps not surprisingly, is to increase the number of file descriptors :) kern.maxfiles: 12328 kern.maxfilesperproc: 11095 Kris From gnn at freebsd.org Tue Jul 15 17:04:25 2008 From: gnn at freebsd.org (gnn@freebsd.org) Date: Tue Jul 15 17:04:32 2008 Subject: igb doesn't compile in STABLE? In-Reply-To: <2a41acea0807141453s7235d894i31a744a0f673fcc0@mail.gmail.com> References: <2a41acea0807141453s7235d894i31a744a0f673fcc0@mail.gmail.com> Message-ID: At Mon, 14 Jul 2008 14:53:16 -0700, Jack Vogel wrote: > > Just guessing, did someone change conf/files maybe?? > If you build a STABLE kernel with igb AND em then things work and the kernel uses em. I'm not sure which thing needs to be changed in conf/files or otherwise though. Later, George From jfvogel at gmail.com Tue Jul 15 17:07:24 2008 From: jfvogel at gmail.com (Jack Vogel) Date: Tue Jul 15 17:07:35 2008 Subject: igb doesn't compile in STABLE? In-Reply-To: References: <2a41acea0807141453s7235d894i31a744a0f673fcc0@mail.gmail.com> Message-ID: <2a41acea0807151007q29a783c4r2ae63c5a631952ba@mail.gmail.com> Oh, so the problem is if igb alone is defined? On Tue, Jul 15, 2008 at 10:04 AM, wrote: > At Mon, 14 Jul 2008 14:53:16 -0700, > Jack Vogel wrote: >> >> Just guessing, did someone change conf/files maybe?? >> > > If you build a STABLE kernel with igb AND em then things work and the > kernel uses em. > > I'm not sure which thing needs to be changed in conf/files or > otherwise though. > > Later, > George > From gnn at freebsd.org Tue Jul 15 17:32:07 2008 From: gnn at freebsd.org (gnn@freebsd.org) Date: Tue Jul 15 17:32:14 2008 Subject: igb doesn't compile in STABLE? In-Reply-To: <2a41acea0807151007q29a783c4r2ae63c5a631952ba@mail.gmail.com> References: <2a41acea0807141453s7235d894i31a744a0f673fcc0@mail.gmail.com> <2a41acea0807151007q29a783c4r2ae63c5a631952ba@mail.gmail.com> Message-ID: At Tue, 15 Jul 2008 10:07:22 -0700, Jack Vogel wrote: > > Oh, so the problem is if igb alone is defined? > Yes. Best, George From jfvogel at gmail.com Tue Jul 15 17:35:59 2008 From: jfvogel at gmail.com (Jack Vogel) Date: Tue Jul 15 17:36:10 2008 Subject: igb doesn't compile in STABLE? In-Reply-To: References: <2a41acea0807141453s7235d894i31a744a0f673fcc0@mail.gmail.com> <2a41acea0807151007q29a783c4r2ae63c5a631952ba@mail.gmail.com> Message-ID: <2a41acea0807151035w291269abt4ed99989ae45cc8b@mail.gmail.com> OK, will put on my todo list :) On Tue, Jul 15, 2008 at 10:31 AM, wrote: > At Tue, 15 Jul 2008 10:07:22 -0700, > Jack Vogel wrote: >> >> Oh, so the problem is if igb alone is defined? >> > > Yes. > > Best, > George > From Jinmei_Tatuya at isc.org Tue Jul 15 18:12:55 2008 From: Jinmei_Tatuya at isc.org (JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?=) Date: Tue Jul 15 18:13:02 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: <487C9457.5080609@bsdunix.ch> References: <487C9457.5080609@bsdunix.ch> Message-ID: At Tue, 15 Jul 2008 14:13:11 +0200, Thomas Vogt wrote: > Since i updated my FreeBSD 6.3 dns server with the latest bind version > in the ports (dns/bind94) my system is flooding my log with "too many > open file descriptors" messages. > > Is there something i can do? How many sockets is named actually using while it makes this log message? Try, e.g, % sockstat | grep named | wc -l --- JINMEI, Tatuya Internet Systems Consortium, Inc. From freebsdlists at bsdunix.ch Tue Jul 15 20:54:15 2008 From: freebsdlists at bsdunix.ch (Thomas Vogt) Date: Tue Jul 15 20:54:22 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: References: <487C9457.5080609@bsdunix.ch> Message-ID: <2A7CBD67-7532-4B13-82DD-A6EF5DEAA6BD@bsdunix.ch> Hello Am 15.07.2008 um 20:12 schrieb JINMEI Tatuya / ????: > At Tue, 15 Jul 2008 14:13:11 +0200, > Thomas Vogt wrote: > >> Since i updated my FreeBSD 6.3 dns server with the latest bind >> version >> in the ports (dns/bind94) my system is flooding my log with "too many >> open file descriptors" messages. >> >> Is there something i can do? > > How many sockets is named actually using while it makes this log > message? Try, e.g, > % sockstat | grep named | wc -l Not that many: sockstat | grep named | wc -l 996 Regards, Thomas Thomas Vogt From Jinmei_Tatuya at isc.org Tue Jul 15 20:59:07 2008 From: Jinmei_Tatuya at isc.org (JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?=) Date: Tue Jul 15 20:59:14 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: <2A7CBD67-7532-4B13-82DD-A6EF5DEAA6BD@bsdunix.ch> References: <487C9457.5080609@bsdunix.ch> <2A7CBD67-7532-4B13-82DD-A6EF5DEAA6BD@bsdunix.ch> Message-ID: At Tue, 15 Jul 2008 22:54:11 +0200, Thomas Vogt wrote: > >> Since i updated my FreeBSD 6.3 dns server with the latest bind > >> version > >> in the ports (dns/bind94) my system is flooding my log with "too many > >> open file descriptors" messages. > >> > >> Is there something i can do? > > > > How many sockets is named actually using while it makes this log > > message? Try, e.g, > > % sockstat | grep named | wc -l > > Not that many: > sockstat | grep named | wc -l > 996 Ah, it's actually quite a lot in this context:-) If that's regularly happening, I'm afraid recent P1 versions don't handle that well, and recommend you try 9.4.3b2 ore 9.5.1b1. --- JINMEI, Tatuya Internet Systems Consortium, Inc. From kris at FreeBSD.org Tue Jul 15 21:09:28 2008 From: kris at FreeBSD.org (Kris Kennaway) Date: Tue Jul 15 21:09:35 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: References: <487C9457.5080609@bsdunix.ch> <2A7CBD67-7532-4B13-82DD-A6EF5DEAA6BD@bsdunix.ch> Message-ID: <487D120A.6010001@FreeBSD.org> JINMEI Tatuya / ???? wrote: > At Tue, 15 Jul 2008 22:54:11 +0200, > Thomas Vogt wrote: > >>>> Since i updated my FreeBSD 6.3 dns server with the latest bind >>>> version >>>> in the ports (dns/bind94) my system is flooding my log with "too many >>>> open file descriptors" messages. >>>> >>>> Is there something i can do? >>> How many sockets is named actually using while it makes this log >>> message? Try, e.g, >>> % sockstat | grep named | wc -l >> Not that many: >> sockstat | grep named | wc -l >> 996 > > Ah, it's actually quite a lot in this context:-) > > If that's regularly happening, I'm afraid recent P1 versions don't > handle that well, and recommend you try 9.4.3b2 ore 9.5.1b1. Or increase the number of file descriptors as a workaround, per my email :) Kris From Jinmei_Tatuya at isc.org Tue Jul 15 21:18:41 2008 From: Jinmei_Tatuya at isc.org (JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?=) Date: Tue Jul 15 21:18:48 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: <487D120A.6010001@FreeBSD.org> References: <487C9457.5080609@bsdunix.ch> <2A7CBD67-7532-4B13-82DD-A6EF5DEAA6BD@bsdunix.ch> <487D120A.6010001@FreeBSD.org> Message-ID: At Tue, 15 Jul 2008 23:09:30 +0200, Kris Kennaway wrote: > > If that's regularly happening, I'm afraid recent P1 versions don't > > handle that well, and recommend you try 9.4.3b2 ore 9.5.1b1. > > Or increase the number of file descriptors as a workaround, per my email :) Does FreeBSD allow an application to increase FD_SETSIZE (at its compilation time)? I thought FD_SETSIZE defaults to 1024. Any 9.x.y-P1 versions can only open FD_SETSIZE sockets, regardless of the # FDs limit. Besides, I guess that the P1 versions severely suffer from heavy overhead of select(2) when it regularly opens more than 1000 sockets. Even if 'too many open file' messages are gone, many users won't accept the increased load due to the overhead. Beta versions use kqueue, eliminating the fundamental overhead as well as the (too low) limitation of # of descriptors. --- JINMEI, Tatuya Internet Systems Consortium, Inc. From robin at icir.org Tue Jul 15 21:20:13 2008 From: robin at icir.org (Robin Sommer) Date: Tue Jul 15 21:20:20 2008 Subject: BPF problems on FreeBSD 7.0 In-Reply-To: <487B5840.3000401@FreeBSD.org> References: <20080711202737.GB27418@icir.org> <487B5840.3000401@FreeBSD.org> Message-ID: <20080715212013.GA91123@icir.org> On Mon, Jul 14, 2008 at 14:44 +0100, Bruce M. Simpson wrote: > One place to start might be: netstat -B output in 7.x (I *think* this got > MFCed), this will let us see what the drop count is for the Bro process, > and what the flags are for the open BPF descriptors in the system. Thanks for the suggestion. Here's the netstat -B output at the time it has stalled (after about 6 hours of working normally): Pid Netif Flags Recv Drop Match Sblen Hblen Command 14557 nxge0 p--s--- 2162189525 32514465 42815457 4194248 4194258 bro Top shows: PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 14557 bro 1 -58 0 272M 267M 5 25:53 0.00% bro A few minutes after starting the process, when Bro was still working fine, a netstat -B output was: # netstat -B Pid Netif Flags Recv Drop Match Sblen Hblen Command 14557 nxge0 p--s--- 4779235 0 94967 0 0 bro Thanks, Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin@icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From julian at elischer.org Tue Jul 15 21:27:36 2008 From: julian at elischer.org (Julian Elischer) Date: Tue Jul 15 21:28:00 2008 Subject: BPF problems on FreeBSD 7.0 In-Reply-To: <20080715212013.GA91123@icir.org> References: <20080711202737.GB27418@icir.org> <487B5840.3000401@FreeBSD.org> <20080715212013.GA91123@icir.org> Message-ID: <487D15C7.3040700@elischer.org> Robin Sommer wrote: > On Mon, Jul 14, 2008 at 14:44 +0100, Bruce M. Simpson wrote: > >> One place to start might be: netstat -B output in 7.x (I *think* this got >> MFCed), this will let us see what the drop count is for the Bro process, >> and what the flags are for the open BPF descriptors in the system. > > Thanks for the suggestion. Here's the netstat -B output at the time > it has stalled (after about 6 hours of working normally): > > Pid Netif Flags Recv Drop Match Sblen Hblen Command > 14557 nxge0 p--s--- 2162189525 32514465 42815457 4194248 4194258 br the Recv number is JUST past 2^31. at your rate of receiving packets, it passed that value about 2 minutes before this snapshot was taken.. > > Top shows: > > PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND > 14557 bro 1 -58 0 272M 267M 5 25:53 0.00% bro > > > > A few minutes after starting the process, when Bro was still working > fine, a netstat -B output was: > > # netstat -B > Pid Netif Flags Recv Drop Match Sblen Hblen Command > 14557 nxge0 p--s--- 4779235 0 94967 0 0 bro > > Thanks, > > Robin > From kris at FreeBSD.org Tue Jul 15 21:28:21 2008 From: kris at FreeBSD.org (Kris Kennaway) Date: Tue Jul 15 21:28:39 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: References: <487C9457.5080609@bsdunix.ch> <2A7CBD67-7532-4B13-82DD-A6EF5DEAA6BD@bsdunix.ch> <487D120A.6010001@FreeBSD.org> Message-ID: <487D1677.8010900@FreeBSD.org> JINMEI Tatuya / ???? wrote: > At Tue, 15 Jul 2008 23:09:30 +0200, > Kris Kennaway wrote: > >>> If that's regularly happening, I'm afraid recent P1 versions don't >>> handle that well, and recommend you try 9.4.3b2 ore 9.5.1b1. >> Or increase the number of file descriptors as a workaround, per my email :) > > Does FreeBSD allow an application to increase FD_SETSIZE (at its > compilation time)? I thought FD_SETSIZE defaults to 1024. Any > 9.x.y-P1 versions can only open FD_SETSIZE sockets, regardless of the > # FDs limit. > > Besides, I guess that the P1 versions severely suffer from heavy > overhead of select(2) when it regularly opens more than 1000 sockets. > Even if 'too many open file' messages are gone, many users won't > accept the increased load due to the overhead. Beta versions use > kqueue, eliminating the fundamental overhead as well as the (too low) > limitation of # of descriptors. Ah yes, I hadnt thought about select limitations. Kris From robin at icir.org Tue Jul 15 21:51:21 2008 From: robin at icir.org (Robin Sommer) Date: Tue Jul 15 21:51:27 2008 Subject: BPF problems on FreeBSD 7.0 In-Reply-To: <487D15C7.3040700@elischer.org> References: <20080711202737.GB27418@icir.org> <487B5840.3000401@FreeBSD.org> <20080715212013.GA91123@icir.org> <487D15C7.3040700@elischer.org> Message-ID: <20080715215120.GB92009@icir.org> On Tue, Jul 15, 2008 at 14:25 -0700, you wrote: >> Thanks for the suggestion. Here's the netstat -B output at the time >> it has stalled (after about 6 hours of working normally): [...] > at your rate of receiving packets, it passed that value about > 2 minutes before this snapshot was taken.. Sorry, I wasn't precise: the process stalled after about 6 hours but the netstat output is actually from much later (the next day in fact, because it stalled latet a night) when it was still in that state. Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin@icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bakul at bitblocks.com Tue Jul 15 22:12:33 2008 From: bakul at bitblocks.com (Bakul Shah) Date: Tue Jul 15 22:12:38 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: Your message of "Tue, 15 Jul 2008 14:18:41 PDT." Message-ID: <20080715221231.E087C5B46@mail.bitblocks.com> On Tue, 15 Jul 2008 14:18:41 PDT JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?= wrote: > At Tue, 15 Jul 2008 23:09:30 +0200, > Kris Kennaway wrote: > > > > If that's regularly happening, I'm afraid recent P1 versions don't > > > handle that well, and recommend you try 9.4.3b2 ore 9.5.1b1. > > > > Or increase the number of file descriptors as a workaround, per my email :) > > Does FreeBSD allow an application to increase FD_SETSIZE (at its > compilation time)? I thought FD_SETSIZE defaults to 1024. Any > 9.x.y-P1 versions can only open FD_SETSIZE sockets, regardless of the > # FDs limit. $ cvs log /sys/kern/kern_generic.c ... revision 1.19 date: 1996/08/20 07:17:48; author: smpatel; state: Exp; lines: +43 -15 Remove the kernel FD_SETSIZE limit for select(). ... Unless things have changed, you can completely ignore FD_SETSIZE (& struct fd_set) and decide at runtime how many fds you want in a select read/write set (subject to the openfiles limit). Hmm... things have reverted back.... cvs blame -r1.71 /sys/kern/kern_generic.c # the earliest reversal I can find ... 1.71 (peter 07-Feb-01): * This is kinda bogus. We have fd limi ts, but that doesn't 1.71 (peter 07-Feb-01): * map too well to the size of the pfd[] array. Make sure 1.71 (peter 07-Feb-01): * we let the process use at least FD_SETSIZE entries. 1.71 (peter 07-Feb-01): * The specs say we only have to support OPEN_MAX entries (64). 1.71 (peter 07-Feb-01): */ 1.71 (peter 07-Feb-01): lim = min((int)p->p_rlimit[RLIMIT_NOFILE].rlim_cur, maxfilesperproc); 1.71 (peter 07-Feb-01): lim = min(lim, FD_SETSIZE); 1.71 (peter 07-Feb-01): if (nfds > lim) 1.71 (peter 07-Feb-01): return (EINVAL); Sigh.... This is a mistake. I don't see why a user is not allowed to select on all the fds he can open. The corresponding log indicates perhaps the author didn't know select used to work for # of fds > FD_SETSIZE. revision 1.71 date: 2001/02/07 23:28:01; author: peter; state: Exp; lines: +16 -8 The code I picked up from NetBSD in '97 had a nasty bug. It limited the index of the pollfd array to the number of fd's currently open, not the maximum number of fd's. ie: if you had 0,1,2 open, you could not use pollfd slots higher than 20. The specs say we only have to support OPEN_MAX [64] entries but we allow way more than that. > Besides, I guess that the P1 versions severely suffer from heavy > overhead of select(2) when it regularly opens more than 1000 sockets. > Even if 'too many open file' messages are gone, many users won't > accept the increased load due to the overhead. Beta versions use > kqueue, eliminating the fundamental overhead as well as the (too low) > limitation of # of descriptors. Or more portably you can use poll(2). From Jinmei_Tatuya at isc.org Tue Jul 15 22:39:10 2008 From: Jinmei_Tatuya at isc.org (JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?=) Date: Tue Jul 15 22:39:16 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: <20080715221231.E087C5B46@mail.bitblocks.com> References: <20080715221231.E087C5B46@mail.bitblocks.com> Message-ID: At Tue, 15 Jul 2008 15:12:31 -0700, Bakul Shah wrote: > > Besides, I guess that the P1 versions severely suffer from heavy > > overhead of select(2) when it regularly opens more than 1000 sockets. > > Even if 'too many open file' messages are gone, many users won't > > accept the increased load due to the overhead. Beta versions use > > kqueue, eliminating the fundamental overhead as well as the (too low) > > limitation of # of descriptors. > > Or more portably you can use poll(2). I've not played with poll(2) in BIND9, but as far as I understand it, it doesn't solve the fundamental overhead issue here. For example, the application should examine all possible descriptors even if only a few of them are readable. Anyway, since this is a FreeBSD specific list, I believe we can safely assume the existence of kqueue, unless we are talking about a very old version:-) --- JINMEI, Tatuya Internet Systems Consortium, Inc. From bakul at bitblocks.com Tue Jul 15 23:09:19 2008 From: bakul at bitblocks.com (Bakul Shah) Date: Tue Jul 15 23:09:29 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: Your message of "Tue, 15 Jul 2008 15:39:09 PDT." Message-ID: <20080715230917.DAC3B5B46@mail.bitblocks.com> On Tue, 15 Jul 2008 15:39:09 PDT JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?= wrote: > At Tue, 15 Jul 2008 15:12:31 -0700, > Bakul Shah wrote: > > > > Besides, I guess that the P1 versions severely suffer from heavy > > > overhead of select(2) when it regularly opens more than 1000 sockets. > > > Even if 'too many open file' messages are gone, many users won't > > > accept the increased load due to the overhead. Beta versions use > > > kqueue, eliminating the fundamental overhead as well as the (too low) > > > limitation of # of descriptors. > > > > Or more portably you can use poll(2). > > I've not played with poll(2) in BIND9, but as far as I understand it, > it doesn't solve the fundamental overhead issue here. For example, > the application should examine all possible descriptors even if only a > few of them are readable. IIRC, when poll() returns n, you only look at the first n values in the pollfd array so it is a win when you expect a very small number of fds to be ready. In the select case you have to test the bit array until you see the last ready fd. > Anyway, since this is a FreeBSD specific list, I believe we can safely > assume the existence of kqueue, unless we are talking about a very old > version:-) Presumably kqueue has a lower cpu usage until the system gets loaded at which point polling might win. From julian at elischer.org Tue Jul 15 23:19:15 2008 From: julian at elischer.org (Julian Elischer) Date: Tue Jul 15 23:19:23 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: <20080715230917.DAC3B5B46@mail.bitblocks.com> References: <20080715230917.DAC3B5B46@mail.bitblocks.com> Message-ID: <487D2FF0.7000706@elischer.org> Bakul Shah wrote: > On Tue, 15 Jul 2008 15:39:09 PDT JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?= wrote: >> At Tue, 15 Jul 2008 15:12:31 -0700, >> Bakul Shah wrote: >> >>>> Besides, I guess that the P1 versions severely suffer from heavy >>>> overhead of select(2) when it regularly opens more than 1000 sockets. >>>> Even if 'too many open file' messages are gone, many users won't >>>> accept the increased load due to the overhead. Beta versions use >>>> kqueue, eliminating the fundamental overhead as well as the (too low) >>>> limitation of # of descriptors. >>> Or more portably you can use poll(2). >> I've not played with poll(2) in BIND9, but as far as I understand it, >> it doesn't solve the fundamental overhead issue here. For example, >> the application should examine all possible descriptors even if only a >> few of them are readable. > > IIRC, when poll() returns n, you only look at the first n > values in the pollfd array so it is a win when you expect a > very small number of fds to be ready. In the select case you > have to test the bit array until you see the last ready fd. > >> Anyway, since this is a FreeBSD specific list, I believe we can safely >> assume the existence of kqueue, unless we are talking about a very old >> version:-) > > Presumably kqueue has a lower cpu usage until the system gets > loaded at which point polling might win. I don't think so, since kqueue only runs code associated with events that have actually happened, and then only once until it's processed where las I looked poll had more to do on each call. also kqueue allows you to associate arbitrary identification informnation with each event so you don't have to have extra code to go from the fd to the event.. It's just way more efficient. > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" From Jinmei_Tatuya at isc.org Tue Jul 15 23:37:01 2008 From: Jinmei_Tatuya at isc.org (JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?=) Date: Tue Jul 15 23:37:07 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: <20080715230917.DAC3B5B46@mail.bitblocks.com> References: <20080715230917.DAC3B5B46@mail.bitblocks.com> Message-ID: At Tue, 15 Jul 2008 16:09:17 -0700, Bakul Shah wrote: > IIRC, when poll() returns n, you only look at the first n > values in the pollfd array so it is a win when you expect a > very small number of fds to be ready. In the select case you > have to test the bit array until you see the last ready fd. % uname -a FreeBSD opt1.jinmei.org 7.0-RC1 FreeBSD 7.0-RC1 #0: Fri Jan 25 15:17:04 PST 2008 root@opt1.jinmei.org:/usr/src/sys/amd64/compile/GENERIC_NOSMP amd64 (please ignore "RC1":-) % cat polltest.c (omitted here, see below) % cc -o polltest polltest.c % ./polltest poll returned: 1 999th socket is ready (fd=1002) Perhaps You're probably confused poll(2) with /dev/poll. The latter behaves as you described (but is not portable as poll(2)). --- JINMEI, Tatuya Internet Systems Consortium, Inc. out put of polltest.c #include #include #include #include #include #include #include main() { int i, n; struct pollfd pfds[1000]; struct sockaddr_in sin; socklen_t sin_len; char buf[16]; memset(pfds, 0, sizeof(pfds)); memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_len = sizeof(sin); inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr); for (i = 0; i < 1000; i ++) { if ((pfds[i].fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) { perror("socket"); exit(1); } if (bind(pfds[i].fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) { perror("bind"); exit(1); } pfds[i].events = POLLIN; } sin_len = sizeof(sin); if (getsockname(pfds[999].fd, (struct sockaddr *)&sin, &sin_len) < 0) { perror("getsockname"); exit(1); } if (sendto(pfds[999].fd, buf, sizeof(buf), 0, (struct sockaddr *)&sin, sizeof(sin)) < 0) { perror("sendto"); exit(1); } n = poll(pfds, 1000, -1); printf("poll returned: %d\n", n); for (i = 0; i < 1000; i++) { if ((pfds[i].revents & POLLIN) != 0) { printf("%dth socket is ready (fd=%d)\n", i, pfds[i].fd); } } exit(0); } From peterjeremy at optushome.com.au Tue Jul 15 23:43:15 2008 From: peterjeremy at optushome.com.au (Peter Jeremy) Date: Tue Jul 15 23:43:23 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: <20080715230917.DAC3B5B46@mail.bitblocks.com> References: <20080715230917.DAC3B5B46@mail.bitblocks.com> Message-ID: <20080715234254.GZ62764@server.vk2pj.dyndns.org> On 2008-Jul-15 16:09:17 -0700, Bakul Shah wrote: >IIRC, when poll() returns n, you only look at the first n >values in the pollfd array so it is a win when you expect a >very small number of fds to be ready. In the select case you >have to test the bit array until you see the last ready fd. No. Both poll(2) and select(2) return the number of FDs ready for I/O. You need to scan the pollfd or fd_set array until you find that many FDs ready. poll(2) is a win if you only need to test a small number of FDs compared to the number of FDs that the process has open. In the case of bind, you have a large number of FDs to test, of which you are only expecting a very small number to be ready - if you don't treat fd_set as opaque, select(2) allows you to quickly skip large (roughly wordsize) chunks of un-interesting FDs. Note that, based on sys_generic.c in 7.x and -CURRENT, poll(2) is limited to checking FD_SETSIZE descriptors, whilst select(2) has no upper limit. -- Peter Jeremy Please excuse any delays as the result of my ISP's inability to implement an MTA that is either RFC2821-compliant or matches their claimed behaviour. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20080715/2ab6d294/attachment.pgp From smithi at nimnet.asn.au Wed Jul 16 03:40:48 2008 From: smithi at nimnet.asn.au (Ian Smith) Date: Wed Jul 16 03:40:56 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: <487CA29F.6080500@FreeBSD.org> Message-ID: On Tue, 15 Jul 2008, Kris Kennaway wrote: > Thomas Vogt wrote: > > Hello > > > > Since i updated my FreeBSD 6.3 dns server with the latest bind version > > in the ports (dns/bind94) my system is flooding my log with "too many > > open file descriptors" messages. > > > > Is there something i can do? > > > > Example: > > Jul 15 12:08:38 intern named[50840]: socket: too many open file descriptors > > Jul 15 12:09:05 intern last message repeated 68 times > > Is this a busy name server handling thousands of queries per second? > > If so, the solution, perhaps not surprisingly, is to increase the number > of file descriptors :) > > kern.maxfiles: 12328 > kern.maxfilesperproc: 11095 Can you disclose the magic incantation for those particular numbers? cheers, Ian From alfred at freebsd.org Wed Jul 16 06:10:49 2008 From: alfred at freebsd.org (Alfred Perlstein) Date: Wed Jul 16 06:10:57 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: <20080715234254.GZ62764@server.vk2pj.dyndns.org> References: <20080715230917.DAC3B5B46@mail.bitblocks.com> <20080715234254.GZ62764@server.vk2pj.dyndns.org> Message-ID: <20080716055322.GQ95574@elvis.mu.org> FWIW, the userland scan of the files is not nearly as bad as what happens in the kernel when hundreds or thousands of objects are accessed that blow out the cache, oh and the locking that occurs as well. * Peter Jeremy [080715 16:43] wrote: > On 2008-Jul-15 16:09:17 -0700, Bakul Shah wrote: > >IIRC, when poll() returns n, you only look at the first n > >values in the pollfd array so it is a win when you expect a > >very small number of fds to be ready. In the select case you > >have to test the bit array until you see the last ready fd. > > No. Both poll(2) and select(2) return the number of FDs ready for > I/O. You need to scan the pollfd or fd_set array until you find that > many FDs ready. > > poll(2) is a win if you only need to test a small number of FDs > compared to the number of FDs that the process has open. In the case > of bind, you have a large number of FDs to test, of which you are > only expecting a very small number to be ready - if you don't > treat fd_set as opaque, select(2) allows you to quickly skip large > (roughly wordsize) chunks of un-interesting FDs. > > Note that, based on sys_generic.c in 7.x and -CURRENT, poll(2) is > limited to checking FD_SETSIZE descriptors, whilst select(2) has > no upper limit. > > -- > Peter Jeremy > Please excuse any delays as the result of my ISP's inability to implement > an MTA that is either RFC2821-compliant or matches their claimed behaviour. -- - Alfred Perlstein From bakul at bitblocks.com Wed Jul 16 07:19:26 2008 From: bakul at bitblocks.com (Bakul Shah) Date: Wed Jul 16 07:19:32 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: Your message of "Tue, 15 Jul 2008 16:37:00 PDT." Message-ID: <20080716071925.2F8145B4D@mail.bitblocks.com> On Tue, 15 Jul 2008 16:37:00 PDT JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?= wrote: > > Perhaps You're probably confused poll(2) with /dev/poll. The latter > behaves as you described (but is not portable as poll(2)). Indeed I am confused. Not sure where I got that idea. On Tue, 15 Jul 2008 16:17:04 PDT Julian Elischer wrote: > Bakul Shah wrote: > > ... > > Presumably kqueue has a lower cpu usage until the system gets > > loaded at which point polling might win. > > I don't think so, since kqueue only runs code associated with events > that have actually happened, and then only once until it's processed > where las I looked poll had more to do on each call. Yes. poll/select overhead of scanning the entire list is incurred on each system call + the kernel overhead (as Alfred pointed out later). On Wed, 16 Jul 2008 09:42:54 +1000 Peter Jeremy wrote: > Note that, based on sys_generic.c in 7.x and -CURRENT, poll(2) is > limited to checking FD_SETSIZE descriptors, whilst select(2) has > no upper limit. I strike out here as well. I should've read the code much more carefully or tested select() before opening my mouth. All in all it was not a good idea to post anything. My apologies for wasting everyone's time. And thanks all for correcting me without any flaming! From eitans at mellanox.co.il Wed Jul 16 08:08:56 2008 From: eitans at mellanox.co.il (Eitan Shefi) Date: Wed Jul 16 08:09:04 2008 Subject: "ping" with packets larger then 25152 bytes fails. Message-ID: <5D49E7A8952DC44FB38C38FA0D758EAD196E6F@mtlexch01.mtl.com> When I run "ping" between 2 identical FreeBSD hosts, with packets larger then 25152 bytes, "ping" fails. Does someone has an idea what might cause this failure ? Thanks, Eitan From peterjeremy at optushome.com.au Wed Jul 16 11:55:54 2008 From: peterjeremy at optushome.com.au (Peter Jeremy) Date: Wed Jul 16 11:56:01 2008 Subject: "ping" with packets larger then 25152 bytes fails. In-Reply-To: <5D49E7A8952DC44FB38C38FA0D758EAD196E6F@mtlexch01.mtl.com> References: <5D49E7A8952DC44FB38C38FA0D758EAD196E6F@mtlexch01.mtl.com> Message-ID: <20080716115548.GJ62764@server.vk2pj.dyndns.org> On 2008-Jul-16 10:41:57 +0300, Eitan Shefi wrote: >When I run "ping" between 2 identical FreeBSD hosts, with packets larger >then 25152 bytes, "ping" fails. Intriguing. >Does someone has an idea what might cause this failure ? No, but a few more datapoints: - it only affects real network connections - localhost is unaffected - The problem also occurs when pinging FreeBSD 7.x from linux but not when the same linux system pings a Winbloze box. - Pinging either linux or winbloze from FreeBSD 7.x fails. -- Peter Jeremy Please excuse any delays as the result of my ISP's inability to implement an MTA that is either RFC2821-compliant or matches their claimed behaviour. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20080716/88091133/attachment.pgp From gnn at freebsd.org Wed Jul 16 15:23:54 2008 From: gnn at freebsd.org (gnn@freebsd.org) Date: Wed Jul 16 15:24:06 2008 Subject: igb doesn't compile in STABLE? In-Reply-To: <2a41acea0807151035w291269abt4ed99989ae45cc8b@mail.gmail.com> References: <2a41acea0807141453s7235d894i31a744a0f673fcc0@mail.gmail.com> <2a41acea0807151007q29a783c4r2ae63c5a631952ba@mail.gmail.com> <2a41acea0807151035w291269abt4ed99989ae45cc8b@mail.gmail.com> Message-ID: At Tue, 15 Jul 2008 10:35:57 -0700, Jack Vogel wrote: > > OK, will put on my todo list :) > Thanks. A kernel built that way (i.e. with igb and em) does actually work, which is good, but if you're going to split them up we should get this right before 7.1. Best, George From atkin901 at yahoo.com Wed Jul 16 16:50:37 2008 From: atkin901 at yahoo.com (Mark Atkinson) Date: Wed Jul 16 16:50:43 2008 Subject: "ping" with packets larger then 25152 bytes fails. References: <5D49E7A8952DC44FB38C38FA0D758EAD196E6F@mtlexch01.mtl.com> Message-ID: Eitan Shefi wrote: > When I run "ping" between 2 identical FreeBSD hosts, with packets larger > then 25152 bytes, "ping" fails. > > Does someone has an idea what might cause this failure ?[ My first guess is you're probably hitting the fragment limit for maximum fragments per packet. Which is like 16/packet by default. -- Mark Atkinson atkin901@yahoo.com (!wired)?(coffee++):(wired); From davidch at broadcom.com Wed Jul 16 17:34:35 2008 From: davidch at broadcom.com (David Christensen) Date: Wed Jul 16 17:34:43 2008 Subject: Enabling MSI-X on -CURRENT for New Network Driver Message-ID: <5D267A3F22FD854F8F48B3D2B52381932677F1A0C3@IRVEXCHCCR01.corp.ad.broadcom.com> I'm working on adding MSI-X support for a new network driver and having some difficulty in actually getting an interrupt. Does this look right? /* Select and configure the IRQ. */ sc->bxe_msix_count = pci_msix_count(dev); rid = 1; /* Try allocating MSI-X interrupts. */ if ((sc->bxe_cap_flags & BXE_MSIX_CAPABLE_FLAG) && (bxe_msi_enable >= 2) && (sc->bxe_msix_count > 0)) { int msix_needed = sc->bxe_msix_count; if (pci_alloc_msix(dev, &sc->bxe_msix_count) == 0) { if (sc->bxe_msix_count == msix_needed) { DBPRINT(sc, BXE_INFO_LOAD, "%s(): Using %d MSI-X " "vector(s).\n", __FUNCTION__, sc->bxe_msix_count); sc->bxe_flags |= BXE_USING_MSIX_FLAG; } else { pci_release_msi(dev); sc->bxe_flags &= ~BXE_USING_MSIX_FLAG; sc->bxe_msix_count = 0; } } } /* Try allocating MSI interrupts if we didn't get MSI-X. */ ... /* Try legacy interrupt. */ ... /* Allocate the interrupt and report any errors. */ sc->bxe_res_irq = bus_alloc_resource_any(dev, SYS_RES_IRQ, &rid, RF_ACTIVE); /* Report any IRQ allocation errors. */ if (sc->bxe_res_irq == NULL) { BXE_PRINTF("%s(%d): PCI map interrupt failed!\n", __FILE__, __LINE__); rc = ENXIO; goto bxe_attach_fail; } sc->bxe_irq_rid = rid; sc->bxe_intr = bxe_intr; The allocation doesn't fail and I usually see an IRQ allocated to the driver using "vmstat -i" (though not always): ===[root] /usr/src/sys/modules/bxe # vmstat -i interrupt total rate irq1: atkbd0 1 0 irq4: sio0 46432 6 irq6: fdc0 10 0 irq14: ata0 58 0 irq17: atapci1 42684 5 cpu0: timer 15331063 1999 irq256: em0 917 0 cpu3: timer 15330811 1999 cpu1: timer 15330808 1999 cpu2: timer 15330811 1999 cpu5: timer 15330811 1999 cpu6: timer 15330810 1999 cpu4: timer 15330806 1999 cpu7: timer 15330811 1999 irq258: bxe0 2 0 Total 122736835 16010 But my interrupt handler doesn't seem to be called. The goal is to get a single interrupt working first, multiple queue support comes next. Any ideas? Dave From barney_cordoba at yahoo.com Wed Jul 16 20:04:41 2008 From: barney_cordoba at yahoo.com (Barney Cordoba) Date: Wed Jul 16 20:04:47 2008 Subject: "ping" with packets larger then 25152 bytes fails. In-Reply-To: <20080716115548.GJ62764@server.vk2pj.dyndns.org> Message-ID: <813740.41559.qm@web63912.mail.re1.yahoo.com> --- On Wed, 7/16/08, Peter Jeremy wrote: > From: Peter Jeremy > Subject: Re: "ping" with packets larger then 25152 bytes fails. > To: "Eitan Shefi" > Cc: freebsd-net@freebsd.org > Date: Wednesday, July 16, 2008, 7:55 AM > On 2008-Jul-16 10:41:57 +0300, Eitan Shefi > wrote: > >When I run "ping" between 2 identical FreeBSD > hosts, with packets larger > >then 25152 bytes, "ping" fails. > > Intriguing. > > >Does someone has an idea what might cause this failure > ? > > No, but a few more datapoints: > - it only affects real network connections - localhost is > unaffected > - The problem also occurs when pinging FreeBSD 7.x from > linux but not > when the same linux system pings a Winbloze box. > - Pinging either linux or winbloze from FreeBSD 7.x fails. > > -- > Peter Jeremy > Please excuse any delays as the result of my ISP's > inability to implement > an MTA that is either RFC2821-compliant or matches their > claimed behaviour. Isn't this sort of like going to your auto dealer and complaining that you get vibration at 240mph? From peterjeremy at optushome.com.au Wed Jul 16 21:35:31 2008 From: peterjeremy at optushome.com.au (Peter Jeremy) Date: Wed Jul 16 21:35:37 2008 Subject: "ping" with packets larger then 25152 bytes fails. In-Reply-To: <813740.41559.qm@web63912.mail.re1.yahoo.com> References: <20080716115548.GJ62764@server.vk2pj.dyndns.org> <813740.41559.qm@web63912.mail.re1.yahoo.com> Message-ID: <20080716211815.GW62764@server.vk2pj.dyndns.org> On 2008-Jul-16 12:37:59 -0700, Barney Cordoba wrote: >> >When I run "ping" between 2 identical FreeBSD hosts, with packets larger >> >then 25152 bytes, "ping" fails. ... >Isn't this sort of like going to your auto dealer and complaining that you get vibration at 240mph? I don't think so. There are no specific limits on the size of ICMP ECHO REQUEST or ICMP ECHO REPLY packets, therefore the only limit should be the IP packet limit (64KB). It does work with other IP stacks and with the loopback interface on FreeBSD. Poking around a bit more, the culprit looks like net.inet.ip.maxfragsperpacket - which is set to 16 by default. -- Peter Jeremy Please excuse any delays as the result of my ISP's inability to implement an MTA that is either RFC2821-compliant or matches their claimed behaviour. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20080716/4666e773/attachment.pgp From linxiaosong at keynet.com.cn Thu Jul 17 02:38:15 2008 From: linxiaosong at keynet.com.cn (Wasily Lin) Date: Thu Jul 17 02:38:22 2008 Subject: mpd5.1 MTU problem Message-ID: <487EACC5.1060109@keynet.com.cn> Hello, I set up a PPPoE server on FreeBSD 7.0(amd64) with mpd 5.1 and it works fine for all clients except for my FreeBSD 7.0(i386) Notebook. Connecting has no problem and I get ip but all website can not be access even on PPPoE server itself(Apache installed), so can not ftp site. I've used mpd 5.1_1 and pppoe(built-in) as pppoe client but the problem was same - can not access http/ftp..., only icmp works. I think the problem is MTU then changed that but no effects. Now my configuration: PPPoE Server: startup: set netflow peer 127.0.0.1 1813 set user admin xxxxx admin set user operator xxxxx operator set user user xxxxx user set console open default: load pppoe_server pppoe_server: create bundle template B set ippool add pool 10.0.0.100 10.0.0.200 set iface enable netflow-in set iface enable netflow-out set iface enable ipacct set iface enable proxy-arp set iface mtu 1460 <-----------------------! set ipcp ranges 10.0.0.1/32 ippool pool set ipcp dns 172.18.30.125 create link template common pppoe set link enable pap set link disable chap set link enable multilink set link action bundle B load radius create link template em0 common set link max-children 1000 set pppoe iface em0 set link enable incoming radius: set radius server 127.0.0.1 xxxxxxxx 1812 1813 set radius retries 3 set radius timeout 3 set radius me 127.0.0.1 set auth max-logins 1 set auth acct-update 300 set auth enable radius-auth set auth enable radius-acct set radius enable message-authentic PPPoE client: startup: set user admin xxxxx admin set console open default: load pppoe_client pppoe_client: create bundle static B1 set iface route default set ipcp ranges 0.0.0.0/0 0.0.0.0/0 create link static L1 pppoe set link action bundle B1 set auth authname xxxxxx set auth password xxxxxx set link max-redial 0 set link keep-alive 10 60 set pppoe iface em0 set pppoe service "" open After connected: PPPoE server: ng15: flags=88d1 metric 0 mtu 1460 inet 10.0.0.1 --> 10.0.0.115 netmask 0xffffffff PPPoE client: ng0: flags=88d1 metric 0 mtu 1460 inet 10.0.0.115 --> 10.0.0.1 netmask 0xffffffff tcpdump output: PPPoE server: pppoe# tcpdump -i ng15 -ln host 10.0.0.1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ng15, link-type NULL (BSD loopback), capture size 96 bytes 10:08:44.469993 IP 10.0.0.115.60331 > 10.0.0.1.80: S 2092758811:2092758811(0) win 65535 10:08:44.470056 IP 10.0.0.1.80 > 10.0.0.115.60331: S 687014728:687014728(0) ack 2092758812 win 65535 10:08:47.469997 IP 10.0.0.1.80 > 10.0.0.115.60331: S 687014728:687014728(0) ack 2092758812 win 65535 10:08:53.469978 IP 10.0.0.1.80 > 10.0.0.115.60331: S 687014728:687014728(0) ack 2092758812 win 65535 10:09:05.469918 IP 10.0.0.1.80 > 10.0.0.115.60331: S 687014728:687014728(0) ack 2092758812 win 65535 10:09:44.972709 IP 10.0.0.115.60331 > 10.0.0.1.80: F 1:1(0) ack 1 win 8272 10:09:44.972744 IP 10.0.0.1.80 > 10.0.0.115.60331: R 687014729:687014729(0) win 0 PPPoE client: r00t# tcpdump -i ng0 -ln host 10.0.0.1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ng0, link-type NULL (BSD loopback), capture size 96 bytes 10:12:06.792399 IP 10.0.0.115.60331 > 10.0.0.1.80: S 2092758811:2092758811(0) win 65535 10:12:06.793151 IP 10.0.0.1.80 > 10.0.0.115.60331: S 687014728:687014728(0) ack 2092758812 win 65535 10:12:06.793178 IP 10.0.0.115.60331 > 10.0.0.1.80: . ack 1 win 8272 10:12:09.793385 IP 10.0.0.1.80 > 10.0.0.115.60331: S 687014728:687014728(0) ack 2092758812 win 65535 10:12:09.793414 IP 10.0.0.115.60331 > 10.0.0.1.80: . ack 1 win 8272 10:12:15.793331 IP 10.0.0.1.80 > 10.0.0.115.60331: S 687014728:687014728(0) ack 2092758812 win 65535 10:12:15.793358 IP 10.0.0.115.60331 > 10.0.0.1.80: . ack 1 win 8272 10:12:27.793227 IP 10.0.0.1.80 > 10.0.0.115.60331: S 687014728:687014728(0) ack 2092758812 win 65535 10:12:27.793255 IP 10.0.0.115.60331 > 10.0.0.1.80: . ack 1 win 8272 10:13:07.294273 IP 10.0.0.115.60331 > 10.0.0.1.80: F 1:1(0) ack 1 win 8272 10:13:07.295358 IP 10.0.0.1.80 > 10.0.0.115.60331: R 687014729:687014729(0) win 0 As you can see, tcp/ack from client can not go through but tcp/syn, tcp/fin are fine. What's the reason? I've used the same client to connect to ISP's ADSL and work fine so what I am sure is the server refused my tcp/ack. But why? Thanks all. BSD4LZX !DSPAM:487eacd27993450375810! From brde at optusnet.com.au Thu Jul 17 03:15:33 2008 From: brde at optusnet.com.au (Bruce Evans) Date: Thu Jul 17 03:15:40 2008 Subject: Enabling MSI-X on -CURRENT for New Network Driver In-Reply-To: <5D267A3F22FD854F8F48B3D2B52381932677F1A0C3@IRVEXCHCCR01.corp.ad.broadcom.com> References: <5D267A3F22FD854F8F48B3D2B52381932677F1A0C3@IRVEXCHCCR01.corp.ad.broadcom.com> Message-ID: <20080717131000.K2693@besplex.bde.org> On Wed, 16 Jul 2008, David Christensen wrote: > I'm working on adding MSI-X support for a new network driver > and having some difficulty in actually getting an interrupt. > Does this look right? I don't know, but on FreeBSD cluster machines running RELENG_8 bce generates too many interrupts -- approx. 46000/second to deliver approx. 2 packets/second. bce works normally on FreeBSD cluster machines running RELENG_7 and earlier (2 interrupts/second to deliver systat -v output). Bruce From sepherosa at gmail.com Thu Jul 17 03:47:07 2008 From: sepherosa at gmail.com (Sepherosa Ziehau) Date: Thu Jul 17 03:47:13 2008 Subject: Enabling MSI-X on -CURRENT for New Network Driver In-Reply-To: <20080717131000.K2693@besplex.bde.org> References: <5D267A3F22FD854F8F48B3D2B52381932677F1A0C3@IRVEXCHCCR01.corp.ad.broadcom.com> <20080717131000.K2693@besplex.bde.org> Message-ID: On Thu, Jul 17, 2008 at 11:15 AM, Bruce Evans wrote: > On Wed, 16 Jul 2008, David Christensen wrote: > >> I'm working on adding MSI-X support for a new network driver >> and having some difficulty in actually getting an interrupt. >> Does this look right? > > I don't know, but on FreeBSD cluster machines running RELENG_8 bce > generates too many interrupts -- approx. 46000/second to deliver On dfly, I set the bce_rx_quick_cons_trip to 24 and bce_rx_ticks to 125, else live lock (>40000/sec) is promised when sinking packets @800kpps. I think bce uses the same coal logic as bge, so bce_rx_quick_cons_trip probably could be set to a larger value like 128; didn't have time to test 128 yet. Best Regards, sephe -- Live Free or Die From sam at freebsd.org Thu Jul 17 04:10:21 2008 From: sam at freebsd.org (Sam Leffler) Date: Thu Jul 17 04:10:27 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <486A45AB.2080609@freebsd.org> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> Message-ID: <487EC62A.3070301@freebsd.org> Sam Leffler wrote: > Larry Baird wrote: >>> And how do I know that it works ? >>> Well, when it doesn't work, I do know it, quite quickly most of the >>> time ! >>> >> I have to chime in here. I did most of the initial porting of the >> NAT-T patches from Kame IPSec to FAST_IPSEC. I did look at every >> line of code during this process. I found no security problems during >> the port. Like Yvan, my company uses the NAT-T patches commercially. >> Like he says, if it had problems, we would hear about it. If the >> patches >> don't get commited, I highly suspect Yvan or myself would try to keep >> the >> patches up todate. So far I have done FAST_IPSEC pacthes for FreeBSD >> 4,5,6. Yvan did 7 and 8 by himself. Keeping up gets to be a pain >> after a while. I do plan to look at the FreeBSD 7 patches soon, but >> it sure would be nice >> to see it commited. >> Please test/review the following patch against HEAD: http://people.freebsd.org/~sam/nat_t-20080616.patch This adds only the kernel portion of the NAT-T support; you must provide the user-level code from another place. The main difference from the patches floating around are in the ctloutput path (adding proper locking for HEAD) and decap of ESP-in-UDP frames. Assuming folks are ok w/ these changes I'll commit to HEAD. Once this stuff goes in we can look at getting the user-mode mods into the tree. Sam PS. Thanks especially to Matthew Grooms who tested an earlier version and fixed a bug. From andrew at modulus.org Thu Jul 17 04:44:31 2008 From: andrew at modulus.org (Andrew Snow) Date: Thu Jul 17 04:44:39 2008 Subject: named.conf: query-source address In-Reply-To: <20080717044106.GA53681@eos.sc1.parodius.com> References: <20080716162042.GA27666@svzserv.kemerovo.su> <487E312E.9090307@infracaninophile.co.uk> <20080717035155.GA81536@svzserv.kemerovo.su> <8DFF6DCD-6619-4251-9944-59CED8DF1B19@mac.com> <20080717044106.GA53681@eos.sc1.parodius.com> Message-ID: <487ECDD7.2050901@modulus.org> Don't forget the souls who find themselves using jails. In this case it is common to want a name server on the parent host but not on any of the jail IPs. From smithi at nimnet.asn.au Thu Jul 17 06:19:44 2008 From: smithi at nimnet.asn.au (Ian Smith) Date: Thu Jul 17 06:19:51 2008 Subject: mpd5.1 MTU problem In-Reply-To: <487EACC5.1060109@keynet.com.cn> Message-ID: On Thu, 17 Jul 2008, Wasily Lin wrote: > Hello, > I set up a PPPoE server on FreeBSD 7.0(amd64) with mpd 5.1 and it works > fine for all clients except for my FreeBSD 7.0(i386) Notebook. > Connecting has no problem and I get ip but all website can not be access > even on PPPoE server itself(Apache installed), so can not ftp site. > I've used mpd 5.1_1 and pppoe(built-in) as pppoe client but the > problem was same - can not access http/ftp..., only icmp works. I think > the problem is MTU then changed that but no effects. Now my configuration: > > PPPoE Server: > startup: > set netflow peer 127.0.0.1 1813 > set user admin xxxxx admin > set user operator xxxxx operator > set user user xxxxx user > set console open > > default: > load pppoe_server > > pppoe_server: > > create bundle template B > set ippool add pool 10.0.0.100 10.0.0.200 > set iface enable netflow-in > set iface enable netflow-out > set iface enable ipacct > set iface enable proxy-arp > set iface mtu 1460 <-----------------------! > set ipcp ranges 10.0.0.1/32 ippool pool > set ipcp dns 172.18.30.125 > > create link template common pppoe > set link enable pap > set link disable chap > set link enable multilink > set link action bundle B > load radius > > create link template em0 common > set link max-children 1000 > set pppoe iface em0 > set link enable incoming > > radius: > set radius server 127.0.0.1 xxxxxxxx 1812 1813 > set radius retries 3 > set radius timeout 3 > set radius me 127.0.0.1 > set auth max-logins 1 > set auth acct-update 300 > set auth enable radius-auth > set auth enable radius-acct > set radius enable message-authentic > > PPPoE client: > startup: > set user admin xxxxx admin > set console open > > default: > load pppoe_client > > pppoe_client: > create bundle static B1 > set iface route default > set ipcp ranges 0.0.0.0/0 0.0.0.0/0 > > create link static L1 pppoe > set link action bundle B1 > set auth authname xxxxxx > set auth password xxxxxx > set link max-redial 0 > set link keep-alive 10 60 > set pppoe iface em0 > set pppoe service "" For the same apparent problem, from my working mpd 4.1 client config: # needed? seems so, t23 had trouble with large tcp pkts .. yep, fixed .. set iface enable tcpmssfix which I see is still in http://mpd.sourceforge.net/doc5/mpd28.html cheers, Ian > open > > After connected: > > PPPoE server: > ng15: flags=88d1 metric > 0 mtu 1460 > inet 10.0.0.1 --> 10.0.0.115 netmask 0xffffffff > > PPPoE client: > ng0: flags=88d1 metric 0 > mtu 1460 > inet 10.0.0.115 --> 10.0.0.1 netmask 0xffffffff > > tcpdump output: > > PPPoE server: > pppoe# tcpdump -i ng15 -ln host 10.0.0.1 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > listening on ng15, link-type NULL (BSD loopback), capture size 96 bytes > 10:08:44.469993 IP 10.0.0.115.60331 > 10.0.0.1.80: S > 2092758811:2092758811(0) win 65535 3,sackOK,timestamp 4639873 0> > 10:08:44.470056 IP 10.0.0.1.80 > 10.0.0.115.60331: S > 687014728:687014728(0) ack 2092758812 win 65535 3,sackOK,timestamp 1602770998 4639873> > 10:08:47.469997 IP 10.0.0.1.80 > 10.0.0.115.60331: S > 687014728:687014728(0) ack 2092758812 win 65535 3,sackOK,timestamp 1602770998 4639873> > 10:08:53.469978 IP 10.0.0.1.80 > 10.0.0.115.60331: S > 687014728:687014728(0) ack 2092758812 win 65535 3,sackOK,timestamp 1602770998 4639873> > 10:09:05.469918 IP 10.0.0.1.80 > 10.0.0.115.60331: S > 687014728:687014728(0) ack 2092758812 win 65535 3,sackOK,timestamp 1602770998 4639873> > 10:09:44.972709 IP 10.0.0.115.60331 > 10.0.0.1.80: F 1:1(0) ack 1 win > 8272 > 10:09:44.972744 IP 10.0.0.1.80 > 10.0.0.115.60331: R > 687014729:687014729(0) win 0 > > PPPoE client: > r00t# tcpdump -i ng0 -ln host 10.0.0.1 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > listening on ng0, link-type NULL (BSD loopback), capture size 96 bytes > 10:12:06.792399 IP 10.0.0.115.60331 > 10.0.0.1.80: S > 2092758811:2092758811(0) win 65535 3,sackOK,timestamp 4639873 0> > 10:12:06.793151 IP 10.0.0.1.80 > 10.0.0.115.60331: S > 687014728:687014728(0) ack 2092758812 win 65535 3,sackOK,timestamp 1602770998 4639873> > 10:12:06.793178 IP 10.0.0.115.60331 > 10.0.0.1.80: . ack 1 win 8272 > > 10:12:09.793385 IP 10.0.0.1.80 > 10.0.0.115.60331: S > 687014728:687014728(0) ack 2092758812 win 65535 3,sackOK,timestamp 1602770998 4639873> > 10:12:09.793414 IP 10.0.0.115.60331 > 10.0.0.1.80: . ack 1 win 8272 > > 10:12:15.793331 IP 10.0.0.1.80 > 10.0.0.115.60331: S > 687014728:687014728(0) ack 2092758812 win 65535 3,sackOK,timestamp 1602770998 4639873> > 10:12:15.793358 IP 10.0.0.115.60331 > 10.0.0.1.80: . ack 1 win 8272 > > 10:12:27.793227 IP 10.0.0.1.80 > 10.0.0.115.60331: S > 687014728:687014728(0) ack 2092758812 win 65535 3,sackOK,timestamp 1602770998 4639873> > 10:12:27.793255 IP 10.0.0.115.60331 > 10.0.0.1.80: . ack 1 win 8272 > > 10:13:07.294273 IP 10.0.0.115.60331 > 10.0.0.1.80: F 1:1(0) ack 1 win > 8272 > 10:13:07.295358 IP 10.0.0.1.80 > 10.0.0.115.60331: R > 687014729:687014729(0) win 0 > > As you can see, tcp/ack from client can not go through but tcp/syn, > tcp/fin are fine. > > What's the reason? I've used the same client to connect to ISP's ADSL > and work fine so what I am sure is the server refused my tcp/ack. But why? > > Thanks all. > > BSD4LZX From freebsdlists at bsdunix.ch Thu Jul 17 06:52:19 2008 From: freebsdlists at bsdunix.ch (Thomas Vogt) Date: Thu Jul 17 06:52:30 2008 Subject: too many open file descriptors messages since bind 9.4.2-P1 (port dns94) In-Reply-To: References: <487C9457.5080609@bsdunix.ch> <2A7CBD67-7532-4B13-82DD-A6EF5DEAA6BD@bsdunix.ch> Message-ID: Hello Am 15.07.2008 um 22:59 schrieb JINMEI Tatuya / ????: > At Tue, 15 Jul 2008 22:54:11 +0200, > Thomas Vogt wrote: > >>>> Since i updated my FreeBSD 6.3 dns server with the latest bind >>>> version >>>> in the ports (dns/bind94) my system is flooding my log with "too >>>> many >>>> open file descriptors" messages. >>>> >>>> Is there something i can do? >>> >>> How many sockets is named actually using while it makes this log >>> message? Try, e.g, >>> % sockstat | grep named | wc -l >> >> Not that many: >> sockstat | grep named | wc -l >> 996 > > Ah, it's actually quite a lot in this context:-) > > If that's regularly happening, I'm afraid recent P1 versions don't > handle that well, and recommend you try 9.4.3b2 ore 9.5.1b1. I installed 9.4.3b2. I haven't seen any "too many open file descriptors" messages so far. "sockstat | grep named | wc -l" shows me much less listen bind versions. During the whole night and at this early time in the morning we just have 40-150 open binds. Maybe all our customers are enjoying their summer hollydays or 9.4.3b2 handels it much better. Regads, Thomas From mav at FreeBSD.org Thu Jul 17 08:14:31 2008 From: mav at FreeBSD.org (Alexander Motin) Date: Thu Jul 17 08:14:38 2008 Subject: mpd5.1 MTU problem In-Reply-To: <1216275783.00099216.1216262401@10.7.7.3> References: <1216275783.00099216.1216262401@10.7.7.3> Message-ID: <487EF154.5070808@FreeBSD.org> Wasily Lin wrote: > set iface enable netflow-in > set iface enable netflow-out > set iface enable ipacct Strange combination. > set iface enable proxy-arp Are you sure you need it? > set iface mtu 1460 <-----------------------! That's not a problem, but usually 1492 used for PPPoE. Also in some situation 'set iface enable tcpmssfix' could help. > As you can see, tcp/ack from client can not go through but tcp/syn, > tcp/fin are fine. > > What's the reason? I've used the same client to connect to ISP's ADSL > and work fine so what I am sure is the server refused my tcp/ack. But why? As soon as all packets are very small I don't think it is an MTU problem. I would recommend you to use tcpdump on Ethernet interface to understand which side actually drops the packets and probably why. Also check that you are not using any firewall and try to disable some features on server side like ipacct. -- Alexander Motin From biancalana at gmail.com Thu Jul 17 16:02:16 2008 From: biancalana at gmail.com (Alexandre Biancalana) Date: Thu Jul 17 16:02:25 2008 Subject: openospfd+carp Message-ID: <8e10486b0807170902l4a3db309we7f143af6b79235b@mail.gmail.com> Hi list, I'm deploying a new structure between our company and our datacenter that is composed of two L2L (lan-to-lan) 100Mbit links and two redudant gateway/firewall at each side. I configured one vlan per 100Mbit link and used carp (with Max's carpdev patch) to do the failover between machines on each side, the vlan interfaces are configured without ip address, only carp interfaces have ips. I want to use OpenOSPFD to do automatic failover+loadbalance of this L2L links. This works ? Someone have a similar setup ? Any hints ? I'm using FreeBSD 7, OpenOSPFD 4 (from ports) and Max's carpdev patch. Best Regards, Alexandre From cokane at FreeBSD.org Thu Jul 17 16:30:03 2008 From: cokane at FreeBSD.org (Coleman Kane) Date: Thu Jul 17 16:30:10 2008 Subject: kern/125181: [ndis] [patch] with wep enters kdb.enter.unknown, panics Message-ID: <200807171630.m6HGU3IZ015801@freefall.freebsd.org> The following reply was made to PR kern/125181; it has been noted by GNATS. From: Coleman Kane To: bug-followup@FreeBSD.org, onemda@gmail.com Cc: thompsa@FreeBSD.org Subject: Re: kern/125181: [ndis] [patch] with wep enters kdb.enter.unknown, panics Date: Thu, 17 Jul 2008 12:09:52 -0400 --=-soKy1PZEAkA40vAIl1Y1 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Andrew, I got directed to this PR by onemda@gmail.com (Paul D. Mahol), who's been helping me track down some edge cases in the if_ndis locking rewrite. I am not 100% familiar with the locking semantics in play here (IEEE80211 and VAPs), so I wanted to run it by you before I determine that it seems to be working well for me. --=20 Coleman Kane --=-soKy1PZEAkA40vAIl1Y1 Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (FreeBSD) iEYEABECAAYFAkh/bs8ACgkQcMSxQcXat5cPdQCfbs4UgSOx8VZ7wJOu9H1bYdxA h7sAnRJA4UxSvjdNCGG7tm95Jedhz/Ae =vNY9 -----END PGP SIGNATURE----- --=-soKy1PZEAkA40vAIl1Y1-- From thompsa at FreeBSD.org Thu Jul 17 16:50:05 2008 From: thompsa at FreeBSD.org (Andrew Thompson) Date: Thu Jul 17 16:50:12 2008 Subject: kern/125181: [ndis] [patch] with wep enters kdb.enter.unknown, panics Message-ID: <200807171650.m6HGo4aK018239@freefall.freebsd.org> The following reply was made to PR kern/125181; it has been noted by GNATS. From: Andrew Thompson To: Coleman Kane Cc: bug-followup@FreeBSD.org, onemda@gmail.com Subject: Re: kern/125181: [ndis] [patch] with wep enters kdb.enter.unknown, panics Date: Thu, 17 Jul 2008 09:43:42 -0700 On Thu, Jul 17, 2008 at 12:09:52PM -0400, Coleman Kane wrote: > Andrew, > > I got directed to this PR by onemda@gmail.com (Paul D. Mahol), who's > been helping me track down some edge cases in the if_ndis locking > rewrite. I am not 100% familiar with the locking semantics in play here > (IEEE80211 and VAPs), so I wanted to run it by you before I determine > that it seems to be working well for me. I dont think ndis should be reaching into the net80211 lock. Now that ndis uses a regular mutex its a good chance to add mtx_asserts in the right places and get the locking up to speed. I will try to post a patch soon unless someone beats be to it. Andrew From julian at elischer.org Thu Jul 17 17:09:18 2008 From: julian at elischer.org (Julian Elischer) Date: Thu Jul 17 17:09:25 2008 Subject: Requesting comments on Multi-routing table usage Message-ID: <487F7C0C.8090303@elischer.org> The current code in -current will add a new interface to all FIBs. So for example when you add a gre interface irt shows up everywhere. This behaviour is probbaly correct for the base NICs on the system when you boot, but it is probably wrong in other cases. For example, when mpd makes tunnels it probably (but not always) wants to add that set of routes into one FIB. Similarly for other apps that can create tunnels. What is needed is a way to allow the caller to somehow specify the behaviour wanted whenever new interfaces are added. various things crossed my minds.. ------------- Maybe real hardware shoudl go everywhere and virtual should go to the FIB of the creator Maybe P2P interfaces should not go everywhere. Maybe a sysctl can be used to 'flip' teh mode from "everywhere" to "specific fib" after boot has completed. (I have code for this but it's not the perfect solution). Maybe ifconfig can set a new flag somewhere somehow. Maybe a process can set a flag for itself saying what its mode is.. ---------- The trouble is that there is not an "always correct" answer. some people may want to see a tunnel turn up on all FIBs and others may not. From smithi at nimnet.asn.au Thu Jul 17 17:54:54 2008 From: smithi at nimnet.asn.au (Ian Smith) Date: Thu Jul 17 17:55:01 2008 Subject: Requesting comments on Multi-routing table usage In-Reply-To: <487F7C0C.8090303@elischer.org> Message-ID: On Thu, 17 Jul 2008, Julian Elischer wrote: > The current code in -current will add a new interface to all > FIBs. Consider yanking/reinserting cardbus NICs as one source of fun. > So for example when you add a gre interface irt shows up everywhere. > > This behaviour is probbaly correct for the base NICs on the system > when you boot, but it is probably wrong in other cases. > > For example, when mpd makes tunnels it probably > (but not always) wants to add that set of routes into one > FIB. Similarly for other apps that can create tunnels. > > What is needed is a way to allow the caller to somehow > specify the behaviour wanted whenever new interfaces are added. > > various things crossed my minds.. I'm of two minds myself .. but you seem to have lots more :) > ------------- > Maybe real hardware shoudl go everywhere and virtual should go to > the FIB of the creator > > Maybe P2P interfaces should not go everywhere. > > Maybe a sysctl can be used to 'flip' teh mode from "everywhere" > to "specific fib" after boot has completed. (I have code for this but > it's not the perfect solution). Yes in addition to 'setfib N command' it would be likely useful to have a more global 'setfibto' type command, so you could run whole scripts or shells in a known fib context, to which scripts etc could be oblivious? Tuning by sysctl/s would seem most useful, at least for development? > Maybe ifconfig can set a new flag somewhere somehow. > > Maybe a process can set a flag for itself saying what its mode is.. > ---------- > > > The trouble is that there is not an "always correct" answer. > some people may want to see a tunnel turn up on all FIBs > and others may not. It's the options that drive ya crazy .. but being able to set/tune the forwarding context - one fib, all fibs, or a set of fibs? - may allow flexibility in view of the large set of maybes you (so far) mentioned. Just some popcorn from the peanut gallery .. cheers, Ian From julian at elischer.org Thu Jul 17 19:25:20 2008 From: julian at elischer.org (Julian Elischer) Date: Thu Jul 17 19:25:27 2008 Subject: Requesting comments on Multi-routing table usage In-Reply-To: References: Message-ID: <487F9BED.90402@elischer.org> Ian Smith wrote: > On Thu, 17 Jul 2008, Julian Elischer wrote: > > The current code in -current will add a new interface to all > > FIBs. > > Consider yanking/reinserting cardbus NICs as one source of fun. > > > So for example when you add a gre interface irt shows up everywhere. > > > > This behaviour is probbaly correct for the base NICs on the system > > when you boot, but it is probably wrong in other cases. > > > > For example, when mpd makes tunnels it probably > > (but not always) wants to add that set of routes into one > > FIB. Similarly for other apps that can create tunnels. > > > > What is needed is a way to allow the caller to somehow > > specify the behaviour wanted whenever new interfaces are added. > > > > various things crossed my minds.. > > I'm of two minds myself .. but you seem to have lots more :) > > > ------------- > > Maybe real hardware shoudl go everywhere and virtual should go to > > the FIB of the creator > > > > Maybe P2P interfaces should not go everywhere. > > > > Maybe a sysctl can be used to 'flip' teh mode from "everywhere" > > to "specific fib" after boot has completed. (I have code for this but > > it's not the perfect solution). > > Yes in addition to 'setfib N command' it would be likely useful to have > a more global 'setfibto' type command, so you could run whole scripts or > shells in a known fib context, to which scripts etc could be oblivious? that's already possible with setfib.. setfib N sh script is going to do that.. The issue I have is with the routes that are added to routing tables when an interface is added.. It's a specific instance that is tricky because it's a side effect rather than a directly requested action. what some people have asked to do is have multiple tunnels to the same place but have different routing tables specify different tunnels to get to that place.. e.g. gre0 1.1.1.1 2.2.2.2 gre1 3.3.3.3 2.2.2.2 gre2 4.4.4.4 2.2.2.2 where in fib 0 the route to 2.2.2.2 is via gre0 and in fib1 it is via gre1 and in fib2 it is via gre2 then you can use setfib in ipfw and pf to use different tunnels to get selected traffic to 2.2.2.2.. This is what is being asked for, but you can only add the interfaces like that if ifconfig only effects differnet FIBS for each interface. > > Tuning by sysctl/s would seem most useful, at least for development? > > > Maybe ifconfig can set a new flag somewhere somehow. > > > > Maybe a process can set a flag for itself saying what its mode is.. > > ---------- > > > > > > The trouble is that there is not an "always correct" answer. > > some people may want to see a tunnel turn up on all FIBs > > and others may not. > > It's the options that drive ya crazy .. but being able to set/tune the > forwarding context - one fib, all fibs, or a set of fibs? - may allow > flexibility in view of the large set of maybes you (so far) mentioned. > > Just some popcorn from the peanut gallery .. > > cheers, Ian From julian at elischer.org Thu Jul 17 19:29:51 2008 From: julian at elischer.org (Julian Elischer) Date: Thu Jul 17 19:29:57 2008 Subject: Requesting comments on Multi-routing table usage In-Reply-To: <487F9BED.90402@elischer.org> References: <487F9BED.90402@elischer.org> Message-ID: <487F9CFB.2080901@elischer.org> Julian Elischer wrote: > Ian Smith wrote: >> On Thu, 17 Jul 2008, Julian Elischer wrote: >> > The current code in -current will add a new interface to all >> > FIBs. >> >> Consider yanking/reinserting cardbus NICs as one source of fun. >> >> > So for example when you add a gre interface irt shows up everywhere. >> > > This behaviour is probbaly correct for the base NICs on the >> system > when you boot, but it is probably wrong in other cases. >> > >> > For example, when mpd makes tunnels it probably >> > (but not always) wants to add that set of routes into one >> > FIB. Similarly for other apps that can create tunnels. >> > > What is needed is a way to allow the caller to somehow >> > specify the behaviour wanted whenever new interfaces are added. >> > > various things crossed my minds.. >> >> I'm of two minds myself .. but you seem to have lots more :) >> >> > ------------- >> > Maybe real hardware shoudl go everywhere and virtual should go to >> > the FIB of the creator >> > > Maybe P2P interfaces should not go everywhere. >> > > Maybe a sysctl can be used to 'flip' teh mode from "everywhere" >> > to "specific fib" after boot has completed. (I have code for this >> but > it's not the perfect solution). >> >> Yes in addition to 'setfib N command' it would be likely useful to have >> a more global 'setfibto' type command, so you could run whole scripts or >> shells in a known fib context, to which scripts etc could be oblivious? > > that's already possible with setfib.. > setfib N sh script is going to do that.. > > The issue I have is with the routes that are added to routing tables > when an interface is added.. It's a specific instance that is tricky > because it's a side effect rather than a directly requested action. > > what some people have asked to do is have multiple tunnels to the same > place but have different routing tables specify different tunnels to get > to that place.. > > e.g. > > gre0 1.1.1.1 2.2.2.2 > gre1 3.3.3.3 2.2.2.2 > gre2 4.4.4.4 2.2.2.2 > > where in fib 0 the route to 2.2.2.2 is via gre0 > and in fib1 it is via gre1 > and in fib2 it is via gre2 > then you can use setfib in ipfw and pf to use different tunnels to get > selected traffic to 2.2.2.2.. > > This is what is being asked for, but you can only add the > interfaces like that if ifconfig only effects differnet FIBS for each > interface. hmmm that makes me think that maybe an ifconfig command to associate a FIB with an interface might do the trick... if it's not associated with a FIB it get to all of them, but if you have previously associated it wit a FIB, then only that FIB is affected. That may just be a good enough answer. > > > >> >> Tuning by sysctl/s would seem most useful, at least for development? >> >> > Maybe ifconfig can set a new flag somewhere somehow. >> > > Maybe a process can set a flag for itself saying what its mode is.. >> > ---------- >> > > > The trouble is that there is not an "always correct" answer. >> > some people may want to see a tunnel turn up on all FIBs >> > and others may not. >> >> It's the options that drive ya crazy .. but being able to set/tune the >> forwarding context - one fib, all fibs, or a set of fibs? - may allow >> flexibility in view of the large set of maybes you (so far) mentioned. >> >> Just some popcorn from the peanut gallery .. >> >> cheers, Ian > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" From lab at gta.com Thu Jul 17 20:21:42 2008 From: lab at gta.com (Larry Baird) Date: Thu Jul 17 20:21:49 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <487EC62A.3070301@freebsd.org> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> Message-ID: <20080717202141.GA65940@gta.com> Sam, > Please test/review the following patch against HEAD: > > http://people.freebsd.org/~sam/nat_t-20080616.patch > > This adds only the kernel portion of the NAT-T support; you must provide > the user-level code from another place. > > The main difference from the patches floating around are in the > ctloutput path (adding proper locking for HEAD) and decap of ESP-in-UDP > frames. Assuming folks are ok w/ these changes I'll commit to HEAD. > Once this stuff goes in we can look at getting the user-mode mods into > the tree. I should have time to begin to look at this tomorrow. I also have an additional patch that needs adding. In sys/netipsec/ipsec_mbuf.c the function m_makespace() has an assert/comment stating "code doesn't handle clusters". If using NAT-T with crypto acceleration you can hit this case. I'll email this patch to you within the next couple of days. Larry -- ------------------------------------------------------------------------ Larry Baird | http://www.gta.com Global Technology Associates, Inc. | Orlando, FL Email: lab@gta.com | TEL 407-380-0220, FAX 407-380-6080 From danger at FreeBSD.org Thu Jul 17 20:22:29 2008 From: danger at FreeBSD.org (Daniel Gerzo) Date: Thu Jul 17 20:22:40 2008 Subject: etc/rc.firewall6 Message-ID: <743720911.20080717222210@rulez.sk> Hello freebsd-net, would somebody more knowledgeable then I am in ip6 review this [1] small patch for /etc/rc.firewall6? May I get an approval from some src/ committer to commit this (please keep me in the CC: list)? Thank you. [1] http://cvsup.sk.freebsd.org/~danger/rc.ipfw6.diff -- Best regards, Daniel mailto:danger@FreeBSD.org From hrs at FreeBSD.org Thu Jul 17 21:48:17 2008 From: hrs at FreeBSD.org (hrs@FreeBSD.org) Date: Thu Jul 17 21:48:24 2008 Subject: kern/125003: [gif] incorrect EtherIP header format. Message-ID: <200807172148.m6HLmHl9043759@freefall.freebsd.org> Synopsis: [gif] incorrect EtherIP header format. Responsible-Changed-From-To: freebsd-net->hrs Responsible-Changed-By: hrs Responsible-Changed-When: Thu Jul 17 21:47:32 UTC 2008 Responsible-Changed-Why: I will handle this. http://www.freebsd.org/cgi/query-pr.cgi?pr=125003 From dougb at FreeBSD.org Thu Jul 17 23:00:04 2008 From: dougb at FreeBSD.org (Doug Barton) Date: Thu Jul 17 23:00:14 2008 Subject: etc/rc.firewall6 In-Reply-To: <743720911.20080717222210@rulez.sk> References: <743720911.20080717222210@rulez.sk> Message-ID: <487FC8B1.4070003@FreeBSD.org> Daniel Gerzo wrote: > Hello freebsd-net, > > would somebody more knowledgeable then I am in ip6 review this [1] > small patch for /etc/rc.firewall6? May I get an approval from some > src/ committer to commit this (please keep me in the CC: list)? > > Thank you. > > [1] http://cvsup.sk.freebsd.org/~danger/rc.ipfw6.diff > Looks like the right direction to go in for the DNS stuff, yes. About the ntp stuff, 2 questions. First, you did not make the same changes in the NTP section in the second hunk as you did in the first, is that intentional? Second, wouldn't it be better to specify the port number (123) on both sides? NTP uses that same port for sending and receiving queries, and I've always built firewalls that way successfully. Doug -- This .signature sanitized for your protection From cswiger at mac.com Thu Jul 17 23:21:31 2008 From: cswiger at mac.com (Chuck Swiger) Date: Thu Jul 17 23:21:37 2008 Subject: etc/rc.firewall6 In-Reply-To: <487FC8B1.4070003@FreeBSD.org> References: <743720911.20080717222210@rulez.sk> <487FC8B1.4070003@FreeBSD.org> Message-ID: <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com> On Jul 17, 2008, at 3:33 PM, Doug Barton wrote: [ ... ] > About the ntp stuff, 2 questions. First, you did not make the same > changes in the NTP section in the second hunk as you did in the > first, is that intentional? Second, wouldn't it be better to > specify the port number (123) on both sides? NTP uses that same port > for sending and receiving queries, and I've always built firewalls > that way successfully. David Mills' ntpd uses port 123 on both sides, true. Other NTP implementations tend to use ephemeral ports; a quick histogram of 30 seconds or so of traffic to a stratum-2 NTP server suggests about half of the NTP traffic out there uses other ports. Regards, -- -Chuck # tcpdump -w ntp_packets.dump udp port 123 tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes ^C 615 packets captured 897 packets received by filter 0 packets dropped by kernel # tcpdump -nr ntp_packets.dump | wc -l reading from file ntp_packets.dump, link-type EN10MB (Ethernet) 615 # tcpdump -nr ntp_packets.dump | grep '.123 >' | wc -l reading from file ntp_packets.dump, link-type EN10MB (Ethernet) 347 Most of these above were packets sent by my server. The rest have quite an assortment of source ports being used: # tcpdump -nr ntp_packets.dump | grep -v '.123 >' | head reading from file ntp_packets.dump, link-type EN10MB (Ethernet) 19:06:41.598527 IP 69.144.236.104.3186 > 199.103.21.227.123: NTPv4, Client, length 48 19:06:41.620732 IP 70.169.250.10.297 > 199.103.21.227.123: NTPv3, symmetric active, length 48 19:06:41.755699 IP 63.118.102.151.47817 > 199.103.21.227.123: NTPv4, Client, length 48 19:06:41.932513 IP 65.7.131.67.61897 > 199.103.21.227.123: NTPv3, Client, length 48 19:06:42.041643 IP 69.48.55.134.6 > 199.103.21.227.123: NTPv3, Client, length 48 19:06:42.098282 IP 64.211.94.227.32839 > 199.103.21.227.123: NTPv4, Client, length 48 19:06:42.248041 IP 74.234.132.214.49846 > 199.103.21.227.123: NTPv3, Client, length 48 19:06:42.263930 IP 66.134.96.79.50420 > 199.103.21.227.123: NTPv3, symmetric active, length 48 19:06:42.338483 IP 38.115.128.242.12709 > 199.103.21.227.123: NTPv3, symmetric active, length 48 19:06:42.764847 IP 70.169.250.10.429 > 199.103.21.227.123: NTPv3, symmetric active, length 48 # tcpdump -nr ntp_packets.dump | grep -v '.123 >' | tail reading from file ntp_packets.dump, link-type EN10MB (Ethernet) 19:07:09.302753 IP 170.235.223.10.47601 > 199.103.21.227.123: NTPv3, symmetric active, length 48 19:07:09.355610 IP 38.105.187.251.278 > 199.103.21.227.123: NTPv3, symmetric active, length 48 19:07:09.360286 IP 70.148.188.206.59640 > 199.103.21.227.123: NTPv4, Client, length 48 19:07:09.502241 IP 138.210.238.176.26487 > 199.103.21.227.123: NTPv3, Client, length 48 19:07:09.838130 IP 66.89.121.68.13587 > 199.103.21.227.123: NTPv3, symmetric active, length 48 19:07:10.064838 IP 76.201.148.100.2050 > 199.103.21.227.123: NTPv3, Client, length 48 19:07:10.121137 IP 217.96.91.6.37920 > 199.103.21.227.123: NTPv4, Client, length 48 19:07:10.124784 IP 70.169.250.10.24 > 199.103.21.227.123: NTPv3, symmetric active, length 48 19:07:10.203358 IP 24.154.104.34.40289 > 199.103.21.227.123: NTPv4, Client, length 48 19:07:10.234026 IP 64.178.45.44.1 > 199.103.21.227.123: NTPv4, Client, length 48 From max at love2party.net Thu Jul 17 23:35:39 2008 From: max at love2party.net (Max Laier) Date: Thu Jul 17 23:35:46 2008 Subject: etc/rc.firewall6 In-Reply-To: <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com> References: <743720911.20080717222210@rulez.sk> <487FC8B1.4070003@FreeBSD.org> <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com> Message-ID: <200807180135.35912.max@love2party.net> On Friday 18 July 2008 01:21:28 Chuck Swiger wrote: > On Jul 17, 2008, at 3:33 PM, Doug Barton wrote: > [ ... ] > > > About the ntp stuff, 2 questions. First, you did not make the same > > changes in the NTP section in the second hunk as you did in the > > first, is that intentional? Second, wouldn't it be better to > > specify the port number (123) on both sides? NTP uses that same port > > for sending and receiving queries, and I've always built firewalls > > that way successfully. > > David Mills' ntpd uses port 123 on both sides, true. Other NTP > implementations tend to use ephemeral ports; a quick histogram of 30 > seconds or so of traffic to a stratum-2 NTP server suggests about half > of the NTP traffic out there uses other ports. Don't forget PNAT. I'd also argue that the rc.firewall6 in base is supposed to work with the ntpd in base. We should, however, not forget about ntpdate, which seems to use ephemeral ports. -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News From cswiger at mac.com Fri Jul 18 00:07:26 2008 From: cswiger at mac.com (Chuck Swiger) Date: Fri Jul 18 00:07:33 2008 Subject: etc/rc.firewall6 In-Reply-To: <200807180135.35912.max@love2party.net> References: <743720911.20080717222210@rulez.sk> <487FC8B1.4070003@FreeBSD.org> <615CAFFA-48AF-4207-A838-B8AB58B6EE76@mac.com> <200807180135.35912.max@love2party.net> Message-ID: <7CD8CD0E-0150-438C-BD50-D2A8C2210280@mac.com> On Jul 17, 2008, at 4:35 PM, Max Laier wrote: >> David Mills' ntpd uses port 123 on both sides, true. Other NTP >> implementations tend to use ephemeral ports; a quick histogram of 30 >> seconds or so of traffic to a stratum-2 NTP server suggests about >> half >> of the NTP traffic out there uses other ports. > > Don't forget PNAT. I'd also argue that the rc.firewall6 in base is > supposed to work with the ntpd in base. We should, however, not > forget > about ntpdate, which seems to use ephemeral ports. Certainly some forms of NAT might also "scrub" ntpd's use of port 123 to some random higher port, true enough. It's not recommended that machines providing time service to others have NAT in the way, though, so that circumstance wasn't at the top of my mind. :-) -- -Chuck From vanhu at FreeBSD.org Fri Jul 18 08:28:38 2008 From: vanhu at FreeBSD.org (VANHULLEBUS Yvan) Date: Fri Jul 18 08:28:46 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <487EC62A.3070301@freebsd.org> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> Message-ID: <20080718082834.GA11096@zen.inc> On Wed, Jul 16, 2008 at 09:10:18PM -0700, Sam Leffler wrote: [...] > Please test/review the following patch against HEAD: > > http://people.freebsd.org/~sam/nat_t-20080616.patch For those who may be interested,I ported Sam's changes to FreeBSD7, the patch is here: http://people.freebsd.org/~vanhu/patch-natt-test-releng7-20080717.diff Please note that this patch has NOT been pushed to the "official" location for NAT-T patches, as I did NOT test it for now (kernel has been compiled successfully, but I'll only be able to switch to it tomorrow, as I actually use the tunnel to that gate to access it). > This adds only the kernel portion of the NAT-T support; you must provide > the user-level code from another place. Note for people who are interested: user-level code comes from ipsec-tools, as for previous versions of the NAT-T patch. Sam's changes have only impacts on the kernel itself, so if you are already running a FreeBSD kernel+userland with NAT-T patchset, you'll only need to repatch/rebuild your kernel, rebuilding world (at least includes) and ipsec-tools is NOT needed. Of course, if you're running a FreeBSD host which actually does know NOTHING about NAT-T, you'll need to apply the patch, rebuild your kernel, at least rebuild includes (or ipsec-tools won't detect NAT-T support), then rebuild ipsec-tools. But that was already the procedure with previous versions of the patch. > The main difference from the patches floating around are in the > ctloutput path (adding proper locking for HEAD) and decap of ESP-in-UDP > frames. Assuming folks are ok w/ these changes I'll commit to HEAD. > Once this stuff goes in we can look at getting the user-mode mods into > the tree. I reported your changes on locking system (and just changed INP_WLOCKS to INP_LOCKS) on the RELENG7 version, is that ok ? While I'm here, a few words about authors and contributors of the patch, just to ensure it has been told at least once :-) Original authors of the patch are Emmanuel Dreyfus (manu at NetBSD.org, for the NetBSD version) and me (for the FreeBSD version), when patches for both BSDs were very similar. Larry ported the patch to FAST_IPSEC stack (Larry, I'm quite sure you also reported other patches, but I don't remember exactly what). Bjoern reported some fixes. I ported the patch to FreeBSD7 and to actual HEAD, and also made some other various things on it. Sam made the changes we're talking about in that thread. Matthew did a LOT of tests with various implementations and reported bugs. I would also like to thanks Julien VANHERZEELE, which is the guy at my works who does IPSec qualification, and who also set up lots of tests related to NAT-T for years. If some other people reported me some patches / bugs and have not been cited here, please accept my apologies for such a bad memory. If some other people have some patches, bug reports, etc... related to that patch, please report them as soon as possible ! Yvan. -- NETASQ http://www.netasq.com From onemda at gmail.com Fri Jul 18 11:23:28 2008 From: onemda at gmail.com (Paul B. Mahol) Date: Fri Jul 18 11:23:35 2008 Subject: kern/125181: [ndis] [patch] with wep enters kdb.enter.unknown, panics In-Reply-To: <200807171650.m6HGo4aK018239@freefall.freebsd.org> References: <200807171650.m6HGo4aK018239@freefall.freebsd.org> Message-ID: <3a142e750807180358i4e3baa3m9ebe7cad357fe2cf@mail.gmail.com> On 7/17/08, Andrew Thompson wrote: > The following reply was made to PR kern/125181; it has been noted by GNATS. > > From: Andrew Thompson > To: Coleman Kane > Cc: bug-followup@FreeBSD.org, onemda@gmail.com > Subject: Re: kern/125181: [ndis] [patch] with wep enters kdb.enter.unknown, > panics > Date: Thu, 17 Jul 2008 09:43:42 -0700 > > On Thu, Jul 17, 2008 at 12:09:52PM -0400, Coleman Kane wrote: > > Andrew, > > > > I got directed to this PR by onemda@gmail.com (Paul D. Mahol), who's > > been helping me track down some edge cases in the if_ndis locking > > rewrite. I am not 100% familiar with the locking semantics in play here > > (IEEE80211 and VAPs), so I wanted to run it by you before I determine > > that it seems to be working well for me. > > I dont think ndis should be reaching into the net80211 lock. Now that > ndis uses a regular mutex its a good chance to add mtx_asserts in the > right places and get the locking up to speed. I will try to post a patch > soon unless someone beats be to it. Patch impact on performance is marginal if not completely irrelevant. The only way to improve code in that file is rewritting offending functions. And at end net80211 lock would be still there (called via some other function). From mgrooms at shrew.net Fri Jul 18 14:08:29 2008 From: mgrooms at shrew.net (Matthew Grooms) Date: Fri Jul 18 14:08:36 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <4880973B.2010200@shrew.net> References: <4880973B.2010200@shrew.net> Message-ID: <4880A3D7.5020300@shrew.net> > On Wed, Jul 16, 2008 at 09:10:18PM -0700, Sam Leffler wrote: > > > This adds only the kernel portion of the NAT-T support; you must provide > > the user-level code from another place. > > Note for people who are interested: > user-level code comes from ipsec-tools, as for previous versions of > the NAT-T patch. > > Sam's changes have only impacts on the kernel itself, so if you are > already running a FreeBSD kernel+userland with NAT-T patchset, you'll > only need to repatch/rebuild your kernel, rebuilding world (at least > includes) and ipsec-tools is NOT needed. > > Of course, if you're running a FreeBSD host which actually does know > NOTHING about NAT-T, you'll need to apply the patch, rebuild your > kernel, at least rebuild includes (or ipsec-tools won't detect NAT-T > support), then rebuild ipsec-tools. > For anyone trying to install ipsec-tools to test this patch, its worth mentioning that the port has a build issues on CURRENT. This has been corrected in cvs and the 7-branch of ipsec-tools. As a quick remedy, a patch is attached that can be applied to the port work sources. -Matthew -------------- next part -------------- Index: src/racoon/crypto_openssl.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c,v retrieving revision 1.11.6.1 diff -u -r1.11.6.1 crypto_openssl.c --- src/racoon/crypto_openssl.c 18 Dec 2006 10:18:10 -0000 1.11.6.1 +++ src/racoon/crypto_openssl.c 18 Jul 2008 13:45:05 -0000 @@ -675,7 +675,7 @@ { plog(LLV_ERROR, LOCATION, NULL, "data is not terminated by NUL."); - hexdump(gen->d.ia5->data, gen->d.ia5->length + 1); + racoon_hexdump(gen->d.ia5->data, gen->d.ia5->length + 1); goto end; } Index: src/racoon/eaytest.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/eaytest.c,v retrieving revision 1.7.6.1 diff -u -r1.7.6.1 eaytest.c --- src/racoon/eaytest.c 6 Jun 2007 15:36:38 -0000 1.7.6.1 +++ src/racoon/eaytest.c 18 Jul 2008 13:45:05 -0000 @@ -65,7 +65,7 @@ #include "package_version.h" -#define PVDUMP(var) hexdump((var)->v, (var)->l) +#define PVDUMP(var) racoon_hexdump((var)->v, (var)->l) /*#define CERTTEST_BROKEN */ Index: src/racoon/misc.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/misc.c,v retrieving revision 1.4 diff -u -r1.4 misc.c --- src/racoon/misc.c 9 Sep 2006 16:22:09 -0000 1.4 +++ src/racoon/misc.c 18 Jul 2008 13:45:05 -0000 @@ -73,7 +73,7 @@ #endif int -hexdump(buf0, len) +racoon_hexdump(buf0, len) void *buf0; size_t len; { Index: src/racoon/misc.h =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/misc.h,v retrieving revision 1.4 diff -u -r1.4 misc.h --- src/racoon/misc.h 9 Sep 2006 16:22:09 -0000 1.4 +++ src/racoon/misc.h 18 Jul 2008 13:45:05 -0000 @@ -42,7 +42,7 @@ #define LOCATION debug_location(__FILE__, __LINE__, NULL) #endif -extern int hexdump __P((void *, size_t)); +extern int racoon_hexdump __P((void *, size_t)); extern char *bit2str __P((int, int)); extern void *get_newbuf __P((void *, size_t)); extern const char *debug_location __P((const char *, int, const char *)); Index: src/racoon/racoonctl.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c,v retrieving revision 1.7 diff -u -r1.7 racoonctl.c --- src/racoon/racoonctl.c 2 Oct 2006 07:12:26 -0000 1.7 +++ src/racoon/racoonctl.c 18 Jul 2008 13:45:06 -0000 @@ -303,7 +303,7 @@ err(1, "kmpstat"); if (loglevel) - hexdump(combuf, ((struct admin_com *)combuf)->ac_len); + racoon_hexdump(combuf, ((struct admin_com *)combuf)->ac_len); com_init(); From ticso at cicely7.cicely.de Fri Jul 18 14:32:53 2008 From: ticso at cicely7.cicely.de (Bernd Walter) Date: Fri Jul 18 14:33:13 2008 Subject: TCP zombie connections with 7-RELEASE and STABLE from 15th june Message-ID: <20080718135931.GA48087@cicely7.cicely.de> 14:45:58.109631 IP 213.83.6.106.3270 > 85.159.14.110.443: S 470580731:470580731(0) win 32768 14:45:58.109753 IP 85.159.14.110.443 > 213.83.6.106.3270: S 1364510055:1364510055(0) ack 470580732 win 65535 14:45:58.114324 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 1 win 33304 14:45:59.816810 IP 213.83.6.106.3270 > 85.159.14.110.443: F 1:1(0) ack 1 win 33304 14:45:59.816900 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 2 win 8326 14:45:59.818445 IP 85.159.14.110.443 > 213.83.6.106.3270: F 1:1(0) ack 2 win 8326 14:45:59.822859 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.415401 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 1 win 0 14:46:00.420082 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.420139 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:00.424772 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.424847 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:00.429065 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.429089 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:00.433247 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.433305 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:00.437641 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.437700 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:00.442408 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.442445 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:00.447231 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.447291 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:00.451525 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.451587 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:00.455957 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.456024 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:00.460666 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.460732 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:00.465092 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:00.465150 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 [...] 14:46:31.182624 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:31.182978 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:31.183006 IP 85.159.14.110.443 > 213.83.6.106.3270: . ack 1 win 65535 14:46:31.183146 IP 85.159.14.110.443 > 213.83.6.106.3270: F 1:1(0) ack 1 win 65535 14:46:31.183173 IP 85.159.14.110.443 > 213.83.6.106.3270: F 1:1(0) ack 1 win 65535 14:46:31.184038 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:31.184124 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:31.184157 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:31.184740 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:31.185174 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:31.186762 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:31.187366 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:31.187380 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 14:46:31.187573 IP 213.83.6.106.3270 > 85.159.14.110.443: . ack 2 win 33303 443 is a self written server, but it also happens with port 80 and sslproxy. The client is a telnet, which disconnects directly after connecting, so the disconnect is initiated from the client, which seems to be important for this problem to trigger. You can see that the FIN handshake completes and netstat on the client box shows the connection in TIME_WAIT. The server however has the connection still in ESTABLISHED state. What happens in the application code looks quite silly. I do a typical accept loop and then I process the data in a new thread. After my thread terminates and closes it's filedescriptor the select loop accepts the old connection again. This doesn't happen in every case but almost always. Finally after 30 seconds without data to read my newly created thread closes the zombie connection again. The question is why accept returns me a filedescriptor for a connection which was already returned and should have been closed? -- B.Walter http://www.bwct.de Modbus/TCP Ethernet I/O Baugruppen, ARM basierte FreeBSD Rechner uvm. From mgrooms at shrew.net Fri Jul 18 19:43:54 2008 From: mgrooms at shrew.net (Matthew Grooms) Date: Fri Jul 18 19:44:01 2008 Subject: Help with tap device configuration oddity Message-ID: <4880F273.1090802@shrew.net> All, I noticed a problem with some software I wrote for FreeBSD using tap devices. It would appear that you get inconsistent results from ioctl calls SIOCSIFADDR and SIOCSIFNETMASK when used with tap than when used with a real Ethernet device. I wrote a quick test program to demonstrate this which can be found at the following url ... http://hole.shrew.net/~mgrooms/files/taptest.cpp g++ taptest.cpp -o taptest USAGE : taptest

[ifname] Specify the ifname parameter to configure an existing adapter. Omit the ifname paramter to create a tap device and configure it instead. When I use this with an Ethernet device on CURRENT, I get normal results ... # ./taptest 10.1.2.3 255.255.255.0 1350 le1 ii : configured adapter le1 [10.1.2.3/255.255.255.0 MTU 1350] le1: flags=8843 metric 0 mtu 1350 options=8 ether 00:0c:29:bd:60:2b inet 10.1.2.3 netmask 0xffffff00 broadcast 10.1.2.255 media: Ethernet autoselect status: active # netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 10.aa.bbb.c UGS 0 89 le0 10.1.2.0/24 link#2 UC 0 0 le1 ... When I use this with a tap device on CURRENT, I always get a wacky 10/8 route added and no 10.2.3/24 route like you would expect ... # ./taptest 10.2.3.4 255.255.255.0 1350 creating tap device ii : opened tap device /dev/tap0 ii : configured adapter tap0 [10.2.3.4/255.255.255.0 MTU 1350] tap0: flags=8843 metric 0 mtu 1350 ether 00:bd:59:d2:02:00 inet 10.1.2.3 netmask 0xffffff00 broadcast 10.1.2.255 Opened by PID 1497 # netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 10.aa.bbb.c UGS 0 89 le0 10.0.0.0/8 link#5 UC 0 0 tap0 This really messes with traffic that should go out the default route. I tested this on 6.2-RELEASE as well and got similar results ... # netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 10.a.b.c UGS 0 5940 lnc0 10 link#7 UC 0 0 tap0 Can someone please explain this to me? Thanks in advance, -Matthew From lab at gta.com Sat Jul 19 01:40:53 2008 From: lab at gta.com (Larry Baird) Date: Sat Jul 19 01:41:00 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <487EC62A.3070301@freebsd.org> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> Message-ID: <20080719014051.GA80850@gta.com> Sam, > The main difference from the patches floating around are in the > ctloutput path (adding proper locking for HEAD) and decap of ESP-in-UDP > frames. Assuming folks are ok w/ these changes I'll commit to HEAD. > Once this stuff goes in we can look at getting the user-mode mods into > the tree. Didn't get the free time I thought I would have today. Hopefully over the weekend I will get time to finish reviewing the patch. I have attached the patch against head for ipsec_mbuf.c. Now that FreeBSD has a svn respository, creating diffs against head is trivial. (-: Larry -- ------------------------------------------------------------------------ Larry Baird | http://www.gta.com Global Technology Associates, Inc. | Orlando, FL Email: lab@gta.com | TEL 407-380-0220, FAX 407-380-6080 From smithi at nimnet.asn.au Sat Jul 19 03:39:51 2008 From: smithi at nimnet.asn.au (Ian Smith) Date: Sat Jul 19 03:40:02 2008 Subject: Requesting comments on Multi-routing table usage In-Reply-To: <487F9CFB.2080901@elischer.org> Message-ID: On Thu, 17 Jul 2008, Julian Elischer wrote: > Julian Elischer wrote: > > Ian Smith wrote: > >> On Thu, 17 Jul 2008, Julian Elischer wrote: > >> > The current code in -current will add a new interface to all > >> > FIBs. [..] > >> Yes in addition to 'setfib N command' it would be likely useful to have > >> a more global 'setfibto' type command, so you could run whole scripts or > >> shells in a known fib context, to which scripts etc could be oblivious? > > > > that's already possible with setfib.. > > setfib N sh script is going to do that.. Yeah, guess I was thinking more of setting fixed FIB context 'from now on' which I think your ifconfig solution below probably best addresses. > > The issue I have is with the routes that are added to routing tables > > when an interface is added.. It's a specific instance that is tricky > > because it's a side effect rather than a directly requested action. > > > > what some people have asked to do is have multiple tunnels to the same > > place but have different routing tables specify different tunnels to get > > to that place.. > > > > e.g. > > > > gre0 1.1.1.1 2.2.2.2 > > gre1 3.3.3.3 2.2.2.2 > > gre2 4.4.4.4 2.2.2.2 > > > > where in fib 0 the route to 2.2.2.2 is via gre0 > > and in fib1 it is via gre1 > > and in fib2 it is via gre2 > > then you can use setfib in ipfw and pf to use different tunnels to get > > selected traffic to 2.2.2.2.. > > > > This is what is being asked for, but you can only add the > > interfaces like that if ifconfig only effects differnet FIBS for each > > interface. > > hmmm that makes me think that maybe an ifconfig command to associate > a FIB with an interface might do the trick... > if it's not associated with a FIB it get to all of them, but if > you have previously associated it wit a FIB, then only that FIB is > affected. > > That may just be a good enough answer. Do you have some suggested syntax for the ifconfig command? I may well just be blowing smoke here, and only lightly browsed this stuff earlier (with interest) but I wonder whether a choice between all FIBs and just one is too, well, binary for all possible situations, and whether some situations might wish to refer to some set of FIBs? And if so, rather than any complicated set manipulation, this could be accomplished - if needed - by having a '-option' syntax as is common to ifconfig arguments, to remove a particular FIB(s) from the ALL set? Just till someone equipped with proper net-fu turns up to comment :) cheers, Ian From gonzo at FreeBSD.org Sat Jul 19 13:24:24 2008 From: gonzo at FreeBSD.org (gonzo@FreeBSD.org) Date: Sat Jul 19 13:24:31 2008 Subject: kern/125442: [carp][lagg] CARP combined with LAGG causes system panic - 7.0/amd64 Message-ID: <200807191324.m6JDONgi019873@freefall.freebsd.org> Synopsis: [carp][lagg] CARP combined with LAGG causes system panic - 7.0/amd64 State-Changed-From-To: open->feedback State-Changed-By: gonzo State-Changed-When: Sat Jul 19 13:23:55 UTC 2008 State-Changed-Why: I'll take it. Responsible-Changed-From-To: freebsd-net->gonzo Responsible-Changed-By: gonzo Responsible-Changed-When: Sat Jul 19 13:23:55 UTC 2008 Responsible-Changed-Why: I'll take it. http://www.freebsd.org/cgi/query-pr.cgi?pr=125442 From kungfujesus06 at gmail.com Sat Jul 19 19:08:22 2008 From: kungfujesus06 at gmail.com (Adam Stylinski) Date: Sat Jul 19 19:08:28 2008 Subject: nfe driver Message-ID: <96af083b0807191144p38d49087kdfd3979f9c155ae8@mail.gmail.com> I have an mcp67 nforce networking controller using the nfe driver. I currently cannot set my MTU to anything higher than 1500. The controller definitely supports jumbo frames. Is there any hope of the BSD driver supporting it? I'm more than willing to test things out. I guess another question to ask would be if the newer kernel sources in freebsd-stable have support for jumbo frames on the MCP67 in the nfe driver. From brad at comstyle.com Sat Jul 19 19:28:04 2008 From: brad at comstyle.com (Brad) Date: Sat Jul 19 19:28:10 2008 Subject: nfe driver In-Reply-To: <96af083b0807191144p38d49087kdfd3979f9c155ae8@mail.gmail.com> References: <96af083b0807191144p38d49087kdfd3979f9c155ae8@mail.gmail.com> Message-ID: <200807191527.53302.brad@comstyle.com> On Saturday 19 July 2008 14:44:02 Adam Stylinski wrote: > The controller definitely supports jumbo frames. What proof do you have of this? > I guess another question to ask would be if the newer kernel sources in > freebsd-stable have support for jumbo frames on the MCP67 in the nfe > driver. No. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From kip.macy at gmail.com Sun Jul 20 01:11:24 2008 From: kip.macy at gmail.com (Kip Macy) Date: Sun Jul 20 01:11:32 2008 Subject: Freebsd IP Forwarding performance (question, and some info) [7-stable, current, em, smp] In-Reply-To: <601bffc40807112344n7a683f81y516f540e24d87389@mail.gmail.com> References: <4867420D.7090406@gtcomm.net> <486A9A0E.6060308@elischer.org> <486B41D5.3060609@gtcomm.net> <4871E85C.8090907@freebsd.org> <48726422.7050703@gtcomm.net> <200807080107.m6817XxO021966@lava.sentex.ca> <601bffc40807081346q454c1f40td47a0f54806d8a8c@mail.gmail.com> <601bffc40807112344n7a683f81y516f540e24d87389@mail.gmail.com> Message-ID: On Fri, Jul 11, 2008 at 11:44 PM, Brian McGinty wrote: >> Hi Brian >> I very much doubt that this is ceteris paribus. This is 384 random IPs >> -> 384 random IP addresses with a flow lookup for each packet. Also, >> I've read through igb on Linux - it has a lot of optimizations that >> the FreeBSD driver lacks and I have yet to implement. > > Hey Kip, > when will you push the optimization into FreeBSD? Hi Brian, I'm hoping to get to it some time in August. I'm a bit behind in my contracts at the moment. FYI: I'm actually able to forward 2.3Mpps between 2 10Gig interfaces on an 8-core system. I'm hoping to push it up to 3Mpps. Thanks, Kip From brian.mcginty at gmail.com Sun Jul 20 02:17:46 2008 From: brian.mcginty at gmail.com (Brian McGinty) Date: Sun Jul 20 02:17:52 2008 Subject: Freebsd IP Forwarding performance (question, and some info) [7-stable, current, em, smp] In-Reply-To: References: <4867420D.7090406@gtcomm.net> <486B41D5.3060609@gtcomm.net> <4871E85C.8090907@freebsd.org> <48726422.7050703@gtcomm.net> <200807080107.m6817XxO021966@lava.sentex.ca> <601bffc40807081346q454c1f40td47a0f54806d8a8c@mail.gmail.com> <601bffc40807112344n7a683f81y516f540e24d87389@mail.gmail.com> Message-ID: <601bffc40807191917g131bacao6485376365304f55@mail.gmail.com> G'day Kip, > I'm hoping to get to it some time in August. I'm a bit behind in my > contracts at the moment. A few weeks ago, I did a quick comparison of the driver between FreeBSD and Linux, and found quite a few differences that's worth pulling over. The guy from Intel working on FreeBSD, Jack?, is he the one that does this sort of sync-up of the drivers between the two distribution, or you? There's been a lot of changes recently, including full support for multiple Rx/Tx queues that significantly ups the ante on performance. FreeBSD doesn't support multiple Rx/Tx, or does something half arsed. > FYI: I'm actually able to forward 2.3Mpps between 2 10Gig interfaces > on an 8-core system. I'm hoping to push it up to 3Mpps. Is this no-loss number, and how did you test it? I don't have throughput numbers for the Oplin. I'm waiting to get some time on the Ixia at work to generate performance numbers for 1G and 10G for all packet sizes, on FreeBSD and Linux, on a 16 core system, and blast it to the list. I expect Linux to do 2-3 times better :-) Later, Brian From kip.macy at gmail.com Sun Jul 20 02:28:06 2008 From: kip.macy at gmail.com (Kip Macy) Date: Sun Jul 20 02:28:13 2008 Subject: Freebsd IP Forwarding performance (question, and some info) [7-stable, current, em, smp] In-Reply-To: <601bffc40807191917g131bacao6485376365304f55@mail.gmail.com> References: <4867420D.7090406@gtcomm.net> <4871E85C.8090907@freebsd.org> <48726422.7050703@gtcomm.net> <200807080107.m6817XxO021966@lava.sentex.ca> <601bffc40807081346q454c1f40td47a0f54806d8a8c@mail.gmail.com> <601bffc40807112344n7a683f81y516f540e24d87389@mail.gmail.com> <601bffc40807191917g131bacao6485376365304f55@mail.gmail.com> Message-ID: On Sat, Jul 19, 2008 at 7:17 PM, Brian McGinty wrote: > G'day Kip, > >> I'm hoping to get to it some time in August. I'm a bit behind in my >> contracts at the moment. > > A few weeks ago, I did a quick comparison of the driver between > FreeBSD and Linux, and found quite a few differences that's worth > pulling over. The guy from Intel working on FreeBSD, Jack?, is he the > one that does this sort of sync-up of the drivers between the two > distribution, or you? There's been a lot of changes recently, > including full support for multiple Rx/Tx queues that significantly > ups the ante on performance. FreeBSD doesn't support multiple Rx/Tx, > or does something half arsed. This is on a variant of RELENG_6 FreeBSD with a recent version of ULE and running the Checkpoint firewall. It also uses the full number of queues available to igb (4) and #queues == #cores (8 in this case) for ixgbe. The drivers in CVS have some bugs that I have fixed in this FreeBSD variant. FreeBSD's CVS version of the Intel drivers definitely lags Linux in terms of some optimizations. Even my version doesn't have some of the linux optimizations. >> FYI: I'm actually able to forward 2.3Mpps between 2 10Gig interfaces >> on an 8-core system. I'm hoping to push it up to 3Mpps. This is testing with an IXIA I don't currently have zero loss numbers. This is not fully loaded. However, ixgbe spews out pause frames when rx gets backed up so losses never get much above 0.1%. > Is this no-loss number, and how did you test it? I don't have > throughput numbers for the Oplin. I'm waiting to get some time on the > Ixia at work to generate performance numbers for 1G and 10G for all > packet sizes, on FreeBSD and Linux, on a 16 core system, and blast it > to the list. I expect Linux to do 2-3 times better :-) Sure, if you don't care about packet reordering. On their own box Checkpoint claims that Linux is currently able to do 20% better than we are seeing. Even they don't claim 200% - 300%. I know people who are switching off of Linux for memcache because they simply can't make it perform. So you're mileage really varies depending on the workload. I'm not sure where you get your numbers from. I would really like to get a hold of this magical Linux distribution to do a side by side comparison on the same workload. A 200% - 300% performance delta would definitely justify switching. Thanks, Kip From luigi.iannone at uclouvain.be Sun Jul 20 13:25:13 2008 From: luigi.iannone at uclouvain.be (Luigi Iannone) Date: Sun Jul 20 13:25:21 2008 Subject: OpenLISP Message-ID: Hello FreeBSD Networking Community, During the last years, there have been many discussions about the scalability of the Internet architecture notably within the IRTF RRG. With IPv6, thanks to its huge addressing space, it is possible to design protocols and mechanisms that are more scalable and more powerful than with IPv4. A typical example is the multihoming problem. This problem occurs when a site is attached to several Internet Service providers. With IPv4, the classical solution is for the site to obtain one IPv4 prefix and advertise it by using BGP. This solution works and traffic engineering is possible, but unfortunately, it contributes to a significant growth of the BGP routing tables in the global Internet. Approaches to better scale the Internet architecture are being discussed, notably within the Routing Research Group of the Internet Research Task Force. Several of these approaches rely on separating the two roles of IP addresses: the locator role and the identifier role. In today's IPv4 Internet, IPv4 addresses are used both to indicate the location in the Internet topology of a host (the locator role) and to terminate the transport flows on end-hosts (the identifier role). This means that it is difficult to change the IP address of a host without disrupting transport flows. The techniques that separate identifiers from locators take a different approach. First, an identifier is attached to each end- host. This identifier is used to terminate the transport flows. Second, each identifier may be reachable through multiple locators and a mapping mechanism is used to map an identifier (or a set of identifiers) onto a set of locators. This improves the scalability of the routing system as only the locators need to be distributed by BGP provided, of course, that the mapping system remains scalable. Furthermore, separating identifiers and locators has several additional benefits in terms of path diversity and performance. Some approaches propose to attach locators to hosts while other prefer to attach locators only to routers. The latter approach is the solution chosen by the proponents of the Locator/Identifier Separation Protocol (LISP). LISP is a router-based solution to solve the scaling problems of the Internet architecture that is currently being developed by Cisco. There are still many open questions concerning notably the mapping between identifiers and locators. To allow researchers and network operators to experiment with LISP, the IP Networking Lab of UCLouvain releases OpenLISP. OpenLISP is the first publicly available implementation of LISP on the FreeBSD kernel. OpenLISP was designed and implemented by Luigi Iannone. You can find more details about OpenLISP from http://inl.info.ucl.ac.be Any feedback from the FreeBSD Networking community is more than welcome. Best regards, Luigi Iannone luigi.iannone@uclouvain.be From julian at elischer.org Sun Jul 20 18:33:00 2008 From: julian at elischer.org (Julian Elischer) Date: Sun Jul 20 18:33:06 2008 Subject: OpenLISP In-Reply-To: References: Message-ID: <488384E5.3060608@elischer.org> Luigi Iannone wrote: > Hello FreeBSD Networking Community, > hello to you too :-) > The latter approach is the solution chosen by the proponents of the > Locator/Identifier Separation Protocol (LISP). LISP is a router-based > solution to solve the scaling problems of the Internet architecture that > is currently being developed by Cisco. Couldn't possibly come up with a better acronym? "lisp" is kinda taken.. are there any documents with PICTURES you can recommend to us? Does this connect at all with SCTP's capacity to multihome? jelische@cisco.com From Luigi.Iannone at uclouvain.be Sun Jul 20 18:45:53 2008 From: Luigi.Iannone at uclouvain.be (Luigi Iannone) Date: Sun Jul 20 18:46:03 2008 Subject: OpenLISP In-Reply-To: <488384E5.3060608@elischer.org> References: <488384E5.3060608@elischer.org> Message-ID: Hi, Le 20-juil.-08 ? 20:33, Julian Elischer a ?crit : > Luigi Iannone wrote: >> Hello FreeBSD Networking Community, > > hello to you too :-) > > >> The latter approach is the solution chosen by the proponents of >> the Locator/Identifier Separation Protocol (LISP). LISP is a >> router-based solution to solve the scaling problems of the >> Internet architecture that is currently being developed by Cisco. > > Couldn't possibly come up with a better acronym? "lisp" is kinda > taken.. > > are there any documents with PICTURES you can recommend to us? > Well, the official document can be found here: http://www.ietf.org/internet-drafts/draft-farinacci-lisp-08.txt If you want some _pictures_ you can get a look here: http://rosie.ripe.net/ripe/meetings/ripe-56/presentations/uploads/ Tuesday/Plenary%2016:00/upl/Fuller-LISP_Intro_and_Update.gNyX.pps > Does this connect at all with SCTP's capacity to multihome? > Not really. As far as I know SCTP is an end-to-end solution, where end-to-end stand for end-hosts. LISP is meant to be deployed mainly on border routers of stub domains. Cheers Luigi > > > jelische@cisco.com Luigi Iannone luigi.iannone@uclouvain.be From max at love2party.net Sun Jul 20 18:51:06 2008 From: max at love2party.net (Max Laier) Date: Sun Jul 20 18:51:13 2008 Subject: OpenLISP In-Reply-To: <488384E5.3060608@elischer.org> References: <488384E5.3060608@elischer.org> Message-ID: <200807202051.04431.max@love2party.net> On Sunday 20 July 2008 20:33:09 Julian Elischer wrote: > Luigi Iannone wrote: > > Hello FreeBSD Networking Community, > > hello to you too :-) > > > The latter approach is the solution chosen by the proponents of the > > Locator/Identifier Separation Protocol (LISP). LISP is a router-based > > solution to solve the scaling problems of the Internet architecture > > that is currently being developed by Cisco. > > Couldn't possibly come up with a better acronym? "lisp" is kinda > taken.. > > are there any documents with PICTURES you can recommend to us? The draft is quite readable: http://tools.ietf.org/html/draft-farinacci-lisp-08 > Does this connect at all with SCTP's capacity to multihome? (AFAIK) Not at all. They try to solve similar problems (or at least there is some intersection). A word about the implementation. The interception mechanism for LISP tunneled packets in ip_input/forward is *horrible*! Some of that is due to the design, but I believe it can be implemented much cleaner if you were to use the pfil(9) API. I'd really like to avoid putting this kind of stuff into the main ip code as it hurts readability a lot. -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News From Luigi.Iannone at uclouvain.be Sun Jul 20 19:00:31 2008 From: Luigi.Iannone at uclouvain.be (Luigi Iannone) Date: Sun Jul 20 19:00:38 2008 Subject: OpenLISP In-Reply-To: <200807202051.04431.max@love2party.net> References: <488384E5.3060608@elischer.org> <200807202051.04431.max@love2party.net> Message-ID: <4711A2FE-DFB4-44C0-9FA6-D69BD1B05C2E@uclouvain.be> > Hi, > A word about the implementation. The interception mechanism for LISP > tunneled packets in ip_input/forward is *horrible*! Some of that > is due > to the design, but I believe it can be implemented much cleaner if you > were to use the pfil(9) API. I'd really like to avoid putting this > kind > of stuff into the main ip code as it hurts readability a lot. > Thanks for the hint I'll get a look at that. Cheers Luigi > -- > /"\ Best regards, | mlaier@freebsd.org > \ / Max Laier | ICQ #67774661 > X http://pf4freebsd.love2party.net/ | mlaier@EFnet > / \ ASCII Ribbon Campaign | Against HTML Mail and News > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" Luigi Iannone luigi.iannone@uclouvain.be From julian at elischer.org Sun Jul 20 19:49:27 2008 From: julian at elischer.org (Julian Elischer) Date: Sun Jul 20 19:49:34 2008 Subject: OpenLISP In-Reply-To: <4711A2FE-DFB4-44C0-9FA6-D69BD1B05C2E@uclouvain.be> References: <488384E5.3060608@elischer.org> <200807202051.04431.max@love2party.net> <4711A2FE-DFB4-44C0-9FA6-D69BD1B05C2E@uclouvain.be> Message-ID: <488396CE.1060008@elischer.org> Luigi Iannone wrote: >> > > Hi, > > >> A word about the implementation. The interception mechanism for LISP >> tunneled packets in ip_input/forward is *horrible*! Some of that is due >> to the design, but I believe it can be implemented much cleaner if you >> were to use the pfil(9) API. I'd really like to avoid putting this kind >> of stuff into the main ip code as it hurts readability a lot. >> > > Thanks for the hint I'll get a look at that. my head hurts after reading that :-) I think I only 'got' half of it.. I'll read it again later.. The aim of this is to reduce routing table size and allow multihoming with the destination being able to suggest to a remote sight how to route back to it right? > > Cheers > > Luigi > > From Luigi.Iannone at uclouvain.be Sun Jul 20 19:58:00 2008 From: Luigi.Iannone at uclouvain.be (Luigi Iannone) Date: Sun Jul 20 19:58:06 2008 Subject: OpenLISP In-Reply-To: <488396CE.1060008@elischer.org> References: <488384E5.3060608@elischer.org> <200807202051.04431.max@love2party.net> <4711A2FE-DFB4-44C0-9FA6-D69BD1B05C2E@uclouvain.be> <488396CE.1060008@elischer.org> Message-ID: Le 20-juil.-08 ? 21:49, Julian Elischer a ?crit : > Luigi Iannone wrote: >>> >> Hi, >>> A word about the implementation. The interception mechanism for >>> LISP tunneled packets in ip_input/forward is *horrible*! Some of >>> that is due to the design, but I believe it can be implemented >>> much cleaner if you were to use the pfil(9) API. I'd really like >>> to avoid putting this kind of stuff into the main ip code as it >>> hurts readability a lot. >>> >> Thanks for the hint I'll get a look at that. > > my head hurts after reading that :-) > > I think I only 'got' half of it.. > I'll read it again later.. > The aim of this is to reduce routing table size and allow multihoming > You got it. > with the destination being able to suggest to a remote sight how to > route back to it right? > or at least suggest where to go through ... L. > >> Cheers >> Luigi > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" Luigi Iannone luigi.iannone@uclouvain.be From kmacy at freebsd.org Sun Jul 20 22:38:35 2008 From: kmacy at freebsd.org (Kip Macy) Date: Sun Jul 20 22:39:04 2008 Subject: moving sockbuf in to its own header Message-ID: <3c1674c90807201514o5bafba72r6be84de6e37a5525@mail.gmail.com> TOE drivers need to be able to directly enqueue data in to a socket buffer and thus benefit from having knowledge of sockbuf internals. However, there is no need for them to know about other socket definitions. Thus I would like to move sockbuf and accompanying definitions to their own header. This is a fairly straightforward change so I don't really see the need to wait more than a few days for feedback: http://www.fsmware.com/sockbuf.h.diff From kip.macy at gmail.com Sun Jul 20 23:07:30 2008 From: kip.macy at gmail.com (Kip Macy) Date: Sun Jul 20 23:07:36 2008 Subject: moving sockbuf in to its own header In-Reply-To: <3c1674c90807201514o5bafba72r6be84de6e37a5525@mail.gmail.com> References: <3c1674c90807201514o5bafba72r6be84de6e37a5525@mail.gmail.com> Message-ID: Actually, I'd like to re-factor multiple parts of socketvar in to separate files. Please provide feedback on the following: http://www.fsmware.com/socketvar_refactor.diff Thanks, Kip On Sun, Jul 20, 2008 at 3:14 PM, Kip Macy wrote: > TOE drivers need to be able to directly enqueue data in to a socket > buffer and thus benefit from having knowledge of sockbuf internals. > However, there is no need for them to know about other socket > definitions. Thus I would like to move sockbuf and accompanying > definitions to their own header. > > This is a fairly straightforward change so I don't really see the need > to wait more than a few days for feedback: > > http://www.fsmware.com/sockbuf.h.diff > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > From vanhu at FreeBSD.org Mon Jul 21 08:31:13 2008 From: vanhu at FreeBSD.org (VANHULLEBUS Yvan) Date: Mon Jul 21 08:31:20 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <487EC62A.3070301@freebsd.org> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> Message-ID: <20080721083110.GA21786@zen.inc> On Wed, Jul 16, 2008 at 09:10:18PM -0700, Sam Leffler wrote: [...] > Please test/review the following patch against HEAD: > > http://people.freebsd.org/~sam/nat_t-20080616.patch I have tested the RELENG7 version of the patch, and it works well. But I noticed a misplaced #endif at the beginning of udp_ctloutput(), which will generate problems if INET6 is not defined: if (sopt->sopt_level != IPPROTO_UDP) { #ifdef INET6 if (INP_CHECK_SOCKAF(so, AF_INET6)) { INP_WUNLOCK(inp); error = ip6_ctloutput(so, sopt); #endif } else { INP_WUNLOCK(inp); error = ip_ctloutput(so, sopt); #ifdef INET6 } #endif return (error); } The code should be: if (sopt->sopt_level != IPPROTO_UDP) { #ifdef INET6 if (INP_CHECK_SOCKAF(so, AF_INET6)) { INP_WUNLOCK(inp); error = ip6_ctloutput(so, sopt); } else { #endif INP_WUNLOCK(inp); error = ip_ctloutput(so, sopt); #ifdef INET6 } #endif return (error); } Yvan. From bzeeb-lists at lists.zabbadoz.net Mon Jul 21 09:30:07 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Mon Jul 21 09:30:14 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <487EC62A.3070301@freebsd.org> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> Message-ID: <20080721085325.B57089@maildrop.int.zabbadoz.net> On Wed, 16 Jul 2008, Sam Leffler wrote: Hi, > Please test/review the following patch against HEAD: > > http://people.freebsd.org/~sam/nat_t-20080616.patch > > This adds only the kernel portion of the NAT-T support; you must provide the > user-level code from another place. > > The main difference from the patches floating around are in the ctloutput > path (adding proper locking for HEAD) and decap of ESP-in-UDP frames. > Assuming folks are ok w/ these changes I'll commit to HEAD. Once this stuff > goes in we can look at getting the user-mode mods into the tree. I have skipped through the patch. My main concern at the moment is the API (pfkey stuff) to userland as Yvan had stated in <20080626075307.GA1401@zen.inc>. I know that at the moment there seems to be one public (pseudo) reference implementation this all works together but there might be/are other people not using libipsec from ipsec-tools. The point is changing the API once this hits the tree will be hard to detect at a later point if at all (unless with a __FreeBSD_version or (another) library version bump/sym versioning). We are still missing other things I think not mentioned elswhere like partial checksum recalculation. I still wonder if we'd have all the information (at the right place) in the kernel so we could easily add support for that at a later time w/o having to change APIs again. Considering that it seems noone using this patch in products has implemented this .. I dunno. It's something that is already mentioned in the introduction of RFC 3947 and in 3.1.2. of 3948 and thus should be very obvious to anyone ever seriously thought of finishing a proper more than "it works for me" version of the patch. Some minor things I had seen not reported so far: I have seen two printfs that should be changed to proper logging, ... /NAT-T OA present s,bave,have, in "...in the SPD: This means we bave a non-generated" but maybe change the entire comment. "non-generated SPD" is kind of wrong wording. I'd happily go through another patch once the missing/to be corrected things were addressed. /bz -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From bugmaster at FreeBSD.org Mon Jul 21 11:06:59 2008 From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Jul 21 11:08:18 2008 Subject: Current problem reports assigned to freebsd-net@FreeBSD.org Message-ID: <200807211106.m6LB6x0X031944@freefall.freebsd.org> Current FreeBSD problem reports Critical problems Serious problems S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/27474 net [ipf] [ppp] Interactive use of user PPP and ipfilter c o kern/35442 net [sis] [patch] Problem transmitting runts in if_sis dri a kern/38554 net [patch] changing interface ipaddress doesn't seem to w s kern/39937 net ipstealth issue s kern/77195 net [ipf] [patch] ipfilter ioctl SIOCGNATL does not match o kern/79895 net [ipf] 5.4-RC2 breaks ipfilter NAT when using netgraph s kern/81147 net [net] [patch] em0 reinitialization while adding aliase o kern/86103 net [ipf] Illegal NAT Traversal in IPFilter s kern/86920 net [ndis] ifconfig: SIOCS80211: Invalid argument [regress o kern/87521 net [ipf] [panic] using ipfilter "auth" keyword leads to k o kern/92090 net [bge] bge0: watchdog timeout -- resetting f kern/92552 net A serious bug in most network drivers from 5.X to 6.X o kern/95288 net [pppd] [tty] [panic] if_ppp panic in sys/kern/tty_subr o kern/98978 net [ipf] [patch] ipfilter drops OOW packets under 6.1-Rel o kern/101948 net [ipf] [panic] Kernel Panic Trap No 12 Page Fault - cau f kern/102344 net [ipf] Some packets do not pass through network interfa o bin/105925 net problems with ifconfig(8) and vlan(4) [regression] s kern/105943 net Network stack may modify read-only mbuf chain copies o kern/106316 net [dummynet] dummynet with multipass ipfw drops packets o kern/106438 net [ipf] ipfilter: keep state does not seem to allow repl o kern/108542 net [bce]: Huge network latencies with 6.2-RELEASE / STABL o bin/108895 net pppd(8): PPPoE dead connections on 6.2 [regression] o kern/109308 net [pppd] [panic] Multiple panics kernel ppp suspected [r o kern/109733 net [bge] bge link state issues [regression] o kern/112528 net [nfs] NFS over TCP under load hangs with "impossible p o kern/112686 net [patm] patm driver freezes System (FreeBSD 6.2-p4) i38 o kern/112722 net [udp] IP v4 udp fragmented packet reject o kern/113842 net [ip6] PF_INET6 proto domain state can't be cleared wit o kern/114714 net [gre][patch] gre(4) is not MPSAFE and does not support o kern/114839 net [fxp] fxp looses ability to speak with traffic o kern/115239 net [ipnat] panic with 'kmem_map too small' using ipnat o kern/116077 net [ip] [patch] 6.2-STABLE panic during use of multi-cast o kern/116185 net [iwi] if_iwi driver leads system to reboot o kern/116328 net [bge]: Solid hang with bge interface o kern/116747 net [ndis] FreeBSD 7.0-CURRENT crash with Dell TrueMobile o kern/116837 net [tun] [panic] [patch] ifconfig tunX destroy: panic o kern/117043 net [em] Intel PWLA8492MT Dual-Port Network adapter EEPROM o kern/117271 net [tap] OpenVPN TAP uses 99% CPU on releng_6 when if_tap o kern/117423 net [vlan] Duplicate IP on different interfaces o kern/117448 net [carp] 6.2 kernel crash [regression] o kern/118880 net [ip6] IP_RECVDSTADDR & IP_SENDSRCADDR not implemented o kern/119225 net [wi] 7.0-RC1 no carrier with Prism 2.5 wifi card [regr o kern/119345 net [ath] Unsuported Atheros 5424/2424 and CPU speedstep n o kern/119361 net [bge] bge(4) transmit performance problem o kern/119945 net [rum] [panic] rum device in hostap mode, cause kernel o kern/120130 net [carp] [panic] carp causes kernel panics in any conste o kern/120266 net [panic] gnugk causes kernel panic when closing UDP soc o kern/120304 net [netgraph] [patch] netgraph source assumes 32-bit time o kern/120966 net [rum] kernel panic with if_rum and WPA encryption o kern/121080 net [bge] IPv6 NUD problem on multi address config on bge0 o kern/121181 net [panic] Fatal trap 3: breakpoint instruction fault whi o kern/121298 net [em] [panic] Fatal trap 12: page fault while in kernel o kern/121437 net [vlan] Routing to layer-2 address does not work on VLA o kern/121555 net [panic] Fatal trap 12: current process = 12 (swi1: net o kern/121624 net [em] [regression] Intel em WOL fails after upgrade to o kern/121872 net [wpi] driver fails to attach on a fujitsu-siemens s711 o kern/121983 net [fxp] fxp0 MBUF and PAE o kern/122033 net [ral] [lor] Lock order reversal in ral0 at bootup [reg o kern/122058 net [em] [panic] Panic on em1: taskq o kern/122082 net [in_pcb] NULL pointer dereference in in_pcbdrop o kern/122195 net [ed] Alignment problems in if_ed f kern/122252 net [ipmi] [bge] IPMI problem with BCM5704 (does not work o kern/122290 net [netgraph] [panic] Netgraph related "kmem_map too smal o kern/122427 net [apm] [panic] apm and mDNSResponder cause panic during o kern/122551 net [bge] Broadcom 5715S no carrier on HP BL460c blade usi o kern/122685 net It is not visible passing packets in tcpdump o kern/122743 net [panic] vm_page_unwire: invalid wire count: 0 o kern/122772 net [em] em0 taskq panic, tcp reassembly bug causes radix f kern/122794 net [lagg] Kernel panic after brings lagg(8) up if NICs ar f conf/122858 net [nsswitch.conf] nsswitch in 7.0 is f*cked up o kern/122954 net [lagg] IPv6 EUI64 incorrectly chosen for lagg devices o kern/122989 net [swi] [panic] 6.3 kernel panic in swi1: net o kern/123066 net [ipsec] [panic] kernel trap with ipsec o kern/123160 net [ip] Panic and reboot at sysctl kern.polling.enable=0 f kern/123172 net [bce] Watchdog timeout problems with if_bce f kern/123200 net [netgraph] Server failure due to netgraph mpd and dhcp o conf/123330 net [nsswitch.conf] Enabling samba wins in nsswitch.conf c o kern/123347 net [bge] bge1: watchdog timeout -- linkstate changed to D o kern/123429 net [nfe] [hang] "ifconfig nfe up" causes a hard system lo o kern/123463 net [ipsec] [panic] repeatable crash related to ipsec-tool o bin/123465 net [ip6] route(8): route add -inet6 -interfac o kern/123559 net [iwi] iwi periodically disassociates/associates [regre o kern/123603 net [tcp] tcp_do_segment and Received duplicate SYN o kern/123617 net [tcp] breaking connection when client downloading file o bin/123633 net ifconfig(8) doesn't set inet and ether address in one o kern/123796 net [ipf] FreeBSD 6.1+VPN+ipnat+ipf: port mapping does not o kern/123881 net [tcp] Turning on TCP blackholing causes slow localhost o kern/123968 net [rum] [panic] rum driver causes kernel panic with WPA. o kern/124021 net [ip6] [panic] page fault in nd6_output() o kern/124127 net [msk] watchdog timeout (missed Tx interrupts) -- recov o kern/124753 net [ieee80211] net80211 discards power-save queue packets o kern/124904 net [fxp] EEPROM corruption with Compaq NC3163 NIC o kern/125079 net [ppp] host routes added by ppp with gateway flag (regr f kern/125195 net [fxp] fxp(4) driver failed to initialize device Intel 94 problems total. Non-critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- o conf/23063 net [PATCH] for static ARP tables in rc.network o kern/34665 net [ipf] [hang] ipfilter rcmd proxy "hangs". s bin/41647 net ifconfig(8) doesn't accept lladdr along with inet addr o kern/54383 net [nfs] [patch] NFS root configurations without dynamic s kern/60293 net FreeBSD arp poison patch o kern/64556 net [sis] if_sis short cable fix problems with NetGear FA3 o kern/70904 net [ipf] ipfilter ipnat problem with h323 proxy support o kern/77273 net [ipf] ipfilter breaks ipv6 statefull filtering on 5.3 o kern/77913 net [wi] [patch] Add the APDL-325 WLAN pccard to wi(4) o kern/78090 net [ipf] ipf filtering on bridged packets doesn't work if o bin/79228 net [patch] extend arp(8) to be able to create blackhole r o kern/91594 net [em] FreeBSD > 5.4 w/ACPI fails to detect Intel Pro/10 s kern/91777 net [ipf] [patch] wrong behaviour with skip rule inside an o kern/93378 net [tcp] Slow data transfer in Postfix and Cyrus IMAP (wo o kern/95267 net packet drops periodically appear o kern/95277 net [netinet] [patch] IP Encapsulation mask_match() return o kern/100519 net [netisr] suggestion to fix suboptimal network polling o kern/102035 net [plip] plip networking disables parallel port printing o conf/102502 net [patch] ifconfig name does't rename netgraph node in n o conf/107035 net [patch] bridge interface given in rc.conf not taking a o kern/109470 net [wi] Orinoco Classic Gold PC Card Can't Channel Hop o kern/112179 net [sis] [patch] sis driver for natsemi DP83815D autonego o bin/112557 net [patch] ppp(8) lock file should not use symlink name o kern/114915 net [patch] [pcn] pcn (sys/pci/if_pcn.c) ethernet driver f o bin/116643 net [patch] [request] fstat(1): add INET/INET6 socket deta o bin/117339 net [patch] route(8): loading routing management commands o kern/118727 net [netgraph] [patch] [request] add new ng_pf module a kern/118879 net [bge] [patch] bge has checksum problems on the 5703 ch o bin/118987 net ifconfig(8): ifconfig -l (address_family) does not wor o kern/119432 net [arp] route add -host -iface causes arp e f kern/119516 net [ip6] [panic] _mtx_lock_sleep: recursed on non-recursi o kern/119617 net [nfs] nfs error on wpa network when reseting/shutdown o kern/119791 net [nfs] UDP NFS mount of aliased IP addresses from a Sol o kern/120232 net [nfe] [patch] Bring in nfe(4) to RELENG_6 o kern/120566 net [request]: ifconfig(8) make order of arguments more fr o kern/121257 net [tcp] TSO + natd -> slow outgoing tcp traffic o kern/121443 net [gif] LOR icmp6_input/nd6_lookup o kern/121706 net [netinet] [patch] "rtfree: 0xc4383870 has 1 refs" emit s kern/121774 net [swi] [panic] 6.3 kernel panic in swi1: net o kern/122068 net [ppp] ppp can not set the correct interface with pptpd o kern/122295 net [bge] bge Ierr rate increase (since 6.0R) [regression] o kern/122319 net [wi] imposible to enable ad-hoc demo mode with Orinoco o kern/122697 net [ath] Atheros card is not well supported o kern/122780 net [lagg] tcpdump on lagg interface during high pps wedge f kern/122839 net [multicast] FreeBSD 7 multicast routing problem o kern/122928 net [em] interface watchdog timeouts and stops receiving p o kern/123892 net [tap] [patch] No buffer space available p kern/123961 net [vr] [patch] Allow vr interface to handle vlans o bin/124004 net ifconfig(8): Cannot assign both an IP and a MAC addres o kern/124160 net [libc] connect(2) function loops indefinitely o kern/124341 net [ral] promiscuous mode for wireless device ral0 looses o kern/124609 net [ipsec] [panic] ipsec 'remainder too big' panic with p o kern/124767 net [iwi] Wireless connection using iwi0 driver (Intel 220 o kern/125181 net [ndis] [patch] with wep enters kdb.enter.unknown, pani o kern/125239 net [gre] kernel crash when using gre o kern/125258 net [socket] socket's SO_REUSEADDR option does not work f kern/125502 net [ral] ifconfig ral0 scan produces no output unless in 57 problems total. From gavin at FreeBSD.org Mon Jul 21 13:57:58 2008 From: gavin at FreeBSD.org (gavin@FreeBSD.org) Date: Mon Jul 21 13:58:05 2008 Subject: kern/125816: [carp] [bridge] carp stuck in init when using bridge interface Message-ID: <200807211357.m6LDvwPB049993@freefall.freebsd.org> Old Synopsis: carp stuck in init when using bridge interface New Synopsis: [carp] [bridge] carp stuck in init when using bridge interface Responsible-Changed-From-To: freebsd-bugs->freebsd-net Responsible-Changed-By: gavin Responsible-Changed-When: Mon Jul 21 13:53:12 UTC 2008 Responsible-Changed-Why: Over to maintainer(s). Hopefully somebody can establish if this is an issue with carp or with bridge. http://www.freebsd.org/cgi/query-pr.cgi?pr=125816 From vanhu at FreeBSD.org Mon Jul 21 14:13:30 2008 From: vanhu at FreeBSD.org (VANHULLEBUS Yvan) Date: Mon Jul 21 14:13:38 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <20080721083110.GA21786@zen.inc> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> <20080721083110.GA21786@zen.inc> Message-ID: <20080721141327.GA24677@zen.inc> On Mon, Jul 21, 2008 at 10:31:10AM +0200, VANHULLEBUS Yvan wrote: > On Wed, Jul 16, 2008 at 09:10:18PM -0700, Sam Leffler wrote: > [...] > > Please test/review the following patch against HEAD: > > > > http://people.freebsd.org/~sam/nat_t-20080616.patch > > I have tested the RELENG7 version of the patch, and it works well. > > > But I noticed a misplaced #endif at the beginning of udp_ctloutput(), > which will generate problems if INET6 is not defined: [....] After some more testing, I found another issue: in udp4_espdecap(), when payload <= sizeof(uint64_t) + sizeof(struct esp), packet should not be discarded, but just returned for normal processing. And I also have doubts about a change in udp_ctloutput(), in the switch statement which process optval and searches for an UDP_ENCAP_ESPINUDP* flag. The way you changed it forces a flags cleanup anytime. I don't see why someone would set both UDP_ENCAP_ESPINUDP and UDP_ENCAP_ESPINUDP_NON_IKE, but as I was tracking down a problem, I changed it again to be processed "the old way" to ensure it was not the source of the issue. Sam, did you have a good reason to change that part of the code, or was it mostly to have a more compliant coding style ? Updated patches are available for HEAD, RELENG7 and RELENG63 (yeah :-) here: http://people.freebsd.org/~vanhu/NAT-T/ Please all notice that there is still the word "test" in patches names..... Yvan. From vanhu at FreeBSD.org Mon Jul 21 14:27:00 2008 From: vanhu at FreeBSD.org (VANHULLEBUS Yvan) Date: Mon Jul 21 14:27:07 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <20080721085325.B57089@maildrop.int.zabbadoz.net> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> <20080721085325.B57089@maildrop.int.zabbadoz.net> Message-ID: <20080721142657.GB24677@zen.inc> [Larry, I kept you in an explicit CC, even if I guess you suscribed to the list] On Mon, Jul 21, 2008 at 09:26:15AM +0000, Bjoern A. Zeeb wrote: > On Wed, 16 Jul 2008, Sam Leffler wrote: > > Hi, Hi. [...] > My main concern at the moment is the API (pfkey stuff) to userland as > Yvan had stated in <20080626075307.GA1401@zen.inc>. It is also one of my main concerns actually. > I know that at the moment there seems to be one public (pseudo) reference > implementation this all works together but there might be/are other > people not using libipsec from ipsec-tools. Well, people who use another libipsec are expected to "just" not see NAT-T extensions. The only "real issue" is that, actually, NAT-T ports are sent though sockaddr structs, when RFC 2367 says that zeroing ports MUST be done (section 2.3.3). There is already an open ticket on ipsec-tools side to cleanup that part of the code on userland's size of PFKey interface, and I hope it will be done for 0.8.0 release (sorry, no release date for now). As soon as I'll have a working patch on userland, I'll do the work on FreeBSD's kernel side. I hope everything will be done within a few weeks, but I already know that we'll have backward compatibility issues with various kernels (ipsec-tools runs at least on FreeBSD, NetBSD, Linux and MacOSX). Yvan. From sam at freebsd.org Mon Jul 21 15:20:57 2008 From: sam at freebsd.org (Sam Leffler) Date: Mon Jul 21 15:21:04 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <20080721085325.B57089@maildrop.int.zabbadoz.net> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> <20080721085325.B57089@maildrop.int.zabbadoz.net> Message-ID: <4884A956.5060108@freebsd.org> Bjoern A. Zeeb wrote: > On Wed, 16 Jul 2008, Sam Leffler wrote: > > Hi, > >> Please test/review the following patch against HEAD: >> >> http://people.freebsd.org/~sam/nat_t-20080616.patch >> >> This adds only the kernel portion of the NAT-T support; you must >> provide the user-level code from another place. >> >> The main difference from the patches floating around are in the >> ctloutput path (adding proper locking for HEAD) and decap of >> ESP-in-UDP frames. Assuming folks are ok w/ these changes I'll commit >> to HEAD. Once this stuff goes in we can look at getting the >> user-mode mods into the tree. > > I have skipped through the patch. > > My main concern at the moment is the API (pfkey stuff) to userland as > Yvan had stated in <20080626075307.GA1401@zen.inc>. > > I know that at the moment there seems to be one public (pseudo) reference > implementation this all works together but there might be/are other > people not using libipsec from ipsec-tools. > > The point is changing the API once this hits the tree will be hard to > detect at a later point if at all (unless with a __FreeBSD_version or > (another) library version bump/sym versioning). > > > We are still missing other things I think not mentioned elswhere like > partial checksum recalculation. Please send me your specific issues; I haven't seen any comments about "partial checksum recalculations". > I still wonder if we'd have all the information (at the right place) in > the kernel so we could easily add support for that at a later time > w/o having to change APIs again. Considering that it seems noone using > this patch in products has implemented this .. I dunno. > It's something that is already mentioned in the introduction of RFC 3947 > and in 3.1.2. of 3948 and thus should be very obvious to anyone ever > seriously thought of finishing a proper more than "it works for me" > version of the patch. I don't see any of the above blocking this work going in. Forcing people to maintain out-of-tree patches for years because of vague concerns is unproductive. This code is used by at least 2 vendors shipping products. > > > Some minor things I had seen not reported so far: > > I have seen two printfs that should be changed to proper logging, ... > /NAT-T OA present > > s,bave,have, in "...in the SPD: This means we bave a non-generated" > but maybe change the entire comment. "non-generated SPD" is kind of > wrong wording. > > > I'd happily go through another patch once the missing/to be corrected > things were addressed. > Please apply your changes to the p4 branch or fix 'em when the code hits CVS. I've see no concrete rationale for holding this work out. Sam From sam at freebsd.org Mon Jul 21 15:33:58 2008 From: sam at freebsd.org (Sam Leffler) Date: Mon Jul 21 15:34:04 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <20080721141327.GA24677@zen.inc> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> <20080721083110.GA21786@zen.inc> <20080721141327.GA24677@zen.inc> Message-ID: <4884AC65.7020605@freebsd.org> VANHULLEBUS Yvan wrote: > On Mon, Jul 21, 2008 at 10:31:10AM +0200, VANHULLEBUS Yvan wrote: > >> On Wed, Jul 16, 2008 at 09:10:18PM -0700, Sam Leffler wrote: >> [...] >> >>> Please test/review the following patch against HEAD: >>> >>> http://people.freebsd.org/~sam/nat_t-20080616.patch >>> >> I have tested the RELENG7 version of the patch, and it works well. >> >> >> But I noticed a misplaced #endif at the beginning of udp_ctloutput(), >> which will generate problems if INET6 is not defined: >> > [....] > > > After some more testing, I found another issue: in udp4_espdecap(), > when payload <= sizeof(uint64_t) + sizeof(struct esp), packet should > not be discarded, but just returned for normal processing. > Please edit the sam_nat_t branch in p4 or send a patch I can apply. > And I also have doubts about a change in udp_ctloutput(), in the > switch statement which process optval and searches for an > UDP_ENCAP_ESPINUDP* flag. > > The way you changed it forces a flags cleanup anytime. > I don't see why someone would set both UDP_ENCAP_ESPINUDP and > UDP_ENCAP_ESPINUDP_NON_IKE, but as I was tracking down a problem, I > changed it again to be processed "the old way" to ensure it was not > the source of the issue. > Sorry but I'm not clear on what you are saying. The code changed the behaviour of setting udp encapsulation so that only one of UDP_ENCAP_ESPINUDP and UDP_ENCAP_ESPINUDP_NON_IKE can be set a time. The original code from you permitted both flags to be set but the code that handled the encap/decap assumed only one was set. > Sam, did you have a good reason to change that part of the code, or > was it mostly to have a more compliant coding style ? > See above. > > Updated patches are available for HEAD, RELENG7 and RELENG63 (yeah :-) > here: > http://people.freebsd.org/~vanhu/NAT-T/ > > Please all notice that there is still the word "test" in patches > names..... > Sorry again I don't understand what you write. Sam > > > Yvan. > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > > > From sam at freebsd.org Mon Jul 21 15:42:34 2008 From: sam at freebsd.org (Sam Leffler) Date: Mon Jul 21 15:42:41 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <20080721142657.GB24677@zen.inc> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> <20080721085325.B57089@maildrop.int.zabbadoz.net> <20080721142657.GB24677@zen.inc> Message-ID: <4884AE67.4020204@freebsd.org> VANHULLEBUS Yvan wrote: > [Larry, I kept you in an explicit CC, even if I guess you suscribed to > the list] > > On Mon, Jul 21, 2008 at 09:26:15AM +0000, Bjoern A. Zeeb wrote: > >> On Wed, 16 Jul 2008, Sam Leffler wrote: >> >> Hi, >> > > Hi. > > > [...] > >> My main concern at the moment is the API (pfkey stuff) to userland as >> Yvan had stated in <20080626075307.GA1401@zen.inc>. >> > > It is also one of my main concerns actually. > > > >> I know that at the moment there seems to be one public (pseudo) reference >> implementation this all works together but there might be/are other >> people not using libipsec from ipsec-tools. >> > > Well, people who use another libipsec are expected to "just" not see > NAT-T extensions. > > The only "real issue" is that, actually, NAT-T ports are sent though > sockaddr structs, when RFC 2367 says that zeroing ports MUST be done > (section 2.3.3). > > > There is already an open ticket on ipsec-tools side to cleanup that > part of the code on userland's size of PFKey interface, and I hope > it will be done for 0.8.0 release (sorry, no release date for now). > > As soon as I'll have a working patch on userland, I'll do the work on > FreeBSD's kernel side. I hope everything will be done within a few > weeks, but I already know that we'll have backward compatibility > issues with various kernels (ipsec-tools runs at least on FreeBSD, > NetBSD, Linux and MacOSX). > With regard to changing the kernel API. First, this is HEAD and api's can change. I intentionally have said nothing about MFC and didn't touch user code. Getting the support into the kernel enables use and testing which was the point of getting the logjam broken so full NAT-T support can ship w/ 8.0. I committed to get everything necessary in the tree in time for 8.0 but now that you have direct access to freebsd's repo I think that's less important. Sam From davidch at broadcom.com Mon Jul 21 17:36:13 2008 From: davidch at broadcom.com (David Christensen) Date: Mon Jul 21 17:36:20 2008 Subject: Status of Multi-Queue (RSS) Support in -CURRENT Message-ID: <5D267A3F22FD854F8F48B3D2B52381932678025873@IRVEXCHCCR01.corp.ad.broadcom.com> I'm working on implementing multi-queue support for a 10Gb device on FreeBSD and I wanted to find out the current state of the OS with regards to supporting this. It seems that support for multiple receive queues can be done today since most of the routing is done in hardware but the transmit side is a different story. I've seen some things in the cxgb driver that suggest changes to the OS (such as a m_pkthdr.rss_hash field) but I don't see any OS code to back that usage model up. What's the state of the art in multi-queue support for FreeBSD? Dave From mgrooms at shrew.net Mon Jul 21 18:27:04 2008 From: mgrooms at shrew.net (Matthew Grooms) Date: Mon Jul 21 18:27:10 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <4884C28F.4020402@shrew.net> References: <4884C28F.4020402@shrew.net> Message-ID: <4884D4F9.4050707@shrew.net> On Mon, Jul 21, 2008 at 10:31:10AM +0200, VANHULLEBUS Yvan wrote: > > After some more testing, I found another issue: in udp4_espdecap(), > when payload <= sizeof(uint64_t) + sizeof(struct esp), packet should > not be discarded, but just returned for normal processing. > I noticed this too. But the only situation that I could think of where a valid ISAKMP packet will be smaller than this is a NAT-T keep-alive. These are handled previously in the code path so I don't think there is an issue from a functional standpoint. > And I also have doubts about a change in udp_ctloutput(), in the > switch statement which process optval and searches for an > UDP_ENCAP_ESPINUDP* flag. > > The way you changed it forces a flags cleanup anytime. > I don't see why someone would set both UDP_ENCAP_ESPINUDP and > UDP_ENCAP_ESPINUDP_NON_IKE, but as I was tracking down a problem, I > changed it again to be processed "the old way" to ensure it was not > the source of the issue. > It should be disallowed as in Sams patch. Allowing them to be mixed would cause problems using any of the patches I have seen. There is no way to distinguish between a Draft 00/01 ISAKMP packet and an RFC ESP packet without matching the port value to a SAD NAT-T mapping. And as you mentioned, I also don't see why anyone would try to set them both. There should never be a situation where you need to evaluate a NON-ESP NAT-T marker on an ISAKMP socket, only NON-ISAKMP markers. On a related note, I noticed the patch unconditionally uses a source port of 500 when processing outbound Draft 00/01 packets. Should this value be obtained from the SAD NAT-T mapping to support an IKE daemon bound to a non standard port? Thanks, -Matthew From vanhu at FreeBSD.org Mon Jul 21 19:16:39 2008 From: vanhu at FreeBSD.org (VANHULLEBUS Yvan) Date: Mon Jul 21 19:16:47 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <4884D4F9.4050707@shrew.net> References: <4884C28F.4020402@shrew.net> <4884D4F9.4050707@shrew.net> Message-ID: <20080721191635.GA2846@zen.inc> On Mon, Jul 21, 2008 at 01:27:05PM -0500, Matthew Grooms wrote: > On Mon, Jul 21, 2008 at 10:31:10AM +0200, VANHULLEBUS Yvan wrote: >> >> After some more testing, I found another issue: in udp4_espdecap(), >> when payload <= sizeof(uint64_t) + sizeof(struct esp), packet should >> not be discarded, but just returned for normal processing. >> > > I noticed this too. But the only situation that I could think of where a > valid ISAKMP packet will be smaller than this is a NAT-T keep-alive. > These are handled previously in the code path so I don't think there is > an issue from a functional standpoint. That's what I also supposed when I noticed that, but I was tracking down a negociation problem (as an initiator, responder's first exchange in Main mode was seen on tcpdump but not on racoon's log), and it has been solved by fixing that part of the code.... [...] > It should be disallowed as in Sams patch. Allowing them to be mixed > would cause problems using any of the patches I have seen. There is no > way to distinguish between a Draft 00/01 ISAKMP packet and an RFC ESP > packet without matching the port value to a SAD NAT-T mapping. And as > you mentioned, I also don't see why anyone would try to set them both. > There should never be a situation where you need to evaluate a NON-ESP > NAT-T marker on an ISAKMP socket, only NON-ISAKMP markers. Yes. As I said, I was tracking down a problem on a gate which used to run for a long time with previous patches, so every difference was suspect for me :-) > On a related note, I noticed the patch unconditionally uses a source > port of 500 when processing outbound Draft 00/01 packets. Should this > value be obtained from the SAD NAT-T mapping to support an IKE daemon > bound to a non standard port? It should really really not happen..... but yes, it would be cleaner to get it from SAD than setting 500 anytime. Yvan. From bzeeb-lists at lists.zabbadoz.net Mon Jul 21 19:30:08 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Mon Jul 21 19:30:14 2008 Subject: FreeBSD NAT-T patch integration [CFR/CFT] In-Reply-To: <4884A956.5060108@freebsd.org> References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> <20080721085325.B57089@maildrop.int.zabbadoz.net> <4884A956.5060108@freebsd.org> Message-ID: <20080721180626.V57089@maildrop.int.zabbadoz.net> On Mon, 21 Jul 2008, Sam Leffler wrote: Hi Sam, >> We are still missing other things I think not mentioned elswhere like >> partial checksum recalculation. > > Please send me your specific issues; I haven't seen any comments about > "partial checksum recalculations". So what has kept you from reading the RFCs for the patch you were working on? "It works for me" does not mean "It's right and all done". /bz -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From rehsack at web.de Mon Jul 21 20:39:53 2008 From: rehsack at web.de (Jens Rehsack) Date: Mon Jul 21 20:40:01 2008 Subject: lo0 not in ioctl( SIOCGIFCONF ) Message-ID: <4884F401.4050103@web.de> Hi, maybe this question is better asked in this list ... I was searching why ports/net/p5-Net-Interface was not working as expected and found some reasons. Most of them I can answer by implementing some test code as attached, but now I'm wondering why em0 is shown twice and lo0 is not included. The same situation on another machine .. --- BEGIN ifconfig -a (waldorf) em0: flags=8843 metric 0 mtu 1500 options=19b ether 00:15:17:10:84:6c inet 10.62.10.3 netmask 0xffffff00 broadcast 10.62.10.255 media: Ethernet autoselect (100baseTX ) status: active em1: flags=8802 metric 0 mtu 1500 options=19b ether 00:15:17:10:84:6d media: Ethernet autoselect status: no carrier lo0: flags=8049 metric 0 mtu 16384 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet6 ::1 prefixlen 128 inet 127.0.0.1 netmask 0xff000000 --- END ifconfig -a (waldorf) ./netif em0 em0 em1 --- BEGIN ifconfig -a (STINGRAY) ifconfig -a fxp0: flags=8843 metric 0 mtu 1500 options=8 ether 00:a0:c9:ce:c8:64 inet 10.62.10.12 netmask 0xffffff00 broadcast 10.62.10.255 media: Ethernet autoselect (100baseTX ) status: active fxp1: flags=8843 metric 0 mtu 1500 options=8 ether 00:a0:c9:ce:db:83 media: Ethernet autoselect (100baseTX ) status: active pflog0: flags=141 metric 0 mtu 33204 lo0: flags=8049 metric 0 mtu 16384 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 inet6 ::1 prefixlen 128 inet 127.0.0.1 netmask 0xff000000 vlan0: flags=8843 metric 0 mtu 1500 ether 00:a0:c9:ce:db:83 media: Ethernet autoselect (100baseTX ) status: active vlan: 7 parent interface: fxp1 tun0: flags=8051 metric 0 mtu 1492 inet 87.149.231.190 --> 217.0.119.167 netmask 0xffffffff Opened by PID 27503 --- END ifconfig -a (STINGRAY) ./netif32 fxp0 fxp0 fxp1 Why aren't lo0, vlan0 and tun0 not included? What can I do to get these entries (portable way, please). Best regards, Jens From brooks at freebsd.org Mon Jul 21 20:47:42 2008 From: brooks at freebsd.org (Brooks Davis) Date: Mon Jul 21 20:47:49 2008 Subject: lo0 not in ioctl( SIOCGIFCONF ) In-Reply-To: <4884F401.4050103@web.de> References: <4884F401.4050103@web.de> Message-ID: <20080721204820.GE1699@lor.one-eyed-alien.net> > Hi, > > maybe this question is better asked in this list ... > > I was searching why ports/net/p5-Net-Interface was not working as > expected and found some reasons. Most of them I can answer by implementing > some test code as attached, but now I'm wondering why em0 is shown twice > and lo0 is not included. > The same situation on another machine .. The attachment didn't make it through. -- Brooks On Mon, Jul 21, 2008 at 08:39:29PM +0000, Jens Rehsack wrote: > > --- BEGIN ifconfig -a (waldorf) > em0: flags=8843 metric 0 mtu 1500 > options=19b > ether 00:15:17:10:84:6c > inet 10.62.10.3 netmask 0xffffff00 broadcast 10.62.10.255 > media: Ethernet autoselect (100baseTX ) > status: active > em1: flags=8802 metric 0 mtu 1500 > options=19b > ether 00:15:17:10:84:6d > media: Ethernet autoselect > status: no carrier > lo0: flags=8049 metric 0 mtu 16384 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 > inet6 ::1 prefixlen 128 > inet 127.0.0.1 netmask 0xff000000 > --- END ifconfig -a (waldorf) > ./netif > em0 > em0 > em1 > > --- BEGIN ifconfig -a (STINGRAY) > ifconfig -a > fxp0: flags=8843 metric 0 mtu 1500 > options=8 > ether 00:a0:c9:ce:c8:64 > inet 10.62.10.12 netmask 0xffffff00 broadcast 10.62.10.255 > media: Ethernet autoselect (100baseTX ) > status: active > fxp1: flags=8843 metric 0 mtu 1500 > options=8 > ether 00:a0:c9:ce:db:83 > media: Ethernet autoselect (100baseTX ) > status: active > pflog0: flags=141 metric 0 mtu 33204 > lo0: flags=8049 metric 0 mtu 16384 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 > inet6 ::1 prefixlen 128 > inet 127.0.0.1 netmask 0xff000000 > vlan0: flags=8843 metric 0 mtu 1500 > ether 00:a0:c9:ce:db:83 > media: Ethernet autoselect (100baseTX ) > status: active > vlan: 7 parent interface: fxp1 > tun0: flags=8051 metric 0 mtu 1492 > inet 87.149.231.190 --> 217.0.119.167 netmask 0xffffffff > Opened by PID 27503 > --- END ifconfig -a (STINGRAY) > ./netif32 > fxp0 > fxp0 > fxp1 > > Why aren't lo0, vlan0 and tun0 not included? What can I do to get these > entries (portable way, please). > > Best regards, > Jens > > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20080721/398aecb1/attachment.pgp From kip.macy at gmail.com Mon Jul 21 21:27:15 2008 From: kip.macy at gmail.com (Kip Macy) Date: Mon Jul 21 21:27:21 2008 Subject: Status of Multi-Queue (RSS) Support in -CURRENT In-Reply-To: <5D267A3F22FD854F8F48B3D2B52381932678025873@IRVEXCHCCR01.corp.ad.broadcom.com> References: <5D267A3F22FD854F8F48B3D2B52381932678025873@IRVEXCHCCR01.corp.ad.broadcom.com> Message-ID: On Mon, Jul 21, 2008 at 10:36 AM, David Christensen wrote: > I'm working on implementing multi-queue support for a 10Gb > device on FreeBSD and I wanted to find out the current state > of the OS with regards to supporting this. It seems that > support for multiple receive queues can be done today since > most of the routing is done in hardware but the transmit > side is a different story. I've seen some things in the > cxgb driver that suggest changes to the OS (such as a > m_pkthdr.rss_hash field) but I don't see any OS code to > back that usage model up. What's the state of the art > in multi-queue support for FreeBSD? Unfortunately nothing has gone in yet. Robert has a prototype interface and I *think* that he may have come around to accepting my approach. The right way to integrate QoS and multi-queue cleanly isn't 100% obvious. I think it isn't unreasonable to expect that the new interfaces will go in in time for 7.2 but 7.1 is basically impossible at this point given that the freeze will be happening in the next month. Thanks, Kip From rehsack at web.de Mon Jul 21 21:31:03 2008 From: rehsack at web.de (Jens Rehsack) Date: Mon Jul 21 21:31:09 2008 Subject: lo0 not in ioctl( SIOCGIFCONF ) In-Reply-To: <20080721204820.GE1699@lor.one-eyed-alien.net> References: <4884F401.4050103@web.de> <20080721204820.GE1699@lor.one-eyed-alien.net> Message-ID: <4884FFFF.9090908@web.de> Brooks Davis wrote: >> Hi, >> >> maybe this question is better asked in this list ... >> >> I was searching why ports/net/p5-Net-Interface was not working as >> expected and found some reasons. Most of them I can answer by implementing >> some test code as attached, but now I'm wondering why em0 is shown twice >> and lo0 is not included. >> The same situation on another machine .. > > The attachment didn't make it through. > > -- Brooks Copy&Paste starts here ... #include #include #include #include #include #include #include #include #ifndef _SIZEOF_ADDR_IFREQ #define _SIZEOF_ADDR_IFREQ(ifr) \ ((ifr).ifr_addr.sa_len > sizeof(struct sockaddr) ? \ (sizeof(struct ifreq) - sizeof(struct sockaddr) + \ (ifr).ifr_addr.sa_len) : sizeof(struct ifreq)) #endif int main() { struct ifconf ifc; struct ifreq *ifr, *lifr; int fd; unsigned int n; fd = socket( AF_INET, SOCK_STREAM, 0 ); bzero(&ifc, sizeof(ifc)); n = 3; ifr = calloc( ifc.ifc_len, sizeof(*ifr) ); do { n *= 2; ifr = realloc( ifr, sizeof(*ifr) * n ); bzero( ifr, sizeof(*ifr) * n ); ifc.ifc_req = ifr; ifc.ifc_len = n * sizeof(*ifr); } while( ( ioctl( fd, SIOCGIFCONF, &ifc ) == -1 ) || ( ifc.ifc_len == n * sizeof(*ifr)) ); lifr = (struct ifreq *)&ifc.ifc_buf[ifc.ifc_len]; while (ifr < lifr) { printf( "%s\n", ifr->ifr_name ); ifr = (struct ifreq *)(((char *)ifr) + _SIZEOF_ADDR_IFREQ(*ifr)); } return 0; } From brooks at freebsd.org Mon Jul 21 22:23:37 2008 From: brooks at freebsd.org (Brooks Davis) Date: Mon Jul 21 22:23:43 2008 Subject: lo0 not in ioctl( SIOCGIFCONF ) In-Reply-To: <4884FFFF.9090908@web.de> References: <4884F401.4050103@web.de> <20080721204820.GE1699@lor.one-eyed-alien.net> <4884FFFF.9090908@web.de> Message-ID: <20080721222416.GG1699@lor.one-eyed-alien.net> On Mon, Jul 21, 2008 at 09:30:39PM +0000, Jens Rehsack wrote: > Brooks Davis wrote: >>> Hi, >>> >>> maybe this question is better asked in this list ... >>> >>> I was searching why ports/net/p5-Net-Interface was not working as >>> expected and found some reasons. Most of them I can answer by implementing >>> some test code as attached, but now I'm wondering why em0 is shown twice >>> and lo0 is not included. >>> The same situation on another machine .. >> >> The attachment didn't make it through. >> >> -- Brooks > > Copy&Paste starts here ... > #include > #include > #include > #include > #include > #include > #include > #include > > #ifndef _SIZEOF_ADDR_IFREQ > #define _SIZEOF_ADDR_IFREQ(ifr) \ > ((ifr).ifr_addr.sa_len > sizeof(struct sockaddr) ? \ > (sizeof(struct ifreq) - sizeof(struct sockaddr) + \ > (ifr).ifr_addr.sa_len) : sizeof(struct ifreq)) > #endif > > int > main() > { > struct ifconf ifc; > struct ifreq *ifr, *lifr; > int fd; > unsigned int n; > > fd = socket( AF_INET, SOCK_STREAM, 0 ); > bzero(&ifc, sizeof(ifc)); > n = 3; > ifr = calloc( ifc.ifc_len, sizeof(*ifr) ); > do > { > n *= 2; > ifr = realloc( ifr, sizeof(*ifr) * n ); > bzero( ifr, sizeof(*ifr) * n ); > ifc.ifc_req = ifr; > ifc.ifc_len = n * sizeof(*ifr); > } while( ( ioctl( fd, SIOCGIFCONF, &ifc ) == -1 ) || ( ifc.ifc_len > == n * sizeof(*ifr)) ); There are several problems with this loop. First, icoctl won't return an error in the overflow case because that's not how SIOCGIFCONF works. SIOCGIFCONF is badly designed in a number of ways, but that's how it is. Second, checking that the array is completely full isn't at all reliable because what is returned is actually ifreq structures which might or might not vary in length as they contain addresses. Thus you need <=. Third, you should start by allocating a significant amount of space. Yes, your algorithm is O(sqrt(n)), but allocating a larger value has effectively no cost so you might as well save some system calls on average. > lifr = (struct ifreq *)&ifc.ifc_buf[ifc.ifc_len]; > > while (ifr < lifr) > { > printf( "%s\n", ifr->ifr_name ); > ifr = (struct ifreq *)(((char *)ifr) + _SIZEOF_ADDR_IFREQ(*ifr)); > } This loop has two problems. First, the ifr's are variable length so you immediately go off into the weeds. Second, there is at least one per interface and one per address so you to keep track of the last interface name and not repeat them. -- Brooks > > return 0; > } > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20080721/7f05d287/attachment.pgp From rehsack at web.de Mon Jul 21 22:37:48 2008 From: rehsack at web.de (Jens Rehsack) Date: Mon Jul 21 22:37:54 2008 Subject: lo0 not in ioctl( SIOCGIFCONF ) In-Reply-To: <20080721222416.GG1699@lor.one-eyed-alien.net> References: <4884F401.4050103@web.de> <20080721204820.GE1699@lor.one-eyed-alien.net> <4884FFFF.9090908@web.de> <20080721222416.GG1699@lor.one-eyed-alien.net> Message-ID: <48850F72.90204@web.de> Brooks Davis wrote: > On Mon, Jul 21, 2008 at 09:30:39PM +0000, Jens Rehsack wrote: >> Brooks Davis wrote: >>>> Hi, >>>> >>>> maybe this question is better asked in this list ... >>>> >>>> I was searching why ports/net/p5-Net-Interface was not working as >>>> expected and found some reasons. Most of them I can answer by implementing >>>> some test code as attached, but now I'm wondering why em0 is shown twice >>>> and lo0 is not included. >>>> The same situation on another machine .. >>> The attachment didn't make it through. >>> >>> -- Brooks >> Copy&Paste starts here ... >> #include >> #include >> #include >> #include >> #include >> #include >> #include >> #include >> >> #ifndef _SIZEOF_ADDR_IFREQ >> #define _SIZEOF_ADDR_IFREQ(ifr) \ >> ((ifr).ifr_addr.sa_len > sizeof(struct sockaddr) ? \ >> (sizeof(struct ifreq) - sizeof(struct sockaddr) + \ >> (ifr).ifr_addr.sa_len) : sizeof(struct ifreq)) >> #endif >> >> int >> main() >> { >> struct ifconf ifc; >> struct ifreq *ifr, *lifr; >> int fd; >> unsigned int n; >> >> fd = socket( AF_INET, SOCK_STREAM, 0 ); >> bzero(&ifc, sizeof(ifc)); >> n = 3; >> ifr = calloc( ifc.ifc_len, sizeof(*ifr) ); >> do >> { >> n *= 2; >> ifr = realloc( ifr, sizeof(*ifr) * n ); >> bzero( ifr, sizeof(*ifr) * n ); >> ifc.ifc_req = ifr; >> ifc.ifc_len = n * sizeof(*ifr); >> } while( ( ioctl( fd, SIOCGIFCONF, &ifc ) == -1 ) || ( ifc.ifc_len >> == n * sizeof(*ifr)) ); > > There are several problems with this loop. First, icoctl won't return > an error in the overflow case because that's not how SIOCGIFCONF works. > SIOCGIFCONF is badly designed in a number of ways, but that's how it > is. Second, checking that the array is completely full isn't at all > reliable because what is returned is actually ifreq structures which > might or might not vary in length as they contain addresses. Thus you > need <=. Third, you should start by allocating a significant amount of > space. Yes, your algorithm is O(sqrt(n)), but allocating a larger > value has effectively no cost so you might as well save some system calls > on average. Thanks - that was the information I miss. I'll try tomorrow (it's slightly late here) and send back the result. Using <= should produce an endless loop, but maybe checking if ifc.ifc_len <= (n/2) * sizeof(*ifr) could bring wanted results ... >> lifr =