# uname -a
FreeBSD xxxxx 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #3: Fri Mar 12
15:49:47 EET 2010 root@xxxxxxx:/usr/obj/usr/src/sys/KACHA i386

In ipfw the following construction is used:

pipe tablearg ip from table(11) to any

# ipfw table 11 list
10.5.0.17/32 1008
10.5.0.147/32 1004

# ipfw pipe list
01004: 1.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 udp 10.5.0.147/137 10.5.0.255/137 2 156 0 0 0
00001: unlimited 0 ms 50 sl. 0 queues (1 buckets) droptail
01008: 1.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 10.5.0.17/56457 147.102.222.211/21 332 15936 0 0 0

But the client did not actually work - the traffic was getting stuck somewhere. I spent several days struggling with checks of various hypotheses; finally I started checking, one rule at a time, how the packets pass through the rules and ran into the following phenomenon:
Mar 20 20:18:20 ipfw: 5400 Pipe 65535 TCP 10.5.0.17:59098 141.41.9.9:21 in via fxp1
Mar 20 20:18:23 ipfw: 5400 Pipe 65535 TCP 10.5.0.17:59098 141.41.9.9:21 in via fxp1
Mar 20 20:18:26 ipfw: 5400 Pipe 65535 TCP 10.5.0.17:59098 141.41.9.9:21 in via fxp1
Mar 20 20:18:29 ipfw: 5400 Pipe 65535 TCP 10.5.0.17:59098 141.41.9.9:21 in via fxp1
Mar 20 20:18:35 ipfw: 5400 Pipe 65535 TCP 10.5.0.17:59098 141.41.9.9:21 in via fxp1
Mar 20 20:18:48 ipfw: 5400 Pipe 65535 TCP 10.5.0.17:59098 141.41.9.9:21 in via fxp1

I tried a simple configuration on another machine:
# uname -a
FreeBSD yyyyyy 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0: Thu Mar 4
16:11:15 EET 2010 root@yyyyyy:/usr/obj/usr/src/sys/HU i386

# ipfw list
00100 pipe tablearg log ip from me to table(10)
01000 allow ip from any to any
65535 deny ip from any to any
# ipfw table 10 list
130.208.16.26/32 1004
130.208.16.31/32 1004
134.76.12.3/32 1008
141.41.9.9/32 1008
147.91.8.38/32 1004
147.102.222.211/32 1008
188.40.113.17/32 1004
193.6.210.44/32 1004
212.242.42.40/32 1008
213.206.121.69/32 1008

# ipfw pipe list
01004: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 10.5.0.17/60575 188.40.113.17/80 5 240 0 0 0
00001: unlimited 0 ms 50 sl. 0 queues (1 buckets) droptail
01008: 1.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 10.5.0.17/57729 212.242.42.40/80 27 1296 0 0 0

In the log - the same ....:
Mar 20 22:21:15 hu kernel: ipfw: 100 Pipe 65535 TCP 10.5.0.17:57729 212.242.42.40:80 out via rl0
Mar 20 22:21:31 hu kernel: ipfw: 100 Pipe 65535 TCP 10.5.0.17:58866 141.41.9.9:21 out via rl0
Mar 20 22:22:47 hu kernel: ipfw: 100 Pipe 65535 TCP 10.5.0.17:64185 134.76.12.3:21 out via rl0
Mar 20 22:24:02 hu kernel: ipfw: 100 Pipe 65535 TCP 10.5.0.17:60575 188.40.113.17:80 out via rl0

Kernel config:
cpu I686_CPU
ident Hu
options SCHED_ULE
options PREEMPTION
options INET
options FFS
options SOFTUPDATES
options NFSCLIENT
options NFSSERVER
options NFSLOCKD
options NFS_ROOT
options MSDOSFS
options CD9660
options PROCFS
options PSEUDOFS
options COMPAT_43TTY
options COMPAT_FREEBSD4
options COMPAT_FREEBSD5
options COMPAT_FREEBSD6
options KTRACE
options STACK
options SYSVSHM
options SYSVMSG
options SYSVSEM
options P1003_1B_SEMAPHORES
options _KPOSIX_PRIORITY_SCHEDULING
options KBD_INSTALL_CDEV
options ADAPTIVE_GIANT
options STOP_NMI
options AUDIT
options INCLUDE_CONFIG_FILE
device cpufreq
device pci
device ata
device atadisk
device atapicd
options ATA_STATIC_ID
device scbus
device ch
device da
device atkbdc
device atkbd
device psm
device kbdmux
device vga
device agp
device splash
device sc
device pmtimer
device loop
device random
device ether
device vlan
device ppp
device tun
device pty
device md
device firmware
device bpf

# kldstat
Id Refs Address Size Name
1 13 0xc0400000 3fba84 kernel
2 4 0xc07fc000 ec4c ipfw.ko
3 1 0xc080b000 738c if_rl.ko
4 2 0xc0813000 25110 miibus.ko
5 1 0xc0839000 466c ipdivert.ko
6 1 0xc083e000 3e40 ipfw_nat.ko
7 2 0xc0842000 9ccc libalias.ko
8 1 0xc084c000 998c dummynet.ko

Did I leave something unfinished, or is this indeed a glitch in the system? :(
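An added check, written for this thread and not part of the original post or of FreeBSD: given the table, pipe list and log output of the kind shown above, it resolves each logged destination through the table (longest prefix match) and reports whether the table's pipe actually exists, so a "Pipe 65535" log line can be told apart from a table value that points at a pipe nobody created. It assumes IP_FW_TABLEARG is 65535 as in FreeBSD 7.x ip_fw.h; the 198.51.100.0/24 entry and pipe 1012 are constructed to show the missing-pipe case.

```python
import ipaddress
import re

# IP_FW_TABLEARG in FreeBSD 7.x ip_fw.h: the argument a "pipe tablearg" rule carries
# before the table lookup. The 7.x log code prints this raw value, hence "Pipe 65535".
TABLEARG = 65535
LOG_RE = re.compile(r"ipfw: \d+ (?:Pipe|Queue) (\d+) \S+ \S+:\d+ (\S+):\d+ ")

# Constructed sample input, shaped like the outputs in the post (the 198.51.100.0/24
# entry and pipe 1012 are made up to show a table value with no matching pipe).
TABLE_10 = "141.41.9.9/32 1008\n188.40.113.17/32 1004\n212.242.42.40/32 1008\n198.51.100.0/24 1012\n"
PIPE_LIST = """01004: 128.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
00001: unlimited 0 ms 50 sl. 0 queues (1 buckets) droptail
01008: 1.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
"""
LOG = """Mar 20 22:21:15 hu kernel: ipfw: 100 Pipe 65535 TCP 10.5.0.17:57729 212.242.42.40:80 out via rl0
Mar 20 22:21:31 hu kernel: ipfw: 100 Pipe 65535 TCP 10.5.0.17:58866 141.41.9.9:21 out via rl0
Mar 20 22:24:02 hu kernel: ipfw: 100 Pipe 65535 TCP 10.5.0.17:60575 188.40.113.17:80 out via rl0
Mar 20 22:25:09 hu kernel: ipfw: 100 Pipe 65535 TCP 10.5.0.17:60601 198.51.100.7:80 out via rl0
"""

def parse_table(text):
    """'ipfw table N list' lines -> [(network, value)]."""
    return [(ipaddress.ip_network(n), int(v)) for n, v in (l.split() for l in text.split("\n") if l.strip())]

def parse_pipes(text):
    """'ipfw pipe list' output -> set of pipe numbers taken from the 'NNNNN:' header lines."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d{5}):", text, re.M)}

def lookup(table, ip):
    """Longest-prefix match over the table, as the kernel lookup does; None if no entry."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, val) for net, val in table if addr in net]
    return max(hits)[1] if hits else None

def check(table_text, pipe_text, log_text):
    """For each logged tablearg hit: (dst, logged pipe, pipe the table resolves to, status)."""
    table, pipes, out = parse_table(table_text), parse_pipes(pipe_text), []
    for logged, dst in LOG_RE.findall(log_text):
        logged, pipe = int(logged), lookup(table, dst)
        if pipe is None:
            status = "no table entry"
        elif pipe not in pipes:
            status = "pipe missing"        # table points at a pipe that was never created
        elif logged not in (TABLEARG, pipe):
            status = "log/table mismatch"  # log names a pipe other than the table's value
        else:
            status = "ok"                  # 65535 in the log is the placeholder, not a fault
        out.append((dst, logged, pipe, status))
    return out

if __name__ == "__main__":
    for row in check(TABLE_10, PIPE_LIST, LOG):
        print("%-16s logged=%-5d resolved=%-5s %s" % row)
```

On the real box, feed it the output of `ipfw table 10 list`, `ipfw pipe list` and the ipfw lines from /var/log/security instead of the constructed strings.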
sysctl net.inet.ip.fw.one_pass, perhaps?