kern/106438: ipfilter: keep state does not seem to allow replies
in on spar64 (and maybe others)
Remko Lodder
remko at elvandar.org
Fri Dec 14 13:10:03 PST 2007
The following reply was made to PR kern/106438; it has been noted by GNATS.
From: Remko Lodder <remko at elvandar.org>
To: Manuel Tobias Schiller <mala at hinterbergen.de>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies
in on spar64 (and maybe others)
Date: Fri, 14 Dec 2007 22:01:11 +0100
Manuel Tobias Schiller wrote:
> On Fri, 30 Nov 2007 20:03:31 +0100
> Remko Lodder <remko at elvandar.org> wrote:
>
>> Manuel Tobias Schiller wrote:
>>> Hello,
>>>
>>> I've gathered the information you have asked for, see the
>>> attachment. I hope it helps us to get an idea of what's going
>>> wrong. Any help with this would be appreciated.
>>>
>>> Thanks in advance.
>>>
>>> Manuel
>>>
>>> P.S. I did the | grep hme3 in the attachment to not clutter the
>>> output with irrelevant stuff. All other rules are bound to their
>>> respective interface (hme0, hme1, hme2, le0) and should not
>>> influence hme3. Besides, there's a lot of traffic going on on le0
>>> which does not need to be mentioned in the ipfstat output because
>>> the machine in question is headless and can only be reached with a
>>> serial line (with a laptop down in the cellar) or a dedicated
>>> network interface (le0, for which I need to have rules that pass
>>> everything).
>>>
>>> On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
>>>> Hello,
>>>>
>>>>
>>>> First of all thanks for using FreeBSD!
>>>>
>>>> If you run ipmon, what kind of details do you see in the
>>>> log? It mentions where it is blocked and you can review that rule
>>>> with ipfstat -hion (list everything in out, do not resolve and
>>>> show the amount of hits on the rule)
>>>>
>>>> Thanks in advance
>>>>
>>>> --
>>>> Kind regards,
>>>>
>>>> Remko Lodder ** remko at elvandar.org
>>>> FreeBSD ** remko at FreeBSD.org
>>>>
>>>> /* Quis custodiet ipsos custodes */
>>>>
>> Dear Manuel,
>>
>> It took a lot of time for me to set this up properly, but I managed to
>> work this out; actually this is not an ipfilter problem but it seems
>> that hme0 is not capable of doing incoming and outgoing checksumming.
>>
>> I faced the same problem, and by issuing an ifconfig hme0 -txcsum
>> -rxcsum I resolved the problem.
>>
>> The ipfilter errors vanished after that. I'll try to have a look at
>> the intel gigabit card in the machine (manually added) and see
>> whether that has a similar issue..
>>
>> Cheers
>> remko
>
> Dear Remko,
>
> it's great to hear from you again - I thought everybody had forgotten
> about this... Well, I have switched to pf in the meantime, as it's a
> production machine, but I may have time over Christmas to test things
> out with ipfilter, as I like it very much. By the way, why did things
> work with hme and ipfilter in earlier FreeBSD versions? Did hme not have
> the checksumming feature at all or different defaults? This puzzles me a
> little, I must confess.
>
> Anyway, thanks a lot for your help!
>
> Cheers,
>
> Manuel
>
Hello Manuel,
Yes, my fault, I reproduced this today with pf enabled, hme just works
fine with that, so I was wrong :-)
It's ipfilter that is messing up here...
--
/"\   Best regards,                | remko at FreeBSD.org
\ /   Remko Lodder                 | remko at EFnet
 X    http://www.evilcoder.org/    |
/ \   ASCII Ribbon Campaign        | Against HTML Mail and News