Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)



The following reply was made to PR kern/106438; it has been noted by GNATS.

From: Remko Lodder <remko@xxxxxxxxxxxx>
To: Manuel Tobias Schiller <mala@xxxxxxxxxxxxxxx>
Cc: freebsd-gnats-submit@xxxxxxxxxxx
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies
in on spar64 (and maybe others)
Date: Fri, 14 Dec 2007 22:01:11 +0100

Manuel Tobias Schiller wrote:
On Fri, 30 Nov 2007 20:03:31 +0100
Remko Lodder <remko@xxxxxxxxxxxx> wrote:

Manuel Tobias Schiller wrote:
Hello,

I've gathered the information you have asked for, see the
attachment. I hope it helps us to get an idea of what's going
wrong. Any help with this would be appreciated.

Thanks in advance.

Manuel

P.S. I did the | grep hme3 in the attachment to not clutter the
output with irrelevant stuff. All other rules are bound to their
respective interface (hme0, hme1, hme2, le0) and should not
influence hme3. Besides, there's a lot of traffic going on on le0
which does not need to be mentioned in the ipfstat output because
the machine in question is headless and can only be reached with a
serial line (with a laptop down in the cellar) or a dedicated
network interface (le0, for which I need to have rules that pass
everything).

On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
Hello,


First of all thanks for using FreeBSD!

If you run ipmon, what kind of details do you see in the
log? It mentions where it is blocked and you can review that rule
with ipfstat -hion (list everything in out, do not resolve and
show the amount of hits on the rule)

Thanks in advance

--
Kind regards,

Remko Lodder ** remko@xxxxxxxxxxxx
FreeBSD ** remko@xxxxxxxxxxx

/* Quis custodiet ipsos custodes */

Dear Manuel,

It took a lot of time for me to set this up properly, but I managed to
work this out; actually this is not an ipfilter problem but it seems
that hme0 is not capable of doing incoming and outgoing checksumming.

I faced the same problem, and by issuing an ifconfig hme0 -txcsum
-rxcsum I resolved the problem.

The ipfilter errors vanished after that. I'll try to have a look at
the Intel gigabit card in the machine (manually added) and see
whether that has a similar issue..

Cheers
remko

Dear Remko,

it's great to hear from you again - I thought everybody had forgotten
about this... Well, I have switched to pf in the meantime, as it's a
production machine, but I may have time over Christmas to test things
out with ipfilter, as I like it very much. By the way, why did things
work with hme and ipfilter in earlier FreeBSD versions? Did hme not have
the checksumming feature at all or different defaults? This puzzles me a
little, I must confess.

Anyway, thanks a lot for your help!

Cheers,

Manuel


Hello Manuel,

Yes my fault, I reproduced this today with pf enabled, hme just works
fine with that, so I was wrong :-)

It's ipfilter that is messing up here...

--
/"\ Best regards, | remko@xxxxxxxxxxx
\ / Remko Lodder | remko@EFnet
X http://www.evilcoder.org/ |
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"


