From owner-freebsd-stable Mon Aug 28 18:43:54 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 1777337B43E for <...>; Mon, 28 Aug 2000 18:43:49 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id SAA31132; Mon, 28 Aug 2000 18:43:17 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda31130; Mon Aug 28 18:43:15 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id SAA00962; Mon, 28 Aug 2000 18:43:15 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdmSF944; Mon Aug 28 18:42:50 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e7T1gmo17318; Mon, 28 Aug 2000 18:42:48 -0700 (PDT)
Message-Id: <200008290142.e7T1gmo17318@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdu17314; Mon Aug 28 18:42:43 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: Jim C
Cc: Cy Schubert - ITSD Open Systems Group, freebsd-stable@FreeBSD.ORG
Subject: Re: ipnat fails under load
In-reply-to: Your message of "Mon, 28 Aug 2000 09:39:33 EDT." <39AA6B95.AC60A031@carroll.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 28 Aug 2000 18:42:43 -0700
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <39AA6B95.AC60A031@carroll.com>, Jim C writes:
> Cy Schubert - ITSD Open Systems Group wrote:
> >
> > In message <...om>, tucka writes:
> > > You can add me to the list of people who have problems with ipfilter
> > > under load.
> >
> > What's your configuration?  Could you list your IPF and NAT rules?
> >
> > Next time you have a "freeze", issue ipfstat -s and ipfstat -sl.  If
> > you're using stateful filtering, could it be that your state table has
> > filled?
>
> I suspect this is in fact the case.  Here's my thinking.
>
> ipnat runs flawlessly for a time.  Usually this time is at least several
> days, often it is several weeks.  Without warning (no log messages or
> errors on the console), it will begin "re-using" old nat entries.
>
> What I mean by re-using is that rather than create a new outbound
> connection (ie: begin w/ SYN) when a client session calls for it, it
> sends an ACK message to the destination (as though the session were a
> continuation).  The remote site has no record of a current session, and
> sends back RST messages.
>
> My theory is that ipnat thinks it has run out of table entries, and
> begins re-using slots, but does NOT correctly re-initialize the slot
> before using it.  Here is our configuration:
>
> # uname -a
> FreeBSD core1.hck.carroll.com 3.4-STABLE FreeBSD 3.4-STABLE #1: Fri May
> 19 12:33:18 EDT 2000
> jim@core1.hck.carroll.com:/usr/src/sys/compile/ROUTER i386
>
> # cat /etc/rc.local
> /usr/sbin/ipnat -CF
> /usr/sbin/ipnat -f /etc/rc.nat
>
> # cat /etc/rc.nat
> map de0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025:65000

No IPF rules, just NAT rules.

Try adding after your existing NAT rule:

map de0 10.0.0.0/8 -> 0/32

FreeBSD 3.4 came with IPF 3.3.8 (or 7).  Darren has made a number of
tweaks to the state code and NAT code.  You might want to see if IPF
3.4.9 + the NAT patch posted last week or IPF 3.3.18 might help, or ask
this question on the IP Filter mailing list.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message