Date:      Tue, 07 Nov 2006 19:38:57 +0300
From:      "Marat N.Afanasyev" <amarat@ksu.ru>
To:        freebsd-net@FreeBSD.ORG, amarat@ksu.ru
Subject:   Re: a very strange netstat output and problem when using transparent proxy
Message-ID:  <4550B6A1.9090207@ksu.ru>
In-Reply-To: <200611071627.kA7GR6LB059312@lurza.secnetix.de>
References:  <200611071627.kA7GR6LB059312@lurza.secnetix.de>

Oliver Fromme wrote:
> Marat N.Afanasyev <amarat@ksu.ru> wrote:
>  > I've encountered a very strange situation about two hours ago. I use 
>  > squid as transparent proxy and forward all the packets from port 80 to 
>  > port 8000. Problem is, first of all, I have a lot of ierrs on interface 
>  > when looking at interface stats using netstat.
> 
> What kind of interface is that?  Excerpt from dmesg,
> ifconfig and netstat -i might be useful.

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
         inet6 fe80::250:45ff:fe5f:4f78%bge0 prefixlen 64 scopeid 0x1
         inet xx.xx.xx.xx netmask 0xffffffc0 broadcast xx.xx.xx.xx
         ether 00:50:45:5f:4f:78
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active

bge0   1500 <Link#1>      00:50:45:5f:4f:78  2341018   799  3062828     0     0

% uptime
  7:34PM  up 40 mins, 3 users, load averages: 0.14, 0.16, 0.08

Hardware is clean. Each of my boxes with Broadcom 5704 has the same 
problem. Patch cords are no longer than 4 feet, plugged into Catalyst 
2960 directly without patch panels.

> In general, errors on the interface usually indicate a
> hardware error (NIC, cables, port).  However, it might
> also be a driver bug.
> 
>  > The second problem is far 
>  > more serious: after a short period of time I have a completely frozen 
>  > system that can only send data, but very rarely receive and generates a 
>  > huge amount of ierrs on interface.
>  > 
>  > ipfw rules are as follows:
>  > 
>  > 00001 allow ip from any to any via lo0
>  > 00002 deny ip from any to 127.0.0.0/8
>  > 00003 deny ip from 127.0.0.0/8 to any
>  > 00010 fwd xx.xx.xx.xx,8000 tcp from any to me dst-port 80
>  > 65535 allow ip from any to any
>  > 
>  > problem with ierrs disappears after I delete rule with forward, but I 
>  > need this rule :(
> 
> In that rule, is "xx.xx.xx.xx" an IP address configured
> on your NIC, or is it 127.0.0.1?  If the former, try to
> replace it with 127.0.0.1 and check if that improves the
> situation.

Real IP address. I've already switched forward off and made squid listen 
on 80 instead. Problem persists.

> 
> However, the FWD line should not cause ierrs on the NIC.
> If you're sure that your hardware is good, then there's
> probably a bug somewhere.
> 
> Best regards
>    Oliver
> 

I can say that I was finally wrong. The problem is caused not by ipfw, as I 
thought, but rather by the Broadcom 5704 based NIC. This NIC somehow drops 
Ethernet frames. I'm still wondering why.

-- 
SY, Marat


