From owner-freebsd-current@FreeBSD.ORG Fri Aug 27 08:43:09 2004
Date: Fri, 27 Aug 2004 10:43:06 +0200
From: Oliver Brandmueller
To: current@freebsd.org
Message-ID: <20040827084306.GB74653@e-Gitt.NET>
User-Agent: Mutt/1.5.6i
Subject: RELENG_5 ipfw problem
List-Id: Discussions about the use of FreeBSD-current

Hi,

I upgraded from a -CURRENT as of about 1.5 or 2 months ago to RELENG_5 and now have a problem with ipfw:

FreeBSD champagne.eusc.inter.net 5.3-BETA1 FreeBSD 5.3-BETA1 #6: Fri Aug 27 09:35:33 CEST 2004 root@champagne.eusc.inter.net:/usr/obj/usr/src/sys/CHAMPAGNE i386

ipfw is running and loads its rules just fine:

champagne# ipfw show
00100 1286 106440 allow ip from 127.0.0.0/8 to 127.0.0.0/8
00200 840 36960 fwd 192.168.25.1 tcp from 192.168.25.5 25 to 213.XXX.XXX.X/24
00300 0 0 reset tcp from me to 213.XXX.XXX.XXX dst-port 25
00400 0 0 reset tcp from me to 203.XXX.XXX.XXX/24 dst-port 25
00500 5221 559882 allow ip from any to any
65535 0 0 deny ip from any to any

My problem is with rule 200: it's there, and ipfw shows matches. But the packets don't get forwarded.
The rule is unchanged from the setup before and is working on other systems.

ipfw is loaded as a module. I use SCHED_4BSD; the kernel has these options (which might be related):

options PFIL_HOOKS # pfil(9) framework
options ADAPTIVE_GIANT # Giant mutex is adaptive.

I added PFIL_HOOKS to the kernel (I think ipfw wouldn't work at all if I didn't) and ADAPTIVE_GIANT (as suggested here and in GENERIC).

The machine is a Dual Xeon 2.4 GHz with HTT (currently) disabled.

The machine has two interfaces:
fxp0 with 192.168.25.5/24
em0 with 213.XXX.XXX.XXX (same network as in rule 200)

The setup is a local load balancing, so there are connects coming from the official network to port 25 (loadbalanced) at 192.168.25.5 (the machines actually connect to an IP in the official net, which gets balanced to 192.168.25.x). The forwarding rule is needed because routing to the connecting IP would go through the em0 interface, and translation by the loadbalancer would be circumvented then.

Connection to port 25 is possible from a 192.168.25.x IP directly, but if I enable this host on the load balancer, I only see incoming packets to port 25 on fxp0 and don't see any packets going back (on neither fxp0 nor em0, not even lo0). The forwarded packets simply disappear.

- Oliver

--
| Oliver Brandmueller | Offenbacher Str. 1 | Germany D-14197 Berlin |
| Fon +49-172-3130856 | Fax +49-172-3145027 | WWW: http://the.addict.de/ |
| I am the Internet. As surely as I help God. |
| Commercial use of any addresses contained herein is not permitted! |
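The debugging step the post describes (watching whether the fwd rule's counters move while no reply traffic appears) is easier to do reproducibly when the `ipfw show` listing is parsed rather than read by eye. The following Python script is an added example, not part of the original post or of FreeBSD; it parses the rule listing quoted above (the XXX octets are the poster's own redaction) and compares counters between two snapshots. The function names (`parse_ipfw_show`, `counter_delta`, `fwd_rules_with_traffic`) and the "after" listing `SAMPLE_AFTER` are constructed for this example.

```python
"""Parse `ipfw show` output and compare rule counters between snapshots.

Added example, not code from the original post. The counter columns of
`ipfw show` are: rule number, packet count, byte count, then the rule text.
Comparing two snapshots taken around a single test connection tells you
which rules saw the packets; a fwd rule whose counter rises while nothing
leaves on any interface is exactly the symptom the post reports.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Rule listing copied from the post (addresses partially redacted by the poster).
SAMPLE_IPFW_SHOW = """\
champagne# ipfw show
00100 1286 106440 allow ip from 127.0.0.0/8 to 127.0.0.0/8
00200 840 36960 fwd 192.168.25.1 tcp from 192.168.25.5 25 to 213.XXX.XXX.X/24
00300 0 0 reset tcp from me to 213.XXX.XXX.XXX dst-port 25
00400 0 0 reset tcp from me to 203.XXX.XXX.XXX/24 dst-port 25
00500 5221 559882 allow ip from any to any
65535 0 0 deny ip from any to any
"""

# Constructed "after one test connection" snapshot (NOT from the post): only the
# fwd rule 200 has moved, by 6 packets / 264 bytes; every other rule is unchanged.
SAMPLE_AFTER = SAMPLE_IPFW_SHOW.replace("00200 840 36960", "00200 846 37224")

# rule-number, packets, bytes, action keyword, remainder of the rule
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class IpfwRule:
    number: int
    packets: int
    nbytes: int
    action: str   # allow, deny, fwd, reset, ...
    body: str     # the rest of the rule text, e.g. "ip from any to any"


def parse_ipfw_show(text: str) -> list[IpfwRule]:
    """Parse the lines of an `ipfw show` listing.

    Lines that do not start with three integers (the shell prompt, blank
    lines) are skipped, so the raw terminal capture can be fed in directly.
    """
    rules: list[IpfwRule] = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        num, pkts, byts, action, body = m.groups()
        rules.append(IpfwRule(int(num), int(pkts), int(byts), action, body.strip()))
    return rules


def counter_delta(before: list[IpfwRule], after: list[IpfwRule]) -> dict[int, tuple[int, int]]:
    """Per-rule (packet, byte) increase between two snapshots, keyed by rule number.

    Rules present in only one snapshot are ignored; the ruleset is assumed not
    to have been reloaded between the two captures (that would reset counters).
    """
    old = {r.number: r for r in before}
    return {
        r.number: (r.packets - old[r.number].packets, r.nbytes - old[r.number].nbytes)
        for r in after
        if r.number in old
    }


def fwd_rules_with_traffic(rules: list[IpfwRule]) -> list[int]:
    """Numbers of fwd rules whose packet counter is nonzero."""
    return [r.number for r in rules if r.action == "fwd" and r.packets > 0]


def rules_that_moved(before: list[IpfwRule], after: list[IpfwRule]) -> list[int]:
    """Rule numbers whose packet counter increased between the snapshots."""
    return [n for n, (pkts, _) in counter_delta(before, after).items() if pkts > 0]


if __name__ == "__main__":
    before = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    after = parse_ipfw_show(SAMPLE_AFTER)
    for r in before:
        print(f"{r.number:5d} {r.action:6s} pkts={r.packets:6d} bytes={r.nbytes:7d}  {r.body}")
    print("fwd rules with matches:", fwd_rules_with_traffic(before))
    print("rules that moved during the test:", rules_that_moved(before, after))
```

In practice you would capture `ipfw show` into two files around a single test connection and feed both to `parse_ipfw_show`; if the only rule that moved is the fwd rule and a packet capture on every interface shows no outbound packets for that flow, the packets are being dropped after the rule matched rather than never reaching it.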