From: n j
To: freebsd-ipfw@freebsd.org
Date: Tue, 17 Feb 2009 18:24:39 +0100
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE

> About 2 minutes later after applying this rule set, system writes that bge1
> watchdog timeout --- resetting and then system hangs, keyboard doesn't
> respond. No logs can be observed.
>
> When I remove all skipto and checkstate rules, system works properly
> without problems. I suspect the stateful inspection code.

Just to add a "me too" message to this thread, I also experienced system freezes (keyboard not working => hardware reset necessary) with in-kernel NAT and stateful rules.

I had a repeatable case on a production server and hoped to replicate the bug on a different machine, as the production server needed to go into, well, production; however, thanks to the complex setup of the original machine (in-kernel NAT, vlans, openvpn...), lack of time and virtual environment, the test scenario failed to produce a sensible bug report and I gave up until I saw OP reporting the same issue.

Here is the rule that after a short while (probably the first packet to match the rule) freezes the machine:

    ipfw 00003 nat 123 log ip from x.x.x.0/24 to a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out # keep-state here causes freeze
    ... further down the chain...
    ipfw

I know this is far from a good bug report, but the stateful inspection code/in-kernel NAT mix might be worth looking into.