From: Roman Kurakin <rik@inse.ru>
Date: Wed, 18 Feb 2009 01:54:17 +0300
To: n j
Cc: freebsd-ipfw@freebsd.org
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
Message-ID: <499B4019.4060203@localhost.inse.ru>
In-Reply-To: <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com>
List-Id: IPFW Technical Discussions

n j wrote:
>> About 2 minutes after applying this rule set, the system writes that bge1
>> watchdog timeout --- resetting and then the system hangs; the keyboard doesn't
>> respond. No logs can be observed.
>>
>> When I remove all skipto and check-state rules, the system works properly
>> without problems. I suspect the stateful inspection code.
>>
>
> Just to add a "me too" message to this thread, I also experienced
> system freezes (keyboard not working => hardware reset necessary) with
> in-kernel NAT and stateful rules. I had a repeatable case on a
> production server and hoped to replicate the bug on a different
> machine as the production server needed to go in, well, production;
> however, thanks to the complex setup of the original machine (in-kernel NAT,
> vlans, openvpn...), lack of time and a virtual environment, the test
> scenario failed to produce a sensible bug report and I gave up until I
> saw the OP reporting the same issue.
>
> Here is the rule that after a short while (probably the first packet
> to match the rule) freezes the machine:
>
> ipfw 00003 nat 123 log ip from x.x.x.0/24 to a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out # keep-state here causes freeze
> ... further down the chain...
> ipfw
>
> I know this is far from a good bug report, but the stateful inspection
> code/in-kernel NAT mix might be worth looking into.

IIRC both natd and in-kernel nat do not support stateful rules.

rik
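As an added example that is not part of the thread, the following POSIX shell/awk linter scans an ipfw rule file for the combination discussed above: `nat` rules carrying `keep-state`, plus `check-state` and `skipto` rules in a ruleset that uses in-kernel nat. The sample ruleset is constructed; its addresses stand in for the redacted networks in the original report.

```shell
#!/bin/sh
# Constructed sample ruleset (not the poster's real rules); the comment on the
# nat rule mirrors the one in the thread and must NOT count as keep-state.
SAMPLE_RULES='ipfw nat 123 config if bge1
ipfw add 00003 nat 123 log ip from 10.0.0.0/24 to 192.0.2.0/24,198.51.100.0/24 out keep-state # freezes
ipfw add 00010 check-state
ipfw add 00020 skipto 100 tcp from any to any established
ipfw add 00100 allow ip from any to any'

# Read ipfw rules on stdin (either "ipfw add ..." or bare "add ..." lines) and
# print one finding per line:
#   nat-keep-state <num>        a nat rule that also has keep-state
#   check-state-with-nat <num>  a check-state rule in a ruleset using nat
#   skipto-with-nat <num>       a skipto rule in a ruleset using nat
ipfw_nat_state_lint() {
    awk '
    {
        sub(/#.*/, "")                       # drop trailing comments first
        o = ($1 == "ipfw") ? 2 : 1           # position of the "add" keyword
        if ($o != "add") next                # skip "nat N config", blanks, etc.
        if ($(o+1) ~ /^[0-9]+$/) { num = $(o+1); a = o + 2 }
        else                     { num = "(auto)"; a = o + 1 }
        action = $a
        if (action == "nat") {
            natseen = 1
            for (i = a + 1; i <= NF; i++)
                if ($i == "keep-state") print "nat-keep-state " num
        }
        if (action == "check-state") cs[n_cs++] = num
        if (action == "skipto")      sk[n_sk++] = num
    }
    END {
        # Stateful helpers are only worth flagging when the ruleset uses nat.
        if (natseen) {
            for (i = 0; i < n_cs; i++) print "check-state-with-nat " cs[i]
            for (i = 0; i < n_sk; i++) print "skipto-with-nat " sk[i]
        }
    }'
}

printf '%s\n' "$SAMPLE_RULES" | ipfw_nat_state_lint
```

Run it against the live ruleset with `ipfw list | sed 's/^/add /' | ipfw_nat_state_lint` if the rules are not kept in a file.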