Date: Fri, 14 Dec 2007 21:10:02 GMT
From: Remko Lodder <remko@elvandar.org>
To: freebsd-net@FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Message-ID: <200712142110.lBELA2ML042551@freefall.freebsd.org>

The following reply was made to PR kern/106438; it has been noted by GNATS.

From: Remko Lodder <remko@elvandar.org>
To: Manuel Tobias Schiller <mala@hinterbergen.de>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Date: Fri, 14 Dec 2007 22:01:11 +0100

Manuel Tobias Schiller wrote:
> On Fri, 30 Nov 2007 20:03:31 +0100
> Remko Lodder <remko@elvandar.org> wrote:
>
>> Manuel Tobias Schiller wrote:
>>> Hello,
>>>
>>> I've gathered the information you have asked for, see the
>>> attachment. I hope it helps us to get an idea of what's going
>>> wrong. Any help with this would be appreciated.
>>>
>>> Thanks in advance.
>>>
>>> Manuel
>>>
>>> P.S. I did the | grep hme3 in the attachment to not clutter the
>>> output with irrelevant stuff. All other rules are bound to their
>>> respective interface (hme0, hme1, hme2, le0) and should not
>>> influence hme3. Besides, there's a lot of traffic going on on le0
>>> which does not need to be mentioned in the ipfstat output because
>>> the machine in question is headless and can only be reached with a
>>> serial line (with a laptop down in the cellar) or a dedicated
>>> network interface (le0, for which I need to have rules that pass
>>> everything).
>>>
>>> On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
>>>> Hello,
>>>>
>>>>
>>>> First of all thanks for using FreeBSD!
>>>>
>>>> If you run ipmon, what kind of details do you see in the
>>>> log? It mentions where it is blocked and you can review that rule
>>>> with ipfstat -hion (list everything in out, do not resolve and
>>>> show the amount of hits on the rule)
>>>>
>>>> Thanks in advance
>>>>
>>>> --
>>>> Kind regards,
>>>>
>>>> Remko Lodder ** remko@elvandar.org
>>>> FreeBSD ** remko@FreeBSD.org
>>>>
>>>> /* Quis custodiet ipsos custodes */
>>>>
>> Dear Manuel,
>>
>> It took a lot of time for me to set this up properly, but I managed to
>> work this out; actually this is not an ipfilter problem but it seems
>> that hme0 is not capable of doing incoming and outgoing checksumming.
>>
>> I faced the same problem, and by issuing an ifconfig hme0 -txcsum
>> -rxcsum I resolved the problem.
>>
>> The ipfilter errors vanished after that. I'll try to have a look at
>> the intel gigabit card in the machine (manually added) and see
>> whether that has a similar issue..
>>
>> Cheers
>> remko
>
> Dear Remko,
>
> it's great to hear from you again - I thought everybody had forgotten
> about this... Well, I have switched to pf in the meantime, as it's a
> production machine, but I may have time over Christmas to test things
> out with ipfilter, as I like it very much. By the way, why did things
> work with hme and ipfilter in earlier FreeBSD versions? Did hme not have
> the checksumming feature at all or different defaults? This puzzles me a
> little, I must confess.
>
> Anyway, thanks a lot for your help!
>
> Cheers,
>
> Manuel
>

Hello Manuel,

Yes my fault, I reproduced this today with pf enabled, hme just works
fine with that, so I was wrong :-) it's ipfilter that is messing up
here...

--
/"\   Best regards,                      | remko@FreeBSD.org
\ /   Remko Lodder                       | remko@EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News