Date:      Mon, 28 Aug 2000 09:39:33 -0400
From:      Jim C <jim@carroll.com>
To:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, freebsd-stable@freebsd.org
Subject:   Re: ipnat fails under load
Message-ID:  <39AA6B95.AC60A031@carroll.com>
References:  <200008260329.e7Q3TPq87381@cwsys.cwsent.com>


Cy Schubert - ITSD Open Systems Group wrote:
> 
> In message <Pine.BSF.4.21.0008252052260.3518-100000@fatbastard.zialink.com>, tucka writes:
> > You can add me to the list of people who have problems with ipfilter
> > under load. 
> 
> What's your configuration?  Could you list your IPF and NAT rules?
> 
> Next time you have a "freeze", issue ipfstat -s and ipfstat -sl.  If
> you're using stateful filtering, could it be that your state table has
> filled?

I suspect this is in fact the case.  Here's my thinking.

ipnat runs flawlessly for a time.  Usually this time is at least several
days, often it is several weeks.  Without warning (no log messages or
errors on the console), it will begin "re-using" old nat entries.

What I mean by re-using is that rather than create a new outbound
connection (i.e., begin with SYN) when a client session calls for it, it
sends an ACK message to the destination (as though the session were a
continuation).  The remote site has no record of a current session, and
sends back RST messages.

My theory is that ipnat thinks it has run out of table entries, and
begins re-using slots, but does NOT correctly re-initialize the slot
before using it.  Here is our configuration:

# uname -a
FreeBSD core1.hck.carroll.com 3.4-STABLE FreeBSD 3.4-STABLE #1: Fri May 19 12:33:18 EDT 2000    jim@core1.hck.carroll.com:/usr/src/sys/compile/ROUTER  i386

# cat /etc/rc.local
/usr/sbin/ipnat -CF
/usr/sbin/ipnat -f /etc/rc.nat

# cat /etc/rc.nat
map de0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025:65000


-- 
Jim C.           |  C A R R O L L - Net, Inc.
201-488-1332     |
www.carroll.com  |  Application Service Provider
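An added detection heuristic for the symptom described above (this is example code written for this archive page, not part of the original message or of ipfilter/ipnat): it scans a constructed, simplified packet summary and flags flows where the first packet from a 10.0.0.0/8 client carries ACK without any prior SYN and the remote side then answers with RST. The line format and the `INTERNAL_PREFIX` constant are assumptions for the example; a real capture would need a tcpdump-specific parser.

```python
import re

# Constructed sample records (not a real capture). Simplified format:
# "src:port > dst:port FLAGS", where FLAGS uses S (SYN), A (ACK), R (RST).
SAMPLE_LINES = """\
10.0.0.5:1100 > 192.0.2.10:80 S
192.0.2.10:80 > 10.0.0.5:1100 SA
10.0.0.5:1100 > 192.0.2.10:80 A
10.0.0.7:1101 > 198.51.100.20:80 A
198.51.100.20:80 > 10.0.0.7:1101 R
10.0.0.9:1102 > 203.0.113.30:443 A
10.0.0.9:1102 > 203.0.113.30:443 A
203.0.113.30:443 > 10.0.0.9:1102 R
""".splitlines()

LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) ([SAFRP]+)$")
INTERNAL_PREFIX = "10."   # assumed: the 10.0.0.0/8 clients behind the NAT rule

def parse(line):
    """Parse one summary line into (src, sport, dst, dport, flags) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return (src, int(sport), dst, int(dport), flags)

def find_stale_sessions(lines):
    """Return flows (client, cport, server, sport) whose first client-side
    packet carried ACK with no SYN and which the server then reset."""
    syn_seen = set()   # flows for which the client sent a proper SYN
    suspect = set()    # flows that started mid-stream (ACK, never a SYN)
    stale = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, sport, dst, dport, flags = rec
        if src.startswith(INTERNAL_PREFIX):
            flow = (src, sport, dst, dport)
            if "S" in flags:
                syn_seen.add(flow)
            elif "A" in flags and flow not in syn_seen:
                suspect.add(flow)
        else:
            flow = (dst, dport, src, sport)   # server -> client, key by client side
            if "R" in flags and flow in suspect and flow not in stale:
                stale.append(flow)
    return stale

if __name__ == "__main__":
    for flow in find_stale_sessions(SAMPLE_LINES):
        print("handshake-less session reset by peer: %s:%d -> %s:%d" % flow)
```

A rising count of such flows over time, with no matching SYNs, is the signature of translation entries being handed out without a fresh handshake, which is the behaviour the message describes.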