From: Jim C
Date: Mon, 28 Aug 2000 09:39:33 -0400
To: Cy Schubert - ITSD Open Systems Group, freebsd-stable@freebsd.org
Subject: Re: ipnat fails under load
Message-ID: <39AA6B95.AC60A031@carroll.com>
References: <200008260329.e7Q3TPq87381@cwsys.cwsent.com>

Cy Schubert - ITSD Open Systems Group wrote:
>
> In message om>, tu
> cka writes:
> > You can add me to the list of people who have problems with ipfilter
> > under load.
>
> What's your configuration? Could you list your IPF and NAT rules?
>
> Next time you have a "freeze", issue ipfstat -s and ipfstat -sl. If
> you're using stateful filtering, could it be that your state table has
> filled.

I suspect this is in fact the case. Here's my thinking.

ipnat runs flawlessly for a time. Usually this time is at least several days, often it is several weeks. Without warning (no log messages or errors on the console), it will begin "re-using" old NAT entries. What I mean by re-using is that, rather than create a new outbound connection (i.e. begin w/ SYN) when a client session calls for it, it sends an ACK message to the destination (as though the session were a continuation). The remote site has no record of a current session, and sends back RST messages.

My theory is that ipnat thinks it has run out of table entries, and begins re-using slots, but does NOT correctly re-initialize the slot before using it.

Here is our configuration:

    # uname -a
    FreeBSD core1.hck.carroll.com 3.4-STABLE FreeBSD 3.4-STABLE #1: Fri May 19 12:33:18 EDT 2000     jim@core1.hck.carroll.com:/usr/src/sys/compile/ROUTER  i386

    # cat /etc/rc.local
    /usr/sbin/ipnat -CF
    /usr/sbin/ipnat -f /etc/rc.nat

    # cat /etc/rc.nat
    map de0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025:65000

--
Jim C. | C A R R O L L - Net, Inc. 201-488-1332 | www.carroll.com | Application Service Provider
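The symptom described above (a translated session that opens with a bare ACK instead of a SYN and is answered by a RST from the peer) can be confirmed from a packet capture on the outside interface rather than inferred from client behaviour. The script below is an added example and is not part of the original message or of IP Filter; it parses constructed, old-style tcpdump TCP lines (flag letters such as S, ., R rather than the newer "Flags [S]" form) and assumes 192.0.2.1 as the address that 0/32 resolves to on de0. It reports only sessions whose first outbound packet was not a SYN and which then drew a RST, so an ordinary refused connection (SYN then RST) is not flagged.

```python
"""Flag NAT sessions that start with a bare ACK and draw a RST from the peer.

Added example, not from the original mailing-list post or from IP Filter.
It works on constructed, old-style tcpdump TCP lines captured on the
outside interface; the NAT box's outside address (what 0/32 resolves to
on de0) is assumed to be 192.0.2.1.
"""
import re

# Old tcpdump TCP line: "<ts> <src>.<sport> > <dst>.<dport>: <flags> ..."
# Flags are S, F, R, P or "." (a bare ACK).  Later fields are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)"
)

NAT_ADDR = "192.0.2.1"  # assumed outside address of de0

# Constructed capture: one healthy handshake, one "recycled slot" session
# that opens with a bare ACK and is reset, and one SYN that is refused
# (a normal RST, which must not be reported).
SAMPLE_CAPTURE = """\
09:39:31.000 192.0.2.1.2001 > 198.51.100.10.80: S 1000:1000(0) win 16384
09:39:31.050 198.51.100.10.80 > 192.0.2.1.2001: S 5000:5000(0) ack 1001 win 8760
09:39:31.051 192.0.2.1.2001 > 198.51.100.10.80: . ack 5001 win 16384
09:39:40.000 192.0.2.1.2002 > 198.51.100.10.80: . ack 7777 win 16384
09:39:40.060 198.51.100.10.80 > 192.0.2.1.2002: R 7777:7777(0) win 0
09:39:41.000 192.0.2.1.2003 > 203.0.113.5.25: S 2000:2000(0) win 16384
09:39:41.070 203.0.113.5.25 > 192.0.2.1.2003: R 0:0(0) ack 2001 win 0
""".splitlines()


def parse(line):
    """Return the fields of one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    p = m.groupdict()
    p["sport"] = int(p["sport"])
    p["dport"] = int(p["dport"])
    return p


def find_stale_slots(lines, nat_addr=NAT_ADDR):
    """Return (nat_port, peer_addr, peer_port) for every session whose first
    packet out of the NAT box was not a SYN and whose peer then sent a RST.

    A SYN answered with a RST is an ordinary refused connection and is not
    reported; only bare-ACK-then-RST points at a NAT slot that was handed
    out without being re-initialised.
    """
    first_flags = {}  # (nat_port, peer_addr, peer_port) -> flags of first outbound packet
    suspects = []
    seen = set()
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if p["src"] == nat_addr:
            key = (p["sport"], p["dst"], p["dport"])
            first_flags.setdefault(key, p["flags"])
        elif p["dst"] == nat_addr and "R" in p["flags"]:
            key = (p["dport"], p["src"], p["sport"])
            flags = first_flags.get(key)
            if flags is not None and "S" not in flags and key not in seen:
                seen.add(key)
                suspects.append(key)
    return suspects


def report(lines, nat_addr=NAT_ADDR):
    """Human-readable summary; the ratio is a quick gauge of how bad it is."""
    bad = find_stale_slots(lines, nat_addr)
    total = len({(p["sport"], p["dst"], p["dport"])
                 for p in map(parse, lines) if p and p["src"] == nat_addr})
    out = ["%d of %d outbound sessions began with a bare ACK and were reset"
           % (len(bad), total)]
    for nat_port, peer, peer_port in bad:
        out.append("  %s:%d -> %s:%d" % (nat_addr, nat_port, peer, peer_port))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
```

In practice the input would be the output of something like `tcpdump -n -i de0 tcp` started before the failure sets in; a session whose SYN predates the start of the capture also shows up as "ACK first", so compare any hits against `ipnat -l` (the active translation list) rather than treating a single report line as proof. If the count of flagged sessions climbs while `ipfstat -s` shows the state table near its limit, that supports the exhausted-table theory in the message above.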