From owner-freebsd-net@FreeBSD.ORG Sat Dec 1 10:30:07 2007 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 327DB16A418 for ; Sat, 1 Dec 2007 10:30:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 2D81D13C459 for ; Sat, 1 Dec 2007 10:30:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id lB1AU6Mn032839 for ; Sat, 1 Dec 2007 10:30:06 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id lB1AU6ZF032836; Sat, 1 Dec 2007 10:30:06 GMT (envelope-from gnats) Date: Sat, 1 Dec 2007 10:30:06 GMT Message-Id: <200712011030.lB1AU6ZF032836@freefall.freebsd.org> To: freebsd-net@FreeBSD.org From: Manuel Tobias Schiller Cc: Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Manuel Tobias Schiller List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 01 Dec 2007 10:30:07 -0000 The following reply was made to PR kern/106438; it has been noted by GNATS. From: Manuel Tobias Schiller To: Remko Lodder Cc: freebsd-gnats-submit@FreeBSD.org Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others) Date: Sat, 1 Dec 2007 11:11:00 +0100 On Fri, 30 Nov 2007 20:03:31 +0100 Remko Lodder wrote: > Manuel Tobias Schiller wrote: > > Hello, > > > > I've gathered the information you have asked for, see the > > attachment. I hope it helps us to get an idea of what's going > > wrong. Any help with this would be appreciated. > > > > Thanks in advance. > > > > Manuel > > > > P.S. I did the | grep hme3 in the attachment to not clutter the > > output with irrelevant stuff. All other rules are bound to their > > respective interface (hme0, hme1, hme2, le0) and should not > > influence hme3. Besides, there's a lot of traffic going on on le0 > > which does not need to be mentioned in the ipfstat output because > > the machine in question is headless and can only be reached with a > > serial line (with a laptop down in the cellar) or a dedicated > > network interface (le0, for which I need to have rules that pass > > everything). > > > > On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote: > >> Hello, > >> > >> > >> First of all thanks for using FreeBSD! > >> > >> If you run ipmon, what kind of details do you see in the > >> log? It mentions where it is blocked and you can review that rule > >> with ipfstat -hion (list everything in out, do not resolve and > >> show the amount of hits on the rule) > >> > >> Thanks in advance > >> > >> -- > >> Kind regards, > >> > >> Remko Lodder ** remko@elvandar.org > >> FreeBSD ** remko@FreeBSD.org > >> > >> /* Quis custodiet ipsos custodes */ > >> > > > > Dear Manuel, > > It took a lot of time for me to set this up properly, but I managed to > work this out; actually this is not a ipfilter problem but it seems > that hme0 is not capable of doing incoming and outgoing checksumming. > > I faced the same problem, and by issueing a ifconfig hme0 -txcsum > -rxcsum I resolved the problem. > > The ipfilter errors vanished after that. I'll try to have a look at > the intel gigabit card in the machine (manually added) and see > whether that has a similiar issue.. > > Cheers > remko Dear Remko, it's great to hear from you again - I thought everybody had forgotten about this... Well, I have switched to pf in the meantime, as it's a production machine, but I may have time over christmas to test things out with ipfilter, as I like it very much. By the way, why did things work with hme and ipfilter in earlier FreeBSD versions? Did hme not have the checksumming feature at all or different defaults? This puzzles me a little, I must confess. Anyway, thanks a lot for your help! Cheers, Manuel -- Homepage: http://www.hinterbergen.de/mala OpenPGP: 0xA330353E (DSA) or 0xD87D188C (RSA)