Date:      Tue, 29 Aug 2000 16:07:00 -0400
From:      Jim C <jim@carroll.com>
To:        Nick Evans <nevans@nextvenue.com>, freebsd-stable@freebsd.org
Subject:   Re: ipnat fails under load
Message-ID:  <39AC17E4.BBE52194@carroll.com>
References:  <712384017032D411AD7B0001023D799B33B354@sn1exchmbx.nextvenue.com>

> Nick Evans wrote:
> 
> Do you have definitive proof of this? Have you sent this theory along
> to Darren?

The problem is real, the theory is just a guess.  The real problem is
that we cannot reliably reproduce it.  As I mentioned in my message, it
sometimes fails in hours, other times it will run for more than a week.

We have looked at the "other" software we have running on the machine. 
At present, the only other software running is sshd and gated.

> 
> -----Original Message-----
> From: Jim C [mailto:jim@carroll.com]
> Sent: Monday, August 28, 2000 9:40 AM
> To: Cy Schubert - ITSD Open Systems Group; freebsd-stable@freebsd.org
> Subject: Re: ipnat fails under load
> 
> Cy Schubert - ITSD Open Systems Group wrote:
> >
> > In message <Pine.BSF.4.21.0008252052260.3518-100000@fatbastard.zialink.com>, tucka writes:
> > > You can add me to the list of people who have problems with ipfilter
> > > under load.
> >
> > What's your configuration?  Could you list your IPF and NAT rules?
> >
> > Next time you have a "freeze", issue ipfstat -s and ipfstat -sl.  If
> > you're using stateful filtering, could it be that your state table
> > has filled?
> 
> I suspect this is in fact the case.  Here's my thinking.
> 
> ipnat runs flawlessly for a time.  Usually this time is at least several
> days, often it is several weeks.  Without warning (no log messages or
> errors on the console), it will begin "re-using" old nat entries.
> 
> What I mean by re-using is that rather than create a new outbound
> connection (i.e. begin w/ SYN) when a client session calls for it, it
> sends an ACK message to the destination (as though the session were a
> continuation).  The remote site has no record of a current session, and
> sends back RST messages.
> 
> My theory is that ipnat thinks it has run out of table entries, and
> begins re-using slots, but does NOT correctly re-initialize the slot
> before using it.  Here is our configuration:
> 
> # uname -a
> FreeBSD core1.hck.carroll.com 3.4-STABLE FreeBSD 3.4-STABLE #1: Fri May 19 12:33:18 EDT 2000     jim@core1.hck.carroll.com:/usr/src/sys/compile/ROUTER  i386
> 
> # cat /etc/rc.local
> /usr/sbin/ipnat -CF
> /usr/sbin/ipnat -f /etc/rc.nat
> 
> # cat /etc/rc.nat
> map de0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025:65000
> 
> --
> Jim C.           |  C A R R O L L - Net, Inc.
> 201-488-1332     |
> www.carroll.com  |  Application Service Provider

-- 
Jim C.           |  C A R R O L L - Net, Inc.
201-488-1332     |
www.carroll.com  |  Application Service Provider
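The symptom Jim describes (the NAT box opening a "new" session with a bare ACK and the remote end answering RST) is easy to spot in a capture taken on the outside interface. The following is an added example written for this archive entry, not code from the thread or from IP Filter: it walks a list of constructed packet records and reports TCP conversations whose first outbound segment lacked SYN, noting whether the peer replied with RST. The outside address 203.0.113.5 and the peer addresses are assumed placeholders.

```python
# Added example (not from the thread): flag TCP conversations whose first
# outbound segment carries ACK without SYN, the "re-used NAT entry" symptom.
# Records are constructed here; in practice feed them from tcpdump/ipmon.
from collections import defaultdict

# Constructed sample: (seq_no, src, dst, tcp_flags) as seen on the outside
# interface. 203.0.113.5 is the assumed public address of the ipnat box.
SAMPLE_PACKETS = [
    (1, "203.0.113.5:1025", "198.51.100.10:80", "S"),   # normal new session
    (2, "198.51.100.10:80", "203.0.113.5:1025", "SA"),
    (3, "203.0.113.5:1025", "198.51.100.10:80", "A"),
    (4, "203.0.113.5:1026", "198.51.100.20:80", "A"),   # stale slot: ACK first
    (5, "198.51.100.20:80", "203.0.113.5:1026", "R"),   # peer has no session
    (6, "203.0.113.5:1027", "198.51.100.30:25", "A"),   # ACK first, no RST yet
]

def host_of(endpoint):
    """Strip the port from an 'addr:port' endpoint string."""
    return endpoint.rsplit(":", 1)[0]

def conversation_key(src, dst):
    """Order the two endpoints so both directions map to one flow."""
    return tuple(sorted((src, dst)))

def find_stale_nat_flows(packets, nat_outside_addr):
    """Return (outside_src, dst, peer_sent_rst) for each flow whose first
    segment from the NAT box had ACK set but no SYN."""
    first_seen = {}                  # flow key -> (src, dst, flags)
    rst_from_peer = defaultdict(bool)
    for _, src, dst, flags in packets:
        key = conversation_key(src, dst)
        if key not in first_seen:
            first_seen[key] = (src, dst, flags)
        elif "R" in flags and host_of(src) != nat_outside_addr:
            rst_from_peer[key] = True   # remote end rejected the segment
    suspects = []
    for key, (src, dst, flags) in first_seen.items():
        if host_of(src) == nat_outside_addr and "S" not in flags and "A" in flags:
            suspects.append((src, dst, rst_from_peer[key]))
    return suspects

if __name__ == "__main__":
    for src, dst, rst in find_stale_nat_flows(SAMPLE_PACKETS, "203.0.113.5"):
        print(f"{src} -> {dst}: first segment ACK-only, peer RST={rst}")
```

A run of this against a real capture, alongside the `ipfstat -s` counters Cy suggested, would show whether the bad sessions coincide with a full state or NAT table.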