Revisiting: ipfilter/ipnat problems on -current

To: current-users%netbsd.org@localhost
Subject: Revisiting: ipfilter/ipnat problems on -current
From: Paul Goyette <paul%whooppee.com@localhost>
Date: Sat, 6 Sep 2008 18:33:49 -0700 (PDT)

Some of you may remember many months ago when I started having somestrange problems with ipfilter/ipnat, right after a new version wasimported. Among other odd behavior, I was having difficulty mountingNFS file systems.

After several attempts to find a problem, I worked around it by usingNFS TCP mounts, rather than the default of UDP. All seemed to be welland I sort of forgot about it.

Well, a few days ago I updated my systems to -current, and somethingvery odd happened. :)

The update was done using 'build.sh install=/' and RELDIR was on one ofmy NFS mounted filesystems. Most everything seems to work, except/usr/X11R6/bin/xrdb fails with a "built-in" error from the Xserver.

Trying to narrow this down a bit, I decided to verify the integrity ofthe NFS file systems. I logged in to the NFS server and ran cksum onall of the X install sets, and then I ran the same cksum command on thesystem-with-the-problem. Interestingly, I got different results for oneof the files. So I unmounted and remounted the file system and rerancksum, and got wrong results for a different file. Repeat the umount,mount, cksum steps again, and got still different results!

Since these NFS problems only happen on the single client which alsoruns ipfilter/ipnat, and turning ipfilter/ipnat off avoids the problem,I'm pretty sure I don't have a problem on the NFS server, nor on thenetwork that connects everything together.

One additional datapoint that might be relevant: ALL of my systems,including all the NFS clients and the NFS server, run an IPv4 networkonly - no INET6 configured. I'm going to try enabling INET6 on themachine-that-has-the-problem to see if that makes any difference.

If anyone else has any clues on how to go about resolving this, I'dreally appreciate it. The obvious solution might be "turn offipfilter/ipnat" but I need ipnat - I don't have enough fixed IPaddresses for everything - and I'm not willing to go out and buy astand-alone device. :)


----------------------------------------------------------------------
|   Paul Goyette   | PGP DSS Key fingerprint: |  E-mail addresses:   |
| Customer Service | FA29 0E3B 35AF E8AE 6651 |  paul%whooppee.com@localhost   |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette%juniper.net@localhost |
----------------------------------------------------------------------

Follow-Ups:
- Re: Revisiting: ipfilter/ipnat problems on -current
  - From: Quentin Garnier

Prev by Date: [libc] collect2: ld returned 1 exit status
Next by Date: Disconnecting: Corrupted MAC on input
Previous by Thread: [libc] collect2: ld returned 1 exit status
Next by Thread: Re: Revisiting: ipfilter/ipnat problems on -current
Indexes:

Home | Main Index | Thread Index | Old Index