Subject: Re: kern/11670: ipf eventually blocks all traffic (thus ignoring any rules set)
To: None <stephen.welker@nemostar.com.au>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-bugs
Date: 12/09/2000 15:13:46
On Sat, Dec 09, 2000 at 04:26:12AM -0800, stephen.welker@nemostar.com.au wrote:
> NetBSD hermes 1.4.3 NetBSD 1.4.3 (GENERIC) #60: Wed Nov  1 01:35:30 MET 2000     he@vever.runit.no:/usr/src/sys/arch/i386/compile/GENERIC i386
> >Description:
> With ipf enabled (sysctl -w net.inet.ip.forwarding=1), after, say, a few hours of solid traffic (at modem speed) all traffic is blocked.

FYI, ipf is enabled with ipf -E. sysctl -w net.inet.ip.forwarding=1 only
allows packet forwarding (you can have ipf running without routing
packets).

> >How-To-Repeat:
> see below "Fix to the problem if known" for more details.
> >Fix:
> "ipf -D" followed by "ipf -E -Fa -f /etc/ipf.conf" will fix the problem a few times. Finally only a "ipf -D" will allow any traffic at all. A reboot is then necessary to achieve the use of any filter rules.

Do you use NAT in addition to IPF? Did this work with 1.4.2?
While the traffic is blocked, could you run tcpdump on both interfaces
and see what traffic there is?

--
Manuel Bouyer <bouyer@antioche.eu.org>