Re: IPFilter issue in -current

[Geoff Adams <gadams%avernus.com@localhost>]

On 29 Dec 2012, at 9:30 PM, Darren Reed <darrenr%NetBSD.org@localhost> wrote:

> I recognise that it is potentially a bad time of year to be trying to resolve 
> issues with so many disruptions to normality by holidays, but has there been 
> any progress in determining why ns_bucketlen[] drops below 0?

Yeah, sorry about that. I've only had about an hour to look into this since I 
last wrote.

In that time, I determined that it's not just ns_bucketlen that's zero; the 
buckets themselves are empty as well (well, almost always, anyway). 
Furthermore, after several days of uptime, the global ns_inuse counter has 
reached over 200,000. It does fluctuate a little (it's not monotonically 
increasing), but it generally grows over time. Furthermore, an increasing 
number of buckets have reached ipf_nat_maxbucket in length, so that's causing 
opt_nat_add to fail frequently at this point.

This all makes me suspect a mis-calculation of the hash codes, leading to 
leaking NAT entries. I haven't looked through the global NAT entry list to see 
if they're still there, but I'll do that soon, as well as some debugging of 
hash code calculation and storage in the NAT structure.

I haven't looked into the ipf_nat_newrdr failures at all, yet. I should have 
more time available over the next few days to delve into this more seriously.

- Geoff