Subject: Re: kern/37174: ipfilter doesn't properly remove connections from NAT table
To: Pavel Cahyna <pavel@NetBSD.org>
From: Chris Ross <cross+netbsd@distal.com>
List: netbsd-bugs
Date: 10/24/2007 11:22:13
On Mon, 22 Oct 2007 23:14:42 +0200, Pavel Cahyna <pavel@NetBSD.org> said:
>> Install NetBSD 4.0_RC3 onto a machine which does NAT for a modest-sized
>> network. ipnat -l | wc will show a constantly growing list of connections.
>> Networks which would normally only average around 1,000 connections show
>> more than 25,000 connections in a day or two. Networks which average
>> around 50 connections show more than 20,000 after four or five days.
>
> Probably caused by http://releng.netbsd.org/cgi-bin/req-4.cgi?show=880
> which will be backed out soon.

   I was looking at ipfilter changes in netbsd-4, and was pointed at this
bug.  This bug is also affecting my i386 router at home, for a small
network.  I *believe* that the only NAT connections that are being held and
not expiring properly are RDR connections.

   Are you commenting above that the pull-up that was/is ticket #880 is
going to be backed out, thus reintroducing IPF bug #1774745?

                      - Chris
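The message above counts NAT state with `ipnat -l | wc`, which also counts the rule listing and header lines, and then guesses that only RDR sessions are the ones failing to expire. The script below is an added example, not part of this bug report or of NetBSD/ipfilter: it splits the "List of active sessions:" block of `ipnat -l` output into MAP and RDR counts so that hypothesis can be checked over time. It assumes the usual ipnat -l layout, in which each active-session line begins with `MAP` or `RDR`; the sample output embedded in it is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: count active ipnat sessions by type (MAP vs RDR).
# Assumption: in `ipnat -l` output, every line after "List of active
# sessions:" that describes a session starts with the word MAP or RDR.

# count_sessions: read ipnat -l output on stdin, print "MAP <n> RDR <n>".
count_sessions() {
    awk '
        /^List of active sessions:/ { in_sessions = 1; next }
        in_sessions && $1 == "MAP"  { map++ }
        in_sessions && $1 == "RDR"  { rdr++ }
        END { printf "MAP %d RDR %d\n", map + 0, rdr + 0 }
    '
}

# Constructed sample of ipnat -l output (not a real capture): one MAP
# session and three RDR sessions behind a single rdr rule for port 80.
SAMPLE_IPNAT='List of active MAP/Redirect filters:
map fxp0 10.0.0.0/8 -> 0/32 portmap tcp/udp 40000:60000
rdr fxp0 0/0 port 80 -> 10.0.0.2 port 80 tcp

List of active sessions:
MAP 10.0.0.5     40123 <- -> 203.0.113.1   40001 [198.51.100.7 80]
RDR 10.0.0.2     80    <- -> 203.0.113.1   80    [198.51.100.9 51234]
RDR 10.0.0.2     80    <- -> 203.0.113.1   80    [198.51.100.9 51240]
RDR 10.0.0.2     80    <- -> 203.0.113.1   80    [198.51.100.10 44002]'

# On a live router, sample the real command periodically and keep the
# counts alongside a timestamp, e.g.:
#   while :; do date; ipnat -l | count_sessions; sleep 3600; done
# Run with --demo to exercise the parser on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_IPNAT" | count_sessions
fi
```

If the RDR count climbs while the MAP count stays near the network's normal connection load, that supports the claim that only redirected sessions are being retained; if both climb together, the leak is not specific to RDR.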