NetBSD-Bugs archive


Re: kern/38773: ipf/ipnat broken in 4.99.63

The following reply was made to PR kern/38773; it has been noted by GNATS.

From: Paul Goyette <>
Subject: Re: kern/38773: ipf/ipnat broken in 4.99.63
Date: Fri, 30 May 2008 05:42:01 -0700 (PDT)

 More info in an attempt to narrow things down...
 1. When the problem is occurring, a tcpdump shows no traffic in or
     out of the box.
 2. This is specific to ipnat.  Stopping ipnat via `/etc/rc.d/ipnat
     stop' lets things move, and previously-stalled network activity
     resumes.  Restarting ipnat brings the problem back immediately.
 3. The simplest way for me to cause the "hang" is to log in on a
     wsconsole and use `ls /home/paul' (where /home is NFS-mounted
     from a remote system on the "public network" - see diagram below).
 4. When the ls command hangs, running 'ps -owchan' from another
     session shows that ls is waiting for netio.
 5. The problem appears to affect only local traffic (i.e., to or from
     the nat host itself).  NAT'd traffic works just fine.
 6. I'm still quite confused over how I can successfully nfs-mount
     the remote file system, yet once it is mounted I cannot do the
     'ls' command!  And some other stuff still works:
        * I can establish an ftp connection from the public network,
          and even transfer some data.
        * ICMP pings still work, even with a large packet size.
        * nntp traffic seems unaffected to multiple sources
 Since this seems to almost certainly be a problem with ipnat, here
 is my /etc/ipnat.conf file:
        map re0 -> 0/32 proxy port ftp ftp/tcp
        map re0 -> 0/32 portmap tcp/udp 40000:60000
        map re0 -> 0/32
        Public Net        re0  |        | nfe0      Private Net
        <----------------------| SPEEDY |--------------------->
                               |        |
 The "private net" is divided into two halves, with the lower half
 (.0 through .127 - my VoIP gateway and several WiFi stations) being
 allowed to access the internet via nat and the upper half (.128
 through .255) being totally private (that's where my printer lives).
