OK, thanks very much for your answer. That was the last thing I had not
checked, and of course, I had a big mistake in my test rules: I had
forgotten the "quick" keyword in the "keep state" lines, and last line =
was
"pass in all" (for test)...

So, it now works with 3.4.9.

I then tried once more to upgrade to 3.4.20. And there, that's lookung =
more
difficult. I upgraded kernel (1.5.3alpha with IPF 3.4.20), IPF =
binaries, and
rebuilded devices.
When I run "ipfstat -i" or "-o", it displays correctly rules (and =
theses
rules are correct ;-)
But I run "ipfstat -si", "-so" or "-s", it displays nothing at all: no
errors, no messages, nothing... And of course, "ipfstat -t" works, but =
it
doesn't see anything.

Could someone help me, please ? Thanks in advance.

	Frederic CRESTIN



-----Message d'origine-----
De : fredb@handy.villians.invalid
[mailto:fredb@handy.villians.invalid]De la part de Frederick Bruckman
Envoy=E9 : mardi 2 octobre 2001 22:13
=C0 : CRESTIN Fr=E9d=E9ric
Cc : 'netbsd-help@netbsd.org'
Objet : Re: STATE TOP facility for IPFilter 3.4.9 doesn't work anymore


On Tue, 2 Oct 2001, CRESTIN Fr=E9d=E9ric wrote:

> I have a new problem with STATE TOP facility for IPFilter 3.4.9, on a
NetBSD
> 1.5.2/i386: "ipfstat -t" doesn't display anything, i.e. no IP =
packets. But
> IPF is working with "keep state" keywords in the rules.
>
> I was trying to upgrade from IPFilter 3.4.9 to 3.4.20. As all was =
working
> except STATE TOP facility (compiled but displaying nothing), I tried =
to
come
> back to IPF 3.4.9.
>
> I made a new Kernel with original sources, new binaries, etc. And as =
with
>
> So, IPF works perfect, except STATE TOP facility.

Do you get any errors? Does "ipfstat -si -so" show anything? You must
actually trigger one of your "keep state" rules before you will see
anything, of course.

Frederick