kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)

Remko Lodder remko at
Fri Nov 30 11:10:03 PST 2007

The following reply was made to PR kern/106438; it has been noted by GNATS.

From: Remko Lodder <remko at>
To: Manuel Tobias Schiller <mala at>
Cc: freebsd-gnats-submit at
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies
 in on spar64 (and maybe others)
Date: Fri, 30 Nov 2007 20:03:31 +0100

 Manuel Tobias Schiller wrote:
 > Hello,
 > I've gathered the information you have asked for, see the attachment.
 > I hope it helps us to get an idea of what's going wrong. Any help with
 > this would be appreciated.
 > Thanks in advance.
 > Manuel
 > P.S. I did the | grep hme3 in the attachment to not clutter the output
 > with irrelevant stuff. All other rules are bound to their respective
 > interface (hme0, hme1, hme2, le0) and should not influence hme3.
 > Besides, there's a lot of traffic going on on le0 which does not need to
 > be mentioned in the ipfstat output because the machine in question is
 > headless and can only be reached with a serial line (with a laptop down
 > in the cellar) or a dedicated network interface (le0, for which I
 > need to have rules that pass everything).
 > On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
 >> Hello,
 >> 	First of all thanks for using FreeBSD!
 >> 	If you run ipmon, what kind of details do you see in the log? It mentions where it is blocked and you
 >> 	can review that rule with ipfstat -hion (list everything in out, do not resolve and show the amount
 >> 	of hits on the rule)
 >> 	Thanks in advance
 >> -- 
 >> Kind regards,
 >>      Remko Lodder               ** remko at
 >>      FreeBSD                    ** remko at
 >>      /* Quis custodiet ipsos custodes */
 Dear Manuel,
 It took a lot of time for me to set this up properly, but I managed to
 work this out; actually this is not a ipfilter problem but it seems
 that hme0 is not capable of doing incoming and outgoing checksumming.
 I faced the same problem, and by issueing a ifconfig hme0 -txcsum
 -rxcsum I resolved the problem.
 The ipfilter errors vanished after that. I'll try to have a look at the
 intel gigabit card in the machine (manually added) and see whether that
 has a similiar issue..
 /"\   Best regards,                      | remko at
 \ /   Remko Lodder                       | remko at EFnet
  X          |
 / \   ASCII Ribbon Campaign              | Against HTML Mail and News

More information about the freebsd-net mailing list