Ipfw on the fritz?

Josh Paetzel friar_josh at webwarrior.net
Thu Sep 18 10:41:04 PDT 2003


On Thu, Sep 18, 2003 at 05:21:36PM +0000, Mark wrote:
> ----- Original Message -----
> From: "Josh Paetzel" <friar_josh at webwarrior.net>
> To: "Mark" <admin at asarian-host.net>
> Cc: <freebsd-questions at freebsd.org>
> Sent: Thursday, September 18, 2003 2:54 AM
> Subject: Re: Ipfw on the fritz?
> 
> > On Thu, Sep 18, 2003 at 12:21:58AM +0000, Mark wrote:
> >
> > > Eek, I just got these eerie messages in /var/log/messages:
> > >
> >
> > The following thread may be of interest to you:
> >
> > http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-June/000215.html
> 
> Thank you for the thread. But a bad situation just got worse; all of a
> sudden I got these too:
> 
> Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
> Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
> Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries
> Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries
> 
> Too many entries? I have "net.inet.ip.fw.dyn_max" set to 1000. And there are
> certainly not a 1000+ dynamic rules. Well, thinking out loud, there would be
> if "OUCH! cannot remove rule". :(

Looks like that is what is happening here.

> 
> Is there an ipfw patch somewhere, so I can rebuild the kernel? I do not wish
> to perform a cvsup, as that tends to make the system unstable. But if I can
> compile a new kernel on a VMware box, and then copy over /kernel to the real
> server, well, that I dare give a try.
> 
> Thanks,
> 
> - Mark

I don't know if an ipfw patch exists or not. I'm tempted to say there probably
isn't, but I could be way off base there. I don't know what you mean about cvsup
making the system unstable; I've had very good luck tracking RELENG_4_8, which is
nothing more than 4.8-RELEASE with bug fixes. As far as running a new kernel goes,
you can't run a new kernel on an old userland; that will break numerous things on
your system. :-/

Josh Paetzel

