RELENG_5 ipfw problem

Oliver Brandmueller ob at e-Gitt.NET
Fri Aug 27 01:43:09 PDT 2004


I upgraded from a -CURRENT as of about 1.5 or 2 months ago to RELENG_5 
and do now have a problem with ipfw:

FreeBSD 5.3-BETA1 FreeBSD 5.3-BETA1 #6:
	Fri Aug 27 09:35:33 CEST 2004
	root at  i386

ipfw is running and loads its rules just fine:

champagne# ipfw show
00100 1286 106440 allow ip from to
00200  840  36960 fwd tcp from 25 to 213.XXX.XXX.X/24
00300    0      0 reset tcp from me to 213.XXX.XXX.XXX dst-port 25
00400    0      0 reset tcp from me to 203.XXX.XXX.XXX/24 dst-port 25
00500 5221 559882 allow ip from any to any
65535    0      0 deny ip from any to any

My problem is with rule 200:

It's there, ipfw shows matches. But the packets don't get forwarded. The 
rule is unchanged from the setup before and is working on other systems.

ipfw is loaded as a module.


The kernel has these options (which might be related):

options         PFIL_HOOKS              # pfil(9) framework
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.

I added PFIL_HOOKS to the kernel (I think ipfw wouldn't work at all, if 
I didn't) and ADAPTIVE_GIANT (as suggested here and in GENERIC). The 
machine is a Dual Xeon 2.4 GHz with HTT (currently) disabled.

The machine has two interfaces:

fxp0 with
em0  with 213.XXX.XXX.XXX (same network as in rule 200)

The setup is a local load balancing, so there are connects coming from 
the official network to port 25 (loadbalanced) at (the 
machines actually connect to an IP in the official net, which gets 
balanced to 192.168.25.x). The forwarding rule is needed, because 
routing to the connecting IP would be through the em0 interface and 
translation by the loadbalancer would be circumvented then.

Connection to port 25 is possible from a 192.168.25.x IP directly, but 
if I enable this host on the load balancer, I do only see incoming 
packets to port 25 on fxp0 but don't see any packets going back (on 
neither fxp0 nor em0, not even lo0). The forwarded packets simply 

- Oliver

| Oliver Brandmueller | Offenbacher Str. 1  | Germany       D-14197 Berlin |
| Fon +49-172-3130856 | Fax +49-172-3145027 | WWW: |
|                   I am the Internet. So help me God.                    |
|   Commercial use of the addresses contained herein is not permitted!    |
