FreeBSD 10.0 ipfilter problem?

Valeri Galtsev galtsev at
Fri Feb 28 19:25:21 UTC 2014

Dear All,

After upgrading the first machine from FreeBSD 9.2-RELEASE to 10.0 I had a
strange problem with ipfilter. Well, I actually did a fresh install, and the
only thing "upgrade" related is this: I took /etc/ipf.rules, which worked
nicely on the same machine under FreeBSD 9.2-RELEASE, and put it on 10.0
without changing it (and enabled ipfilter as usual). The problem
manifested itself in ipfilter dropping the majority of packets as "bad", which
in the case of scp (even an outgoing one) led to the connection stalling at about 500
kB of data passed... A quick glance at the relevant variables:

sysctl -a | grep ipf

revealed that I don't see the majority of them, including two that I'm
used to tweaking on busy boxes (I'm actually changing them in
/usr/src/sys/contrib/ipfilter/netinet/ip_state.h):

net.inet.ipf.fr_statesize: 65536
net.inet.ipf.fr_statemax: 65536

I tried to search and didn't find anybody mentioning my problem.
(Somebody, please, teach me to search for something in all FreeBSD mail
list archives!)

So, finally I decided to make just a quick and dirty fix: I replaced


with the ones from FreeBSD 9.2-RELEASE, recompiled the kernel, rebooted,
and that fixed my problem.

I hope this helps someone, but more importantly, I do have a question: is
this just me doing something wrong so that ipfilter stopped working for me on
10.0, or is this something that has to be fixed? Whom do we ask to fix
ipfilter on FreeBSD 10.0?


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
