-------- Original Message --------
Subject: Re: maybe bug in version 4.1.28
Date: Fri, 04 May 2012 18:00:18 +0100
From: Andrew White <[email protected]>
To: Jim Klimov <[email protected]>

+1 too.

I'm guessing this is FreeBSD. There are some bugs with ipfilter and FreeBSD that fall into this space, particularly around checksumming and some Intel NICs etc. For example, read through this bug:
http://www.freebsd.org/cgi/query-pr.cgi?pr=106438

On Fri, May 4, 2012 at 5:52 PM, Jim Klimov <[email protected]> wrote:

> 2012-05-04 20:17, Michael T. Davis wrote:
> > Where might we find the full thread of this topic?
>
> +1
>
> > Reading between the lines, is it recommended that we should not
> > enable NIC-based offload processing under ipfilter?
>
> That's what we had to do (on OpenSolaris SXCE).
> You can google up many hits on "dohwcksum ipfilter" keywords,
> including PhilDev's IPFilter FAQ. And yes, the problem is very old:
>
> http://www.phildev.net/ipf/IPFsolaris.html#solaris15
>
> http://mail.opensolaris.org/pipermail/networking-discuss/2005-September/000192.html
>
> http://mail.opensolaris.org/pipermail/networking-discuss/2006-March/000953.html
>
> http://comments.gmane.org/gmane.comp.security.firewalls.ipfilter/6026
> "As is known, ipfilter NAT does not work correctly with hardware
> checksumming."
>
> http://www.colby.edu/personal/j/jaearick/sysadmin/sol10.ipfilter.upgrade
>
> We could go on and on :)
>
> //Jim
