Subject: IPF 4.1.3 and fragmentation
To: None <current-users@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: current-users
Date: 07/23/2004 13:58:36
Hi!

After upgrading to the latest IPF (version 4.1.3) I can no longer update
my /usr/src from the NetBSD repository. It looks like IPF can't handle
fragmented packets correctly (according to the logs below). I did not have
this problem with 4.1.1 or when IPF is disabled. NAT is performed on my
gateway (running NetBSD 1.6.2), so don't mind the 10.0.0.242 address.

Jul 23 13:43:05 h242 ipmon[420]: 13:43:03.869716 rtk0 @0:5 b h242[10.0.0.242],65533 -> cvs.netbsd.org[204.152.184.172],ssh PR tcp len 20 1500 -A OUT OOW 
Jul 23 13:43:05 h242 ipmon[420]: 13:43:03.870176 rtk0 @0:5 b h242[10.0.0.242],65533 -> cvs.netbsd.org[204.152.184.172],ssh PR tcp len 20 224 -AFP OUT OOW

Use this ipf.conf and try to update /usr/src with cvs (or anything else
which will trigger fragmentation).

# Allow everything in the loopback network
pass in  quick on lo0 from any to any
pass out quick on lo0 from any to any

# Allow outgoing traffic
pass out quick proto tcp  from any to any flags S keep state keep frags
pass out quick proto udp  from any to any keep state keep frags
pass out quick proto icmp from any to any icmp-type echo keep state

# Block and log everything else
block return-rst in log quick proto tcp from any to any
block in  log quick all
block out log quick all

Anyone else having these kinds of problems with the new version?

Martti
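A small ipmon(8) log parser, added here as an illustration and not part of Martti's message or of IPFilter itself. It pulls the trailing OOW (out-of-window) marker out of lines like the two quoted above and counts such drops per connection, which is the quickest way to tell a state-table failure (many OOW blocks on one flow) from an ordinary rule hit. The field layout is assumed from the two quoted lines; the third sample line, a normal block without OOW, is constructed for contrast.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the two ipmon lines from the post plus one
# ordinary block (no OOW marker) to show the filter discriminating.
SAMPLE_LOG = """\
Jul 23 13:43:05 h242 ipmon[420]: 13:43:03.869716 rtk0 @0:5 b h242[10.0.0.242],65533 -> cvs.netbsd.org[204.152.184.172],ssh PR tcp len 20 1500 -A OUT OOW
Jul 23 13:43:05 h242 ipmon[420]: 13:43:03.870176 rtk0 @0:5 b h242[10.0.0.242],65533 -> cvs.netbsd.org[204.152.184.172],ssh PR tcp len 20 224 -AFP OUT OOW
Jul 23 13:44:10 h242 ipmon[420]: 13:44:09.100000 rtk0 @0:5 b h242[10.0.0.242],65534 -> cvs.netbsd.org[204.152.184.172],ssh PR tcp len 20 60 -S OUT
"""

# Field layout assumed from the quoted lines: syslog prefix, ipmon timestamp,
# interface, @group:rule, action, src -> dst, PR proto, len hdr total,
# optional -TCPFLAGS, direction, then zero or more trailing markers (OOW, ...).
LINE_RE = re.compile(r"""
    ^\w{3}\s+\d+\s[\d:]+\s+\S+\s+ipmon\[\d+\]:\s+
    (?P<ts>[\d:.]+)\s+(?P<iface>\S+)\s+@(?P<rule>\S+)\s+(?P<action>\S+)\s+
    (?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)\s+
    len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)
    (?:\s+-(?P<tcpflags>[A-Z]+))?\s+(?P<dir>IN|OUT)(?P<extra>(?:\s+\S+)*)\s*$
""", re.VERBOSE)

# "host[ip],port" -> name, ip, port (ip and port are optional in ipmon output)
ENDPOINT_RE = re.compile(r"^(?P<name>[^\[,]+)(?:\[(?P<ip>[^\]]+)\])?(?:,(?P<port>\S+))?$")


@dataclass
class IpmonRecord:
    timestamp: str
    iface: str
    rule: str
    action: str          # 'b' block, 'p' pass, as printed by ipmon
    src_host: str
    src_ip: str
    src_port: str
    dst_host: str
    dst_ip: str
    dst_port: str
    proto: str
    packet_len: int      # total length (second number after "len")
    tcp_flags: str       # e.g. "AFP"; empty for non-TCP
    direction: str
    markers: tuple       # trailing markers such as ("OOW",)


def _endpoint(text):
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError("unparseable endpoint: %r" % text)
    return m.group("name"), m.group("ip") or "", m.group("port") or ""


def parse_ipmon(text):
    """Parse ipmon log text; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s_host, s_ip, s_port = _endpoint(m.group("src"))
        d_host, d_ip, d_port = _endpoint(m.group("dst"))
        records.append(IpmonRecord(
            timestamp=m.group("ts"), iface=m.group("iface"), rule=m.group("rule"),
            action=m.group("action"),
            src_host=s_host, src_ip=s_ip, src_port=s_port,
            dst_host=d_host, dst_ip=d_ip, dst_port=d_port,
            proto=m.group("proto"), packet_len=int(m.group("plen")),
            tcp_flags=m.group("tcpflags") or "", direction=m.group("dir"),
            markers=tuple(m.group("extra").split()),
        ))
    return records


def out_of_window(records):
    """Blocked packets that ipmon marked OOW (failed the state-table window check)."""
    return [r for r in records if r.action == "b" and "OOW" in r.markers]


def oow_summary(records):
    """Count OOW blocks per (src ip, dst ip, dst port) so a single failing flow stands out."""
    return Counter((r.src_ip, r.dst_ip, r.dst_port) for r in out_of_window(records))


if __name__ == "__main__":
    for flow, n in oow_summary(parse_ipmon(SAMPLE_LOG)).items():
        print("%d OOW block(s) on %s -> %s:%s" % (n, *flow))
```

Run against a real /var/log/ipflog, a flow that accumulates OOW drops on full-size (1500-byte) segments, as in the post, points at fragment or window tracking rather than at the rule set; the rule number (@0:5 here) only tells you which rule caught the fall-through.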