Subject: kern/17097: ipfilter policy-routing problem
To: None <gnats-bugs@gnats.netbsd.org>
From: None <Mihai.Chelaru@ballantines.acasa.ro>
List: netbsd-bugs
Date: 05/29/2002 14:05:27
>Number:         17097
>Category:       kern
>Synopsis:       bad checksum for ipfilter generated packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 29 04:07:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Mihai Chelaru
>Release:        NetBSD 1.5ZC
>Organization:
	
	RomTeleNet
>Environment:
	
	
System: NetBSD ballantines.acasa.ro 1.5ZC NetBSD 1.5ZC (Kefren) #2: Fri May 10 00:06:35 EEST 2002 kefren@ballantines.acasa.ro:/usr/src/sys/arch/i386/compile/Kefren i386
Architecture: i386
Machine: i386
IP Filter: v3.4.27 (336)
>Description:
	ipfilter generates packets with wrong chksum when it's used for policy-routing.
>How-To-Repeat:

	I used 3 machines configured like this:

	A: rtk0: 192.168.0.1/24
	   vmnet1: 172.16.212.1/24
	B: rtk0: 192.168.0.2/24
	C: vmnet1: 172.16.212.2/24

	Both, B & C have the default route in A
	I did the following:

	B:
	# ifconfig lo0 100.100.100.100 netmask 255.0.0.0 alias
	# route add 100.0.0.0 -netmask 255.0.0.0 100.100.100.100

	A:
	I added the following line in the ipf config:
	block in quick on vmnet1 to rtk0:192.168.0.2 from 172.16.212.2/32 to 
	100.0.0.0/8

	C:
	# ping 100.100.100.100
	PING 100.100.100.100 (100.100.100.100): 56 data bytes
	64 bytes from 100.100.100.100: icmp_seq=58 ttl=254 time=0.713 ms
	^C^C
	----100.100.100.100 PING Statistics----
	98 packets transmitted, 1 packets received, 99.0% packet loss
	round-trip min/avg/max/stddev = 0.713/0.713/0.713/0.000 ms

	meanwhile i tcpdump-ed all four interfaces (vmnet on C & A, rtk on both A & B) 
	and i saw that ipfilter is doing the correct thing. it routes the packets from 
	C to B. But when i did tcpdump -vvv on same interfaces i observed that packets on both
	rtk interfaces were reporting bad cksum. About 1% of generated packets have the correct sum
	and B is responding correctly to it.

>Fix:
	Don't know.

>Release-Note:
>Audit-Trail:
>Unformatted: