Subject: kern/30653: Bugs with NAT and states handling in IPF 4.1.3
To: None <email@example.com, firstname.lastname@example.org>
From: None <email@example.com>
Date: 07/01/2005 18:55:00
Note: There was a bad value `sw-bug | change-request' for the field `Class'.
It was set to the default value of `sw-bug'.
>Synopsis: Bugs with NAT and states handling in IPF 4.1.3
>Arrival-Date: Fri Jul 01 18:55:00 +0000 2005
>Release: NetBSD 2.0.2_STABLE
System: NetBSD yoda 2.0.2_STABLE NetBSD 2.0.2_STABLE (YODA) #0: Sun Jun 26 18:02:33 CEST 2005 syn@yoda:/usr/src/sys/arch/i386/compile/YODA i386
The IPFilter version used in the stable 2.0 branch (4.1.3) has some bugs
that can be considered security problems, since they can cause denial of
service quite easily on loaded networks. The main problem concerns the state
table handling: the table is growing fast overall on some of the routers I
administer. Here is an ipfstat -s output illustrating the kind of problem
I'm having:
# ipfstat -s
202 bkts in use
The kernel has been compiled with:
Other problems are ipfs not working (this has been corrected in version 4.1.7)
and the ipnat -s output:
# ipnat -s
added 30288 expired 0
expired should be added - inuse.
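As an added illustration (not part of the PR), here is a small Python check that applies the accounting rule stated above to ipnat -s style output and compares two snapshots to spot a NAT table that grows without ever expiring entries. The counter layout beyond the quoted "added ... expired ..." line and the sample values are constructed assumptions.

```python
import re

# Constructed samples in the style of the `ipnat -s` line quoted in the PR
# ("added 30288 expired 0"); the layout of the other counters is an assumption.
SNAPSHOT_T0 = """\
mapped  in  12345  out  12001
added   30288  expired  0
no memory  0  bad nat  0
inuse   18000
rules   4
"""
SNAPSHOT_T1 = """\
mapped  in  23456  out  23100
added   41000  expired  0
no memory  0  bad nat  0
inuse   28712
rules   4
"""

COUNTER_RE = re.compile(r"\b(added|expired|inuse)\s+(\d+)")


def parse_nat_counters(text):
    """Extract the added/expired/inuse counters from ipnat -s style output."""
    counters = {k: int(v) for k, v in COUNTER_RE.findall(text)}
    missing = {"added", "expired", "inuse"} - counters.keys()
    if missing:
        raise ValueError("missing counters: %s" % ", ".join(sorted(missing)))
    return counters


def unaccounted_entries(counters):
    """Entries that were added but are neither in use nor counted as expired.
    The PR's rule is expired == added - inuse, so a healthy table gives 0."""
    return counters["added"] - counters["inuse"] - counters["expired"]


def table_growth(before, after):
    """Compare two snapshots: how many entries the table gained and whether
    anything expired in between. Growth with zero expirations is the leak
    pattern the PR describes (the table grows until resources run out)."""
    gained = after["inuse"] - before["inuse"]
    expired = after["expired"] - before["expired"]
    return {"gained": gained, "expired": expired,
            "leaking": gained > 0 and expired == 0}


if __name__ == "__main__":
    t0 = parse_nat_counters(SNAPSHOT_T0)
    t1 = parse_nat_counters(SNAPSHOT_T1)
    print("unaccounted at t0:", unaccounted_entries(t0))
    print("growth:", table_growth(t0, t1))
```

In practice the two snapshots would come from running ipnat -s at two points in time on the affected router.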
From the HISTORY file in version 4.1.8 of IPFilter, many problems concerning
NAT and state table entries were fixed since 4.1.3. I guess upgrading IPF to
version 4.1.8 in the netbsd-2-0 branch would correct most of these issues.