Subject: kern/30653: Bugs with NAT and states handling in IPF 4.1.3
List: netbsd-bugs
Date: 07/01/2005 18:55:00
	Note: There was a bad value `sw-bug | change-request' for the field `Class'.
	It was set to the default value of `sw-bug'.

>Number:         30653
>Category:       kern
>Synopsis:       Bugs with NAT and states handling in IPF 4.1.3
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jul 01 18:55:00 +0000 2005
>Release:        NetBSD 2.0.2_STABLE
Richard Braun
System: NetBSD yoda 2.0.2_STABLE NetBSD 2.0.2_STABLE (YODA) #0: Sun Jun 26 18:02:33 CEST 2005 syn@yoda:/usr/src/sys/arch/i386/compile/YODA i386
Architecture: i386
Machine: i386
The IPFilter version used in the stable 2.0 branch (4.1.3) has some bugs
that can be considered as security problems since they can cause denial of
service quite easily on loaded networks. The main problem concerns the state
table handling, which is globally growing fast on some of the routers I
administer. Here is an ipfstat -s output illustrating the kind of problem
I'm having:

# ipfstat -s
        202 bkts in use
        17477 active

The kernel has been compiled with:
options         NMBCLUSTERS="16384"
options         IPSTATE_SIZE="32749"
options         IPSTATE_MAX="22921"

Other problems are ipfs not working (this has been corrected in version 4.1.7)
and the ipnat -s output:
# ipnat -s
added   30288   expired 0

expired should be added - inuse.

From the HISTORY file in version 4.1.8 of IPFilter, many problems concerning
NAT and state table entries were fixed since 4.1.3. I guess upgrading IPF to
version 4.1.8 in the netbsd-2-0 branch would correct most of these issues.