Subject: Re: kern/29529 (still there)
To: None <darrenr@netbsd.org, gnats-admin@netbsd.org,>
From: Arto Selonen <arto@selonen.org>
List: netbsd-bugs
Date: 04/27/2006 10:50:03
The following reply was made to PR kern/29529; it has been noted by GNATS.

From: Arto Selonen <arto@selonen.org>
To: gnats-bugs@netbsd.org
Cc: Martti Kuparinen <martti.kuparinen@iki.fi>
Subject: Re: kern/29529 (still there)
Date: Thu, 27 Apr 2006 13:48:17 +0300 (EEST)

 Hi!
 
 Box upgraded on April 25th with whatever sources anoncvs.netbsd.org gave.
 Fastrouted traffic still does not get properly through:
 
 Network:  SOURCE -- GW -- TARGET
 
  		- source is a NetBSD-current 3.99.18
  		- GW is the problem box with fastroute ipfilter rule
  		  running 3.99.18 as explained above
  		- target is an old RedHat 8.0 Linux laptop running
  		  OpenSSH
 
 GW has the following settings (related to this):
 
  	- TARGET network is in private IANA space, connected to wm2
  	- SOURCE is in public address space, connected to wm0
  	- TARGET addresses NAT'ed in wm0 as in:
  		"map wm0 IANA/24 -> PUBLIC/32 portmap tcp/udp 1025:65000"
  		"map wm0 IANA/24 -> PUBLIC/32"
  	- SOURCE network also has routes for TARGET network
  	- ipfilter has a fastroute rule for incoming traffic on wm0 to wm2:
  		"pass in log first quick on wm0 to wm2 proto tcp from
  		 SOURCE-NET to any flags S keep state"
 
 Running 'ssh TARGET' on SOURCE system, and running 'tcpdump -ef -nn -vv' 
 on SOURCE, GW/wm2 and TARGET produces the following:
 (SOURCE and GW run ntpd, TARGET time may be off)
 
 SOURCE:
 =======
 12:25:27.684481 SOURCEMAC > GWMAC, ethertype IPv4 (0x0800), length 78:
  	 IP (tos 0x0, ttl  64, id 12100, offset 0, flags [DF], length: 64)
  	 SOURCEIP.65443 > TARGETIP.22: S [tcp sum ok] 1884348293:1884348293(0)
  	 win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
 12:25:31.082361 GWMAC > SOURCEMAC, ethertype IPv4 (0x0800), length 66:
  	 IP (tos 0x0, ttl  63, id 0, offset 0, flags [DF], length: 52)
  	 TARGETIP.22 > SOURCEIP.65443: S [tcp sum ok] 307175932:307175932(0)
  	 ack 1884348294 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
 12:25:31.082443 SOURCEMAC > GWMAC, ethertype IPv4 (0x0800), length 54:
  	 IP (tos 0x0, ttl  64, id 12187, offset 0, flags [DF], length: 40)
  	 SOURCEIP.65443 > TARGETIP.22: . [tcp sum ok] 1:1(0) ack 1 win 33580
 12:25:37.257151 GWMAC > SOURCEMAC, ethertype IPv4 (0x0800), length 66:
  	 IP (tos 0x0, ttl  63, id 0, offset 0, flags [DF], length: 52)
  	 TARGETIP.22 > SOURCEIP.65443: S [tcp sum ok] 307175932:307175932(0)
  	 ack 1884348294 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
 12:25:37.257228 SOURCEMAC > GWMAC, ethertype IPv4 (0x0800), length 66:
  	 IP (tos 0x0, ttl  64, id 2386, offset 0, flags [DF], length: 52)
  	 SOURCEIP.65443 > TARGETIP.22: . [tcp sum ok] 1:1(0)
  	 ack 1 win 33580 <nop,nop,sack sack 1 {1:1} >
 12:25:56.426213 SOURCEMAC > GWMAC, ethertype IPv4 (0x0800), length 66:
  	 IP (tos 0x0, ttl  64, id 12911, offset 0, flags [none], length: 52)
  	 SOURCEIP.65444 > TARGETIP.22: F [tcp sum ok] 321398010:321398010(0)
  	 ack 22076308 win 33580 <nop,nop,timestamp 660 210435>
 
 GATEWAY/wm2:
 ============
 12:25:27.676597 GWMAC > TARGETMAC, ethertype IPv4 (0x0800), length 78:
  	 IP (tos 0x0, ttl  64, id 12100, offset 0, flags [DF], length: 64)
  	 SOURCEIP.65443 > TARGETIP.22: S [tcp sum ok] 1884348293:1884348293(0)
  	 win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
 12:25:31.074210 TARGETMAC > GWMAC, ethertype IPv4 (0x0800), length 66:
  	 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 52)
  	 TARGETIP.22 > SOURCEIP.65443: S [tcp sum ok] 307175932:307175932(0)
  	 ack 1884348294 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
 12:25:31.074392 GWMAC > TARGETMAC, ethertype IPv4 (0x0800), length 54:
  	 IP (tos 0x0, ttl  64, id 12187, offset 0, flags [DF], length: 40)
  	 SOURCEIP.65443 > TARGETIP.22: . [tcp sum ok] 1:1(0) ack 1 win 33580
 12:25:36.073348 TARGETMAC > GWMAC, ethertype ARP (0x0806), length 60:
  	 arp who-has GW-IP tell TARGETIP
 12:25:36.073354 GWMAC > TARGETMAC, ethertype ARP (0x0806), length 42:
  	 arp reply GWIP is-at GWMAC
 12:25:37.248961 TARGETMAC > GWMAC, ethertype IPv4 (0x0800), length 66:
  	 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 52)
  	 TARGETIP.22 > SOURCEIP.65443: S [tcp sum ok] 307175932:307175932(0)
  	 ack 1884348294 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
 12:25:37.249270 GWMAC > TARGETMAC, ethertype IPv4 (0x0800), length 66:
  	 IP (tos 0x0, ttl  64, id 12386, offset 0, flags [DF], length: 52)
  	 SOURCEIP.65443 > TARGETIP.22: . [tcp sum ok] 1:1(0)
  	 ack 1 win 33580 <nop,nop,sack sack 1 {1:1} >
 12:25:56.418072 GWMAC > TARGETMAC, ethertype IPv4 (0x0800), length 66:
  	 IP (tos 0x0, ttl  64, id 12911, offset 0, flags [none], length: 52)
  	 SOURCEIP.65444 > TARGETIP.22: F [tcp sum ok] 0:0(0)
  	 ack 1 win 33580 <nop,nop,timestamp 660 210435>
 
 TARGET:
 =======
 11:40:39.797174 GWMAC TARGETMAC 0800 78:
  	 SOURCEIP.65443 > TARGETIP.22: S [tcp sum ok]
  	 1884348293:1884348293(0) win 32768
  	 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
  	 (DF) (ttl 64, id 12100, len 64)
 11:40:39.797225 TARGETMAC GWMAC 0800 66:
  	 TARGETIP.22 > SOURCEIP.65443: S [tcp sum ok]
  	 307175932:307175932(0) ack 1884348294 win 5840
  	 <mss 1460,nop,nop,sackOK,nop,wscale 0>
  	 (DF) (ttl 64, id 0, len 52)
 11:40:43.195305 TARGETMAC GWMAC 0800 66:
  	 TARGETIP.22 > SOURCEIP.65443: S [tcp sum ok]
  	 307175932:307175932(0) ack 1884348294 win 5840
  	 <mss 1460,nop,nop,sackOK,nop,wscale 0>
  	 (DF) (ttl 64, id 0, len 52)
 11:40:43.195582 GWMAC TARGETMAC 0800 60: truncated-ip - 10194 bytes missing!
  	 SOURCEIP > TARGETIP: (frag 12187:10220@512)
  	 (ttl 64, len 10240, bad cksum df34!)
 11:40:48.195295 TARGETMAC GWMAC 0806 42:
  	 arp who-has GWIP tell TARGETIP
 11:40:48.195451 GWMAC TARGETMAC 0806 60:
  	 arp reply GWIP is-at GWMAC
 11:40:49.371082 TARGETMAC GWMAC 0800 66:
  	 TARGETIP.22 > SOURCEIP.65443: S [tcp sum ok]
  	 307175932:307175932(0) ack 1884348294 win 5840
  	 <mss 1460,nop,nop,sackOK,nop,wscale 0>
  	 (DF) (ttl 64, id 0, len 52)
 11:40:49.371579 GWMAC TARGETMAC 0800 66: truncated-ip - 13260 bytes missing!
  	 SOURCEIP > TARGETIP: (frag 12386:13292@512)
  	 (ttl 64, len 13312, bad cksum de61!)
 11:41:02.718741 TARGETMAC GWMAC 0800 66:
  	 TARGETIP.22 > SOURCEIP.65443: S [tcp sum ok]
  	 307175932:307175932(0) ack 1884348294 win 5840
  	 <mss 1460,nop,nop,sackOK,nop,wscale 0>
  	 (DF) (ttl 64, id 0, len 52)
 11:41:08.543859 GWMAC TARGETMAC 0800 66: truncated-ip - 13260 bytes missing!
  	 SOURCEIP.65444 > TARGETIP.22: F 0:13260(13260) ack 1 win 33580
  	 <nop,nop,timestamp 660 210435>
  	 (ttl 64, id 12911, len 13312, bad cksum 1c55!)
 
 
 Note the "fragmented" packets.
 
 Traffic that is initiated from TARGET side goes through GW where it
 matches other keep-state rules, and is not affected by fastroute rules
 and so it flows just fine.
 
 So, the PR is still valid and probably identical to what it was in 
 February 2005.
 
 
 Artsi
 -- 
 #######======------  http://www.selonen.org/arto/  --------========########
 Everstinkuja 5 B 35                               Don't mind doing it.
 FI-02600 Espoo         arto@selonen.org         Don't mind not doing it.
 Finland              tel +358 50 560 4826     Don't know anything about it.
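
An added example, not part of the original message: the lengths and offsets in the TARGET capture are what a decoder reports when the 16-bit total-length and flags/offset fields of the headers seen on GW/wm2 are byte-swapped (40 = 0x0028 reads as 0x2800 = 10240; DF = 0x4000 reads as 0x0040, fragment offset 512). The sketch below reproduces those numbers; the IP addresses are constructed placeholders, and the byte-swap is a model of the symptom assumed here, not a diagnosis stated in the PR.

```python
import struct

def checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 means a received header verifies."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(ip_id: int, total_len: int, df: bool) -> bytes:
    """IPv4 header as GW/wm2 captured it. Addresses are constructed placeholders."""
    src, dst = bytes([192, 0, 2, 1]), bytes([10, 0, 0, 2])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id,
                      0x4000 if df else 0, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def swap_len_off(hdr: bytes) -> bytes:
    """Assumed corruption model: total length and flags/offset byte-swapped."""
    b = bytearray(hdr)
    b[2], b[3] = b[3], b[2]
    b[6], b[7] = b[7], b[6]
    return bytes(b)

def decode(hdr: bytes, frame_len: int) -> dict:
    """Decode the way a sniffer does, given the Ethernet frame length on the wire."""
    ver_ihl, _, total_len, ip_id, off = struct.unpack("!BBHHH", hdr[:8])
    captured = frame_len - 14                      # bytes after the Ethernet header
    return {
        "id": ip_id,
        "len": total_len,
        "df": bool(off & 0x4000),
        "frag_offset": (off & 0x1FFF) * 8,
        "frag_size": total_len - (ver_ihl & 0x0F) * 4,
        "missing": max(0, total_len - captured),
        "cksum_ok": checksum(hdr) == 0,
    }

# (id, length, DF) from the GATEWAY/wm2 capture; frame length from the TARGET capture.
OBSERVED = [(12187, 40, True, 60), (12386, 52, True, 66), (12911, 52, False, 66)]

def replay():
    return [decode(swap_len_off(build_header(i, n, df)), frame)
            for i, n, df, frame in OBSERVED]

if __name__ == "__main__":
    for row in replay():
        print(row)
```

The first two rows correspond to the "frag 12187:10220@512" and "frag 12386:13292@512" lines on TARGET, and the "missing" values to its "truncated-ip" counts; the third packet had no DF bit to swap, so only its length is inflated.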