Subject: gem hardware-assisted checksums and ipfilter
To: None <port-macppc@netbsd.org>
From: Radek Kujawa <radoslaw.kujawa@altkom.pl>
List: port-macppc
Date: 04/02/2006 15:12:14
Hi.
    I'm running NetBSD 3.0 on a Mac Mini. I noticed a weird problem with the
gem Ethernet interface. It seems that enabling hardware checksums for TCP
and/or UDP breaks ipfilter. Outbound connections are timing out like this:

# host somehostname
somehostname has address SOMEIP
# ifconfig gem0 udp4csum
# host somehostname
;; connection timed out; no servers could be reached
# ifconfig gem0 -udp4csum
# host somehostname
somehostname has address SOMEIP

The same for TCP...

# telnet somehostname
Nexenta GNU/OpenSolaris Alpha 4 Release (SunOS 5.11 build 36)

login:

# ifconfig gem0 tcp4csum
# telnet somehostname
Trying SOMEIP...
telnet: Unable to connect to remote host: Connection timed out
# ifconfig gem0 -tcp4csum
# telnet somehostname
Nexenta GNU/OpenSolaris Alpha 4 Release (SunOS 5.11 build 36)

login:

etc. etc.

This occurs only when IP filter is enabled. I can also reproduce it when
using tcp4csum-rx and udp4csum-rx.

It's still possible to connect from any other host to services on this
machine which are passed in ipf.conf. However, I can't connect to any
other host from this machine (of course this affects only the protocols for
which hardware-assisted checksumming is enabled, so for example ICMP is
always working). ipfstat does not show any TCP checksum failures.

Here's my ipf.conf:

block in from any to any
pass out quick from any to any keep state
pass in quick on lo0 from any to any
pass in on gem0 from WORKSTATION_IP to EXTERNAL_IP
pass in on gem0 from WORKSTATION_2_IP to EXTERNAL_IP
pass in on gem0 proto icmp from any to any
pass in on gem0 proto tcp from any to EXTERNAL_IP port = 80
pass in on gem0 proto tcp from any to EXTERNAL_IP port = 25
pass in on gem0 proto tcp from any to EXTERNAL_IP port = 113
pass in on gem0 proto tcp from any to EXTERNAL_IP port = 443
pass in on gem0 proto udp from any to EXTERNAL_IP port = 500
pass in on gem0 proto esp from any to EXTERNAL_IP

This config is working very well when checksums are disabled. When
checksums are enabled, connections are timing out.
I think that this problem has something to do with the block rule... When I
hash it and reload the ipf config I can connect to other hosts (but then my
IP filter rules are useless anyway).

Maybe someone else will be able to reproduce this problem?

dmesg: https://strim.aster.net.pl/stuff/strim-dmesg.txt

Greets
Radek