IP Filter does not seem to work correctly with bge(4) when hardware checksums are enabled

To: NetBSD Networking Technical Discussion List <tech-net%NetBSD.org@localhost>
Subject: IP Filter does not seem to work correctly with bge(4) when hardware checksums are enabled
From: "Greg A. Woods" <woods%planix.com@localhost>
Date: Wed, 28 Jan 2009 00:30:01 -0500

I think there's a similar problem to PR#34799 still happening with
bge(4) in netbsd-4 on an HP Proliant box I'm setting up as a NAT and
firewall.

I.e. ipmon is reporting "bad" packets blocked even though the "pass"
rule they match is triggered.  (too bad "bad" isn't well documented!)


ifconifg:

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        
capabilities=3f00<IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx>
        
caps_enabled=3f00<IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx>
        address: 00:12:79:90:6a:0a
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255

dmesg:

bge0 at pci6 dev 2 function 0: Broadcom BCM5704C Dual Gigabit Ethernet
bge0: interrupting at ioapic1 pin 1 (irq 5)
bge0: ASIC unknown BCM5704 (0x2100), Ethernet address 00:12:79:90:6a:0a
brgphy0 at bge0 phy 1: BCM5704 1000BASE-T media interface, rev. 0

some relevant output from "ipfstat -viohn":

357 27201 @11 pass in quick proto udp from 192.168.0.0/24 to any port = domain 
keep state group 350 # count 0
362 27201 @31 block in log quick all group 350

some example log records from syslog:

Jan 28 00:01:02 fw ipmon[340]: 00:01:01.980307 bge0 @350:31 b 
192.168.0.252,54202 -> 
dns.ym-nk-wlfdle.rnc.net.cable.rogers.com[24.153.23.114],domain PR udp len 20 
87 IN bad
Jan 28 00:01:05 fw ipmon[340]: 00:01:04.979956 bge0 @350:31 b 
192.168.0.252,57393 -> dns.nk.rnc.net.cable.rogers.com[24.153.23.66],domain PR 
udp len 20 87 IN bad

then as soon as I made the client DNS queries go to an inside caching
server I saw lots like this:

Jan 28 00:19:30 fw ipmon[340]: 00:19:29.944216 bge0 @350:31 b 
192.168.0.252,50031 -> centos.mirror.iweb.ca[70.38.0.136],http PR tcp len 20 60 
-S IN bad
Jan 28 00:19:36 fw ipmon[340]: 00:19:35.943206 bge0 @350:31 b 
192.168.0.252,50031 -> centos.mirror.iweb.ca[70.38.0.136],http PR tcp len 20 60 
-S IN bad


However once I turned off tcp4csum and udp4csum on bge0 then everything
seemed to begin working OK.

(this machine also has a dual wm(4) board, and I've got all the *4csum
features enabled on it and there are no apparent complaints)

Is this a known problem with bge(4) (vs. IPFilter)?  Is this specific to
just the one BCM5704C chip, or more generic?

-- 
                                                Greg A. Woods

H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack 
<woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost>       Secrets of the Weird 
<woods%weird.com@localhost>

Attachment: pgp9EcFvH9qAH.pgp
Description: PGP signature

Follow-Ups:
- Re: IP Filter does not seem to work correctly with bge(4) when hardware checksums are enabled
  - From: Ignatios Souvatzis

Prev by Date: Re: if_flags
Next by Date: Re: IP Filter does not seem to work correctly with bge(4) when hardware checksums are enabled
Previous by Thread: NetBSD's Implementation of IPv6 Default Router Selection
Next by Thread: Re: IP Filter does not seem to work correctly with bge(4) when hardware checksums are enabled
Indexes:

Home | Main Index | Thread Index | Old Index