
VLANs, ipfilter, bnx, and lost fragments



I have a DELL server with two bnx network interfaces running 4.99.72.
As I need to attach this server to three different LANs I use VLAN
tagging (802.1q) on one of the interfaces:

bnx0 (up, no IP address)
vlan5 10.80.20.33 netmask 0xfffffff0 vlan: 5 parent: bnx0
vlan6 10.80.20.30 netmask 0xfffffff8 vlan: 6 parent: bnx0
bnx1 10.80.20.1 netmask 0xfffffff8

The output of ifconfig looks OK. Both bnx0 and bnx1 are attached to a Cisco
switch, configured as trunk and access port respectively (Cisco speak).
The host is configured with IPv4 forwarding and almost everything (tm) :-)
runs fine.  Anyway, I have the following problem.
If fragmented packets are arriving from vlan5 and are travelling to vlan6,
only the first fragment is forwarded.
The problem first showed up with Microsoft UDP Kerberos packets (see example 
below).

This is snipped from tcpdump on bnx0:

17:07:24.519336 00:03:a0:8a:81:f5 > 00:1e:c9:f2:c4:c6, ethertype IPv4 (0x0800), length 1410: (tos 0x0, ttl 127, id 3585, offset 0, flags [+], proto: UDP (17), length: 1396) 192.168.160.67.1228 > 192.168.128.1.88:
17:07:24.519366 00:1e:c9:f2:c4:c6 > 00:16:c7:1e:38:87, ethertype IPv4 (0x0800), length 1410: (tos 0x0, ttl 126, id 3585, offset 0, flags [+], proto: UDP (17), length: 1396) 192.168.160.67.1228 > 192.168.128.1.88:
17:07:24.519422 00:03:a0:8a:81:f5 > 00:1e:c9:f2:c4:c6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 127, id 3585, offset 1376, flags [none], proto: UDP (17), length: 29) 192.168.160.67 > 192.168.128.1: udp

00:03:a0:8a:81:f5 is on VLAN 5, 00:16:c7:1e:38:87 is on VLAN 6,
00:1e:c9:f2:c4:c6 is bnx0.
You can see the first packet incoming on vlan5; the second line
is the first packet forwarded to vlan6.
The third line is the second fragment of the incoming packet, and it
is never forwarded to vlan6!
So after some time the destination address (192.168.128.1) sends an
ICMP time exceeded during reassembly (ICMP type 11/code 1).
IPfilter is enabled, and from the logs (all blocked packets are
logged via ipmon/syslog) I can see that nothing is blocked.
And yes, I have "keep state keep frags" in the corresponding places in
ipf.conf.

Has anyone any hints, why this happens?

BTW, tcpdump does not show the VLAN ID. Does this depend on the type
of the physical interface (i.e. bnx)?

TIA and greetings to all NetBSD folks

Andreas

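As an added example (not part of Andreas's post, nor NetBSD or IPFilter code), here is a small Python script that reads tcpdump output in the format quoted above and lists fragments that arrived at bnx0 but were never sent out again by it. The three packets from the post are embedded as a constructed sample; the router MAC is the bnx0 address given in the post. Over a longer capture this is the quickest way to confirm which datagrams and which offsets are affected before digging into ipf or the driver.

```python
import re
from collections import defaultdict

# Constructed sample: the three packets quoted in the post (tcpdump -e -v style, one packet per line).
SAMPLE = """
17:07:24.519336 00:03:a0:8a:81:f5 > 00:1e:c9:f2:c4:c6, ethertype IPv4 (0x0800), length 1410: (tos 0x0, ttl 127, id 3585, offset 0, flags [+], proto: UDP (17), length: 1396) 192.168.160.67.1228 > 192.168.128.1.88:
17:07:24.519366 00:1e:c9:f2:c4:c6 > 00:16:c7:1e:38:87, ethertype IPv4 (0x0800), length 1410: (tos 0x0, ttl 126, id 3585, offset 0, flags [+], proto: UDP (17), length: 1396) 192.168.160.67.1228 > 192.168.128.1.88:
17:07:24.519422 00:03:a0:8a:81:f5 > 00:1e:c9:f2:c4:c6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 127, id 3585, offset 1376, flags [none], proto: UDP (17), length: 29) 192.168.160.67 > 192.168.128.1: udp
"""

ROUTER_MAC = "00:1e:c9:f2:c4:c6"  # bnx0, as stated in the post

# Pull out the link-layer addresses, the IP id/offset/flags and the IP endpoints (port suffixes optional).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?"
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\].*?"
    r"\) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?"
)


def parse(text):
    """Return one dict per parseable tcpdump line; unrelated lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.strip().splitlines()) if m]


def lost_fragments(text, router_mac=ROUTER_MAC):
    """Return [((src, dst, ip_id), offset), ...] for fragments that reached the
    router (dst MAC == router) but were never re-emitted by it (src MAC == router).
    Only fragments are considered: offset > 0 or the more-fragments flag '+'."""
    seen_in, seen_out = defaultdict(set), defaultdict(set)
    for p in parse(text):
        off = int(p["off"])
        if off == 0 and "+" not in p["flags"]:
            continue  # not a fragment; ignore
        key = (p["src"], p["dst"], int(p["id"]))
        if p["dmac"] == router_mac:
            seen_in[key].add(off)
        elif p["smac"] == router_mac:
            seen_out[key].add(off)
    return [(key, off) for key, offs in seen_in.items() for off in sorted(offs - seen_out[key])]


if __name__ == "__main__":
    for (src, dst, ip_id), off in lost_fragments(SAMPLE):
        print(f"{src} > {dst} id {ip_id}: fragment at offset {off} entered bnx0 but was never forwarded")
```

Note that a datagram addressed to the router itself would also show up as "not forwarded"; filter those out by destination address when running this over a real capture.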

