Subject: kern/25103: IP Filter 4.4.1 breaks some connections when NATing
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <martin@aprisoft.de>
List: netbsd-bugs
Date: 04/08/2004 14:10:14
>Number: 25103
>Category: kern
>Synopsis: IP Filter 4.4.1 breaks some connections when NATing
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Apr 08 12:11:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Martin Husemann
>Release: NetBSD 2.0_BETA
>Organization:
>Environment:
System: NetBSD emmas.aprisoft.de 2.0_BETA NetBSD 2.0_BETA (EMMAS) #0: Wed Apr 7 12:44:53 CEST 2004 martin@emmas.aprisoft.de:/usr/src/sys/arch/i386/compile/EMMAS i386
Architecture: sparc
Machine: sparc
>Description:
I upgraded our NAT router from 1.6.2 to 2.0_BETA. Since then, I can't
access web pages on some sites from behind the NAT. One example for
the non-working case is www.netbsd.org, one working site is www.test.de.
See this tcpdump for details (and notice missing ACKs for the www.netbsd.org
case):
13:41:46.858208 www.netbsd.org.www > beasty.aprisoft.de.65505: . [bad tcp cksum 870!] 2113773619:2113774331(712) ack 1639350715 win 33580 <nop,nop,timestamp 2401990 100> (frag 63506:744@0+) (ttl 55, len 764)
13:41:48.795429 beasty.aprisoft.de.65504 > www.netbsd.org.www: S [tcp sum ok] 3843314975:3843314975(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF) (ttl 63, id 12186, len 60)
13:41:49.104440 www.netbsd.org.www > beasty.aprisoft.de.65504: S [tcp sum ok] 2579541296:2579541296(0) ack 3843314976 win 32768 <mss 1452,nop,wscale 0,nop,nop,timestamp 2401995 0> (ttl 55, id 63621, len 60)
13:41:49.105094 beasty.aprisoft.de.65504 > www.netbsd.org.www: . [tcp sum ok] 1:1(0) ack 1 win 33580 <nop,nop,timestamp 0 2401995> (DF) (ttl 63, id 12189, len 52)
13:41:49.105886 beasty.aprisoft.de.65504 > www.netbsd.org.www: P [tcp sum ok] 1:407(406) ack 1 win 33580 <nop,nop,timestamp 0 2401995> (DF) (ttl 63, id 12190, len 458)
13:41:49.399726 www.netbsd.org.www > beasty.aprisoft.de.65504: . [bad tcp cksum 870!] 1:713(712) ack 407 win 33580 <nop,nop,timestamp 2401996 0> (frag 63630:744@0+) (ttl 55, len 764)
13:41:49.416228 www.netbsd.org.www > beasty.aprisoft.de.65504: . [bad tcp cksum 1f34!] 1449:2161(712) ack 407 win 33580 <nop,nop,timestamp 2401996 0> (frag 63631:744@0+) (ttl 55, len 764)
13:41:49.432814 www.netbsd.org.www > beasty.aprisoft.de.65504: . [bad tcp cksum 1da2!] 2897:3609(712) ack 407 win 33580 <nop,nop,timestamp 2401996 0> (frag 63632:744@0+) (ttl 55, len 764)
13:41:49.449749 www.netbsd.org.www > beasty.aprisoft.de.65504: . [bad tcp cksum 1c53!] 4345:5057(712) ack 407 win 33580 <nop,nop,timestamp 2401996 0> (frag 63633:744@0+) (ttl 55, len 764)
13:41:50.097596 beasty.aprisoft.de.65504 > www.netbsd.org.www: P [tcp sum ok] 1:407(406) ack 1 win 33580 <nop,nop,timestamp 2 2401995> (DF) (ttl 63, id 12192, len 458)
13:41:50.376862 www.netbsd.org.www > beasty.aprisoft.de.65504: . [tcp sum ok] 5793:5793(0) ack 407 win 33580 <nop,nop,timestamp 2401998 0> (ttl 55, id 63638, len 52)
13:41:50.858014 www.netbsd.org.www > beasty.aprisoft.de.65504: . [bad tcp cksum 870!] 1:713(712) ack 407 win 33580 <nop,nop,timestamp 2401998 0> (frag 63639:744@0+) (ttl 55, len 764)
13:41:53.857425 www.netbsd.org.www > beasty.aprisoft.de.65504: . [bad tcp cksum 870!] 1:713(712) ack 407 win 33580 <nop,nop,timestamp 2402004 0> (frag 63699:744@0+) (ttl 55, len 764)
13:41:59.857808 www.netbsd.org.www > beasty.aprisoft.de.65504: . [bad tcp cksum 870!] 1:713(712) ack 407 win 33580 <nop,nop,timestamp 2402016 0> (frag 64009:744@0+) (ttl 55, len 764)
13:42:03.357785 www.netbsd.org.www > beasty.aprisoft.de.65509: . [bad tcp cksum 870!] 751885058:751885770(712) ack 4274381438 win 33580 <nop,nop,timestamp 2402023 59> (frag 64080:744@0+) (ttl 55, len 764)
13:42:11.134233 beasty.aprisoft.de.65502 > www.stiftungwarentest.de.www: S [tcp sum ok] 325791372:325791372(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF) (ttl 63, id 12213, len 60)
13:42:11.217054 www.stiftungwarentest.de.www > beasty.aprisoft.de.65502: S [tcp sum ok] 4089506802:4089506802(0) ack 325791373 win 10080 <nop,nop,timestamp 35695892 0,nop,wscale 0,mss 1452> (DF) (ttl 246, id 49865, len 60)
13:42:11.217560 beasty.aprisoft.de.65502 > www.stiftungwarentest.de.www: . [tcp sum ok] 1:1(0) ack 1 win 33580 <nop,nop,timestamp 1 35695892> (DF) (ttl 63, id 12214, len 52)
13:42:11.218708 beasty.aprisoft.de.65502 > www.stiftungwarentest.de.www: P [tcp sum ok] 1:519(518) ack 1 win 33580 <nop,nop,timestamp 1 35695892> (DF) (ttl 63, id 12215, len 570)
13:42:11.335151 www.stiftungwarentest.de.www > beasty.aprisoft.de.65502: . [tcp sum ok] 1:1(0) ack 519 win 10080 <nop,nop,timestamp 35695904 1> (DF) (ttl 246, id 49866, len 52)
13:42:11.356054 www.stiftungwarentest.de.www > beasty.aprisoft.de.65502: P [tcp sum ok] 1:1441(1440) ack 519 win 10080 <nop,nop,timestamp 35695904 1> (DF) (ttl 246, id 49867, len 1492)
13:42:11.557385 beasty.aprisoft.de.65502 > www.stiftungwarentest.de.www: . [tcp sum ok] 519:519(0) ack 1441 win 33580 <nop,nop,timestamp 1 35695904> (DF) (ttl 63, id 12216, len 52)
13:42:11.673787 www.stiftungwarentest.de.www > beasty.aprisoft.de.65502: . [tcp sum ok] 1441:2881(1440) ack 519 win 10080 <nop,nop,timestamp 35695935 1> (DF) (ttl 246, id 49868, len 1492)
13:42:11.677939 beasty.aprisoft.de.65501 > www.stiftungwarentest.de.www: S [tcp sum ok] 355420502:355420502(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF) (ttl 63, id 12217, len 60)
13:42:11.689850 www.stiftungwarentest.de.www > beasty.aprisoft.de.65502: P [tcp sum ok] 2881:4321(1440) ack 519 win 10080 <nop,nop,timestamp 35695935 1> (DF) (ttl 246, id 49869, len 1492)
13:42:11.692584 beasty.aprisoft.de.65502 > www.stiftungwarentest.de.www: . [tcp sum ok] 519:519(0) ack 4321 win 32140 <nop,nop,timestamp 1 35695935> (DF) (ttl 63, id 12218, len 52)
13:42:11.791846 www.stiftungwarentest.de.www > beasty.aprisoft.de.65501: S [tcp sum ok] 4089945242:4089945242(0) ack 355420503 win 10080 <nop,nop,timestamp 35695950 0,nop,wscale 0,mss 1452> (DF) (ttl 246, id 49870, len 60)
13:42:11.792399 beasty.aprisoft.de.65501 > www.stiftungwarentest.de.www: . [tcp sum ok] 1:1(0) ack 1 win 33580 <nop,nop,timestamp 1 35695950> (DF) (ttl 63, id 12219, len 52)
13:42:11.793327 beasty.aprisoft.de.65501 > www.stiftungwarentest.de.www: P [tcp sum ok] 1:461(460) ack 1 win 33580 <nop,nop,timestamp 1 35695950> (DF) (ttl 63, id 12220, len 512)
>How-To-Repeat:
s/a
>Fix:
n/a
>Release-Note:
>Audit-Trail:
>Unformatted: