kern/39274: ipfilter loses state of FTP mget transfer sessions

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/39274: ipfilter loses state of FTP mget transfer sessions
From: "David H. Gutteridge" <dhgutteridge%sympatico.ca@localhost>
Date: Sat, 2 Aug 2008 22:25:00 +0000 (UTC)
>Number:         39274
>Category:       kern
>Synopsis:       ipfilter loses state of FTP mget transfer sessions
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Aug 02 22:25:00 +0000 2008
>Originator:     David H. Gutteridge
>Release:        NetBSD-current
>Organization:
>Environment:


System: NetBSD arcus-v1 4.99.70 NetBSD 4.99.70 (GENERIC) #0: Tue Jul 15 
23:54:25 PDT 2008  
builds@wb28:/home/builds/ab/HEAD/amd64/200807160002Z-obj/home/builds/ab/HEAD/src/sys/arch/amd64/compile/GENERIC
 
amd64
>Description:
I'm frequently finding that FTP mget transfers fail (client-side) when
ipfilter is enabled on the client.  This is not an ipnat/ftp_proxy
issue, NAT is not enabled on the client machines in question.  I'm
seeing this with both -current builds on amd64 and 4.0 on macppc.

ipfstat output seems to indicate that ipfilter is losing the state of
the connections.  After that happens of course, the FTP session is
unusable.

Here's an example session demonstrating the problem, with before and
after ipfstat data.

[root@arcus-v1:root]# ipfstat
bad packets:            in 0    out 0
IPv6 packets:           in 0 out 5
input packets:          blocked 1 passed 718 nomatch 0 counted 0 short 0
output packets:         blocked 10 passed 473 nomatch 0 counted 0 short 0
input packets logged:   blocked 1 passed 0
output packets logged:  blocked 0 passed 0
packets logged: input 0 output 0
log failures:           input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 51 lost 10
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  0       (out):  0
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  8       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      910
Packet log flags set: (0)
        none
[root@arcus-v1:root]# ipfstat -hi
0 pass in quick on lo0 all
0 block return-rst in log quick proto tcp from any to any
1 block in log quick proto udp from any to any
0 block in log quick proto icmp from any to any
[root@arcus-v1:root]# ipfstat -ho
0 pass out quick on lo0 all
56 block out log quick all head 1
# Group 1
52 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags 
group 1
4 pass out proto udp from any to any keep state keep frags group 1
0 pass out proto icmp from any to any keep state keep frags group 1
0 block out log quick from any to 127.0.0.0/8 group 1
0 block out log quick from any to 172.16.0.0/12 group 1
0 block out log quick from any to 10.0.0.0/8 group 1
0 block out log quick from any to 255.255.255.255/32 group 1
0 block out log quick from any to 0.0.0.0/8 group 1
0 block out log quick from any to 169.254.0.0/16 group 1
0 block out log quick from any to 192.0.2.0/24 group 1
0 block out log quick from any to 204.152.64.0/23 group 1
0 block out log quick from any to 224.0.0.0/3 group 1
0 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags 
group 1
0 pass out proto udp from any to any keep state keep frags group 1
5 pass out proto ipv6-icmp from any to any keep state keep frags group 1
0 block out log quick from any to ::1/32 group 1
[root@arcus-v1:root]# tail /var/log/messages
Jul 29 01:02:42 arcus-v1 /netbsd: audio1 at pad0: half duplex
Jul 29 01:02:42 arcus-v1 /netbsd: boot device: wd0
Jul 29 01:02:42 arcus-v1 /netbsd: root on wd0a dumps on wd0b
Jul 29 01:02:42 arcus-v1 /netbsd: root file system type: ffs
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 1 added (80x25, vt100 
emulation)
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 2 added (80x25, vt100 
emulation)
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 3 added (80x25, vt100 
emulation)
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 4 added (80x25, vt100 
emulation)
Jul 29 01:02:43 arcus-v1 savecore: no core dump
Jul 29 01:02:43 arcus-v1 ipmon[137]: 01:02:42.044342 wm0 @0:3 b 
192.168.39.254,bootps -> 192.168.39.128,bootpc PR udp len 20 328 IN
[root@arcus-v1:root]# exit
[disciple@arcus-v1:disciple]$ cd /tmp
[disciple@arcus-v1:tmp]$ ftp -p ftp6.itearsheets.com
Connected to ftp6.itearsheets.com.
220-Welcome to the Shoom / Ad Express FTP Server #8
220-
220-For asssitance call 800-446-6646 or email help%etearsheets.com@localhost
220 WFTPD 3.2 service (by Texas Imperial Software) ready for new user
Name (ftp6.itearsheets.com:disciple):
331 Give me your password, please
Password:
230 Logged in successfully
Remote system type is WIN32.
ftp> cd Lethbridge
250 "/Lethbridge" is current directory
ftp> ls -l
227 Entering Passive Mode (66,226,4,219,14,217)
150 File Listing Follows in ASCII mode.
total 625
-rwxrwxrwx  1 noone    nogroup      6824 Apr 29 05:33 Leth042908.csv
-rwxrwxrwx  1 noone    nogroup      5067 Apr 30 07:00 Leth043008.csv
-rwxrwxrwx  1 noone    nogroup      5742 May 16 13:04 Leth051608.csv
-rwxrwxrwx  1 noone    nogroup     12453 Jun  9 07:24 Leth060708.csv
-rwxrwxrwx  1 noone    nogroup      3509 Jun  9 07:24 Leth060808.csv
-rwxrwxrwx  1 noone    nogroup      2412 Jun  9 07:24 Leth060908.csv
-rwxrwxrwx  1 noone    nogroup      9063 Jun 10 06:29 Leth061008.csv
-rwxrwxrwx  1 noone    nogroup      7377 Jun 11 06:17 Leth061108.csv
-rwxrwxrwx  1 noone    nogroup      2666 Jun 12 06:08 Leth061208.csv
-rwxrwxrwx  1 noone    nogroup      9133 Jun 13 07:10 Leth061308.csv
-rwxrwxrwx  1 noone    nogroup     12724 Jun 16 07:18 Leth061408.csv
<SNIP>
226 Transfer finished successfully.
ftp> prompt
Interactive mode off.
ftp> mget Leth*.csv
local: Leth042908.csv remote: Leth042908.csv
227 Entering Passive Mode (66,226,4,219,14,219)
150 "/Lethbridge/Leth042908.csv" file ready to send (6824 bytes) in ASCII 
mode
100% |***********************************|  6824       53.04 KiB/s    00:00 
ETA
226 Transfer finished successfully.
WARNING! 28 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
6824 bytes received in 00:00 (25.33 KiB/s)
local: Leth043008.csv remote: Leth043008.csv
227 Entering Passive Mode (66,226,4,219,14,220)
150 "/Lethbridge/Leth043008.csv" file ready to send (5067 bytes) in ASCII 
mode
100% |***********************************|  5067       37.24 KiB/s    00:00 
ETA
226 Transfer finished successfully.
WARNING! 20 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
5067 bytes received in 00:00 (18.44 KiB/s)
local: Leth051608.csv remote: Leth051608.csv
227 Entering Passive Mode (66,226,4,219,14,221)
150 "/Lethbridge/Leth051608.csv" file ready to send (5742 bytes) in ASCII 
mode
100% |***********************************|  5742       45.89 KiB/s    00:00 
ETA
226 Transfer finished successfully.
5742 bytes received in 00:00 (21.47 KiB/s)
<SNIP>
local: Leth062808.csv remote: Leth062808.csv
227 Entering Passive Mode (66,226,4,219,14,243)
ftp: Can't connect to `66.226.4.219:3827': Network is unreachable
local: Leth062908.csv remote: Leth062908.csv
227 Entering Passive Mode (66,226,4,219,14,244)
ftp: Can't connect to `66.226.4.219:3828': Network is unreachable
local: Leth063008.csv remote: Leth063008.csv
227 Entering Passive Mode (66,226,4,219,14,245)
ftp: Can't connect to `66.226.4.219:3829': Network is unreachable
local: Leth070208.csv remote: Leth070208.csv
227 Entering Passive Mode (66,226,4,219,14,246)
ftp: Can't connect to `66.226.4.219:3830': Network is unreachable
local: Leth070308.csv remote: Leth070308.csv
227 Entering Passive Mode (66,226,4,219,14,247)
ftp: Can't connect to `66.226.4.219:3831': Network is unreachable
local: Leth070408.csv remote: Leth070408.csv
227 Entering Passive Mode (66,226,4,219,14,248)
ftp: Can't connect to `66.226.4.219:3832': Network is unreachable
local: Leth070508.csv remote: Leth070508.csv
227 Entering Passive Mode (66,226,4,219,14,249)
ftp: Can't connect to `66.226.4.219:3833': Network is unreachable
local: Leth070608.csv remote: Leth070608.csv
227 Entering Passive Mode (66,226,4,219,14,250)
ftp: Can't connect to `66.226.4.219:3834': Network is unreachable
local: Leth070708.csv remote: Leth070708.csv
227 Entering Passive Mode (66,226,4,219,14,251)
ftp: Can't connect to `66.226.4.219:3835': Network is unreachable
local: Leth070808.csv remote: Leth070808.csv
227 Entering Passive Mode (66,226,4,219,14,252)
ftp: Can't connect to `66.226.4.219:3836': Network is unreachable
local: Leth070908.csv remote: Leth070908.csv
227 Entering Passive Mode (66,226,4,219,14,253)
ftp: Can't connect to `66.226.4.219:3837': Network is unreachable
local: Leth071008.csv remote: Leth071008.csv
227 Entering Passive Mode (66,226,4,219,14,254)
ftp: Can't connect to `66.226.4.219:3838': Network is unreachable
local: Leth071108.csv remote: Leth071108.csv
227 Entering Passive Mode (66,226,4,219,14,255)
ftp: Can't connect to `66.226.4.219:3839': Network is unreachable
local: Leth071208.csv remote: Leth071208.csv
227 Entering Passive Mode (66,226,4,219,15,0)
150 "/Lethbridge/Leth071208.csv" file ready to send (13074 bytes) in ASCII 
mode
100% |***********************************| 13074       30.88 KiB/s    00:00 
ETA
226 Transfer finished successfully.
13074 bytes received in 00:00 (30.59 KiB/s)
local: Leth071308.csv remote: Leth071308.csv
227 Entering Passive Mode (66,226,4,219,15,1)
150 "/Lethbridge/Leth071308.csv" file ready to send (2929 bytes) in ASCII 
mode
100% |***********************************|  2929       24.32 KiB/s    00:00 
ETA
226 Transfer finished successfully.
2929 bytes received in 00:00 (10.59 KiB/s)
<SNIP>
local: Leth072808.csv remote: Leth072808.csv
227 Entering Passive Mode (66,226,4,219,15,16)
150 "/Lethbridge/Leth072808.csv" file ready to send (2396 bytes) in ASCII 
mode
100% |***********************************|  2396       53.77 KiB/s    00:00 
ETA
226 Transfer finished successfully.
2396 bytes received in 00:00 (8.51 KiB/s)
ftp> mget *.csv
ftp> ls
Not connected.
<SNIP>
[disciple@arcus-v1:tmp]$ ftp -p ftp6.itearsheets.com 
Connected to ftp6.itearsheets.com.
220-Welcome to the Shoom / Ad Express FTP Server #8
220-
220-For asssitance call 800-446-6646 or email help%etearsheets.com@localhost
220 WFTPD 3.2 service (by Texas Imperial Software) ready for new user
Name (ftp6.itearsheets.com:disciple):
331 Give me your password, please
Password:
230 Logged in successfully
Remote system type is WIN32.
ftp> cd Kamloops
250 "/Kamloops" is current directory
ftp> ls -ltr
227 Entering Passive Mode (66,226,4,219,15,69)
150 File Listing Follows in ASCII mode.
total 2503
-rwxrwxrwx  1 noone    nogroup      1608 Mar 20 16:38 DATARER20080321.csv
-rwxrwxrwx  1 noone    nogroup      6822 Mar 20 16:41 DATARE20080321.csv
-rwxrwxrwx  1 noone    nogroup       985 Mar 20 17:05 DATASPL20080321.csv
-rwxrwxrwx  1 noone    nogroup      2895 Mar 24 09:41 DATAKRV20080321.csv
-rwxrwxrwx  1 noone    nogroup      5523 Mar 24 10:41 DATAKDN20080321.csv
-rwxrwxrwx  1 noone    nogroup       131 Mar 24 13:01 
DATARE20080321MOD01.csv
-rwxrwxrwx  1 noone    nogroup      1937 Mar 26 09:51 DATAKDN20080326.csv
-rwxrwxrwx  1 noone    nogroup      1798 Mar 26 09:57 DATAKRV20080326.csv
<SNIP>
226 Transfer finished successfully.
ftp> prompt
Interactive mode off.
ftp> mget DATA*200807*.csv
local: DATAKDN20080702.csv remote: DATAKDN20080702.csv
227 Entering Passive Mode (66,226,4,219,15,71)
150 "/Kamloops/DATAKDN20080702.csv" file ready to send (6136 bytes) in ASCII 
mode
100% |***********************************|  6136       54.14 KiB/s    00:00 
ETA
226 Transfer finished successfully.
6136 bytes received in 00:00 (23.46 KiB/s)
local: DATAKDN20080703.csv remote: DATAKDN20080703.csv
227 Entering Passive Mode (66,226,4,219,15,72)
150 "/Kamloops/DATAKDN20080703.csv" file ready to send (5163 bytes) in ASCII 
mode
100% |***********************************|  5163       41.52 KiB/s    00:00 
ETA
226 Transfer finished successfully.
5163 bytes received in 00:00 (19.08 KiB/s)
local: DATAKDN20080704.csv remote: DATAKDN20080704.csv
227 Entering Passive Mode (66,226,4,219,15,73)
150 "/Kamloops/DATAKDN20080704.csv" file ready to send (7299 bytes) in ASCII 
mode
100% |***********************************|  7299       37.83 KiB/s    00:00 
ETA
226 Transfer finished successfully.
7299 bytes received in 00:00 (27.67 KiB/s)
local: DATAKDN20080704MOD1.csv remote: DATAKDN20080704MOD1.csv
227 Entering Passive Mode (66,226,4,219,15,74)
150 "/Kamloops/DATAKDN20080704MOD1.csv" file ready to send (69 bytes) in 
ASCII mode
100% |***********************************|    69        1.96 KiB/s    00:00 
ETA
226 Transfer finished successfully.
69 bytes received in 00:00 (0.25 KiB/s)
<SNIP>
local: DATAKDN20080724.csv remote: DATAKDN20080724.csv
227 Entering Passive Mode (66,226,4,219,15,93)
150 "/Kamloops/DATAKDN20080724.csv" file ready to send (6292 bytes) in ASCII 
mode
100% |***********************************|  6292       53.99 KiB/s    00:00 
ETA
226 Transfer finished successfully.
6292 bytes received in 00:00 (23.78 KiB/s)
local: DATAKDN20080725.csv remote: DATAKDN20080725.csv
227 Entering Passive Mode (66,226,4,219,15,94)
ftp: Can't connect to `66.226.4.219:3934': Network is unreachable
local: DATAKDN20080726.csv remote: DATAKDN20080726.csv
227 Entering Passive Mode (66,226,4,219,15,95)
ftp: Can't connect to `66.226.4.219:3935': Network is unreachable
local: DATAKRV20080702.csv remote: DATAKRV20080702.csv
227 Entering Passive Mode (66,226,4,219,15,96)
ftp: Can't connect to `66.226.4.219:3936': Network is unreachable
local: DATAKRV20080704.csv remote: DATAKRV20080704.csv
227 Entering Passive Mode (66,226,4,219,15,97)
ftp: Can't connect to `66.226.4.219:3937': Network is unreachable
local: DATAKRV20080709.csv remote: DATAKRV20080709.csv
227 Entering Passive Mode (66,226,4,219,15,98)
ftp: Can't connect to `66.226.4.219:3938': Network is unreachable
local: DATAKRV20080711.csv remote: DATAKRV20080711.csv
227 Entering Passive Mode (66,226,4,219,15,99)
ftp: Can't connect to `66.226.4.219:3939': Network is unreachable
local: DATAKRV20080716.csv remote: DATAKRV20080716.csv
227 Entering Passive Mode (66,226,4,219,15,100)
ftp: Can't connect to `66.226.4.219:3940': Network is unreachable
local: DATAKRV20080716MOD1.csv remote: DATAKRV20080716MOD1.csv
227 Entering Passive Mode (66,226,4,219,15,101)
ftp: Can't connect to `66.226.4.219:3941': Network is unreachable
local: DATAKRV20080718.csv remote: DATAKRV20080718.csv
227 Entering Passive Mode (66,226,4,219,15,102)
ftp: Can't connect to `66.226.4.219:3942': Network is unreachable
local: DATAKRV20080723.csv remote: DATAKRV20080723.csv
227 Entering Passive Mode (66,226,4,219,15,103)
ftp: Can't connect to `66.226.4.219:3943': Network is unreachable
local: DATAKRV20080725.csv remote: DATAKRV20080725.csv
227 Entering Passive Mode (66,226,4,219,15,104)
ftp: Can't connect to `66.226.4.219:3944': Network is unreachable
local: DATARE20080704.csv remote: DATARE20080704.csv
227 Entering Passive Mode (66,226,4,219,15,105)
ftp: Can't connect to `66.226.4.219:3945': Network is unreachable
local: DATARE20080711.csv remote: DATARE20080711.csv
227 Entering Passive Mode (66,226,4,219,15,106)
ftp: Can't connect to `66.226.4.219:3946': Network is unreachable
local: DATARE20080718.csv remote: DATARE20080718.csv
227 Entering Passive Mode (66,226,4,219,15,107)
ftp: Can't connect to `66.226.4.219:3947': Network is unreachable
local: DATARE20080725.csv remote: DATARE20080725.csv
227 Entering Passive Mode (66,226,4,219,15,108)
ftp: Can't connect to `66.226.4.219:3948': Network is unreachable
local: DATARER20080704.csv remote: DATARER20080704.csv
227 Entering Passive Mode (66,226,4,219,15,109)
ftp: Can't connect to `66.226.4.219:3949': Network is unreachable
local: DATARER20080711.csv remote: DATARER20080711.csv
227 Entering Passive Mode (66,226,4,219,15,110)
ftp: Can't connect to `66.226.4.219:3950': Network is unreachable
local: DATARER20080718.csv remote: DATARER20080718.csv
227 Entering Passive Mode (66,226,4,219,15,111)
ftp: Can't connect to `66.226.4.219:3951': Network is unreachable
local: DATARER20080725.csv remote: DATARER20080725.csv
227 Entering Passive Mode (66,226,4,219,15,112)
ftp: Can't connect to `66.226.4.219:3952': Network is unreachable
local: DATASP420080705.csv remote: DATASP420080705.csv
227 Entering Passive Mode (66,226,4,219,15,113)
ftp: Can't connect to `66.226.4.219:3953': Network is unreachable
local: DATASP620080726.csv remote: DATASP620080726.csv
227 Entering Passive Mode (66,226,4,219,15,114)
ftp: Can't connect to `66.226.4.219:3954': Network is unreachable
local: DATASP720080708.csv remote: DATASP720080708.csv
227 Entering Passive Mode (66,226,4,219,15,115)
ftp: Can't connect to `66.226.4.219:3955': Network is unreachable
local: DATASP720080714.csv remote: DATASP720080714.csv
227 Entering Passive Mode (66,226,4,219,15,116)
ftp: Can't connect to `66.226.4.219:3956': Network is unreachable
local: DATASPL20080705.csv remote: DATASPL20080705.csv
227 Entering Passive Mode (66,226,4,219,15,117)
ftp: Can't connect to `66.226.4.219:3957': Network is unreachable
local: DATASPL20080712.csv remote: DATASPL20080712.csv
227 Entering Passive Mode (66,226,4,219,15,118)
ftp: Can't connect to `66.226.4.219:3958': Network is unreachable
local: DATASPL20080719.csv remote: DATASPL20080719.csv
227 Entering Passive Mode (66,226,4,219,15,119)
ftp: Can't connect to `66.226.4.219:3959': Network is unreachable
local: DATASPL20080726.csv remote: DATASPL20080726.csv
227 Entering Passive Mode (66,226,4,219,15,120)
ftp: Can't connect to `66.226.4.219:3960': Network is unreachable
local: DATATVT20080703.csv remote: DATATVT20080703.csv
227 Entering Passive Mode (66,226,4,219,15,121)
ftp: Can't connect to `66.226.4.219:3961': Network is unreachable
local: DATATVT20080710.csv remote: DATATVT20080710.csv
227 Entering Passive Mode (66,226,4,219,15,122)
ftp: Can't connect to `66.226.4.219:3962': Network is unreachable
local: DATATVT20080717.csv remote: DATATVT20080717.csv
227 Entering Passive Mode (66,226,4,219,15,123)
ftp: Can't connect to `66.226.4.219:3963': Network is unreachable
local: DATATVT20080724.csv remote: DATATVT20080724.csv
227 Entering Passive Mode (66,226,4,219,15,124)
ftp: Can't connect to `66.226.4.219:3964': Network is unreachable
ftp> quit
221 Windows FTP Server (WFTPD, by Texas Imperial Software) says goodbye
[disciple@arcus-v1:tmp]$ su -
Password:
Terminal type is vt100.
[root@arcus-v1:root]# ipfstat
bad packets:            in 0    out 0
IPv6 packets:           in 0 out 5
input packets:          blocked 1 passed 2833 nomatch 0 counted 0 short 0
output packets:         blocked 55 passed 1827 nomatch 0 counted 0 short 0
input packets logged:   blocked 1 passed 0
output packets logged:  blocked 0 passed 0
packets logged: input 0 output 0
log failures:           input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 174        lost 55
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  0       (out):  0
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  8       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      2513
Packet log flags set: (0)
        none
[root@arcus-v1:root]# ipfstat -ho
0 pass out quick on lo0 all
224 block out log quick all head 1
# Group 1
213 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags 
group 1
11 pass out proto udp from any to any keep state keep frags group 1
0 pass out proto icmp from any to any keep state keep frags group 1
0 block out log quick from any to 127.0.0.0/8 group 1
0 block out log quick from any to 172.16.0.0/12 group 1
0 block out log quick from any to 10.0.0.0/8 group 1
0 block out log quick from any to 255.255.255.255/32 group 1
0 block out log quick from any to 0.0.0.0/8 group 1
0 block out log quick from any to 169.254.0.0/16 group 1
0 block out log quick from any to 192.0.2.0/24 group 1
0 block out log quick from any to 204.152.64.0/23 group 1
0 block out log quick from any to 224.0.0.0/3 group 1
0 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags 
group 1
0 pass out proto udp from any to any keep state keep frags group 1
5 pass out proto ipv6-icmp from any to any keep state keep frags group 1
0 block out log quick from any to ::1/32 group 1
[root@arcus-v1:root]# ipfstat -hi
0 pass in quick on lo0 all
0 block return-rst in log quick proto tcp from any to any
1 block in log quick proto udp from any to any
0 block in log quick proto icmp from any to any
[root@arcus-v1:root]# tail /var/log/messages
Jul 29 01:02:43 arcus-v1 ipmon[137]: 01:02:42.044342 wm0 @0:3 b 
192.168.39.254,bootps -> 192.168.39.128,bootpc PR udp len 20 328 IN
Jul 29 01:15:58 arcus-v1 dhclient: DHCPREQUEST on wm0 to 192.168.39.254 port 
67
Jul 29 01:15:58 arcus-v1 dhclient: DHCPACK from 192.168.39.254
Jul 29 01:15:58 arcus-v1 dhclient: bound to 192.168.39.128 -- renewal in 777 
seconds.
[root@arcus-v1:root]# exit

My ipfilter rules are:

pass in quick on lo0 all
pass out quick on lo0 all

block return-rst in log quick proto tcp all
block in log quick proto udp all
block in log quick proto icmp all

block out log quick all head 1  # use of 'quick' here will force only 
consideration of this group
  pass out proto tcp from any to any flags S keep state keep frags group 1
  pass out proto udp from any to any keep state keep frags group 1
  pass out proto icmp from any to any keep state keep frags group 1
  block out log quick from any to 127.0.0.0/8 group 1
  block out log quick from any to 172.16.0.0/12 group 1
  block out log quick from any to 10.0.0.0/8 group 1
  block out log quick from any to 255.255.255.255/32 group 1
  block out log quick from any to 0.0.0.0/8 group 1
  block out log quick from any to 169.254.0.0/16 group 1
  block out log quick from any to 192.0.2.0/24 group 1
  block out log quick from any to 204.152.64.0/23 group 1
  block out log quick from any to 224.0.0.0/3 group 1

If I disable ipfilter, the problem goes away.  I cannot duplicate it
when using pf, either.

As an ancillary data point (though not relevant to NetBSD per se), I
believe I'm also encountering the same issue with the version of
ipfilter that HP ships with HP-UX 11.23.  It was in fact this problem
that prompted me to see if I could duplicate it with NetBSD.

>How-To-Repeat:
Initiate an ftp mget that's guaranteed to transfer at least half a dozen 
files.  Sometimes it's necessary to try this a few times before the problem 
appears, other times it seems to happen consistently.

>Fix:
None known.


>Unformatted:
Follow-Ups:
- Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
  - From: Manuel Bouyer
Prev by Date: bin/39272: login times out eroneosly
Next by Date: Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
Previous by Thread: bin/39272: login times out eroneosly
Next by Thread: Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
Indexes:
Home | Main Index | Thread Index | Old Index