NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/40382: ipfilter NAT misidentifies packets as FTP

>Number:         40382
>Category:       kern
>Synopsis:       ipfilter NAT misidentifies packets as FTP
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jan 12 21:30:00 +0000 2009
>Originator:     Peter Eisch
>Release:        netbsd-4-0
NetBSD doily 4.0.0_PATCH NetBSD 4.0.0_PATCH (PETER-FW) #3: Sun Aug 31 18:55:18 
CDT 2008  


Given /etc/ipnat.conf:
map wm2 from INSIDE/24 to 0/0 -> OUTSIDE/32 proxy port ftp ftp/tcp
map wm2 from INSIDE/24 to 0/0 -> OUTSIDE/32 portmap tcp/udp 40000:60000
map wm2 from INSIDE/24 to 0/0 -> OUTSIDE/32 

 +--------+    +-------+    +--------+
 | client |--->| nbrtr |--->| server |
 +--------+    +------NAT   +--------+

  (IPv6 is enabled, but all traffic is IPv4. nbrtr is not connected to 
INSIDE/24 -- just routed)

Some sessions will be identified as FTP and their ipnat state will reflect an 
FTP status.

MAP INSIDE     34645 <- -> OUTSIDE   34645 [SERVER 8888]
        proxy ftp/6 use -59039 flags 0
                proto 6 flags 0 bytes 176 pkts 3 data YES size 312
        FTP Proxy:
                passok: 1
                seq 665766ed (ack 0) len 0 junk 0 cmds 0
                buf [\000]
                seq b3eaa160 (ack 0) len 0 junk 0 cmds 0
                buf [\000]

In most cases "bad nat" will be incremented as these states are added.  When we 
reach about over 200,000 "bad nat" results the internal NAT configuration seems 
to get corrupted.  New sessions will consistently get "no route to host" from 
the nbrtr (or the router just upstream towards the server).  I peak at less 
than < 2000 NAT states at the time of failure.

There is a second server that is used from the same clients matching the same 
NAT rule.  The server listens on port 992.  There has never been a state type 
of FTP for sessions connecting to this server -- only for session connecting to 
port 8888.

My kernel config includes:

include "arch/i386/conf/GENERIC.MP"
ipmi0          at mainbus?
options IPSTATE_SIZE=92111
options IPSTATE_MAX=64433
options NAT_SIZE=2047
options RDR_SIZE=2047
options HOSTMAP_SIZE=8191
options NAT_TABLE_MAX=180000
options NAT_TABLE_SZ=16383
options         GATEWAY
options         BRIDGE_IPF

I'm happy to provide traces with complete IP addrs via private email.  Putting 
these systems in the public record would be wrong.
none known

Home | Main Index | Thread Index | Old Index