NetBSD-Bugs archive


kern/40382: ipfilter NAT misidentifies packets as FTP



>Number:         40382
>Category:       kern
>Synopsis:       ipfilter NAT misidentifies packets as FTP
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jan 12 21:30:00 +0000 2009
>Originator:     Peter Eisch
>Release:        netbsd-4-0
>Organization:
>Environment:
NetBSD doily 4.0.0_PATCH NetBSD 4.0.0_PATCH (PETER-FW) #3: Sun Aug 31 18:55:18 CDT 2008  peter@buster:/builds/netbsd-4-0/i386/obj/builds/netbsd-4-0/src/sys/arch/i386/compile/PETER-FW i386

>Description:

Given /etc/ipnat.conf:
map wm2 from INSIDE/24 to 0/0 -> OUTSIDE/32 proxy port ftp ftp/tcp
map wm2 from INSIDE/24 to 0/0 -> OUTSIDE/32 portmap tcp/udp 40000:60000
map wm2 from INSIDE/24 to 0/0 -> OUTSIDE/32 

 +--------+    +-------+    +--------+
 | client |--->| nbrtr |--->| server |
 +--------+    +------NAT   +--------+

  (IPv6 is enabled, but all traffic is IPv4. nbrtr is not connected to 
INSIDE/24 -- just routed)

Some sessions will be identified as FTP and their ipnat state will reflect an 
FTP status.

MAP INSIDE     34645 <- -> OUTSIDE   34645 [SERVER 8888]
        proxy ftp/6 use -59039 flags 0
                proto 6 flags 0 bytes 176 pkts 3 data YES size 312
        FTP Proxy:
                passok: 1
        Client:
                seq 665766ed (ack 0) len 0 junk 0 cmds 0
                buf [\000]
        Server:
                seq b3eaa160 (ack 0) len 0 junk 0 cmds 0
                buf [\000]

In most cases "bad nat" will be incremented as these states are added.  When we 
reach about 200,000 "bad nat" results the internal NAT configuration seems to 
get corrupted.  New sessions will consistently get "no route to host" from the 
nbrtr (or the router just upstream towards the server).  I peak at fewer than 
2000 NAT states at the time of failure.

There is a second server that is used from the same clients matching the same 
NAT rule.  The server listens on port 992.  There has never been a state type 
of FTP for sessions connecting to this server -- only for sessions connecting to 
port 8888.

My kernel config includes:

include "arch/i386/conf/GENERIC.MP"
ipmi0          at mainbus?
options IPSTATE_SIZE=92111
options IPSTATE_MAX=64433
options NAT_SIZE=2047
options RDR_SIZE=2047
options HOSTMAP_SIZE=8191
options NAT_TABLE_MAX=180000
options NAT_TABLE_SZ=16383
options         GATEWAY
options         BRIDGE_IPF
...

>How-To-Repeat:
I'm happy to provide traces with complete IP addrs via private email.  Putting 
these systems in the public record would be wrong.
>Fix:
none known
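The mis-attached FTP proxy state quoted in the description can be checked for on any ipfilter router from `ipnat -l` output. The following is an added example, not part of this PR and not ipfilter's own code: a POSIX sh/awk filter that prints each MAP entry whose following "proxy ftp/" line belongs to a server port other than 21 (or "ftp", when ipnat prints the resolved service name). The embedded sample is constructed from the output format shown above, with placeholder addresses; `flag_misproxied` and `count_misproxied` are hypothetical helper names.

```shell
# Added example (not part of the PR): scan `ipnat -l` output for NAT mappings
# that carry the FTP proxy although the server-side port is not ftp/21.
# Constructed sample in the format the PR shows; addresses are RFC 5737
# placeholders, not real hosts.
SAMPLE='MAP 10.0.0.5       34645 <- -> 192.0.2.1       34645 [198.51.100.7 8888]
        proxy ftp/6 use -59039 flags 0
                proto 6 flags 0 bytes 176 pkts 3 data YES size 312
MAP 10.0.0.9       40211 <- -> 192.0.2.1       40211 [198.51.100.9 21]
        proxy ftp/6 use 1 flags 0
                proto 6 flags 0 bytes 320 pkts 6 data YES size 312
MAP 10.0.0.7       51002 <- -> 192.0.2.1       51002 [198.51.100.8 992]
                proto 6 flags 0 bytes 100 pkts 2 data NO size 0'

# Read `ipnat -l` output on stdin; print each MAP line whose following
# "proxy ftp/" line attaches the FTP proxy to a server port other than 21
# (or "ftp", which ipnat prints when it resolves the service name).
flag_misproxied() {
    awk '
        /^MAP / {
            map = $0
            port = $0
            sub(/.*\[[^ ]+ +/, "", port)   # drop everything up to "[SERVER "
            sub(/\].*/, "", port)          # drop the closing bracket and rest
            next
        }
        /^[[:space:]]+proxy ftp\// {
            if (port != "21" && port != "ftp") print map
        }
    '
}

# Number of such mappings, usable as a cron or monitoring metric.
count_misproxied() {
    flag_misproxied | wc -l | tr -d ' '
}

# On the router itself:  ipnat -l | flag_misproxied
# Offline demo on the constructed sample (prints only the 8888 mapping):
printf '%s\n' "$SAMPLE" | flag_misproxied
```

Sampling `count_misproxied` over time next to the "bad nat" counter from `ipnat -s` lets an operator see whether the two symptoms described above rise together on their own box.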