NetBSD Problem Report #39274
From dhgutteridge@sympatico.ca Sat Aug 2 22:24:26 2008
Return-Path: <dhgutteridge@sympatico.ca>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 6D9B863BBCF
for <gnats-bugs@gnats.netbsd.org>; Sat, 2 Aug 2008 22:24:26 +0000 (UTC)
Message-Id: <BLU109-F382C203F871B4628E7B2D5B77E0@phx.gbl>
Date: Sat, 02 Aug 2008 18:24:21 -0400
From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
Reply-To: gutteridge@netbsd.org
To: gnats-bugs@netbsd.org
Subject: ipfilter loses state of FTP mget transfer sessions
>Number: 39274
>Category: kern
>Synopsis: ipfilter loses state of FTP mget transfer sessions
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: ipf-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Aug 02 22:25:00 +0000 2008
>Last-Modified: Mon Jan 21 02:31:32 +0000 2019
>Originator: David H. Gutteridge
>Release: NetBSD-current
>Organization:
>Environment:
System: NetBSD arcus-v1 4.99.70 NetBSD 4.99.70 (GENERIC) #0: Tue Jul 15 23:54:25 PDT 2008 builds@wb28:/home/builds/ab/HEAD/amd64/200807160002Z-obj/home/builds/ab/HEAD/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
I'm frequently finding that FTP mget transfers fail (client-side) when
ipfilter is enabled on the client. This is not an ipnat/ftp_proxy
issue, NAT is not enabled on the client machines in question. I'm
seeing this with both -current builds on amd64 and 4.0 on macppc.
ipfstat output seems to indicate that ipfilter is losing the state of
the connections. After that happens of course, the FTP session is
unusable.
Here's an example session demonstrating the problem, with before and
after ipfstat data.
[root@arcus-v1:root]# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 5
input packets: blocked 1 passed 718 nomatch 0 counted 0 short 0
output packets: blocked 10 passed 473 nomatch 0 counted 0 short 0
input packets logged: blocked 1 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 51 lost 10
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 0 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 8 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 910
Packet log flags set: (0)
none
[root@arcus-v1:root]# ipfstat -hi
0 pass in quick on lo0 all
0 block return-rst in log quick proto tcp from any to any
1 block in log quick proto udp from any to any
0 block in log quick proto icmp from any to any
[root@arcus-v1:root]# ipfstat -ho
0 pass out quick on lo0 all
56 block out log quick all head 1
# Group 1
52 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags group 1
4 pass out proto udp from any to any keep state keep frags group 1
0 pass out proto icmp from any to any keep state keep frags group 1
0 block out log quick from any to 127.0.0.0/8 group 1
0 block out log quick from any to 172.16.0.0/12 group 1
0 block out log quick from any to 10.0.0.0/8 group 1
0 block out log quick from any to 255.255.255.255/32 group 1
0 block out log quick from any to 0.0.0.0/8 group 1
0 block out log quick from any to 169.254.0.0/16 group 1
0 block out log quick from any to 192.0.2.0/24 group 1
0 block out log quick from any to 204.152.64.0/23 group 1
0 block out log quick from any to 224.0.0.0/3 group 1
0 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags group 1
0 pass out proto udp from any to any keep state keep frags group 1
5 pass out proto ipv6-icmp from any to any keep state keep frags group 1
0 block out log quick from any to ::1/32 group 1
[root@arcus-v1:root]# tail /var/log/messages
Jul 29 01:02:42 arcus-v1 /netbsd: audio1 at pad0: half duplex
Jul 29 01:02:42 arcus-v1 /netbsd: boot device: wd0
Jul 29 01:02:42 arcus-v1 /netbsd: root on wd0a dumps on wd0b
Jul 29 01:02:42 arcus-v1 /netbsd: root file system type: ffs
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 1 added (80x25, vt100 emulation)
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 2 added (80x25, vt100 emulation)
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 3 added (80x25, vt100 emulation)
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 4 added (80x25, vt100 emulation)
Jul 29 01:02:43 arcus-v1 savecore: no core dump
Jul 29 01:02:43 arcus-v1 ipmon[137]: 01:02:42.044342 wm0 @0:3 b 192.168.39.254,bootps -> 192.168.39.128,bootpc PR udp len 20 328 IN
[root@arcus-v1:root]# exit
[disciple@arcus-v1:disciple]$ cd /tmp
[disciple@arcus-v1:tmp]$ ftp -p ftp6.itearsheets.com
Connected to ftp6.itearsheets.com.
220-Welcome to the Shoom / Ad Express FTP Server #8
220-
220-For asssitance call 800-446-6646 or email help@etearsheets.com
220 WFTPD 3.2 service (by Texas Imperial Software) ready for new user
Name (ftp6.itearsheets.com:disciple):
331 Give me your password, please
Password:
230 Logged in successfully
Remote system type is WIN32.
ftp> cd Lethbridge
250 "/Lethbridge" is current directory
ftp> ls -l
227 Entering Passive Mode (66,226,4,219,14,217)
150 File Listing Follows in ASCII mode.
total 625
-rwxrwxrwx 1 noone nogroup 6824 Apr 29 05:33 Leth042908.csv
-rwxrwxrwx 1 noone nogroup 5067 Apr 30 07:00 Leth043008.csv
-rwxrwxrwx 1 noone nogroup 5742 May 16 13:04 Leth051608.csv
-rwxrwxrwx 1 noone nogroup 12453 Jun 9 07:24 Leth060708.csv
-rwxrwxrwx 1 noone nogroup 3509 Jun 9 07:24 Leth060808.csv
-rwxrwxrwx 1 noone nogroup 2412 Jun 9 07:24 Leth060908.csv
-rwxrwxrwx 1 noone nogroup 9063 Jun 10 06:29 Leth061008.csv
-rwxrwxrwx 1 noone nogroup 7377 Jun 11 06:17 Leth061108.csv
-rwxrwxrwx 1 noone nogroup 2666 Jun 12 06:08 Leth061208.csv
-rwxrwxrwx 1 noone nogroup 9133 Jun 13 07:10 Leth061308.csv
-rwxrwxrwx 1 noone nogroup 12724 Jun 16 07:18 Leth061408.csv
<SNIP>
226 Transfer finished successfully.
ftp> prompt
Interactive mode off.
ftp> mget Leth*.csv
local: Leth042908.csv remote: Leth042908.csv
227 Entering Passive Mode (66,226,4,219,14,219)
150 "/Lethbridge/Leth042908.csv" file ready to send (6824 bytes) in ASCII
mode
100% |***********************************| 6824 53.04 KiB/s 00:00
ETA
226 Transfer finished successfully.
WARNING! 28 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
6824 bytes received in 00:00 (25.33 KiB/s)
local: Leth043008.csv remote: Leth043008.csv
227 Entering Passive Mode (66,226,4,219,14,220)
150 "/Lethbridge/Leth043008.csv" file ready to send (5067 bytes) in ASCII
mode
100% |***********************************| 5067 37.24 KiB/s 00:00
ETA
226 Transfer finished successfully.
WARNING! 20 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
5067 bytes received in 00:00 (18.44 KiB/s)
local: Leth051608.csv remote: Leth051608.csv
227 Entering Passive Mode (66,226,4,219,14,221)
150 "/Lethbridge/Leth051608.csv" file ready to send (5742 bytes) in ASCII
mode
100% |***********************************| 5742 45.89 KiB/s 00:00
ETA
226 Transfer finished successfully.
5742 bytes received in 00:00 (21.47 KiB/s)
<SNIP>
local: Leth062808.csv remote: Leth062808.csv
227 Entering Passive Mode (66,226,4,219,14,243)
ftp: Can't connect to `66.226.4.219:3827': Network is unreachable
local: Leth062908.csv remote: Leth062908.csv
227 Entering Passive Mode (66,226,4,219,14,244)
ftp: Can't connect to `66.226.4.219:3828': Network is unreachable
local: Leth063008.csv remote: Leth063008.csv
227 Entering Passive Mode (66,226,4,219,14,245)
ftp: Can't connect to `66.226.4.219:3829': Network is unreachable
local: Leth070208.csv remote: Leth070208.csv
227 Entering Passive Mode (66,226,4,219,14,246)
ftp: Can't connect to `66.226.4.219:3830': Network is unreachable
local: Leth070308.csv remote: Leth070308.csv
227 Entering Passive Mode (66,226,4,219,14,247)
ftp: Can't connect to `66.226.4.219:3831': Network is unreachable
local: Leth070408.csv remote: Leth070408.csv
227 Entering Passive Mode (66,226,4,219,14,248)
ftp: Can't connect to `66.226.4.219:3832': Network is unreachable
local: Leth070508.csv remote: Leth070508.csv
227 Entering Passive Mode (66,226,4,219,14,249)
ftp: Can't connect to `66.226.4.219:3833': Network is unreachable
local: Leth070608.csv remote: Leth070608.csv
227 Entering Passive Mode (66,226,4,219,14,250)
ftp: Can't connect to `66.226.4.219:3834': Network is unreachable
local: Leth070708.csv remote: Leth070708.csv
227 Entering Passive Mode (66,226,4,219,14,251)
ftp: Can't connect to `66.226.4.219:3835': Network is unreachable
local: Leth070808.csv remote: Leth070808.csv
227 Entering Passive Mode (66,226,4,219,14,252)
ftp: Can't connect to `66.226.4.219:3836': Network is unreachable
local: Leth070908.csv remote: Leth070908.csv
227 Entering Passive Mode (66,226,4,219,14,253)
ftp: Can't connect to `66.226.4.219:3837': Network is unreachable
local: Leth071008.csv remote: Leth071008.csv
227 Entering Passive Mode (66,226,4,219,14,254)
ftp: Can't connect to `66.226.4.219:3838': Network is unreachable
local: Leth071108.csv remote: Leth071108.csv
227 Entering Passive Mode (66,226,4,219,14,255)
ftp: Can't connect to `66.226.4.219:3839': Network is unreachable
local: Leth071208.csv remote: Leth071208.csv
227 Entering Passive Mode (66,226,4,219,15,0)
150 "/Lethbridge/Leth071208.csv" file ready to send (13074 bytes) in ASCII
mode
100% |***********************************| 13074 30.88 KiB/s 00:00
ETA
226 Transfer finished successfully.
13074 bytes received in 00:00 (30.59 KiB/s)
local: Leth071308.csv remote: Leth071308.csv
227 Entering Passive Mode (66,226,4,219,15,1)
150 "/Lethbridge/Leth071308.csv" file ready to send (2929 bytes) in ASCII
mode
100% |***********************************| 2929 24.32 KiB/s 00:00
ETA
226 Transfer finished successfully.
2929 bytes received in 00:00 (10.59 KiB/s)
<SNIP>
local: Leth072808.csv remote: Leth072808.csv
227 Entering Passive Mode (66,226,4,219,15,16)
150 "/Lethbridge/Leth072808.csv" file ready to send (2396 bytes) in ASCII
mode
100% |***********************************| 2396 53.77 KiB/s 00:00
ETA
226 Transfer finished successfully.
2396 bytes received in 00:00 (8.51 KiB/s)
ftp> mget *.csv
ftp> ls
Not connected.
<SNIP>
[disciple@arcus-v1:tmp]$ ftp -p ftp6.itearsheets.com
Connected to ftp6.itearsheets.com.
220-Welcome to the Shoom / Ad Express FTP Server #8
220-
220-For asssitance call 800-446-6646 or email help@etearsheets.com
220 WFTPD 3.2 service (by Texas Imperial Software) ready for new user
Name (ftp6.itearsheets.com:disciple):
331 Give me your password, please
Password:
230 Logged in successfully
Remote system type is WIN32.
ftp> cd Kamloops
250 "/Kamloops" is current directory
ftp> ls -ltr
227 Entering Passive Mode (66,226,4,219,15,69)
150 File Listing Follows in ASCII mode.
total 2503
-rwxrwxrwx 1 noone nogroup 1608 Mar 20 16:38 DATARER20080321.csv
-rwxrwxrwx 1 noone nogroup 6822 Mar 20 16:41 DATARE20080321.csv
-rwxrwxrwx 1 noone nogroup 985 Mar 20 17:05 DATASPL20080321.csv
-rwxrwxrwx 1 noone nogroup 2895 Mar 24 09:41 DATAKRV20080321.csv
-rwxrwxrwx 1 noone nogroup 5523 Mar 24 10:41 DATAKDN20080321.csv
-rwxrwxrwx 1 noone nogroup 131 Mar 24 13:01 DATARE20080321MOD01.csv
-rwxrwxrwx 1 noone nogroup 1937 Mar 26 09:51 DATAKDN20080326.csv
-rwxrwxrwx 1 noone nogroup 1798 Mar 26 09:57 DATAKRV20080326.csv
<SNIP>
226 Transfer finished successfully.
ftp> prompt
Interactive mode off.
ftp> mget DATA*200807*.csv
local: DATAKDN20080702.csv remote: DATAKDN20080702.csv
227 Entering Passive Mode (66,226,4,219,15,71)
150 "/Kamloops/DATAKDN20080702.csv" file ready to send (6136 bytes) in ASCII
mode
100% |***********************************| 6136 54.14 KiB/s 00:00
ETA
226 Transfer finished successfully.
6136 bytes received in 00:00 (23.46 KiB/s)
local: DATAKDN20080703.csv remote: DATAKDN20080703.csv
227 Entering Passive Mode (66,226,4,219,15,72)
150 "/Kamloops/DATAKDN20080703.csv" file ready to send (5163 bytes) in ASCII
mode
100% |***********************************| 5163 41.52 KiB/s 00:00
ETA
226 Transfer finished successfully.
5163 bytes received in 00:00 (19.08 KiB/s)
local: DATAKDN20080704.csv remote: DATAKDN20080704.csv
227 Entering Passive Mode (66,226,4,219,15,73)
150 "/Kamloops/DATAKDN20080704.csv" file ready to send (7299 bytes) in ASCII
mode
100% |***********************************| 7299 37.83 KiB/s 00:00
ETA
226 Transfer finished successfully.
7299 bytes received in 00:00 (27.67 KiB/s)
local: DATAKDN20080704MOD1.csv remote: DATAKDN20080704MOD1.csv
227 Entering Passive Mode (66,226,4,219,15,74)
150 "/Kamloops/DATAKDN20080704MOD1.csv" file ready to send (69 bytes) in
ASCII mode
100% |***********************************| 69 1.96 KiB/s 00:00
ETA
226 Transfer finished successfully.
69 bytes received in 00:00 (0.25 KiB/s)
<SNIP>
local: DATAKDN20080724.csv remote: DATAKDN20080724.csv
227 Entering Passive Mode (66,226,4,219,15,93)
150 "/Kamloops/DATAKDN20080724.csv" file ready to send (6292 bytes) in ASCII
mode
100% |***********************************| 6292 53.99 KiB/s 00:00
ETA
226 Transfer finished successfully.
6292 bytes received in 00:00 (23.78 KiB/s)
local: DATAKDN20080725.csv remote: DATAKDN20080725.csv
227 Entering Passive Mode (66,226,4,219,15,94)
ftp: Can't connect to `66.226.4.219:3934': Network is unreachable
local: DATAKDN20080726.csv remote: DATAKDN20080726.csv
227 Entering Passive Mode (66,226,4,219,15,95)
ftp: Can't connect to `66.226.4.219:3935': Network is unreachable
local: DATAKRV20080702.csv remote: DATAKRV20080702.csv
227 Entering Passive Mode (66,226,4,219,15,96)
ftp: Can't connect to `66.226.4.219:3936': Network is unreachable
local: DATAKRV20080704.csv remote: DATAKRV20080704.csv
227 Entering Passive Mode (66,226,4,219,15,97)
ftp: Can't connect to `66.226.4.219:3937': Network is unreachable
local: DATAKRV20080709.csv remote: DATAKRV20080709.csv
227 Entering Passive Mode (66,226,4,219,15,98)
ftp: Can't connect to `66.226.4.219:3938': Network is unreachable
local: DATAKRV20080711.csv remote: DATAKRV20080711.csv
227 Entering Passive Mode (66,226,4,219,15,99)
ftp: Can't connect to `66.226.4.219:3939': Network is unreachable
local: DATAKRV20080716.csv remote: DATAKRV20080716.csv
227 Entering Passive Mode (66,226,4,219,15,100)
ftp: Can't connect to `66.226.4.219:3940': Network is unreachable
local: DATAKRV20080716MOD1.csv remote: DATAKRV20080716MOD1.csv
227 Entering Passive Mode (66,226,4,219,15,101)
ftp: Can't connect to `66.226.4.219:3941': Network is unreachable
local: DATAKRV20080718.csv remote: DATAKRV20080718.csv
227 Entering Passive Mode (66,226,4,219,15,102)
ftp: Can't connect to `66.226.4.219:3942': Network is unreachable
local: DATAKRV20080723.csv remote: DATAKRV20080723.csv
227 Entering Passive Mode (66,226,4,219,15,103)
ftp: Can't connect to `66.226.4.219:3943': Network is unreachable
local: DATAKRV20080725.csv remote: DATAKRV20080725.csv
227 Entering Passive Mode (66,226,4,219,15,104)
ftp: Can't connect to `66.226.4.219:3944': Network is unreachable
local: DATARE20080704.csv remote: DATARE20080704.csv
227 Entering Passive Mode (66,226,4,219,15,105)
ftp: Can't connect to `66.226.4.219:3945': Network is unreachable
local: DATARE20080711.csv remote: DATARE20080711.csv
227 Entering Passive Mode (66,226,4,219,15,106)
ftp: Can't connect to `66.226.4.219:3946': Network is unreachable
local: DATARE20080718.csv remote: DATARE20080718.csv
227 Entering Passive Mode (66,226,4,219,15,107)
ftp: Can't connect to `66.226.4.219:3947': Network is unreachable
local: DATARE20080725.csv remote: DATARE20080725.csv
227 Entering Passive Mode (66,226,4,219,15,108)
ftp: Can't connect to `66.226.4.219:3948': Network is unreachable
local: DATARER20080704.csv remote: DATARER20080704.csv
227 Entering Passive Mode (66,226,4,219,15,109)
ftp: Can't connect to `66.226.4.219:3949': Network is unreachable
local: DATARER20080711.csv remote: DATARER20080711.csv
227 Entering Passive Mode (66,226,4,219,15,110)
ftp: Can't connect to `66.226.4.219:3950': Network is unreachable
local: DATARER20080718.csv remote: DATARER20080718.csv
227 Entering Passive Mode (66,226,4,219,15,111)
ftp: Can't connect to `66.226.4.219:3951': Network is unreachable
local: DATARER20080725.csv remote: DATARER20080725.csv
227 Entering Passive Mode (66,226,4,219,15,112)
ftp: Can't connect to `66.226.4.219:3952': Network is unreachable
local: DATASP420080705.csv remote: DATASP420080705.csv
227 Entering Passive Mode (66,226,4,219,15,113)
ftp: Can't connect to `66.226.4.219:3953': Network is unreachable
local: DATASP620080726.csv remote: DATASP620080726.csv
227 Entering Passive Mode (66,226,4,219,15,114)
ftp: Can't connect to `66.226.4.219:3954': Network is unreachable
local: DATASP720080708.csv remote: DATASP720080708.csv
227 Entering Passive Mode (66,226,4,219,15,115)
ftp: Can't connect to `66.226.4.219:3955': Network is unreachable
local: DATASP720080714.csv remote: DATASP720080714.csv
227 Entering Passive Mode (66,226,4,219,15,116)
ftp: Can't connect to `66.226.4.219:3956': Network is unreachable
local: DATASPL20080705.csv remote: DATASPL20080705.csv
227 Entering Passive Mode (66,226,4,219,15,117)
ftp: Can't connect to `66.226.4.219:3957': Network is unreachable
local: DATASPL20080712.csv remote: DATASPL20080712.csv
227 Entering Passive Mode (66,226,4,219,15,118)
ftp: Can't connect to `66.226.4.219:3958': Network is unreachable
local: DATASPL20080719.csv remote: DATASPL20080719.csv
227 Entering Passive Mode (66,226,4,219,15,119)
ftp: Can't connect to `66.226.4.219:3959': Network is unreachable
local: DATASPL20080726.csv remote: DATASPL20080726.csv
227 Entering Passive Mode (66,226,4,219,15,120)
ftp: Can't connect to `66.226.4.219:3960': Network is unreachable
local: DATATVT20080703.csv remote: DATATVT20080703.csv
227 Entering Passive Mode (66,226,4,219,15,121)
ftp: Can't connect to `66.226.4.219:3961': Network is unreachable
local: DATATVT20080710.csv remote: DATATVT20080710.csv
227 Entering Passive Mode (66,226,4,219,15,122)
ftp: Can't connect to `66.226.4.219:3962': Network is unreachable
local: DATATVT20080717.csv remote: DATATVT20080717.csv
227 Entering Passive Mode (66,226,4,219,15,123)
ftp: Can't connect to `66.226.4.219:3963': Network is unreachable
local: DATATVT20080724.csv remote: DATATVT20080724.csv
227 Entering Passive Mode (66,226,4,219,15,124)
ftp: Can't connect to `66.226.4.219:3964': Network is unreachable
ftp> quit
221 Windows FTP Server (WFTPD, by Texas Imperial Software) says goodbye
[disciple@arcus-v1:tmp]$ su -
Password:
Terminal type is vt100.
[root@arcus-v1:root]# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 5
input packets: blocked 1 passed 2833 nomatch 0 counted 0 short 0
output packets: blocked 55 passed 1827 nomatch 0 counted 0 short 0
input packets logged: blocked 1 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 174 lost 55
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 0 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 8 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 2513
Packet log flags set: (0)
none
[root@arcus-v1:root]# ipfstat -ho
0 pass out quick on lo0 all
224 block out log quick all head 1
# Group 1
213 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags group 1
11 pass out proto udp from any to any keep state keep frags group 1
0 pass out proto icmp from any to any keep state keep frags group 1
0 block out log quick from any to 127.0.0.0/8 group 1
0 block out log quick from any to 172.16.0.0/12 group 1
0 block out log quick from any to 10.0.0.0/8 group 1
0 block out log quick from any to 255.255.255.255/32 group 1
0 block out log quick from any to 0.0.0.0/8 group 1
0 block out log quick from any to 169.254.0.0/16 group 1
0 block out log quick from any to 192.0.2.0/24 group 1
0 block out log quick from any to 204.152.64.0/23 group 1
0 block out log quick from any to 224.0.0.0/3 group 1
0 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags group 1
0 pass out proto udp from any to any keep state keep frags group 1
5 pass out proto ipv6-icmp from any to any keep state keep frags group 1
0 block out log quick from any to ::1/32 group 1
[root@arcus-v1:root]# ipfstat -hi
0 pass in quick on lo0 all
0 block return-rst in log quick proto tcp from any to any
1 block in log quick proto udp from any to any
0 block in log quick proto icmp from any to any
[root@arcus-v1:root]# tail /var/log/messages
Jul 29 01:02:43 arcus-v1 ipmon[137]: 01:02:42.044342 wm0 @0:3 b 192.168.39.254,bootps -> 192.168.39.128,bootpc PR udp len 20 328 IN
Jul 29 01:15:58 arcus-v1 dhclient: DHCPREQUEST on wm0 to 192.168.39.254 port 67
Jul 29 01:15:58 arcus-v1 dhclient: DHCPACK from 192.168.39.254
Jul 29 01:15:58 arcus-v1 dhclient: bound to 192.168.39.128 -- renewal in 777 seconds.
[root@arcus-v1:root]# exit
My ipfilter rules are:
pass in quick on lo0 all
pass out quick on lo0 all
block return-rst in log quick proto tcp all
block in log quick proto udp all
block in log quick proto icmp all
block out log quick all head 1 # use of 'quick' here will force only consideration of this group
pass out proto tcp from any to any flags S keep state keep frags group 1
pass out proto udp from any to any keep state keep frags group 1
pass out proto icmp from any to any keep state keep frags group 1
block out log quick from any to 127.0.0.0/8 group 1
block out log quick from any to 172.16.0.0/12 group 1
block out log quick from any to 10.0.0.0/8 group 1
block out log quick from any to 255.255.255.255/32 group 1
block out log quick from any to 0.0.0.0/8 group 1
block out log quick from any to 169.254.0.0/16 group 1
block out log quick from any to 192.0.2.0/24 group 1
block out log quick from any to 204.152.64.0/23 group 1
block out log quick from any to 224.0.0.0/3 group 1
If I disable ipfilter, the problem goes away. I cannot duplicate it
when using pf, either.
As an ancillary data point (though not relevant to NetBSD per se), I
believe I'm also encountering the same issue with the version of
ipfilter that HP ships with HP-UX 11.23. It was in fact this problem
that prompted me to see if I could duplicate it with NetBSD.
>How-To-Repeat:
Initiate an ftp mget that's guaranteed to transfer at least half a dozen
files. Sometimes it's necessary to try this a few times before the problem
appears, other times it seems to happen consistently.
>Fix:
None known.
>Release-Note:
>Audit-Trail:
From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
Date: Sat, 02 Aug 2008 18:44:45 -0400
I meant to include another example closer to home, so to speak, as a
specific test case others could try duplicating. (That might sound
kind of redundant, given what the problem appears to be, but just to
demonstrate it doesn't seem specific to some interaction with a
particular server, I can duplicate the problem with NetBSD's ftp site
too.)
Here's an mget I did in /pub/pkgsrc/distfiles:
ftp> mget xpdf*.patch
---> EPSV
---> NLST xpdf*.patch
local: xpdf-3.00pl1.patch remote: xpdf-3.00pl1.patch
---> TYPE I
200 Type set to I.
---> SIZE xpdf-3.00pl1.patch
213 7434
---> EPSV
229 Entering Extended Passive Mode (|||58042|)
229 Entering Extended Passive Mode (|||58042|)
---> RETR xpdf-3.00pl1.patch
150 Opening BINARY mode data connection for 'xpdf-3.00pl1.patch' (7434
bytes).
100% |***********************************| 7434 75.42 KiB/s 00:00
ETA
226 Transfer complete.
7434 bytes received in 00:00 (25.94 KiB/s)
---> MDTM xpdf-3.00pl1.patch
213 20041104173330
remotemodtime: parsed date `20041104173330' as 1099589610, Thu, 04 Nov 2004
17:33:30 +0000
local: xpdf-3.00pl2.patch remote: xpdf-3.00pl2.patch
---> SIZE xpdf-3.00pl2.patch
213 1645
---> EPSV
229 Entering Extended Passive Mode (|||58043|)
229 Entering Extended Passive Mode (|||58043|)
---> RETR xpdf-3.00pl2.patch
150 Opening BINARY mode data connection for 'xpdf-3.00pl2.patch' (1645
bytes).
100% |***********************************| 1645 159.06 KiB/s 00:00
ETA
226 Transfer complete.
1645 bytes received in 00:00 (5.78 KiB/s)
---> MDTM xpdf-3.00pl2.patch
213 20041212230213
remotemodtime: parsed date `20041212230213' as 1102892533, Sun, 12 Dec 2004
23:02:13 +0000
local: xpdf-3.00pl3.patch remote: xpdf-3.00pl3.patch
---> SIZE xpdf-3.00pl3.patch
213 346
---> EPSV
229 Entering Extended Passive Mode (|||58044|)
229 Entering Extended Passive Mode (|||58044|)
---> RETR xpdf-3.00pl3.patch
150 Opening BINARY mode data connection for 'xpdf-3.00pl3.patch' (346
bytes).
100% |***********************************| 346 383.09 KiB/s 00:00
ETA
226 Transfer complete.
346 bytes received in 00:00 (1.22 KiB/s)
---> MDTM xpdf-3.00pl3.patch
213 20050117172711
remotemodtime: parsed date `20050117172711' as 1105982831, Mon, 17 Jan 2005
17:27:11 +0000
local: xpdf-3.01pl1.patch remote: xpdf-3.01pl1.patch
---> SIZE xpdf-3.01pl1.patch
213 4936
---> EPSV
229 Entering Extended Passive Mode (|||58045|)
229 Entering Extended Passive Mode (|||58045|)
---> RETR xpdf-3.01pl1.patch
150 Opening BINARY mode data connection for 'xpdf-3.01pl1.patch' (4936
bytes).
100% |***********************************| 4936 52.27 KiB/s 00:00
ETA
226 Transfer complete.
4936 bytes received in 00:00 (17.20 KiB/s)
---> MDTM xpdf-3.01pl1.patch
213 20051201193601
remotemodtime: parsed date `20051201193601' as 1133465761, Thu, 01 Dec 2005
19:36:01 +0000
local: xpdf-3.01pl2.patch remote: xpdf-3.01pl2.patch
---> SIZE xpdf-3.01pl2.patch
213 12097
---> EPSV
229 Entering Extended Passive Mode (|||58046|)
229 Entering Extended Passive Mode (|||58046|)
---> RETR xpdf-3.01pl2.patch
150 Opening BINARY mode data connection for 'xpdf-3.01pl2.patch' (12097
bytes).
100% |***********************************| 12097 112.15 KiB/s 00:00
ETA
226 Transfer complete.
12097 bytes received in 00:00 (41.36 KiB/s)
---> MDTM xpdf-3.01pl2.patch
213 20060208233852
remotemodtime: parsed date `20060208233852' as 1139441932, Wed, 08 Feb 2006
23:38:52 +0000
local: xpdf-3.02pl1.patch remote: xpdf-3.02pl1.patch
---> SIZE xpdf-3.02pl1.patch
213 1050
---> EPSV
229 Entering Extended Passive Mode (|||58047|)
229 Entering Extended Passive Mode (|||58047|)
---> RETR xpdf-3.02pl1.patch
150 Opening BINARY mode data connection for 'xpdf-3.02pl1.patch' (1050
bytes).
100% |***********************************| 1050 999.40 KiB/s 00:00
ETA
226 Transfer complete.
1050 bytes received in 00:00 (3.60 KiB/s)
---> MDTM xpdf-3.02pl1.patch
213 20071108160620
remotemodtime: parsed date `20071108160620' as 1194537980, Thu, 08 Nov 2007
16:06:20 +0000
local: xpdf-3.02pl2.patch remote: xpdf-3.02pl2.patch
---> SIZE xpdf-3.02pl2.patch
213 20843
---> EPSV
229 Entering Extended Passive Mode (|||58048|)
229 Entering Extended Passive Mode (|||58048|)
ftp: Can't connect to `204.152.190.13:58048': Network is unreachable
ftp> ls
---> TYPE A
200 Type set to A.
---> EPSV
229 Entering Extended Passive Mode (|||58049|)
229 Entering Extended Passive Mode (|||58049|)
ftp: Can't connect to `204.152.190.13:58049': Network is unreachable
ftp> quit
---> QUIT
221-
Data traffic for this session was 124210 bytes in 20 files.
Total traffic for this session was 1644719 bytes in 26 transfers.
221 Thank you for using the FTP service on ftp.NetBSD.org.
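The two transcripts above (the 227 "Entering Passive Mode" session in the report and the 229 "Entering Extended Passive Mode" session in this follow-up) together with the before/after ipfstat output can be checked mechanically rather than by eye. The Python script below is an added example; it is not part of this PR, of ftp(1) or of ipfilter. It decodes the data-connection endpoint from each 227/229 reply (for 227, port = p1*256 + p2 as in RFC 959), lists the endpoints the client could not connect to, and reports how much the "packet state(out)" kept/lost counters grew between two ipfstat snapshots. The embedded transcript and ipfstat excerpts are constructed from lines quoted in this PR; the function names are this example's own.

```python
"""Check an ftp(1) transcript and two ipfstat(8) snapshots for the symptom
described in kern/39274: passive data connections that the client cannot
open, alongside a rising 'lost' state counter.  Added example, not PR code."""
import re

# Reply and error formats as printed by NetBSD ftp(1) in the PR transcripts.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
FAIL_RE = re.compile(r"^ftp: Can't connect to `([\d.]+):(\d+)'")
STATE_RE = re.compile(r"^packet state\((in|out)\): kept (\d+) lost (\d+)")

# Constructed sample transcript, modelled on the two sessions in this PR.
SAMPLE_TRANSCRIPT = """\
ftp> mget Leth*.csv
local: Leth042908.csv remote: Leth042908.csv
227 Entering Passive Mode (66,226,4,219,14,219)
150 "/Lethbridge/Leth042908.csv" file ready to send (6824 bytes) in ASCII mode
226 Transfer finished successfully.
local: Leth062808.csv remote: Leth062808.csv
227 Entering Passive Mode (66,226,4,219,14,243)
ftp: Can't connect to `66.226.4.219:3827': Network is unreachable
ftp> mget xpdf*.patch
---> EPSV
229 Entering Extended Passive Mode (|||58047|)
229 Entering Extended Passive Mode (|||58047|)
226 Transfer complete.
229 Entering Extended Passive Mode (|||58048|)
229 Entering Extended Passive Mode (|||58048|)
ftp: Can't connect to `204.152.190.13:58048': Network is unreachable
"""

# Constructed ipfstat excerpts using the counters quoted in the PR.
IPFSTAT_BEFORE = """\
packet state(in): kept 0 lost 0
packet state(out): kept 51 lost 10
IPF Ticks: 910
"""
IPFSTAT_AFTER = """\
packet state(in): kept 0 lost 0
packet state(out): kept 174 lost 55
IPF Ticks: 2513
"""


def pasv_endpoint(line):
    """Decode a 227 reply (RFC 959): host h1.h2.h3.h4, port p1*256 + p2."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def epsv_port(line):
    """Decode a 229 reply (RFC 2428): only the port is announced; the host is
    the control-connection peer, so it is reported as None here."""
    m = EPSV_RE.match(line)
    return int(m.group(1)) if m else None


def analyse_transcript(text):
    """Return (announced, failed): every data endpoint the server announced,
    in order, and the subset the client could not connect to.  ftp(1) echoes
    each 229 reply twice, so consecutive duplicate lines are counted once."""
    announced, failed = [], []
    prev = None
    for line in text.splitlines():
        if line == prev:
            continue
        prev = line
        ep = pasv_endpoint(line)
        if ep is None:
            port = epsv_port(line)
            if port is not None:
                ep = (None, port)
        if ep is not None:
            announced.append(ep)
            continue
        m = FAIL_RE.match(line)
        if m:
            host, port = m.group(1), int(m.group(2))
            # The port in the error must be the one last announced; anything
            # else means the transcript was misparsed.
            if not announced or announced[-1][1] != port:
                raise ValueError(f"failure on unannounced port {port}")
            failed.append((host, port))
    return announced, failed


def state_counters(ipfstat_text):
    """Extract 'packet state(in|out): kept N lost M' from ipfstat output."""
    found = {}
    for line in ipfstat_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            found[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return found


def state_delta(before, after):
    """Growth of (kept, lost) per direction between two ipfstat snapshots."""
    b, a = state_counters(before), state_counters(after)
    return {d: (a[d][0] - b[d][0], a[d][1] - b[d][1]) for d in a if d in b}


def summarise(transcript, before, after):
    """One dict a reporter can paste: how many data connections were
    announced, how many failed, where the first failure sat, and the
    state-counter growth over the same window."""
    announced, failed = analyse_transcript(transcript)
    first = None
    if failed:
        first = next(i for i, (_, p) in enumerate(announced) if p == failed[0][1])
    return {"announced": len(announced), "failed": len(failed),
            "first_failure_index": first, "state_delta": state_delta(before, after)}


if __name__ == "__main__":
    print(summarise(SAMPLE_TRANSCRIPT, IPFSTAT_BEFORE, IPFSTAT_AFTER))
```

On the sample data the first failure is the second announced endpoint (port 3827, which is exactly 14*256 + 243 from the 227 reply), and the "out" state counters grow by 123 kept and 45 lost, which is the pattern the report describes: the control connection survives while new data connections, each needing a fresh state entry, start failing. Running the same check against a session that works (ipfilter disabled, or pf, as the submitter tried) gives an empty failure list and a zero "lost" delta.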
From: Manuel Bouyer <bouyer@antioche.eu.org>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
Date: Thu, 7 Aug 2008 16:13:26 +0200
On Sat, Aug 02, 2008 at 10:25:00PM +0000, David H. Gutteridge wrote:
> >Description:
> I'm frequently finding that FTP mget transfers fail (client-side) when
> ipfilter is enabled on the client. This is not an ipnat/ftp_proxy
> issue, NAT is not enabled on the client machines in question. I'm
> seeing this with both -current builds on amd64 and 4.0 on macppc.
>
> ipfstat output seems to indicate that ipfilter is losing the state of
> the connections. After that happens of course, the FTP session is
> unusable.
I think it's the same issue I'm seeing: TCP connections are expired
too soon (and/or some that should be closed are not, although there
was a proper TCP connection close). I worked around this by using
different timeout values:
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 proxy port ftp ftp/tcp mssclamp 1452
map pppoe0 from 10.0.0.0/16 to any port = 22 -> 62.212.96.44/32 portmap tcp/udp 10000:40000 age 7300 mssclamp 1452
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 portmap tcp/udp 10000:40000 age 900 mssclamp 1452
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 mssclamp 1452
--
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr
NetBSD: 26 years of experience will always make the difference
--
From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
Date: Fri, 17 Feb 2012 22:51:57 -0500
I can still duplicate this problem on 5.99.56 with ipfilter 4.1.34
and 5.99.65 with ipfilter 5.1.1.
Dave
Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Sun, 18 Mar 2012 21:31:23 +0000
Responsible-Changed-Why:
there's a special role address for ipf bugs
From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/39274 (ipfilter loses state of FTP mget transfer sessions)
Date: Fri, 27 Jul 2012 23:41:35 -0400
I can still duplicate this problem on 6.99.10 with ipfilter 5.1.2.
Dave
>Unformatted: