NetBSD Problem Report #39274

From dhgutteridge@sympatico.ca  Sat Aug  2 22:24:26 2008
Return-Path: <dhgutteridge@sympatico.ca>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 6D9B863BBCF
	for <gnats-bugs@gnats.netbsd.org>; Sat,  2 Aug 2008 22:24:26 +0000 (UTC)
Message-Id: <BLU109-F382C203F871B4628E7B2D5B77E0@phx.gbl>
Date: Sat, 02 Aug 2008 18:24:21 -0400
From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
Reply-To: gutteridge@netbsd.org
To: gnats-bugs@netbsd.org
Subject: ipfilter loses state of FTP mget transfer sessions	

>Number:         39274
>Category:       kern
>Synopsis:       ipfilter loses state of FTP mget transfer sessions
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ipf-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Aug 02 22:25:00 +0000 2008
>Last-Modified:  Mon Jan 21 02:31:32 +0000 2019
>Originator:     David H. Gutteridge
>Release:        NetBSD-current
>Organization:
>Environment:


System: NetBSD arcus-v1 4.99.70 NetBSD 4.99.70 (GENERIC) #0: Tue Jul 15 23:54:25 PDT 2008  builds@wb28:/home/builds/ab/HEAD/amd64/200807160002Z-obj/home/builds/ab/HEAD/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
I'm frequently finding that FTP mget transfers fail (client-side) when
ipfilter is enabled on the client.  This is not an ipnat/ftp_proxy
issue, NAT is not enabled on the client machines in question.  I'm
seeing this with both -current builds on amd64 and 4.0 on macppc.

ipfstat output seems to indicate that ipfilter is losing the state of
the connections.  After that happens of course, the FTP session is
unusable.

Here's an example session demonstrating the problem, with before and
after ipfstat data.

[root@arcus-v1:root]# ipfstat
bad packets:		in 0	out 0
IPv6 packets:		in 0 out 5
input packets:		blocked 1 passed 718 nomatch 0 counted 0 short 0
output packets:		blocked 10 passed 473 nomatch 0 counted 0 short 0
input packets logged:	blocked 1 passed 0
output packets logged:	blocked 0 passed 0
packets logged:	input 0 output 0
log failures:		input 0 output 0
fragment state(in):	kept 0	lost 0	not fragmented 0
fragment state(out):	kept 0	lost 0	not fragmented 0
packet state(in):	kept 0	lost 0
packet state(out):	kept 51	lost 10
ICMP replies:	0	TCP RSTs sent:	0
Invalid source(in):	0
Result cache hits(in):	0	(out):	0
IN Pullups succeeded:	0	failed:	0
OUT Pullups succeeded:	8	failed:	0
Fastroute successes:	0	failures:	0
TCP cksum fails(in):	0	(out):	0
IPF Ticks:	910
Packet log flags set: (0)
	none
[root@arcus-v1:root]# ipfstat -hi
0 pass in quick on lo0 all
0 block return-rst in log quick proto tcp from any to any
1 block in log quick proto udp from any to any
0 block in log quick proto icmp from any to any
[root@arcus-v1:root]# ipfstat -ho
0 pass out quick on lo0 all
56 block out log quick all head 1
# Group 1
52 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags group 1
4 pass out proto udp from any to any keep state keep frags group 1
0 pass out proto icmp from any to any keep state keep frags group 1
0 block out log quick from any to 127.0.0.0/8 group 1
0 block out log quick from any to 172.16.0.0/12 group 1
0 block out log quick from any to 10.0.0.0/8 group 1
0 block out log quick from any to 255.255.255.255/32 group 1
0 block out log quick from any to 0.0.0.0/8 group 1
0 block out log quick from any to 169.254.0.0/16 group 1
0 block out log quick from any to 192.0.2.0/24 group 1
0 block out log quick from any to 204.152.64.0/23 group 1
0 block out log quick from any to 224.0.0.0/3 group 1
0 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags group 1
0 pass out proto udp from any to any keep state keep frags group 1
5 pass out proto ipv6-icmp from any to any keep state keep frags group 1
0 block out log quick from any to ::1/32 group 1
[root@arcus-v1:root]# tail /var/log/messages
Jul 29 01:02:42 arcus-v1 /netbsd: audio1 at pad0: half duplex
Jul 29 01:02:42 arcus-v1 /netbsd: boot device: wd0
Jul 29 01:02:42 arcus-v1 /netbsd: root on wd0a dumps on wd0b
Jul 29 01:02:42 arcus-v1 /netbsd: root file system type: ffs
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 1 added (80x25, vt100 emulation)
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 2 added (80x25, vt100 emulation)
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 3 added (80x25, vt100 emulation)
Jul 29 01:02:42 arcus-v1 /netbsd: wsdisplay0: screen 4 added (80x25, vt100 emulation)
Jul 29 01:02:43 arcus-v1 savecore: no core dump
Jul 29 01:02:43 arcus-v1 ipmon[137]: 01:02:42.044342 wm0 @0:3 b 192.168.39.254,bootps -> 192.168.39.128,bootpc PR udp len 20 328 IN
[root@arcus-v1:root]# exit
[disciple@arcus-v1:disciple]$ cd /tmp
[disciple@arcus-v1:tmp]$ ftp -p ftp6.itearsheets.com
Connected to ftp6.itearsheets.com.
220-Welcome to the Shoom / Ad Express FTP Server #8
220-
220-For asssitance call 800-446-6646 or email help@etearsheets.com
220 WFTPD 3.2 service (by Texas Imperial Software) ready for new user
Name (ftp6.itearsheets.com:disciple):
331 Give me your password, please
Password:
230 Logged in successfully
Remote system type is WIN32.
ftp> cd Lethbridge
250 "/Lethbridge" is current directory
ftp> ls -l
227 Entering Passive Mode (66,226,4,219,14,217)
150 File Listing Follows in ASCII mode.
total 625
-rwxrwxrwx  1 noone    nogroup      6824 Apr 29 05:33 Leth042908.csv
-rwxrwxrwx  1 noone    nogroup      5067 Apr 30 07:00 Leth043008.csv
-rwxrwxrwx  1 noone    nogroup      5742 May 16 13:04 Leth051608.csv
-rwxrwxrwx  1 noone    nogroup     12453 Jun  9 07:24 Leth060708.csv
-rwxrwxrwx  1 noone    nogroup      3509 Jun  9 07:24 Leth060808.csv
-rwxrwxrwx  1 noone    nogroup      2412 Jun  9 07:24 Leth060908.csv
-rwxrwxrwx  1 noone    nogroup      9063 Jun 10 06:29 Leth061008.csv
-rwxrwxrwx  1 noone    nogroup      7377 Jun 11 06:17 Leth061108.csv
-rwxrwxrwx  1 noone    nogroup      2666 Jun 12 06:08 Leth061208.csv
-rwxrwxrwx  1 noone    nogroup      9133 Jun 13 07:10 Leth061308.csv
-rwxrwxrwx  1 noone    nogroup     12724 Jun 16 07:18 Leth061408.csv
<SNIP>
226 Transfer finished successfully.
ftp> prompt
Interactive mode off.
ftp> mget Leth*.csv
local: Leth042908.csv remote: Leth042908.csv
227 Entering Passive Mode (66,226,4,219,14,219)
150 "/Lethbridge/Leth042908.csv" file ready to send (6824 bytes) in ASCII mode
100% |***********************************|  6824       53.04 KiB/s    00:00 ETA
226 Transfer finished successfully.
WARNING! 28 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
6824 bytes received in 00:00 (25.33 KiB/s)
local: Leth043008.csv remote: Leth043008.csv
227 Entering Passive Mode (66,226,4,219,14,220)
150 "/Lethbridge/Leth043008.csv" file ready to send (5067 bytes) in ASCII mode
100% |***********************************|  5067       37.24 KiB/s    00:00 ETA
226 Transfer finished successfully.
WARNING! 20 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
5067 bytes received in 00:00 (18.44 KiB/s)
local: Leth051608.csv remote: Leth051608.csv
227 Entering Passive Mode (66,226,4,219,14,221)
150 "/Lethbridge/Leth051608.csv" file ready to send (5742 bytes) in ASCII mode
100% |***********************************|  5742       45.89 KiB/s    00:00 ETA
226 Transfer finished successfully.
5742 bytes received in 00:00 (21.47 KiB/s)
<SNIP>
local: Leth062808.csv remote: Leth062808.csv
227 Entering Passive Mode (66,226,4,219,14,243)
ftp: Can't connect to `66.226.4.219:3827': Network is unreachable
local: Leth062908.csv remote: Leth062908.csv
227 Entering Passive Mode (66,226,4,219,14,244)
ftp: Can't connect to `66.226.4.219:3828': Network is unreachable
local: Leth063008.csv remote: Leth063008.csv
227 Entering Passive Mode (66,226,4,219,14,245)
ftp: Can't connect to `66.226.4.219:3829': Network is unreachable
local: Leth070208.csv remote: Leth070208.csv
227 Entering Passive Mode (66,226,4,219,14,246)
ftp: Can't connect to `66.226.4.219:3830': Network is unreachable
local: Leth070308.csv remote: Leth070308.csv
227 Entering Passive Mode (66,226,4,219,14,247)
ftp: Can't connect to `66.226.4.219:3831': Network is unreachable
local: Leth070408.csv remote: Leth070408.csv
227 Entering Passive Mode (66,226,4,219,14,248)
ftp: Can't connect to `66.226.4.219:3832': Network is unreachable
local: Leth070508.csv remote: Leth070508.csv
227 Entering Passive Mode (66,226,4,219,14,249)
ftp: Can't connect to `66.226.4.219:3833': Network is unreachable
local: Leth070608.csv remote: Leth070608.csv
227 Entering Passive Mode (66,226,4,219,14,250)
ftp: Can't connect to `66.226.4.219:3834': Network is unreachable
local: Leth070708.csv remote: Leth070708.csv
227 Entering Passive Mode (66,226,4,219,14,251)
ftp: Can't connect to `66.226.4.219:3835': Network is unreachable
local: Leth070808.csv remote: Leth070808.csv
227 Entering Passive Mode (66,226,4,219,14,252)
ftp: Can't connect to `66.226.4.219:3836': Network is unreachable
local: Leth070908.csv remote: Leth070908.csv
227 Entering Passive Mode (66,226,4,219,14,253)
ftp: Can't connect to `66.226.4.219:3837': Network is unreachable
local: Leth071008.csv remote: Leth071008.csv
227 Entering Passive Mode (66,226,4,219,14,254)
ftp: Can't connect to `66.226.4.219:3838': Network is unreachable
local: Leth071108.csv remote: Leth071108.csv
227 Entering Passive Mode (66,226,4,219,14,255)
ftp: Can't connect to `66.226.4.219:3839': Network is unreachable
local: Leth071208.csv remote: Leth071208.csv
227 Entering Passive Mode (66,226,4,219,15,0)
150 "/Lethbridge/Leth071208.csv" file ready to send (13074 bytes) in ASCII mode
100% |***********************************| 13074       30.88 KiB/s    00:00 ETA
226 Transfer finished successfully.
13074 bytes received in 00:00 (30.59 KiB/s)
local: Leth071308.csv remote: Leth071308.csv
227 Entering Passive Mode (66,226,4,219,15,1)
150 "/Lethbridge/Leth071308.csv" file ready to send (2929 bytes) in ASCII mode
100% |***********************************|  2929       24.32 KiB/s    00:00 ETA
226 Transfer finished successfully.
2929 bytes received in 00:00 (10.59 KiB/s)
<SNIP>
local: Leth072808.csv remote: Leth072808.csv
227 Entering Passive Mode (66,226,4,219,15,16)
150 "/Lethbridge/Leth072808.csv" file ready to send (2396 bytes) in ASCII mode
100% |***********************************|  2396       53.77 KiB/s    00:00 ETA
226 Transfer finished successfully.
2396 bytes received in 00:00 (8.51 KiB/s)
ftp> mget *.csv
ftp> ls
Not connected.
<SNIP>
[disciple@arcus-v1:tmp]$ ftp -p ftp6.itearsheets.com 
Connected to ftp6.itearsheets.com.
220-Welcome to the Shoom / Ad Express FTP Server #8
220-
220-For asssitance call 800-446-6646 or email help@etearsheets.com
220 WFTPD 3.2 service (by Texas Imperial Software) ready for new user
Name (ftp6.itearsheets.com:disciple):
331 Give me your password, please
Password:
230 Logged in successfully
Remote system type is WIN32.
ftp> cd Kamloops
250 "/Kamloops" is current directory
ftp> ls -ltr
227 Entering Passive Mode (66,226,4,219,15,69)
150 File Listing Follows in ASCII mode.
total 2503
-rwxrwxrwx  1 noone    nogroup      1608 Mar 20 16:38 DATARER20080321.csv
-rwxrwxrwx  1 noone    nogroup      6822 Mar 20 16:41 DATARE20080321.csv
-rwxrwxrwx  1 noone    nogroup       985 Mar 20 17:05 DATASPL20080321.csv
-rwxrwxrwx  1 noone    nogroup      2895 Mar 24 09:41 DATAKRV20080321.csv
-rwxrwxrwx  1 noone    nogroup      5523 Mar 24 10:41 DATAKDN20080321.csv
-rwxrwxrwx  1 noone    nogroup       131 Mar 24 13:01 DATARE20080321MOD01.csv
-rwxrwxrwx  1 noone    nogroup      1937 Mar 26 09:51 DATAKDN20080326.csv
-rwxrwxrwx  1 noone    nogroup      1798 Mar 26 09:57 DATAKRV20080326.csv
<SNIP>
226 Transfer finished successfully.
ftp> prompt
Interactive mode off.
ftp> mget DATA*200807*.csv
local: DATAKDN20080702.csv remote: DATAKDN20080702.csv
227 Entering Passive Mode (66,226,4,219,15,71)
150 "/Kamloops/DATAKDN20080702.csv" file ready to send (6136 bytes) in ASCII mode
100% |***********************************|  6136       54.14 KiB/s    00:00 ETA
226 Transfer finished successfully.
6136 bytes received in 00:00 (23.46 KiB/s)
local: DATAKDN20080703.csv remote: DATAKDN20080703.csv
227 Entering Passive Mode (66,226,4,219,15,72)
150 "/Kamloops/DATAKDN20080703.csv" file ready to send (5163 bytes) in ASCII mode
100% |***********************************|  5163       41.52 KiB/s    00:00 ETA
226 Transfer finished successfully.
5163 bytes received in 00:00 (19.08 KiB/s)
local: DATAKDN20080704.csv remote: DATAKDN20080704.csv
227 Entering Passive Mode (66,226,4,219,15,73)
150 "/Kamloops/DATAKDN20080704.csv" file ready to send (7299 bytes) in ASCII mode
100% |***********************************|  7299       37.83 KiB/s    00:00 ETA
226 Transfer finished successfully.
7299 bytes received in 00:00 (27.67 KiB/s)
local: DATAKDN20080704MOD1.csv remote: DATAKDN20080704MOD1.csv
227 Entering Passive Mode (66,226,4,219,15,74)
150 "/Kamloops/DATAKDN20080704MOD1.csv" file ready to send (69 bytes) in ASCII mode
100% |***********************************|    69        1.96 KiB/s    00:00 ETA
226 Transfer finished successfully.
69 bytes received in 00:00 (0.25 KiB/s)
<SNIP>
local: DATAKDN20080724.csv remote: DATAKDN20080724.csv
227 Entering Passive Mode (66,226,4,219,15,93)
150 "/Kamloops/DATAKDN20080724.csv" file ready to send (6292 bytes) in ASCII mode
100% |***********************************|  6292       53.99 KiB/s    00:00 ETA
226 Transfer finished successfully.
6292 bytes received in 00:00 (23.78 KiB/s)
local: DATAKDN20080725.csv remote: DATAKDN20080725.csv
227 Entering Passive Mode (66,226,4,219,15,94)
ftp: Can't connect to `66.226.4.219:3934': Network is unreachable
local: DATAKDN20080726.csv remote: DATAKDN20080726.csv
227 Entering Passive Mode (66,226,4,219,15,95)
ftp: Can't connect to `66.226.4.219:3935': Network is unreachable
local: DATAKRV20080702.csv remote: DATAKRV20080702.csv
227 Entering Passive Mode (66,226,4,219,15,96)
ftp: Can't connect to `66.226.4.219:3936': Network is unreachable
local: DATAKRV20080704.csv remote: DATAKRV20080704.csv
227 Entering Passive Mode (66,226,4,219,15,97)
ftp: Can't connect to `66.226.4.219:3937': Network is unreachable
local: DATAKRV20080709.csv remote: DATAKRV20080709.csv
227 Entering Passive Mode (66,226,4,219,15,98)
ftp: Can't connect to `66.226.4.219:3938': Network is unreachable
local: DATAKRV20080711.csv remote: DATAKRV20080711.csv
227 Entering Passive Mode (66,226,4,219,15,99)
ftp: Can't connect to `66.226.4.219:3939': Network is unreachable
local: DATAKRV20080716.csv remote: DATAKRV20080716.csv
227 Entering Passive Mode (66,226,4,219,15,100)
ftp: Can't connect to `66.226.4.219:3940': Network is unreachable
local: DATAKRV20080716MOD1.csv remote: DATAKRV20080716MOD1.csv
227 Entering Passive Mode (66,226,4,219,15,101)
ftp: Can't connect to `66.226.4.219:3941': Network is unreachable
local: DATAKRV20080718.csv remote: DATAKRV20080718.csv
227 Entering Passive Mode (66,226,4,219,15,102)
ftp: Can't connect to `66.226.4.219:3942': Network is unreachable
local: DATAKRV20080723.csv remote: DATAKRV20080723.csv
227 Entering Passive Mode (66,226,4,219,15,103)
ftp: Can't connect to `66.226.4.219:3943': Network is unreachable
local: DATAKRV20080725.csv remote: DATAKRV20080725.csv
227 Entering Passive Mode (66,226,4,219,15,104)
ftp: Can't connect to `66.226.4.219:3944': Network is unreachable
local: DATARE20080704.csv remote: DATARE20080704.csv
227 Entering Passive Mode (66,226,4,219,15,105)
ftp: Can't connect to `66.226.4.219:3945': Network is unreachable
local: DATARE20080711.csv remote: DATARE20080711.csv
227 Entering Passive Mode (66,226,4,219,15,106)
ftp: Can't connect to `66.226.4.219:3946': Network is unreachable
local: DATARE20080718.csv remote: DATARE20080718.csv
227 Entering Passive Mode (66,226,4,219,15,107)
ftp: Can't connect to `66.226.4.219:3947': Network is unreachable
local: DATARE20080725.csv remote: DATARE20080725.csv
227 Entering Passive Mode (66,226,4,219,15,108)
ftp: Can't connect to `66.226.4.219:3948': Network is unreachable
local: DATARER20080704.csv remote: DATARER20080704.csv
227 Entering Passive Mode (66,226,4,219,15,109)
ftp: Can't connect to `66.226.4.219:3949': Network is unreachable
local: DATARER20080711.csv remote: DATARER20080711.csv
227 Entering Passive Mode (66,226,4,219,15,110)
ftp: Can't connect to `66.226.4.219:3950': Network is unreachable
local: DATARER20080718.csv remote: DATARER20080718.csv
227 Entering Passive Mode (66,226,4,219,15,111)
ftp: Can't connect to `66.226.4.219:3951': Network is unreachable
local: DATARER20080725.csv remote: DATARER20080725.csv
227 Entering Passive Mode (66,226,4,219,15,112)
ftp: Can't connect to `66.226.4.219:3952': Network is unreachable
local: DATASP420080705.csv remote: DATASP420080705.csv
227 Entering Passive Mode (66,226,4,219,15,113)
ftp: Can't connect to `66.226.4.219:3953': Network is unreachable
local: DATASP620080726.csv remote: DATASP620080726.csv
227 Entering Passive Mode (66,226,4,219,15,114)
ftp: Can't connect to `66.226.4.219:3954': Network is unreachable
local: DATASP720080708.csv remote: DATASP720080708.csv
227 Entering Passive Mode (66,226,4,219,15,115)
ftp: Can't connect to `66.226.4.219:3955': Network is unreachable
local: DATASP720080714.csv remote: DATASP720080714.csv
227 Entering Passive Mode (66,226,4,219,15,116)
ftp: Can't connect to `66.226.4.219:3956': Network is unreachable
local: DATASPL20080705.csv remote: DATASPL20080705.csv
227 Entering Passive Mode (66,226,4,219,15,117)
ftp: Can't connect to `66.226.4.219:3957': Network is unreachable
local: DATASPL20080712.csv remote: DATASPL20080712.csv
227 Entering Passive Mode (66,226,4,219,15,118)
ftp: Can't connect to `66.226.4.219:3958': Network is unreachable
local: DATASPL20080719.csv remote: DATASPL20080719.csv
227 Entering Passive Mode (66,226,4,219,15,119)
ftp: Can't connect to `66.226.4.219:3959': Network is unreachable
local: DATASPL20080726.csv remote: DATASPL20080726.csv
227 Entering Passive Mode (66,226,4,219,15,120)
ftp: Can't connect to `66.226.4.219:3960': Network is unreachable
local: DATATVT20080703.csv remote: DATATVT20080703.csv
227 Entering Passive Mode (66,226,4,219,15,121)
ftp: Can't connect to `66.226.4.219:3961': Network is unreachable
local: DATATVT20080710.csv remote: DATATVT20080710.csv
227 Entering Passive Mode (66,226,4,219,15,122)
ftp: Can't connect to `66.226.4.219:3962': Network is unreachable
local: DATATVT20080717.csv remote: DATATVT20080717.csv
227 Entering Passive Mode (66,226,4,219,15,123)
ftp: Can't connect to `66.226.4.219:3963': Network is unreachable
local: DATATVT20080724.csv remote: DATATVT20080724.csv
227 Entering Passive Mode (66,226,4,219,15,124)
ftp: Can't connect to `66.226.4.219:3964': Network is unreachable
ftp> quit
221 Windows FTP Server (WFTPD, by Texas Imperial Software) says goodbye
[disciple@arcus-v1:tmp]$ su -
Password:
Terminal type is vt100.
[root@arcus-v1:root]# ipfstat
bad packets:		in 0	out 0
IPv6 packets:		in 0 out 5
input packets:		blocked 1 passed 2833 nomatch 0 counted 0 short 0
output packets:		blocked 55 passed 1827 nomatch 0 counted 0 short 0
input packets logged:	blocked 1 passed 0
output packets logged:	blocked 0 passed 0
packets logged:	input 0 output 0
log failures:		input 0 output 0
fragment state(in):	kept 0	lost 0	not fragmented 0
fragment state(out):	kept 0	lost 0	not fragmented 0
packet state(in):	kept 0	lost 0
packet state(out):	kept 174	lost 55
ICMP replies:	0	TCP RSTs sent:	0
Invalid source(in):	0
Result cache hits(in):	0	(out):	0
IN Pullups succeeded:	0	failed:	0
OUT Pullups succeeded:	8	failed:	0
Fastroute successes:	0	failures:	0
TCP cksum fails(in):	0	(out):	0
IPF Ticks:	2513
Packet log flags set: (0)
	none
[root@arcus-v1:root]# ipfstat -ho
0 pass out quick on lo0 all
224 block out log quick all head 1
# Group 1
213 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags group 1
11 pass out proto udp from any to any keep state keep frags group 1
0 pass out proto icmp from any to any keep state keep frags group 1
0 block out log quick from any to 127.0.0.0/8 group 1
0 block out log quick from any to 172.16.0.0/12 group 1
0 block out log quick from any to 10.0.0.0/8 group 1
0 block out log quick from any to 255.255.255.255/32 group 1
0 block out log quick from any to 0.0.0.0/8 group 1
0 block out log quick from any to 169.254.0.0/16 group 1
0 block out log quick from any to 192.0.2.0/24 group 1
0 block out log quick from any to 204.152.64.0/23 group 1
0 block out log quick from any to 224.0.0.0/3 group 1
0 pass out proto tcp from any to any flags S/FSRPAU keep state keep frags group 1
0 pass out proto udp from any to any keep state keep frags group 1
5 pass out proto ipv6-icmp from any to any keep state keep frags group 1
0 block out log quick from any to ::1/32 group 1
[root@arcus-v1:root]# ipfstat -hi
0 pass in quick on lo0 all
0 block return-rst in log quick proto tcp from any to any
1 block in log quick proto udp from any to any
0 block in log quick proto icmp from any to any
[root@arcus-v1:root]# tail /var/log/messages
Jul 29 01:02:43 arcus-v1 ipmon[137]: 01:02:42.044342 wm0 @0:3 b 192.168.39.254,bootps -> 192.168.39.128,bootpc PR udp len 20 328 IN
Jul 29 01:15:58 arcus-v1 dhclient: DHCPREQUEST on wm0 to 192.168.39.254 port 67
Jul 29 01:15:58 arcus-v1 dhclient: DHCPACK from 192.168.39.254
Jul 29 01:15:58 arcus-v1 dhclient: bound to 192.168.39.128 -- renewal in 777 seconds.
[root@arcus-v1:root]# exit

My ipfilter rules are:

pass in quick on lo0 all
pass out quick on lo0 all

block return-rst in log quick proto tcp all
block in log quick proto udp all
block in log quick proto icmp all

block out log quick all head 1  # use of 'quick' here will force only consideration of this group
  pass out proto tcp from any to any flags S keep state keep frags group 1
  pass out proto udp from any to any keep state keep frags group 1
  pass out proto icmp from any to any keep state keep frags group 1
  block out log quick from any to 127.0.0.0/8 group 1
  block out log quick from any to 172.16.0.0/12 group 1
  block out log quick from any to 10.0.0.0/8 group 1
  block out log quick from any to 255.255.255.255/32 group 1
  block out log quick from any to 0.0.0.0/8 group 1
  block out log quick from any to 169.254.0.0/16 group 1
  block out log quick from any to 192.0.2.0/24 group 1
  block out log quick from any to 204.152.64.0/23 group 1
  block out log quick from any to 224.0.0.0/3 group 1

If I disable ipfilter, the problem goes away.  I cannot duplicate it
when using pf, either.

As an ancillary data point (though not relevant to NetBSD per se), I
believe I'm also encountering the same issue with the version of
ipfilter that HP ships with HP-UX 11.23.  It was in fact this problem
that prompted me to see if I could duplicate it with NetBSD.
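The two ipfstat snapshots above carry the diagnostic signal: between them "output packets blocked" rose from 10 to 55 and "packet state(out) lost" rose from 10 to 55, the same 45 in both counters, while the client reported one "Network is unreachable" per data connection it could not open. My reading of the ipfilter 4.x filter code (fil.c), stated here as an assumption and not as something the report says, is that a "lost" state is a keep state pass rule whose state entry could not be inserted, and that the packet which triggered it is then blocked instead of passed. The script below is an added example, not part of the report or of ipfilter: it parses two ipfstat snapshots and splits the outbound blocks into those explained by failed state insertions and those explained by ordinary block rules, so the two cases can be told apart before anyone rewrites the rule set. The embedded counters are copied from the snapshots above; real ipfstat output separates fields with tabs, which the patterns accept.

```python
import re

# Two ipfstat(8) snapshots copied from the report above: the first taken
# before the failing mget sessions, the second after them.  Only the counters
# the check reads are reproduced.  Real ipfstat output separates fields with
# tabs; the patterns below accept tabs or spaces.
BEFORE = """\
input packets:      blocked 1 passed 718 nomatch 0 counted 0 short 0
output packets:     blocked 10 passed 473 nomatch 0 counted 0 short 0
packet state(in):   kept 0  lost 0
packet state(out):  kept 51 lost 10
"""

AFTER = """\
input packets:      blocked 1 passed 2833 nomatch 0 counted 0 short 0
output packets:     blocked 55 passed 1827 nomatch 0 counted 0 short 0
packet state(in):   kept 0  lost 0
packet state(out):  kept 174    lost 55
"""

# One pattern per counter; each captures a single integer.
_PATTERNS = {
    "in_blocked":  r"^input packets:\s+blocked (\d+)",
    "in_passed":   r"^input packets:\s+blocked \d+ passed (\d+)",
    "out_blocked": r"^output packets:\s+blocked (\d+)",
    "out_passed":  r"^output packets:\s+blocked \d+ passed (\d+)",
    "in_kept":     r"^packet state\(in\):\s+kept (\d+)",
    "in_lost":     r"^packet state\(in\):\s+kept \d+\s+lost (\d+)",
    "out_kept":    r"^packet state\(out\):\s+kept (\d+)",
    "out_lost":    r"^packet state\(out\):\s+kept \d+\s+lost (\d+)",
}


def parse_ipfstat(text):
    """Extract the counters of interest from ipfstat output as a dict of ints."""
    counters = {}
    for name, pattern in _PATTERNS.items():
        m = re.search(pattern, text, re.M)
        if m is None:
            raise ValueError("counter %r not found in ipfstat output" % name)
        counters[name] = int(m.group(1))
    return counters


def delta(before, after):
    """Per-counter increase between two snapshots.

    A counter that goes backwards means the filter was reloaded or the
    statistics were zeroed between the snapshots, so the comparison is
    meaningless and is refused rather than reported as a bogus delta.
    """
    d = {}
    for name in before:
        d[name] = after[name] - before[name]
        if d[name] < 0:
            raise ValueError("counter %r decreased; statistics reset between snapshots?" % name)
    return d


def attribute_blocks(d):
    """Split the outbound blocks in a delta into two causes.

    Assumption (my reading of ipfilter 4.x fil.c, not a statement from the
    report): when a 'keep state' pass rule matches but the state entry cannot
    be inserted, ipfilter counts a 'lost' state and blocks that packet.  Every
    lost state therefore accounts for one blocked packet; any remaining blocks
    come from ordinary block rules.
    """
    state_loss_blocks = min(d["out_blocked"], d["out_lost"])
    return {
        "out_blocked": d["out_blocked"],
        "state_loss_blocks": state_loss_blocks,
        "rule_blocks": d["out_blocked"] - state_loss_blocks,
        "all_blocks_are_state_losses": d["out_blocked"] > 0
                                       and d["out_blocked"] == d["out_lost"],
    }


def report(before_text, after_text):
    """Parse both snapshots and attribute the outbound blocks."""
    d = delta(parse_ipfstat(before_text), parse_ipfstat(after_text))
    return d, attribute_blocks(d)


if __name__ == "__main__":
    d, verdict = report(BEFORE, AFTER)
    for name in sorted(d):
        print("%-12s +%d" % (name, d[name]))
    if verdict["all_blocks_are_state_losses"]:
        print("every blocked output packet coincides with a lost state entry: "
              "suspect the state table, not the rule set")
    else:
        print("%d blocks from lost state, %d from block rules"
              % (verdict["state_loss_blocks"], verdict["rule_blocks"]))
```

Run it against two real snapshots by replacing BEFORE and AFTER with the output of `ipfstat` captured before and after the failing transfer; if rule_blocks is non-zero the head rule's own counter in `ipfstat -ho` is the next thing to compare.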

>How-To-Repeat:
Initiate an ftp mget that's guaranteed to transfer at least half a dozen 
files.  Sometimes it's necessary to try this a few times before the problem 
appears, other times it seems to happen consistently.

>Fix:
None known.


>Release-Note:

>Audit-Trail:
From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
Date: Sat, 02 Aug 2008 18:44:45 -0400

 I meant to include another example closer to home, so to speak, as a
 specific test case others could try duplicating.  (That might sound
 kind of redundant, given what the problem appears to be, but just to
 demonstrate it doesn't seem specific to some interaction with a
 particular server, I can duplicate the problem with NetBSD's ftp site
 too.)

 Here's an mget I did in /pub/pkgsrc/distfiles:

 ftp> mget xpdf*.patch
 ---> EPSV
 ---> NLST xpdf*.patch
 local: xpdf-3.00pl1.patch remote: xpdf-3.00pl1.patch
 ---> TYPE I
 200 Type set to I.
 ---> SIZE xpdf-3.00pl1.patch
 213 7434
 ---> EPSV
 229 Entering Extended Passive Mode (|||58042|)
 229 Entering Extended Passive Mode (|||58042|)
 ---> RETR xpdf-3.00pl1.patch
 150 Opening BINARY mode data connection for 'xpdf-3.00pl1.patch' (7434 bytes).
 100% |***********************************|  7434       75.42 KiB/s    00:00 ETA
 226 Transfer complete.
 7434 bytes received in 00:00 (25.94 KiB/s)
 ---> MDTM xpdf-3.00pl1.patch
 213 20041104173330
 remotemodtime: parsed date `20041104173330' as 1099589610, Thu, 04 Nov 2004 17:33:30 +0000
 local: xpdf-3.00pl2.patch remote: xpdf-3.00pl2.patch
 ---> SIZE xpdf-3.00pl2.patch
 213 1645
 ---> EPSV
 229 Entering Extended Passive Mode (|||58043|)
 229 Entering Extended Passive Mode (|||58043|)
 ---> RETR xpdf-3.00pl2.patch
 150 Opening BINARY mode data connection for 'xpdf-3.00pl2.patch' (1645 bytes).
 100% |***********************************|  1645      159.06 KiB/s    00:00 ETA
 226 Transfer complete.
 1645 bytes received in 00:00 (5.78 KiB/s)
 ---> MDTM xpdf-3.00pl2.patch
 213 20041212230213
 remotemodtime: parsed date `20041212230213' as 1102892533, Sun, 12 Dec 2004 23:02:13 +0000
 local: xpdf-3.00pl3.patch remote: xpdf-3.00pl3.patch
 ---> SIZE xpdf-3.00pl3.patch
 213 346
 ---> EPSV
 229 Entering Extended Passive Mode (|||58044|)
 229 Entering Extended Passive Mode (|||58044|)
 ---> RETR xpdf-3.00pl3.patch
 150 Opening BINARY mode data connection for 'xpdf-3.00pl3.patch' (346 bytes).
 100% |***********************************|   346      383.09 KiB/s    00:00 ETA
 226 Transfer complete.
 346 bytes received in 00:00 (1.22 KiB/s)
 ---> MDTM xpdf-3.00pl3.patch
 213 20050117172711
 remotemodtime: parsed date `20050117172711' as 1105982831, Mon, 17 Jan 2005 17:27:11 +0000
 local: xpdf-3.01pl1.patch remote: xpdf-3.01pl1.patch
 ---> SIZE xpdf-3.01pl1.patch
 213 4936
 ---> EPSV
 229 Entering Extended Passive Mode (|||58045|)
 229 Entering Extended Passive Mode (|||58045|)
 ---> RETR xpdf-3.01pl1.patch
 150 Opening BINARY mode data connection for 'xpdf-3.01pl1.patch' (4936 bytes).
 100% |***********************************|  4936       52.27 KiB/s    00:00 ETA
 226 Transfer complete.
 4936 bytes received in 00:00 (17.20 KiB/s)
 ---> MDTM xpdf-3.01pl1.patch
 213 20051201193601
 remotemodtime: parsed date `20051201193601' as 1133465761, Thu, 01 Dec 2005 19:36:01 +0000
 local: xpdf-3.01pl2.patch remote: xpdf-3.01pl2.patch
 ---> SIZE xpdf-3.01pl2.patch
 213 12097
 ---> EPSV
 229 Entering Extended Passive Mode (|||58046|)
 229 Entering Extended Passive Mode (|||58046|)
 ---> RETR xpdf-3.01pl2.patch
 150 Opening BINARY mode data connection for 'xpdf-3.01pl2.patch' (12097 bytes).
 100% |***********************************| 12097      112.15 KiB/s    00:00 ETA
 226 Transfer complete.
 12097 bytes received in 00:00 (41.36 KiB/s)
 ---> MDTM xpdf-3.01pl2.patch
 213 20060208233852
 remotemodtime: parsed date `20060208233852' as 1139441932, Wed, 08 Feb 2006 23:38:52 +0000
 local: xpdf-3.02pl1.patch remote: xpdf-3.02pl1.patch
 ---> SIZE xpdf-3.02pl1.patch
 213 1050
 ---> EPSV
 229 Entering Extended Passive Mode (|||58047|)
 229 Entering Extended Passive Mode (|||58047|)
 ---> RETR xpdf-3.02pl1.patch
 150 Opening BINARY mode data connection for 'xpdf-3.02pl1.patch' (1050 bytes).
 100% |***********************************|  1050      999.40 KiB/s    00:00 ETA
 226 Transfer complete.
 1050 bytes received in 00:00 (3.60 KiB/s)
 ---> MDTM xpdf-3.02pl1.patch
 213 20071108160620
 remotemodtime: parsed date `20071108160620' as 1194537980, Thu, 08 Nov 2007 16:06:20 +0000
 local: xpdf-3.02pl2.patch remote: xpdf-3.02pl2.patch
 ---> SIZE xpdf-3.02pl2.patch
 213 20843
 ---> EPSV
 229 Entering Extended Passive Mode (|||58048|)
 229 Entering Extended Passive Mode (|||58048|)
 ftp: Can't connect to `204.152.190.13:58048': Network is unreachable
 ftp> ls
 ---> TYPE A
 200 Type set to A.
 ---> EPSV
 229 Entering Extended Passive Mode (|||58049|)
 229 Entering Extended Passive Mode (|||58049|)
 ftp: Can't connect to `204.152.190.13:58049': Network is unreachable
 ftp> quit
 ---> QUIT
 221-
     Data traffic for this session was 124210 bytes in 20 files.
     Total traffic for this session was 1644719 bytes in 26 transfers.
 221 Thank you for using the FTP service on ftp.NetBSD.org.
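Both transcripts hinge on the endpoint the server advertises for the data channel. A 227 reply carries host and port as six decimal fields, with port = p1*256 + p2, so "(66,226,4,219,14,243)" in the first session is 66.226.4.219:3827, exactly the address the client then reports as unreachable; a 229 reply carries only a port between delimiters, the host being the control-connection peer. Any state-aware filter or FTP proxy that follows the control channel has to parse the same replies before it can admit the data connection, and it is parsing untrusted server output when it does so. The following is an added example, not code from the report, from NetBSD's ftp(1) or from ipfilter: it derives the data endpoint from either reply form. The range checks, the refusal of data ports below 1024 and the refusal of a 227 reply that names a host other than the control peer are my choice of policy, not behaviour the report attributes to either program; the sample replies are copied from the transcripts above and the peer addresses are the hosts the client reported connecting to.

```python
import re

# Reply formats, per RFC 959 (227) and RFC 2428 (229):
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   port = p1*256 + p2
#   229 Entering Extended Passive Mode (|||port|)   host = control peer
# The delimiter in a 229 reply may be any printable ASCII character other
# than a digit, and the same character must appear in all four positions.
_PASV = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV = re.compile(r"^229 .*?\(([!-/:-~])\1\1(\d{1,5})\1\)")

# Policy (my assumption for this example, not something the report attributes
# to ftp(1) or to ipfilter): a data port below 1024 is refused, and a 227
# reply whose host is not the server we are already talking to is refused
# rather than followed.
MIN_DATA_PORT = 1024


class DataEndpointError(ValueError):
    """Raised when a 227/229 reply is malformed or names an unacceptable endpoint."""


def parse_data_endpoint(reply, control_peer):
    """Return (host, port) the client must connect to for the data channel.

    reply        -- the full 227 or 229 line received on the control connection
    control_peer -- the server's IP address on the control connection
    """
    m = _PASV.match(reply)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            raise DataEndpointError("227 field out of range: %r" % reply)
        host = "%d.%d.%d.%d" % tuple(fields[:4])
        port = fields[4] * 256 + fields[5]
        if host != control_peer:
            raise DataEndpointError(
                "227 advertises %s but control peer is %s" % (host, control_peer))
    else:
        m = _EPSV.match(reply)
        if m is None:
            raise DataEndpointError("not a well-formed 227/229 reply: %r" % reply)
        host = control_peer          # a 229 reply carries only a port number
        port = int(m.group(2))
    if not MIN_DATA_PORT <= port <= 65535:
        raise DataEndpointError(
            "data port %d outside %d-65535" % (port, MIN_DATA_PORT))
    return host, port


def rejects(reply, control_peer):
    """True if parse_data_endpoint refuses the reply."""
    try:
        parse_data_endpoint(reply, control_peer)
    except DataEndpointError:
        return True
    return False


# Constructed inputs: the replies are copied from the transcripts above, the
# control-peer addresses are the hosts the client reported connecting to.
SAMPLES = [
    ("227 Entering Passive Mode (66,226,4,219,14,219)", "66.226.4.219"),
    ("227 Entering Passive Mode (66,226,4,219,14,243)", "66.226.4.219"),
    ("229 Entering Extended Passive Mode (|||58048|)", "204.152.190.13"),
]

if __name__ == "__main__":
    for reply, peer in SAMPLES:
        print("%-50s -> %s:%d" % (reply, *parse_data_endpoint(reply, peer)))
    # Replies a filter should refuse: redirection to a third host, and a
    # privileged port.  Both lines are constructed for this example.
    for bad in ("227 Entering Passive Mode (10,0,0,1,14,243)",
                "227 Entering Passive Mode (66,226,4,219,0,21)"):
        print("%-50s -> refused: %s" % (bad, rejects(bad, "66.226.4.219")))
```

The host comparison is the check that matters for a firewall: without it, a 227 reply can steer the client, and the state entry the firewall opens for it, at any address the server chooses.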


From: Manuel Bouyer <bouyer@antioche.eu.org>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
Date: Thu, 7 Aug 2008 16:13:26 +0200

 On Sat, Aug 02, 2008 at 10:25:00PM +0000, David H. Gutteridge wrote:
 > >Description:
 > I'm frequently finding that FTP mget transfers fail (client-side) when
 > ipfilter is enabled on the client.  This is not an ipnat/ftp_proxy
 > issue, NAT is not enabled on the client machines in question.  I'm
 > seeing this with both -current builds on amd64 and 4.0 on macppc.
 > 
 > ipfstat output seems to indicate that ipfilter is losing the state of
 > the connections.  After that happens of course, the FTP session is
 > unusable.

 I think it's the same issue I'm seeing: TCP connections are expired
 too soon (and/or some that should be closed are not, although there
 was a proper TCP connection close). I worked around this by using
 different timeout values:
 map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 proxy port ftp ftp/tcp mssclamp 1452
 map pppoe0 from 10.0.0.0/16 to any port = 22 -> 62.212.96.44/32 portmap tcp/udp 10000:40000 age 7300 mssclamp 1452
 map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 portmap tcp/udp 10000:40000 age 900 mssclamp 1452
 map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 mssclamp 1452

 -- 
 Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
      NetBSD: 26 years of experience will always make the difference
 --

From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/39274: ipfilter loses state of FTP mget transfer sessions	
Date: Fri, 17 Feb 2012 22:51:57 -0500

 I can still duplicate this problem on 5.99.56 with ipfilter 4.1.34
 and 5.99.65 with ipfilter 5.1.1.

 Dave

Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Sun, 18 Mar 2012 21:31:23 +0000
Responsible-Changed-Why:
there's a special role address for ipf bugs


From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/39274 (ipfilter loses state of FTP mget transfer sessions)
Date: Fri, 27 Jul 2012 23:41:35 -0400

 I can still duplicate this problem on 6.99.10 with ipfilter 5.1.2.

 Dave

>Unformatted:
