NetBSD Problem Report #40382

From www@NetBSD.org  Mon Jan 12 21:28:39 2009
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 9455963B909
	for <gnats-bugs@gnats.netbsd.org>; Mon, 12 Jan 2009 21:28:39 +0000 (UTC)
Message-Id: <20090112212839.5C7DB63B8C9@narn.NetBSD.org>
Date: Mon, 12 Jan 2009 21:28:39 +0000 (UTC)
From: peter@boku.net
Reply-To: peter@boku.net
To: gnats-bugs@NetBSD.org
Subject: ipfilter NAT misidentifies packets as FTP
X-Send-Pr-Version: www-1.0

>Number:         40382
>Category:       kern
>Synopsis:       ipfilter NAT misidentifies packets as FTP
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jan 12 21:30:00 +0000 2009
>Originator:     Peter Eisch
>Release:        netbsd-4-0
>Organization:
>Environment:
NetBSD doily 4.0.0_PATCH NetBSD 4.0.0_PATCH (PETER-FW) #3: Sun Aug 31 18:55:18 CDT 2008  peter@buster:/builds/netbsd-4-0/i386/obj/builds/netbsd-4-0/src/sys/arch/i386/compile/PETER-FW i386

>Description:

Given /etc/ipnat.conf:
map wm2 from INSIDE/24 to 0/0 -> OUTSIDE/32 proxy port ftp ftp/tcp
map wm2 from INSIDE/24 to 0/0 -> OUTSIDE/32 portmap tcp/udp 40000:60000
map wm2 from INSIDE/24 to 0/0 -> OUTSIDE/32

 +--------+    +-------+    +--------+
 | client |--->| nbrtr |--->| server |
 +--------+    +------NAT   +--------+

  (IPv6 is enabled, but all traffic is IPv4. nbrtr is not connected to INSIDE/24 -- just routed)

Some sessions will be identified as FTP and their ipnat state will reflect an FTP status.

MAP INSIDE     34645 <- -> OUTSIDE   34645 [SERVER 8888]
        proxy ftp/6 use -59039 flags 0
                proto 6 flags 0 bytes 176 pkts 3 data YES size 312
        FTP Proxy:
                passok: 1
        Client:
                seq 665766ed (ack 0) len 0 junk 0 cmds 0
                buf [\000]
        Server:
                seq b3eaa160 (ack 0) len 0 junk 0 cmds 0
                buf [\000]

In most cases "bad nat" will be incremented as these states are added.  When we reach something over 200,000 "bad nat" results the internal NAT configuration seems to get corrupted.  New sessions will consistently get "no route to host" from the nbrtr (or the router just upstream towards the server).  I peak at fewer than 2000 NAT states at the time of failure.

There is a second server that is used from the same clients matching the same NAT rule.  The server listens on port 992.  There has never been a state type of FTP for sessions connecting to this server -- only for sessions connecting to port 8888.

My kernel config includes:

include "arch/i386/conf/GENERIC.MP"
ipmi0          at mainbus?
options IPSTATE_SIZE=92111
options IPSTATE_MAX=64433
options NAT_SIZE=2047
options RDR_SIZE=2047
options HOSTMAP_SIZE=8191
options NAT_TABLE_MAX=180000
options NAT_TABLE_SZ=16383
options         GATEWAY
options         BRIDGE_IPF
...

>How-To-Repeat:
I'm happy to provide traces with complete IP addrs via private email.  Putting these systems in the public record would be wrong.
>Fix:
none known
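As an added diagnostic, not part of the PR and not NetBSD's own tooling: the script below parses state output in the format of the dump above and reports any state tagged with the ftp proxy whose server port is not the port the proxy rule matches (21 for `proxy port ftp`). The sample input is constructed from the PR's own port-8888 state plus two made-up states (one correctly proxied on port 21, one unproxied on port 992).

```python
import re

# Constructed sample in the format of the PR's state dump: the page's port-8888
# state wrongly carrying the ftp proxy, a made-up port-21 state where the ftp
# proxy is expected, and a made-up port-992 state with no proxy at all.
SAMPLE = """\
MAP INSIDE     34645 <- -> OUTSIDE   34645 [SERVER 8888]
        proxy ftp/6 use -59039 flags 0
                proto 6 flags 0 bytes 176 pkts 3 data YES size 312
MAP INSIDE     34646 <- -> OUTSIDE   34646 [SERVER 21]
        proxy ftp/6 use 1 flags 0
                proto 6 flags 0 bytes 90 pkts 2 data YES size 312
MAP INSIDE     34647 <- -> OUTSIDE   34647 [SERVER 992]
                proto 6 flags 0 bytes 1024 pkts 9 data NO size 0
"""

MAP_RE = re.compile(r"^MAP\s+(\S+)\s+(\d+)\s+<-\s+->\s+(\S+)\s+(\d+)\s+\[(\S+)\s+(\d+)\]")
PROXY_RE = re.compile(r"^\s+proxy\s+(\w+)/(\d+)\s+use\s+(-?\d+)")

# Proxy label -> destination port the proxy rule is meant to match.
# The PR's rule is `proxy port ftp ftp/tcp`, i.e. TCP port 21.
PROXY_PORTS = {"ftp": 21}

def parse_states(text):
    """Return one dict per MAP entry, with the proxy line (if any) attached."""
    states = []
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            states.append({"src": m.group(1), "sport": int(m.group(2)),
                           "dst": m.group(5), "dport": int(m.group(6)),
                           "proxy": None, "use": None})
            continue
        p = PROXY_RE.match(line)
        if p and states:
            states[-1]["proxy"] = p.group(1)
            states[-1]["use"] = int(p.group(3))
    return states

def misidentified(states):
    """States carrying a proxy whose expected port differs from the server port."""
    return [s for s in states
            if s["proxy"] in PROXY_PORTS and PROXY_PORTS[s["proxy"]] != s["dport"]]

if __name__ == "__main__":
    for s in misidentified(parse_states(SAMPLE)):
        print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} tagged proxy "
              f"{s['proxy']} (expected port {PROXY_PORTS[s['proxy']]}), use {s['use']}")
```

Feed it the output of your own state listing in place of `SAMPLE` to count how many live states show the symptom before the "bad nat" counter climbs.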
