NetBSD Problem Report #43484

From  Wed Jun 16 02:04:35 2010
Return-Path: <>
Received: from ( [])
	by (Postfix) with ESMTP id 034D463B916
	for <>; Wed, 16 Jun 2010 02:04:34 +0000 (UTC)
Message-Id: <>
Date: Wed, 16 Jun 2010 14:04:29 +1200 (NZST)
Subject: wrong length in "larger" icmp packets when IPF enabled
X-Send-Pr-Version: 3.95

>Number:         43484
>Category:       kern
>Synopsis:       IPF: wrong length in "larger" icmp packets when IPF enabled
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ipf-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 16 02:05:00 +0000 2010
>Last-Modified:  Sun Feb 25 18:32:45 +0000 2018
>Originator:     Mark Davies
>Release:        NetBSD 5.0_STABLE
ECS, Victoria Uni. of Wellington, New Zealand.

System: NetBSD 5.0_STABLE NetBSD 5.0_STABLE (ECS_WORKSTATION) #7: Sun Feb 28 09:13:18 NZDT 2010 i386
Architecture: i386
Machine: i386
	IPF seems to be producing IP packets with the length field byteswapped 
	for ICMP packets that it relays larger than 200 bytes in size (including
	the ip header).

	First noticed with a 5.0_RC3/i386 system. Problem still there with a
	5.1_RC3/i386 system and a -current snapshot from yesterday. contains a tcpdump trace 
	captured on the internal interface of the box running ipf
	showing 12 icmp port unreachable packets, and the outgoing packets
	that caused them.

	The first 4 are length 200 and pass through OK.
	The second 4 are length 201 but have length 51456 (201 byte swapped)
	recorded and have incorrect ip header checksums.
	The last 4 are length 201 but ipf has been disabled and they pass
	through OK.

	Enable IPF on a machine acting as a router with the following
	minimal ruleset 
		pass in all
		pass out all

	use scamper from a machine on one side of the router to a machine
	on the other to cause icmp port unreachable packets of a particular
	size be generated.

	scamper -c 'ping -P udp -s 172' -i a.b.c.d
        scamper -c 'ping -P udp -s 173' -i a.b.c.d

	observe the first succeed and the second fail.




Responsible-Changed-From-To: kern-bug-people->darrenr
Responsible-Changed-When: Wed, 16 Jun 2010 02:15:13 +0000
over to IPF maintainer.

Responsible-Changed-From-To: darrenr->kern-bug-people
Responsible-Changed-When: Mon, 23 Dec 2013 11:31:46 +0000
resigned, back to role account

Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-When: Mon, 23 Dec 2013 17:38:04 +0000
there's a special role for ipf bugs


NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD:,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.