NetBSD Problem Report #55236

From  Tue May  5 15:28:11 2020
Date: Tue,  5 May 2020 15:28:10 +0000 (UTC)
Subject: IPfilter truncates UDP packets on NetBSD-9.0/i386 XEN3PAE_DOMU
X-Send-Pr-Version: 3.95

>Number:         55236
>Category:       kern
>Synopsis:       IPfilter truncates UDP packets on NetBSD-9.0/i386 XEN3PAE_DOMU
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue May 05 15:30:00 +0000 2020
>Last-Modified:  Fri May 29 14:05:01 +0000 2020
>Originator:     Emmanuel Dreyfus
>Release:        NetBSD 9.0
System: NetBSD bacasable 9.0 NetBSD 9.0 (XEN3PAE_DOMU) #0: Fri Feb 14 00:06:28 UTC 2020 i386
Architecture: i386
Machine: i386
Once IPfilter is enabled, UDP packets sent by the machine are truncated to a 4-byte boundary.
1) Install a NetBSD-9.0 i386 XEN3PAE_DOMU virtual machine
2) modload ipl; ipf -E
3) nslookup

Or it can be explored in detail with nc. This will be fine:
dd if=/dev/zero count=1 bs=32 | nc -u 53

This will have one byte missing as reported by tcpdump:
dd if=/dev/zero count=1 bs=33 | nc -u 53

Two bytes missing:
dd if=/dev/zero count=1 bs=34 | nc -u 53
NB: the last example is 64 bytes long on

Three bytes missing:
dd if=/dev/zero count=1 bs=35 | nc -u 53

This goes fine:
dd if=/dev/zero count=1 bs=36 | nc -u 53

This problem does not exist on a GENERIC kernel (non-Xen), nor does it happen on amd64 XEN3_DOMU kernels.
No fix known yet. I assume there is an unhelpful alignment somewhere.

From: (Emmanuel Dreyfus)
Subject: Re: kern/55236: IPfilter truncates UDP packets on NetBSD-9.0/i386 XEN3PAE_DOMU
Date: Fri, 29 May 2020 16:00:59 +0200

 This bug disappears if ipfilter is built in and not loaded as a module,
 i.e. if the kernel is built with pseudo-device ipfilter

 Emmanuel Dreyfus
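
An added example (not part of the original report or of NetBSD code): a Python check that compares the UDP length field of a captured IPv4 packet with the bytes actually present, run over constructed packets for the five payload sizes tested in the report. It assumes the truncation drops trailing bytes and leaves the header length fields unchanged, which the report does not state; all function names are hypothetical.

```python
import struct

def build_ipv4_udp(payload: bytes, dport: int = 53) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 8-byte UDP header + payload.
    Checksums are left at zero; addresses are documentation addresses."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp

def inspect_udp(packet: bytes) -> dict:
    """Compare the lengths the headers declare with the bytes actually captured."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 8:
        raise ValueError("truncated inside the headers")
    ip_total = struct.unpack("!H", packet[2:4])[0]
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    declared = udp_len - 8                    # payload size the sender intended
    captured = len(packet) - ihl - 8          # payload bytes actually present
    missing = declared - captured
    return {
        "declared": declared,
        "captured": captured,
        "missing": missing,
        "ip_total_matches": ip_total == len(packet),
        # True when the tail was cut back to the previous multiple of 4
        "cut_at_4_byte_boundary": missing > 0 and captured == declared - declared % 4,
    }

def simulate_reported_truncation(packet: bytes) -> bytes:
    """Assumption: trailing bytes are dropped so the packet length becomes a
    multiple of 4, and the IP/UDP length fields keep their original values."""
    return packet[:len(packet) - len(packet) % 4]

def survey(sizes=range(32, 37)) -> dict:
    """Payload size -> missing bytes, for the sizes used in the report."""
    return {n: inspect_udp(simulate_reported_truncation(build_ipv4_udp(bytes(n))))["missing"]
            for n in sizes}

if __name__ == "__main__":
    for size, missing in survey().items():
        print(f"payload {size}: {missing} byte(s) missing")
```

When feeding real captures to `inspect_udp`, record full packets (for example `tcpdump -s 0`), since a short snapshot length also produces packets shorter than their headers declare.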
