On 08/22/2009 07:19 AM, Jim Klimov wrote:
I guess I figured it out somewhat, and searching the very
old archives did play a part in this.

http://www.mail-archive.com/[email protected]/msg07513.html

The tcpdump problems are cosmetic and related to hardware
checksum offloading. However, even after setting the flag
to zero and rebooting, the problem persists as in the
reproduction scenario quoted below.

That is, tcpdump on the router host no longer complains
about checksums in most cases, but some still persist, i.e.

15:17:11.448413 08:00:27:f6:dc:bd>  00:e0:81:5e:9f:cb, ethertype
IPv4 (0x0800), length 60: (tos 0x0, ttl   1, id 32159, offset 0,
flags [none], proto: ICMP (1), length: 40) 192.168.186.250>
194.67.183.19: ICMP echo request, id 33306, seq 0, length 20

15:17:11.448450 00:e0:81:5e:9f:cb>  08:00:27:f6:dc:bd, ethertype
IPv4 (0x0800), length 82: truncated-ip - 17340 bytes missing!
(tos 0x0, ttl 255, id 39119, offset 512, flags [none],
proto: ICMP (1), length: 17408, bad cksum ec9a (->e89e)!)
192.168.186.2>  192.168.186.250: icmp

So I'm back into debugging the networking setup.

Jim Klimov wrote:
I forgot to mention that, like before, this system is a Sun
Fire X2100 (pre-M2) server with an nge and a bge couple of
interfaces, so most of OS interfaces are VLANs. The one in
question as the external connection certainly is, bge126000.

Maybe some hardcoded offset stuff breaks when Ethernet VLAN
tag bytes come into play?

Jim Klimov wrote:
Hello Darren et al,

I think I have a déjà vu again: with IPF 4.1.33 active my
firewall does not respond to pings while tracing through it.

This happens specifically after the rules are touched by
the driver, i.e. reproduction:
1) /etc/init.d/ipfilter stop
    - module is unloaded, my router responds to tracert
2) modload /usr/kernel/drv/ipf
    - host still responds
3) ipf -Fy
    - host stops responding even while the rule list is empty
    When I load rules which pass all packets in and out, host
    is still out of the traces.

Since other hosts "around" it respond to traces, it may be
that packets entering and exiting the system are mangled
in a similar manner, and packets originating or terminating
on the host are only mangled once - so they break. However
SSH to the machine works well, so there's something deeper
than that.

Seems this also breaks NAT. At the very least, it is not
working for me now (but packets don't panic the kernel
either, which is an improvement compared to my previous
experimental builds).

16:45:28.354506 IP (tos 0x0, ttl 127, id 1150, offset 0,
flags [DF], proto: TCP (6), length: 48) 93.175.31.2.1821
  >  193.169.34.3.22107: S, cksum 0x957f (correct),
738265398:738265398(0) win 64240<mss 1366,nop,nop,sackOK>

16:45:28.500340 IP (tos 0x0, ttl  64, id 42280, offset 0,
flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->354a)!)
93.175.31.2.1821>  193.169.34.3.22107: R, cksum 0x0000
(incorrect (->  0xbcd2), 738265399:738265399(0) win 0


Hi Jim,

I am using IPFilter 4.1.32 on CentOS 5.3, Linux kernel 2.6.18-128.1.10.el5

Did you figure anything out on this:
15:17:11.448450 00:e0:81:5e:9f:cb>  08:00:27:f6:dc:bd, ethertype
IPv4 (0x0800), length 82: truncated-ip - 17340 bytes missing!
(tos 0x0, ttl 255, id 39119, offset 512, flags [none],
proto: ICMP (1), length: 17408, bad cksum ec9a (->e89e)!)
192.168.186.2>  192.168.186.250: icmp

I'm seeing a similar problem with bootp responses: dhclient is discarding
the response, so I can't pull an address with ipf on.


/sbin/dhclient -cf /etc/dhclient.conf
Internet Systems Consortium DHCP Client V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

reason is PREINIT
interface is eth1
/etc/foxbox-dhclient-script: PREINIT for eth1
oldip is 192.168.198.178
Listening on LPF/eth1/00:02:b6:36:97:9f
Sending on   LPF/eth1/00:02:b6:36:97:9f
Sending on   Socket/fallback
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 4
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 10
5 bad IP checksums seen in 5 packets
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 14
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 12
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 10
5 bad IP checksums seen in 5 packets
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 3
No DHCPOFFERS received.
Trying recorded lease 192.168.198.178
reason is TIMEOUT
interface is eth1
/etc/foxbox-dhclient-script: TIMEOUT for eth1

[r...@z2966 ~]# tcpdump -nlvvi eth1 port 67 or port 68
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:15:58.095208 IP (tos 0x10, ttl  16, id 0, offset 0, flags [none], proto: UDP 
(17), length: 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request 
from 00:02:b6:36:97:9f, length: 300, xid:0xe549556a, flags: [none] (0x0000)
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]
10:15:58.095922 IP truncated-ip - 23205 bytes missing! (tos 0x0, ttl 128, id 27103, 
offset 0, flags [none], proto: UDP (17), length: 23553, bad cksum 48c3 (->ee1d)!) 
192.168.198.70.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 23525, 
xid:0xe549556a, flags: [none] (0x0000)
          Your IP: 192.168.198.178
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]
10:16:01.003339 IP (tos 0x10, ttl  16, id 0, offset 0, flags [none], proto: UDP 
(17), length: 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request 
from 00:02:b6:36:97:9f, length: 300, xid:0xe549556a, secs:3, flags: [none] (0x0000)
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]
10:16:01.003851 IP truncated-ip - 23205 bytes missing! (tos 0x0, ttl 128, id 27115, 
offset 0, flags [none], proto: UDP (17), length: 23553, bad cksum 48b7 (->ee11)!) 
192.168.198.70.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 23525, 
xid:0xe549556a, flags: [none] (0x0000)
          Your IP: 192.168.198.178
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]
10:16:05.064004 IP truncated-ip - 19635 bytes missing! (tos 0x0, ttl 128, id 0, 
offset 0, flags [none], proto: UDP (17), length: 19969, bad cksum 39a0 (->ecec)!) 
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 
00:1e:68:5e:b2:5f, length: 19941, xid:0x56f3cba3, flags: [Broadcast] (0x8000)
          Client Ethernet Address: 00:1e:68:5e:b2:5f [|bootp]


Now with ipfilter off via ipf -Fa:

/sbin/dhclient -cf /etc/dhclient.conf
Internet Systems Consortium DHCP Client V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

reason is PREINIT
interface is eth1
/etc/foxbox-dhclient-script: PREINIT for eth1
oldip is 192.168.198.178
Listening on LPF/eth1/00:02:b6:36:97:9f
Sending on   LPF/eth1/00:02:b6:36:97:9f
Sending on   Socket/fallback
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPACK from 192.168.198.70
reason is REBOOT
interface is eth1
/etc/foxbox-dhclient-script: REBOOT for eth1
oldip is 192.168.198.178
/etc/foxbox-dhclient-script: IP Address 192.168.198.178
/etc/foxbox-dhclient-script: Subnet Mask 255.255.255.0
/etc/foxbox-dhclient-script: Default Router 192.168.198.252
/etc/foxbox-dhclient-script: DNS Servers 192.168.198.70 192.168.198.72 
192.168.192.26 192.168.198.215 192.168.198.205
bound to 192.168.198.178 -- renewal in 216727 seconds.


[r...@z2966 ~]# uname -a
Linux Z2966.tester.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:39:21 EDT 2009 
i586 i586 i386 GNU/Linux
[r...@z2966 ~]# tcpdump -nlvvi eth1 port 67 or port 68
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:21:52.499996 IP (tos 0x10, ttl  16, id 0, offset 0, flags [none], proto: UDP 
(17), length: 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request 
from 00:02:b6:36:97:9f, length: 300, xid:0x2f43b119, flags: [none] (0x0000)
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]
10:21:52.500840 IP (tos 0x0, ttl 128, id 28479, offset 0, flags [none], proto: UDP 
(17), length: 348) 192.168.198.70.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, 
Reply, length: 320, xid:0x2f43b119, flags: [none] (0x0000)
          Your IP: 192.168.198.178
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]


IPF rules:

block in log from any to any
block in log quick from any to any with short
pass in quick on lo from any to any
pass out quick on lo from any to any
pass out proto tcp from any to any flags S/S keep state
pass out proto udp from any to any keep state
pass out proto icmp from any to any keep state
block in on eth1 from 10.0.0.0/8 to any
block in on eth1 from 172.16.0.0/12 to any
block in on eth1 from 192.168.0.0/16 to any
block in on eth1 from 10.254.1.4/32 to any
block in on eth1 from 10.254.1.0/24 to any
pass in quick on eth0 proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 22 keep state
pass in quick on eth0 proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 8081 keep state
pass in quick on eth0 proto icmp from 10.254.1.0/24 to 10.254.1.4/32 icmp-type 8 keep state
pass in quick on eth0 proto udp from 10.254.1.0/24 port >= 1024 to 10.254.1.4/32 port = 161 keep state
pass in quick on eth0 proto udp from 10.254.1.0/24 port >= 1024 to 10.254.1.4/32 port = 162 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to any port = 23 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to any port = 21 keep state
pass in quick proto tcp from 10.254.1.0/24 port = 20 to any port > 1023 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to any port = 119 keep state
pass in quick proto udp from 10.254.1.0/24 port = 137 to 10.254.1.255/32 port = 137 keep state
pass in quick proto udp from 10.254.1.0/24 port = 138 to 10.254.1.255/32 port = 138 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.255/32 port = 139 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to any port = 80 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to any port = 443 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 25 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 110 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 143 keep state
pass in quick proto tcp from any port > 1023 to 10.254.1.4/32 port = 25 keep state
pass in quick proto udp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 53 keep state
pass in quick proto udp from 10.254.1.0/24 port = 53 to 10.254.1.4/32 port = 53 keep state
pass in quick proto udp from 10.254.1.0/24 port = 137 to 10.254.1.4/32 port = 137 keep state
pass in quick proto udp from 10.254.1.0/24 port = 138 to 10.254.1.4/32 port = 138 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 139 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 8080 keep state
pass in quick proto icmp from any to 10.254.1.4/32 keep state
pass in quick proto tcp from any port > 1023 to 10.254.1.4/32 port = 80 keep state
pass in quick on eth1 proto tcp from any port > 1023 to 192.168.198.178/32 port = 22 keep state
pass in quick on eth1 proto tcp from any port > 1023 to 192.168.198.178/32 port = 8081 keep state
pass in quick on eth1 proto icmp from any to 192.168.198.178/32 icmp-type 8 keep state
pass in quick on eth1 proto udp from any port >= 1024 to 192.168.198.178/32 port = 161 keep state
pass in quick on eth1 proto udp from any port >= 1024 to 192.168.198.178/32 port = 162 keep state
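An added example, not code from the thread, that redoes the arithmetic behind the two "truncated-ip ... bad cksum" reports quoted above, Jim's ICMP echo reply and the DHCP reply: the header checksum tcpdump found on the wire (0xec9a and 0x48c3) is exactly the checksum of the same header with the bytes of ip_len (and, for the ICMP packet, ip_off) swapped back, i.e. 23553 is 0x5c01 for a real 348 (0x015c) bytes and 17408 is 0x4400 for a real 68 bytes. The header fields are reconstructed from what tcpdump printed, the on-wire lengths come from the ipf-off capture and the Ethernet frame length, and the swap test only checks that hypothesis against the numbers; it says nothing about where in the stack the swap happens.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum of an IPv4 header (checksum field treated as zero)."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:  # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(tot_len, ident, frag, ttl, proto, src, dst, cksum=None):
    """20-byte IPv4 header, src/dst as dotted quads; cksum=None fills in the
    correct checksum, any other value is written as-is (to replay a bad one)."""
    ip2b = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, tot_len, ident, frag,
                      ttl, proto, 0, ip2b(src), ip2b(dst))
    if cksum is None:
        cksum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", cksum) + hdr[12:]

def diagnose(header: bytes, wire_len: int) -> dict:
    """Redo tcpdump's 'truncated-ip' and 'bad cksum' checks on one header and
    test whether ip_len/ip_off are merely in the wrong byte order."""
    tot_len, cksum = struct.unpack("!2xH6xH", header[:12])
    swapped = bytearray(header)
    swapped[2], swapped[3] = header[3], header[2]  # ip_len bytes exchanged
    swapped[6], swapped[7] = header[7], header[6]  # ip_off bytes exchanged
    return {
        "total_length": tot_len,
        "missing": max(tot_len - wire_len, 0),      # "N bytes missing!"
        "cksum_ok": cksum == ipv4_checksum(header),
        "expected_cksum": ipv4_checksum(header),     # "(->xxxx)"
        "swap_restores_cksum": ipv4_checksum(bytes(swapped)) == cksum,
        "length_if_swapped": struct.unpack("!H", bytes(swapped[2:4]))[0],
    }

# Constructed from the fields tcpdump printed in the thread, not real captures.
# DHCP reply: length 23553, id 27103, ttl 128, UDP, checksum on the wire 0x48c3;
# the capture with ipf off shows the same reply is really 348 bytes long.
BROKEN_DHCP_REPLY = build_ipv4_header(23553, 27103, 0x0000, 128, 17,
                                      "192.168.198.70", "255.255.255.255", cksum=0x48C3)
# ICMP echo reply from Jim's trace: length 17408, id 39119, offset 512 (ip_off 0x0040),
# ttl 255, checksum on the wire 0xec9a; 82-byte frame minus 14 Ethernet bytes = 68.
BROKEN_ICMP_REPLY = build_ipv4_header(17408, 39119, 0x0040, 255, 1,
                                      "192.168.186.2", "192.168.186.250", cksum=0xEC9A)
if __name__ == "__main__":
    for name, hdr, wire in (("dhcp", BROKEN_DHCP_REPLY, 348), ("icmp", BROKEN_ICMP_REPLY, 68)):
        print(name, diagnose(hdr, wire))
```

For both packets `swap_restores_cksum` comes out True and `length_if_swapped` equals the length seen with ipf off, while a header built with the correct length passes `cksum_ok` and reports nothing missing.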
