Date: Sat, 28 Jan 2006 16:32:54 +0100
From: Koen Martens <fbsd@metro.cx>
To: freebsd-stable@freebsd.org
Subject: ipfilter + bge strangeness
Message-ID: <43DB8EA6.7070503@metro.cx>
Hi All,

Yesterday night, I was going to send the message below. However, just before pressing send, I found a solution to the problem: disable checksum checks (ifconfig bge0 -rxcsum -txcsum).

Though this is a solution, it has me puzzled. Is this a bug^H^H^Hfeature of 6-STABLE, as it works with 5.4? With 5.4, there was only the rxcsum option for the bge card, not a txcsum. It worked fine with rxcsum enabled on 5.4.

What are the consequences of disabling {rx,tx}csum? What is wrong with enabling it on 6-STABLE?

Best,

Koen

===========[ original message ]=====================================

Hi All,

I'm experiencing some strange behaviour with ipfilter on a bge interface. It ran 5.4, and after upgrading it to 6-STABLE, trouble started. On another host, where there is an em and an fxp interface instead of two bge's, the upgrade did not result in the weirdness.

Well, to the point, here is a little edited down version of the firewall:

pass out log quick on bge0 proto tcp from any to any flags S keep state
pass out log quick on bge0 proto udp from any to any keep state
pass out log quick on bge0 proto icmp from any to any keep state
block in log quick on bge0
pass in quick on bge1
pass out quick on bge1
pass in quick on lo0
pass out quick on lo0
# EOF

So, one would expect that, say, a DNS lookup should be able to go out on the bge0 interface, and the reply should be able to get back in... However, here is what happens (ipmon -a output):

28/01/2006 01:03:28.223739 bge0 @0:2 p 84.92.240.4,50384 -> 194.109.6.66,53 PR udp len 20 55 K-S OUT
28/01/2006 01:03:28.224623 bge0 @0:1 b 194.109.6.66,53 -> 84.92.240.4,50384 PR udp len 20 154 IN bad
28/01/2006 01:03:28.223731 STATE:NEW 84.92.240.4,50384 -> 194.109.6.66,53 PR udp

I'd say the state is created before the DNS reply is coming in, so it should be accepted.. Am I doing something horribly wrong here??

For reference, here are the rule numbers:

foo# ipfstat -nih
64 @1 block in log quick on bge0 all
94 @2 pass in quick on bge1 all
0 @3 pass in quick on lo0 all
foo# ipfstat -noh
0 @1 pass out log quick on bge0 proto tcp from any to any flags S/FSRPAU keep state
57 @2 pass out log quick on bge0 proto udp from any to any keep state
0 @3 pass out log quick on bge0 proto icmp from any to any keep state
79 @4 pass out quick on bge1 all
0 @5 pass out quick on lo0 all

Ifconfig:

curie# ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::211:85ff:fed5:dfae%bge0 prefixlen 64 scopeid 0x1
        inet 84.92.240.4 netmask 0xffffffc0 broadcast 84.92.240.63
        ether 00:11:85:d5:df:ae
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::211:85ff:fed5:df6f%bge1 prefixlen 64 scopeid 0x2
        inet 192.168.0.5 netmask 0xffff0000 broadcast 192.168.255.255
        ether 00:11:85:d5:df:6f
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000

And here is the dmesg output:

Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 6.0-STABLE #0: Sat Jan 28 00:25:41 CET 2006
    root@curie.sonologic.nl:/usr/obj/usr/src/sys/CURIE_VOLTAIRE-6
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) 4 CPU 3.06GHz (3065.81-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf29  Stepping = 9
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x4400<CNTX-ID,<b14>>
  Hyperthreading: 2 logical CPUs
real memory  = 671064064 (639 MB)
avail memory = 651612160 (621 MB)
ACPI APIC Table: <COMPAQ 00000083>
ioapic0: Changing APIC ID to 2
ioapic1: Changing APIC ID to 3
MADT: Forcing active-low polarity and level trigger for SCI
ioapic0 <Version 1.1> irqs 0-15 on motherboard
ioapic1 <Version 1.1> irqs 16-31 on motherboard
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
acpi0: <COMPAQ D13> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-safe" frequency 3579545 Hz quality 1000
acpi_timer0: <32-bit timer at 3.579545MHz> port 0x920-0x923 on acpi0
cpu0: <ACPI CPU> on acpi0
pcib0: <ACPI Host-PCI bridge> on acpi0
pci0: <ACPI PCI bus> on pcib0
atapci0: <CMD 649 UDMA100 controller> port 0x2010-0x2017,0x2018-0x201b,0x2020-0x2027,0x2028-0x202b,0x2030-0x203f irq 17 at device 2.0 on pci0
ata2: <ATA channel 0> on atapci0
ata3: <ATA channel 1> on atapci0
pci0: <display, VGA> at device 3.0 (no driver attached)
pci0: <base peripheral> at device 4.0 (no driver attached)
bge0: <Broadcom BCM5702 Gigabit Ethernet, ASIC rev. 0x1002> mem 0xf6fd0000-0xf6fdffff irq 19 at device 5.0 on pci0
miibus0: <MII bus> on bge0
brgphy0: <BCM5703 10/100/1000baseTX PHY> on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 1000baseTX-FDX, auto
bge0: Ethernet address: 00:11:85:d5:df:ae
bge1: <Broadcom BCM5702 Gigabit Ethernet, ASIC rev. 0x1002> mem 0xf6fc0000-0xf6fcffff irq 20 at device 6.0 on pci0
miibus1: <MII bus> on bge1
brgphy1: <BCM5703 10/100/1000baseTX PHY> on miibus1
brgphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 1000baseTX-FDX, auto
bge1: Ethernet address: 00:11:85:d5:df:6f
isab0: <PCI-ISA bridge> at device 15.0 on pci0
isa0: <ISA bus> on isab0
atapci1: <ServerWorks CSB6 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x2000-0x200f at device 15.1 on pci0
ata0: <ATA channel 0> on atapci1
ata1: <ATA channel 1> on atapci1
pci0: <serial bus, USB> at device 15.2 (no driver attached)
acpi_button0: <Power Button> on acpi0
acpi_tz0: <Thermal Zone> on acpi0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
sio0: <Standard PC COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
fdc0: <floppy drive controller (FDE)> port 0x3f2-0x3f5 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
orm0: <ISA Option ROMs> at iomem 0xc0000-0xc7fff,0xee000-0xeffff on isa0
ppc0: parallel port not found.
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 3065808268 Hz quality 800
Timecounters tick every 1.000 msec
IPv6 packet filtering initialized, logging limited to 100 packets/entry
IP Filter: v4.1.8 initialized.  Default = pass all, Logging = enabled
ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding enabled, default to accept, logging limited to 100 packets/entry by default
acd0: CDROM <CD-224E/9.9A> at ata0-master PIO4
ad4: 76319MB <Seagate ST380011A 8.01> at ata2-master UDMA100
ar0: 76317MB <LSILogic v2 MegaRAID RAID0 (stripe 64 KB)> status: READY
ar0: disk0 READY using ad4 at ata2-master
Trying to mount root from ufs:/dev/ar0s1a
bge0: link state changed to UP
bge1: link state changed to UP
ohci0: <OHCI (generic) USB controller> mem 0xf6fb0000-0xf6fb0fff irq 11 at device 15.2 on pci0
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: SMM does not respond, resetting
usb0: <OHCI (generic) USB controller> on ohci0
usb0: USB revision 1.0
uhub0: (0x1166) OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered

-- 
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, hosting, embedded systems, unix, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program can't read?
Visit http://www.openpgp.org/
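The pattern in the quoted ipmon output, a DNS reply hitting the "block in" rule with the "bad" tag even though ipfilter had already created state for the outgoing query, is worth catching automatically rather than by eye, since the same symptom (every stateful reply silently dropped) is what a checksum-offload mismatch looks like from the firewall side. The following is an added example, not code from the original message nor part of IP Filter: a small Python parser for "ipmon -a" lines that collects the flows ipfilter holds state for (STATE:NEW entries and passes tagged K-S) and then reports blocked packets that are replies to one of them, separating those tagged "bad" (ipmon's mark for a packet ipfilter rejected as malformed before normal rule matching, a failed checksum verification being one cause, which fits the rxcsum/txcsum workaround above). The sample log is constructed from the three lines quoted in the message plus one unrelated inbound packet for contrast; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample of "ipmon -a" output: the three lines quoted in the
# message plus one ordinary unsolicited inbound packet that should NOT be
# reported, because no state exists for it.
SAMPLE_LOG = """\
28/01/2006 01:03:28.223739 bge0 @0:2 p 84.92.240.4,50384 -> 194.109.6.66,53 PR udp len 20 55 K-S OUT
28/01/2006 01:03:28.224623 bge0 @0:1 b 194.109.6.66,53 -> 84.92.240.4,50384 PR udp len 20 154 IN bad
28/01/2006 01:03:28.223731 STATE:NEW 84.92.240.4,50384 -> 194.109.6.66,53 PR udp
28/01/2006 01:03:29.100000 bge0 @0:1 b 10.0.0.9,4444 -> 84.92.240.4,22 PR tcp len 20 60 -S IN
"""

Flow = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

# Packet lines: date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [tags...]
PACKET_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<tail>.*)$"
)
# State lines: date time STATE:EVENT src,sport -> dst,dport PR proto
STATE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) STATE:(?P<event>\w+) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) PR (?P<proto>\w+)$"
)


@dataclass
class Packet:
    time: str
    iface: str
    rule: str        # "group:rule" as ipmon prints it
    action: str      # 'p' = pass, 'b' = block
    flow: Flow
    tags: List[str]  # trailing tokens such as K-S, IN, OUT, bad


@dataclass
class Finding:
    packet: Packet
    reason: str


def _flow(m: "re.Match") -> Flow:
    return (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def reverse(flow: Flow) -> Flow:
    """The 5-tuple a reply to this flow would carry."""
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)


def parse_packet(line: str) -> Optional[Packet]:
    m = PACKET_RE.match(line)
    if not m:
        return None
    return Packet(m["time"], m["iface"], f'{m["group"]}:{m["rule"]}',
                  m["action"], _flow(m), m["tail"].split())


def parse_state(line: str) -> Optional[Flow]:
    """Return the flow of a STATE:NEW line, None for anything else."""
    m = STATE_RE.match(line)
    return _flow(m) if m and m["event"] == "NEW" else None


def find_blocked_replies(lines: Iterable[str]) -> List[Finding]:
    """Blocked packets that are replies to a flow ipfilter already keeps state for."""
    lines = list(lines)
    # Pass 1: collect stateful flows. ipmon may print the STATE:NEW line after
    # the packets it concerns (as in the quoted log), so gather before judging.
    states: Set[Flow] = set()
    for line in lines:
        flow = parse_state(line)
        if flow:
            states.add(flow)
        pkt = parse_packet(line)
        if pkt and pkt.action == "p" and "K-S" in pkt.tags:
            states.add(pkt.flow)
    # Pass 2: a blocked packet whose reversed 5-tuple matches a state entry
    # should have been accepted by that state. The "bad" tag means ipfilter
    # discarded it as malformed before rule matching (a failed checksum check
    # is one cause), which points at the NIC/offload rather than the ruleset.
    findings: List[Finding] = []
    for line in lines:
        pkt = parse_packet(line)
        if not pkt or pkt.action != "b" or reverse(pkt.flow) not in states:
            continue
        if "bad" in pkt.tags:
            reason = "reply to stateful flow dropped as 'bad' (check checksum offload)"
        else:
            reason = "reply to stateful flow blocked by rule without 'bad' tag"
        findings.append(Finding(pkt, reason))
    return findings


if __name__ == "__main__":
    for f in find_blocked_replies(SAMPLE_LOG.splitlines()):
        p = f.packet
        print(f"{p.time} {p.iface} @{p.rule} {p.flow}: {f.reason}")
```

Run against a real ipmon log with `find_blocked_replies(open("/var/log/ipfilter.log"))`; a burst of findings all carrying the "bad" reason on one interface, with the equivalent traffic clean on another, is the signature described in the message, and comparing `ifconfig` options (RXCSUM/TXCSUM) across those interfaces is then the next check.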