From owner-freebsd-current@FreeBSD.ORG Fri Jul 13 13:17:33 2007
To: freebsd-current@freebsd.org, Jack Vogel
From: Ian FREISLICH
In-Reply-To: Message from John Baldwin of "Fri, 13 Jul 2007 08:47:59 -0400." <200707130848.01101.jhb@freebsd.org>
X-Attribution: BOFH
Date: Fri, 13 Jul 2007 15:15:50 +0200
Subject: Re: em0 hijacking traffic to port 623

John Baldwin wrote:
> On Monday 21 May 2007 07:17:07 pm Jack Vogel wrote:
> > On 5/21/07, Sten Spans wrote:
> > > On Mon, 21 May 2007, Ian FREISLICH wrote:
> > > >
> > > > Hi
> > > >
> > > > We've noticed an issue on our firewalls where the first em device
> > > > in the system hijacks inbound port 623 tcp and udp. The OS never
> > > > sees this traffic. Interestingly, em1 and em2 do not appear to be
> > > > afflicted by this problem. Some reading I've done points to a
> > > > similar conclusion:
> > > >
> > > > http://blogs.sun.com/shepler/entry/port_623_or_the_mount
> > > >
> > > > I've looked at the bios, but I can't find any settings that remotely
> > > > hint IPMI or RMCP+ or serial-over-lan.
> > > >
> > > > Does anyone know how I can stop the card or system from stealing
> > > > port 623 in hardware or must I just stop using em0 (and/or Intel NICs)?
> > >
> > > Does "ifconfig em0 promisc" help ?
> > > That fixed firmware related vanishing ipv6 packets on fxp and em.
> >
> > Is this happening even with the latest CURRENT driver, there is code in
> > it now that is supposed to stop the firmware from doing that, at least
> > that was the theory :)
>
> We still see this at work. We use this workaround in /etc/sysctl.conf:
>
> net.inet.ip.portrange.lowlast=665
>
> It seems that the em0 interface always snoops 623 looking for RMCP
> packets for IPMI (or ASF).
=================================================================== RCS file: /home/ncvs/src/sys/dev/em/e1000_82540.c,v retrieving revision 1.3 diff -u -d -r1.3 e1000_82540.c --- e1000_82540.c 16 May 2007 00:14:23 -0000 1.3 +++ e1000_82540.c 25 May 2007 13:40:19 -0000 @@ -316,6 +316,7 @@ /* Disable HW ARPs on ASF enabled adapters */ manc = E1000_READ_REG(hw, E1000_MANC); manc &= ~E1000_MANC_ARP_EN; + manc &= ~(E1000_MANC_RMCP_EN | E1000_MANC_0298_EN); E1000_WRITE_REG(hw, E1000_MANC, manc); E1000_WRITE_REG(hw, E1000_IMC, 0xffffffff);

Fixes it for me. But, of course, I'm not interested in ASF on my gateway hosts. I didn't look further into the initialization of the chip. The datasheet I downloaded suggests that you can filter these packets on IP address as well and I suspect the option is turned on with some default in the EEPROM register that equates to 0.0.0.0/0.

Ian

--
Ian Freislich
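Review bot: the added `manc &= ~(E1000_MANC_RMCP_EN | E1000_MANC_0298_EN);` clears the RMCP (port 0x26F, 623) and 0x298 (port 664) filter enables unconditionally for every adapter that reaches this block, which is broader than the surrounding code's intent of only disabling hardware ARP replies, and it silently turns off ASF/IPMI manageability on hosts whose operators depend on it. Suggest gating the two extra bits behind a loader tunable or per-interface sysctl that defaults to the current behaviour, documenting the knob in em(4) next to the net.inet.ip.portrange.lowlast workaround from the thread, and adding a comment saying that these filters are what makes port 623/664 datagrams vanish before the stack sees them. Since the change lives only in e1000_82540.c, it is also worth checking whether the other chip families' init paths set up MANC the same way.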
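As an added example (not code from this thread or from the em driver), a small check for the symptom Ian describes: UDP listeners on the suspect host plus a sender on a second machine on the same link, with a control port outside the RMCP range so that a datagram swallowed by the NIC can be told apart from one lost on the network or in a firewall. Addresses and ports are parameters; binding 623 or 664 needs root, the control port 6230 is a constructed choice, and loopback traffic never touches the NIC, so a loopback run must always report "ok".

```python
import select, socket, time
# The MANC RMCP/0298 filters cover UDP ports 0x26F = 623 and 0x298 = 664; a control
# port outside that range (e.g. 6230) tells a NIC-side loss from a network-side one.
# Usage: listeners on the suspect host, send_probes() from another host on the link.

def open_listeners(bind_addr, ports):
    """Bind one UDP socket per port on bind_addr (port 0 = any free port)."""
    socks = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind_addr, port))
        socks[s.getsockname()[1]] = s  # read back the real port number
    return socks

def wait_for_datagrams(socks, timeout):
    """Wait up to timeout seconds for one datagram per socket; return {port: delivered}."""
    seen, pending = {p: False for p in socks}, dict(socks)
    deadline = time.monotonic() + timeout
    while pending:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        readable, _, _ = select.select(list(pending.values()), [], [], remaining)
        for s in readable:
            s.recvfrom(2048)
            port = s.getsockname()[1]
            seen[port] = True
            del pending[port]
    for s in socks.values():
        s.close()
    return seen

def send_probes(dst_addr, ports, payload=b"rmcp-port-check"):
    """Run from a second host on the same link: one datagram to each port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for port in ports:
            s.sendto(payload, (dst_addr, port))
    finally:
        s.close()

def classify(seen, control_port):
    """Control port seen but an RMCP port not: swallowed before the OS saw it (the em0
    symptom). Control port missing as well: look at the network or firewall first."""
    if not seen.get(control_port):
        return "no-delivery"
    missing = sorted(p for p in seen if p != control_port and not seen[p])
    return "hijacked:" + ",".join(map(str, missing)) if missing else "ok"
```

On the firewall itself run `open_listeners(addr, (623, 664, 6230))` followed by `wait_for_datagrams`, and `send_probes(addr, (623, 664, 6230))` from the other box; `classify(seen, 6230)` then names the ports that never reached the stack.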