Date: Fri, 13 Jul 2007 09:21:53 -0700
Message-ID: <2a41acea0707130921x38d35d3br62842ef118c93261@mail.gmail.com>
From: "Jack Vogel"
To: "Ian FREISLICH"
Cc: freebsd-current@freebsd.org
Subject: Re: em0 hijacking traffic to port 623
References: <200707130848.01101.jhb@freebsd.org>
List-Id: Discussions about the use of FreeBSD-current

On 7/13/07, Ian FREISLICH wrote:
> John Baldwin wrote:
> > On Monday 21 May 2007 07:17:07 pm Jack Vogel wrote:
> > > On 5/21/07, Sten Spans wrote:
> > > > On Mon, 21 May 2007, Ian FREISLICH wrote:
> > > > >
> > > > > Hi
> > > > >
> > > > > We've noticed an issue on our firewalls where the first em device
> > > > > in the system hijacks inbound port 623 tcp and udp. The OS never
> > > > > sees this traffic. Interestingly, em1 and em2 do not appear to be
> > > > > afflicted by this problem. Some reading I've done points to a
> > > > > similar conclusion:
> > > > >
> > > > > http://blogs.sun.com/shepler/entry/port_623_or_the_mount
> > > > >
> > > > > I've looked at the BIOS, but I can't find any settings that remotely
> > > > > hint at IPMI or RMCP+ or serial-over-LAN.
> > > > >
> > > > > Does anyone know how I can stop the card or system from stealing
> > > > > port 623 in hardware or must I just stop using em0 (and/or Intel NICs)?
> > > >
> > > > Does "ifconfig em0 promisc" help?
> > > > That fixed firmware-related vanishing ipv6 packets on fxp and em.
> > >
> > > Is this happening even with the latest CURRENT driver? There is code in
> > > it now that is supposed to stop the firmware from doing that, at least
> > > that was the theory :)
> >
> > We still see this at work. We use this workaround in /etc/sysctl.conf:
> >
> > net.inet.ip.portrange.lowlast=665
> >
> > It seems that the em0 interface always snoops 623 looking for RMCP
> > packets for IPMI (or ASF).
>
> ===================================================================
> RCS file: /home/ncvs/src/sys/dev/em/e1000_82540.c,v
> retrieving revision 1.3
> diff -u -d -r1.3 e1000_82540.c
> --- e1000_82540.c 16 May 2007 00:14:23 -0000 1.3
> +++ e1000_82540.c 25 May 2007 13:40:19 -0000
> @@ -316,6 +316,7 @@
> /* Disable HW ARPs on ASF enabled adapters */
> manc = E1000_READ_REG(hw, E1000_MANC);
> manc &= ~E1000_MANC_ARP_EN;
> + manc &= ~(E1000_MANC_RMCP_EN | E1000_MANC_0298_EN);
> E1000_WRITE_REG(hw, E1000_MANC, manc);
>
> E1000_WRITE_REG(hw, E1000_IMC, 0xffffffff);
>
> Fixes it for me. But, of course, I'm not interested in ASF on my
> gateway hosts.
>
> I didn't look further into the initialization of the chip. The
> datasheet I downloaded suggests that you can filter these packets
> on IP address as well and I suspect the option is turned on with
> some default in the EEPROM register that equates to 0.0.0.0/0.

Hardcoding this change into shared code is not the right place to do it,
however I'll take a look at that and figure out a more appropriate approach.

Jack
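Review bot: the added line in the `@@ -316,6 +316,7 @@` hunk clears E1000_MANC_RMCP_EN and E1000_MANC_0298_EN unconditionally, inside a block whose comment still reads "Disable HW ARPs on ASF enabled adapters", so the code now turns off more manageability filtering than the comment describes, and does so for every adapter that takes this init path, including hosts that rely on ASF/IPMI through the NIC. Gate the two extra bits behind a driver tunable or a per-interface option instead of hard-coding them, and update the comment to say that RMCP (port 623) and 0x298 filtering are being disabled as well. Because the change lives only in e1000_82540.c, adapters handled by the other MAC-type files keep the old behaviour, which is worth stating in the commit message if this approach is kept.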
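The `net.inet.ip.portrange.lowlast=665` workaround quoted above works on the host side rather than in the NIC: it shrinks the reserved port range the kernel hands to IP_PORTRANGE_LOW sockets (lowfirst down to lowlast, stock 1023..600) so that a local client can never be given 623, or 664 (0x298, the secure RMCP port the E1000_MANC_0298_EN bit refers to), as its source port and then lose the replies to the firmware. The script below is an added example, not code from this thread or from FreeBSD; it parses `sysctl net.inet.ip.portrange` or sysctl.conf lines and reports which local port ranges could still allocate those two ports. The sample sysctl values are constructed for the demonstration and are not claimed to be any release's defaults; the low range being written as first > last (walked downward) is an assumption stated in the code.

```python
import re
from typing import Dict, List, Tuple

# Ports the NIC's manageability firmware claims in the thread: 623 is RMCP
# (IPMI/ASF); 664 is secure RMCP (0x298, hence the E1000_MANC_0298_EN name).
MANAGEABILITY_PORTS = (623, 664)

# Constructed sample of `sysctl net.inet.ip.portrange` output (not captured
# from a real host and not asserted to be any release's defaults). The low
# range is listed first > last because the kernel walks it downward.
SAMPLE_DEFAULT = """\
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
"""

# Same sample with the thread's lowlast=665 workaround applied, and a
# constructed half-measure (lowlast=624) that excludes 623 but not 664.
SAMPLE_WORKAROUND = SAMPLE_DEFAULT.replace("lowlast: 600", "lowlast: 665")
SAMPLE_PARTIAL = SAMPLE_DEFAULT.replace("lowlast: 600", "lowlast: 624")

# Accepts both `sysctl` output (key: value) and /etc/sysctl.conf (key=value).
_LINE_RE = re.compile(r"^\s*net\.inet\.ip\.portrange\.(\w+)\s*[:=]\s*(\d+)\s*$")


def parse_portrange(text: str) -> Dict[str, int]:
    """Return {leaf_name: value} for every portrange sysctl line found in text."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def allocation_ranges(values: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Return (label, lo, hi) for each range present in the parsed values.

    Assumption: whichever direction the kernel walks a range, the ports it
    can hand out are the inclusive interval between its two endpoints, so the
    endpoints are sorted before any comparison.
    """
    ranges: List[Tuple[str, int, int]] = []
    for prefix, label in (("low", "low"), ("", "default"), ("hi", "high")):
        first = values.get(prefix + "first")
        last = values.get(prefix + "last")
        if first is None or last is None:
            continue  # that range was not in the input; skip rather than guess
        lo, hi = sorted((first, last))
        ranges.append((label, lo, hi))
    return ranges


def ranges_containing(values: Dict[str, int], port: int) -> List[str]:
    """Labels of the local ranges that could pick `port` as a source port."""
    return [label for label, lo, hi in allocation_ranges(values) if lo <= port <= hi]


def exposed_ports(values: Dict[str, int],
                  ports: Tuple[int, ...] = MANAGEABILITY_PORTS) -> Dict[int, List[str]]:
    """Map each still-allocatable manageability port to the ranges exposing it."""
    result: Dict[int, List[str]] = {}
    for port in ports:
        hits = ranges_containing(values, port)
        if hits:
            result[port] = hits
    return result


def report(text: str) -> str:
    """One-line human-readable verdict for a sysctl dump or sysctl.conf text."""
    exposed = exposed_ports(parse_portrange(text))
    if not exposed:
        return "ok: no local port range can allocate " + \
            ", ".join(str(p) for p in MANAGEABILITY_PORTS)
    parts = [f"{port} via {'/'.join(labels)} range" for port, labels in exposed.items()]
    return "exposed: " + "; ".join(parts)


if __name__ == "__main__":
    for name, sample in (("stock", SAMPLE_DEFAULT),
                         ("lowlast=624", SAMPLE_PARTIAL),
                         ("lowlast=665", SAMPLE_WORKAROUND)):
        print(f"{name:12} {report(sample)}")
```

Run it against `sysctl net.inet.ip.portrange` output piped into `report()` to confirm a box's configuration before trusting the workaround; note that this only checks what the kernel may allocate locally. It says nothing about inbound traffic to 623 or 664, which the firmware still intercepts until the driver stops it, so a separate end-to-end test (sending to those ports from another host and watching whether the OS ever sees the packets) is still needed.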