kern/143940: ipfw nat and em interface rxcsum problem

Dmitriy Demidov dima_bsd at inbox.lv
Sun Feb 14 20:10:05 UTC 2010


>Number:         143940
>Category:       kern
>Synopsis:       ipfw nat and em interface rxcsum problem
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 14 20:10:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Dmitriy Demidov
>Release:        FreeBSD 7.3-PRERELEASE i386
>Organization:
>Environment:
FreeBSD hius.local.home 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0: Sun Feb 14 15:21:11 EET 2010     terminus at hius.local.home:/usr/obj/usr/src/sys/STABLE  i386
>Description:
There is a problem with UDP pass throughout ipfw nat then em driver have rxcsum enabled. In the same time TCP traffic is not affected - I can use telnet to IP then rxcsum is on.

For example tcpdump whith rxcsum:

tcpdump -i 2 -v -n -l udp
==
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
21:40:27.130983 IP (tos 0x0, ttl 64, id 6748, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.20152 > 192.5.6.30.53: 62854% [1au] A? www.redhat.com. (43)
21:40:27.507620 IP (tos 0x0, ttl 64, id 6749, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.18912 > 192.35.51.30.53: 13850% [1au] A? www.redhat.com. (43)
21:40:27.884586 IP (tos 0x0, ttl 64, id 6750, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.29135 > 192.55.83.30.53: 41425% [1au] A? www.redhat.com. (43)
21:40:28.263572 IP (tos 0x0, ttl 64, id 6751, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.10444 > 192.52.178.30.53: 6087% [1au] A? www.redhat.com. (43)
21:40:28.615537 IP (tos 0x0, ttl 64, id 6752, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.58118 > 192.43.172.30.53: 63884% [1au] A? www.redhat.com. (43)
21:40:28.992486 IP (tos 0x0, ttl 64, id 6753, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.19810 > 192.33.14.30.53: 62148% [1au] A? www.redhat.com. (43)
21:40:29.369452 IP (tos 0x0, ttl 64, id 6754, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.6475 > 192.5.6.30.53: 40935% [1au] A? www.redhat.com. (43)
21:40:30.122434 IP (tos 0x0, ttl 64, id 6755, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.25595 > 192.48.79.30.53: 51119% [1au] A? www.redhat.com. (43)
21:40:30.499349 IP (tos 0x0, ttl 64, id 6756, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.60447 > 192.48.79.30.53: 850% [1au] A? www.redhat.com. (43)
21:40:31.252291 IP (tos 0x0, ttl 64, id 6764, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.29325 > 192.31.80.30.53: 16308% [1au] A? www.redhat.com. (43)
21:40:31.620152 IP (tos 0x0, ttl 64, id 6779, offset 0, flags [none], proto UDP (17), length 76) 95.68.114.78.123 > 80.90.20.19.123: NTPv4, length 48

==


and then rxcsum is off:

tcpdump -i 2 -v -n -l udp
===
21:39:45.012101 IP (tos 0x0, ttl 64, id 6591, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.60570 > 199.19.53.1.53: 12025% [1au] A? www.kernel.org. (43)
21:39:45.062332 IP (tos 0x0, ttl 247, id 60869, offset 0, flags [DF], proto UDP (17), length 835) 199.19.53.1.53 > 95.68.114.78.60570: 12025- 0/12/8 (807)
21:39:45.062744 IP (tos 0x0, ttl 64, id 6592, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.41587 > 204.152.191.16.53: 49848% [1au] A? www.kernel.org. (43)
21:39:45.439379 IP (tos 0x0, ttl 64, id 6593, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.53299 > 209.132.176.167.53: 17340% [1au] A? www.kernel.org. (43)
21:39:45.439608 IP (tos 0x0, ttl 64, id 6594, offset 0, flags [none], proto UDP (17), length 72) 95.68.114.78.55340 > 199.7.83.42.53: 50445% [1au] A? ns1.q.port80.se. (44)
21:39:45.482710 IP (tos 0x0, ttl 59, id 49090, offset 0, flags [none], proto UDP (17), length 664) 199.7.83.42.53 > 95.68.114.78.55340: 50445- 0/12/14 (636)
21:39:45.483110 IP (tos 0x0, ttl 64, id 6595, offset 0, flags [none], proto UDP (17), length 72) 95.68.114.78.48938 > 192.36.133.107.53: 16536% [1au] A? ns1.q.port80.se. (44)
21:39:45.528423 IP (tos 0x0, ttl 56, id 13488, offset 0, flags [none], proto UDP (17), length 376) 192.36.133.107.53 > 95.68.114.78.48938: 16536- 0/6/3 (348)
21:39:45.528672 IP (tos 0x0, ttl 64, id 6596, offset 0, flags [none], proto UDP (17), length 72) 95.68.114.78.63916 > 217.75.109.220.53: 29369% [1au] A? ns1.q.port80.se. (44)
21:39:45.528890 IP (tos 0x0, ttl 64, id 6597, offset 0, flags [none], proto UDP (17), length 70) 95.68.114.78.32319 > 192.55.83.30.53: 9045% [1au] A? ns4.q.p80.net. (42)
21:39:45.529066 IP (tos 0x0, ttl 64, id 6598, offset 0, flags [none], proto UDP (17), length 70) 95.68.114.78.6721 > 192.52.178.30.53: 1478% [1au] A? ns3.q.p80.net. (42)
21:39:45.571781 IP (tos 0x0, ttl 56, id 61364, offset 0, flags [DF], proto UDP (17), length 213) 217.75.109.220.53 > 95.68.114.78.63916: 29369*- 1/4/4 ns1.q.port80.se. A 217.75.109.220 (185)
21:39:45.590262 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto UDP (17), length 197) 192.52.178.30.53 > 95.68.114.78.6721: 1478- 1/4/3 ns3.q.p80.net. A 82.96.9.250 (169)
21:39:45.590485 IP (tos 0x0, ttl 64, id 6599, offset 0, flags [none], proto UDP (17), length 70) 95.68.114.78.39731 > 82.96.2.250.53: 4565% [1au] A? ns3.q.p80.net. (42)
21:39:45.613763 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 197) 192.55.83.30.53 > 95.68.114.78.32319: 9045- 1/4/3 ns4.q.p80.net. A 82.96.8.250 (169)
21:39:45.614087 IP (tos 0x0, ttl 64, id 6600, offset 0, flags [none], proto UDP (17), length 70) 95.68.114.78.60102 > 217.75.109.220.53: 32305% [1au] A? ns4.q.p80.net. (42)
21:39:45.660231 IP (tos 0x0, ttl 56, id 61366, offset 0, flags [DF], proto UDP (17), length 213) 217.75.109.220.53 > 95.68.114.78.60102: 32305*- 1/4/4 ns4.q.p80.net. A 82.96.8.250 (185)
21:39:45.669840 IP (tos 0x0, ttl 55, id 58170, offset 0, flags [DF], proto UDP (17), length 213) 82.96.2.250.53 > 95.68.114.78.39731: 4565*- 1/4/4 ns3.q.p80.net. A 82.96.9.250 (185)
21:39:45.816298 IP (tos 0x0, ttl 64, id 6601, offset 0, flags [none], proto UDP (17), length 71) 95.68.114.78.20845 > 130.239.17.16.53: 56057% [1au] A? www.kernel.org. (43)
21:39:45.873856 IP (tos 0x0, ttl 53, id 55646, offset 0, flags [none], proto UDP (17), length 278) 130.239.17.16.53 > 95.68.114.78.20845: 56057*- 1/5/6 www.kernel.org. CNAME www.geo.kernel.org. (250)
21:39:45.874210 IP (tos 0x0, ttl 64, id 6602, offset 0, flags [none], proto UDP (17), length 75) 95.68.114.78.35195 > 149.20.20.140.53: 29216% [1au] A? www.geo.kernel.org. (47)
21:39:46.108721 IP (tos 0x0, ttl 59, id 3519, offset 0, flags [none], proto UDP (17), length 115) 149.20.20.140.53 > 95.68.114.78.35195: 29216*- 2/0/1 www.geo.kernel.org. CNAME pub.geo.kernel.org.[|domain]
21:39:46.109031 IP (tos 0x0, ttl 64, id 6603, offset 0, flags [none], proto UDP (17), length 75) 95.68.114.78.55896 > 130.239.17.11.53: 13112% [1au] A? pub.geo.kernel.org. (47)
21:39:46.166560 IP (tos 0x0, ttl 53, id 55647, offset 0, flags [none], proto UDP (17), length 97) 130.239.17.11.53 > 95.68.114.78.55896: 13112*- 1/0/1 pub.geo.kernel.org. CNAME[|domain]
21:39:46.166878 IP (tos 0x0, ttl 64, id 6604, offset 0, flags [none], proto UDP (17), length 75) 95.68.114.78.44098 > 195.92.253.2.53: 13925% [1au] A? pub.all.kernel.org. (47)
21:39:46.242006 IP (tos 0x0, ttl 52, id 63919, offset 0, flags [none], proto UDP (17), length 503) 195.92.253.2.53 > 95.68.114.78.44098: 13925* 4/10/11 pub.all.kernel.org. A 199.6.1.164, pub.all.kernel.org.[|domain]

^C
==


# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:20:ed:11:11:11
        inet 95.68.114.78 netmask 0xffffe000 broadcast 255.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active


# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:20:ed:11:11:11
        inet 95.68.114.78 netmask 0xffffe000 broadcast 255.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active


# ipfw show
00100 13532 2961560 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     5     200 deny ip from 127.0.0.0/8 to any
00400     0       0 count ip from any to any frag
00500     0       0 allow ip from any to any via fxp0
00600  4599 1966327 count ip from any to any
00700     0       0 deny ip from any to 192.168.0.0/16 in via em0
00800     0       0 deny ip from 192.168.0.0/16 to any in via em0
00900     0       0 deny ip from any to 172.16.0.0/12 in via em0
01000     0       0 deny ip from 172.16.0.0/12 to any in via em0
01100     0       0 deny ip from any to 10.0.0.0/8 in via em0
01200     0       0 deny ip from 10.0.0.0/8 to any in via em0
01300     0       0 deny ip from any to 169.254.0.0/16 in via em0
01400     0       0 deny ip from 169.254.0.0/16 to any in via em0
01500  4599 1966327 count ip from any to any
01600  4599 1966327 nat 1 ip from any to any via em0
01700     0       0 count ip from any to any
65535     3     516 deny ip from any to any


# ipfw nat 1 show config
ipfw nat 1 config if em0 log deny_in same_ports reset


>How-To-Repeat:
Configure an instance of ipfw nat on em NIC what have RXCSUM,TXCSUM enabled (it is enabled by default) and make a try to send traffic via.
>Fix:
Turn off RXCSUM,TXCSUM on em adapter

>Release-Note:
>Audit-Trail:
>Unformatted:


More information about the freebsd-bugs mailing list