From owner-freebsd-stable@FreeBSD.ORG Sat Jan 28 15:31:08 2006
Message-ID: <43DB8EA6.7070503@metro.cx>
Date: Sat, 28 Jan 2006 16:32:54 +0100
From: Koen Martens
Organization: Sonologic
To: freebsd-stable@freebsd.org
Subject: ipfilter + bge strangeness
List-Id: Production branch of FreeBSD source code

Hi All,

Yesterday night, I was going to send the message below. However, just before pressing send, I found a solution to the problem: disable checksum checks (ifconfig bge0 -rxcsum -txcsum). Though this is a solution, it has me puzzled. Is this a bug^H^H^Hfeature of 6-STABLE, as it works with 5.4?
With 5.4, there was only the rxcsum option for the bge card, not a txcsum. It worked fine with rxcsum enabled on 5.4. What are the consequences of disabling {rx,tx}csum? What is wrong with enabling it on 6-STABLE?

Best,

Koen

===========[ original message ]=====================================

Hi All,

I'm experiencing some strange behaviour with ipfilter on a bge interface. It ran 5.4, and after upgrading it to 6-STABLE, trouble started. On another host, where there is an em and an fxp interface instead of two bge's, the upgrade did not result in the weirdness.

Well, to the point, here is a little edited-down version of the firewall:

pass out log quick on bge0 proto tcp from any to any flags S keep state
pass out log quick on bge0 proto udp from any to any keep state
pass out log quick on bge0 proto icmp from any to any keep state
block in log quick on bge0
pass in quick on bge1
pass out quick on bge1
pass in quick on lo0
pass out quick on lo0
# EOF

So, one would expect that, say, a DNS lookup should be able to go out on the bge0 interface, and the reply should be able to get back in... However, here is what happens (ipmon -a output):

28/01/2006 01:03:28.223739 bge0 @0:2 p 84.92.240.4,50384 -> 194.109.6.66,53 PR udp len 20 55 K-S OUT
28/01/2006 01:03:28.224623 bge0 @0:1 b 194.109.6.66,53 -> 84.92.240.4,50384 PR udp len 20 154 IN bad
28/01/2006 01:03:28.223731 STATE:NEW 84.92.240.4,50384 -> 194.109.6.66,53 PR udp

I'd say the state is created before the DNS reply comes in, so it should be accepted. Am I doing something horribly wrong here?
For reference, here are the rule numbers:

foo# ipfstat -nih
64 @1 block in log quick on bge0 all
94 @2 pass in quick on bge1 all
0 @3 pass in quick on lo0 all
foo# ipfstat -noh
0 @1 pass out log quick on bge0 proto tcp from any to any flags S/FSRPAU keep state
57 @2 pass out log quick on bge0 proto udp from any to any keep state
0 @3 pass out log quick on bge0 proto icmp from any to any keep state
79 @4 pass out quick on bge1 all
0 @5 pass out quick on lo0 all

Ifconfig:

curie# ifconfig
bge0: flags=8843 mtu 1500
        options=1b
        inet6 fe80::211:85ff:fed5:dfae%bge0 prefixlen 64 scopeid 0x1
        inet 84.92.240.4 netmask 0xffffffc0 broadcast 84.92.240.63
        ether 00:11:85:d5:df:ae
        media: Ethernet autoselect (100baseTX )
        status: active
bge1: flags=8843 mtu 1500
        options=1b
        inet6 fe80::211:85ff:fed5:df6f%bge1 prefixlen 64 scopeid 0x2
        inet 192.168.0.5 netmask 0xffff0000 broadcast 192.168.255.255
        ether 00:11:85:d5:df:6f
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000

And here is the dmesg output:

Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 6.0-STABLE #0: Sat Jan 28 00:25:41 CET 2006
    root@curie.sonologic.nl:/usr/obj/usr/src/sys/CURIE_VOLTAIRE-6
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) 4 CPU 3.06GHz (3065.81-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf29  Stepping = 9
  Features=0xbfebfbff
  Features2=0x4400
  Hyperthreading: 2 logical CPUs
real memory  = 671064064 (639 MB)
avail memory = 651612160 (621 MB)
ACPI APIC Table:
ioapic0: Changing APIC ID to 2
ioapic1: Changing APIC ID to 3
MADT: Forcing active-low polarity and level trigger for SCI
ioapic0 irqs 0-15 on motherboard
ioapic1 irqs 16-31 on motherboard
npx0: [FAST]
npx0: on motherboard
npx0: INT 16 interface
acpi0: on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-safe" frequency 3579545 Hz quality 1000
acpi_timer0: <32-bit timer at 3.579545MHz> port 0x920-0x923 on acpi0
cpu0: on acpi0
pcib0: on acpi0
pci0: on pcib0
atapci0: port 0x2010-0x2017,0x2018-0x201b,0x2020-0x2027,0x2028-0x202b,0x2030-0x203f irq 17 at device 2.0 on pci0
ata2: on atapci0
ata3: on atapci0
pci0: at device 3.0 (no driver attached)
pci0: at device 4.0 (no driver attached)
bge0: mem 0xf6fd0000-0xf6fdffff irq 19 at device 5.0 on pci0
miibus0: on bge0
brgphy0: on miibus0
brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 1000baseTX-FDX, auto
bge0: Ethernet address: 00:11:85:d5:df:ae
bge1: mem 0xf6fc0000-0xf6fcffff irq 20 at device 6.0 on pci0
miibus1: on bge1
brgphy1: on miibus1
brgphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 1000baseTX-FDX, auto
bge1: Ethernet address: 00:11:85:d5:df:6f
isab0: at device 15.0 on pci0
isa0: on isab0
atapci1: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x2000-0x200f at device 15.1 on pci0
ata0: on atapci1
ata1: on atapci1
pci0: at device 15.2 (no driver attached)
acpi_button0: on acpi0
acpi_tz0: on acpi0
atkbdc0: port 0x60,0x64 irq 1 on acpi0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
sio0: port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
fdc0: port 0x3f2-0x3f5 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
orm0: at iomem 0xc0000-0xc7fff,0xee000-0xeffff on isa0
ppc0: parallel port not found.
sc0: at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 3065808268 Hz quality 800
Timecounters tick every 1.000 msec
IPv6 packet filtering initialized, logging limited to 100 packets/entry
IP Filter: v4.1.8 initialized.  Default = pass all, Logging = enabled
ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding enabled, default to accept, logging limited to 100 packets/entry by default
acd0: CDROM at ata0-master PIO4
ad4: 76319MB at ata2-master UDMA100
ar0: 76317MB status: READY
ar0: disk0 READY using ad4 at ata2-master
Trying to mount root from ufs:/dev/ar0s1a
bge0: link state changed to UP
bge1: link state changed to UP
ohci0: mem 0xf6fb0000-0xf6fb0fff irq 11 at device 15.2 on pci0
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: SMM does not respond, resetting
usb0: on ohci0
usb0: USB revision 1.0
uhub0: (0x1166) OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered

-- 
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, hosting, embedded systems, unix, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program can't read?
Visit http://www.openpgp.org/
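The three ipmon lines in the post show the symptom in miniature: an outbound UDP request passed with state (K-S OUT), the reply blocked by the catch-all rule and marked "bad", and a STATE:NEW entry for the request printed after both. The script below is an added example, not code from Koen's post or from ipfilter; it scans ipmon -a output for exactly that pattern (an inbound packet blocked as bad whose reverse 5-tuple has a STATE:NEW entry) so an admin can spot, from logs alone, replies that the firewall is dropping despite state, which in the post turned out to be a checksum-offload interaction on bge0. It assumes only the line shapes visible in the post; lines of any other shape are ignored. SAMPLE_LOG is constructed for the example: its first three lines are the post's own, the last two are made up.

```python
"""Flag ipmon -a entries where an inbound reply was blocked as 'bad' even
though ipfilter had already created state for the matching request.

Added example for the post above; not the post's or ipfilter's code.
The regexes follow the ipmon line shapes quoted in the post.
"""
import re
from collections import Counter
from dataclasses import dataclass

# "date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen <flags> <IN|OUT> [bad]"
PACKET_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[pb]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)
# "date time STATE:EVENT src,sport -> dst,dport PR proto"
STATE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) STATE:(?P<event>\w+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)$"
)

# Constructed sample: lines 1-3 are the post's own ipmon output; lines 4-5 are
# made up (a plain SYN block without 'bad', and a 'bad' block with no state).
SAMPLE_LOG = """\
28/01/2006 01:03:28.223739 bge0 @0:2 p 84.92.240.4,50384 -> 194.109.6.66,53 PR udp len 20 55 K-S OUT
28/01/2006 01:03:28.224623 bge0 @0:1 b 194.109.6.66,53 -> 84.92.240.4,50384 PR udp len 20 154 IN bad
28/01/2006 01:03:28.223731 STATE:NEW 84.92.240.4,50384 -> 194.109.6.66,53 PR udp
28/01/2006 01:04:02.000100 bge0 @0:1 b 10.0.0.9,4444 -> 84.92.240.4,22 PR tcp len 20 60 -S IN
28/01/2006 01:04:05.000200 bge0 @0:1 b 198.51.100.7,1025 -> 84.92.240.4,53 PR udp len 20 70 IN bad
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The 5-tuple a reply to this flow carries."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def _flow(m: "re.Match") -> Flow:
    return Flow(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def analyse(log_text: str):
    """Return (suspicious, bad_per_iface).

    suspicious:    list of (iface, rule, Flow) for inbound packets blocked with
                   the 'bad' marker whose reverse 5-tuple has a STATE:NEW entry.
    bad_per_iface: Counter of every 'bad' block per interface, state or not.
    """
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # Pass 1: collect state entries first. ipmon can print the STATE line after
    # the packet lines it belongs to (the post's log shows exactly that), so
    # judging packets in a single pass would miss the state.
    states = set()
    for line in lines:
        m = STATE_RE.match(line)
        if m and m["event"] == "NEW":
            states.add(_flow(m))
    # Pass 2: look at blocked packets carrying the 'bad' marker.
    suspicious = []
    bad_per_iface = Counter()
    for line in lines:
        m = PACKET_RE.match(line)
        if not m:
            continue
        trailer = m["rest"].split()
        if m["action"] != "b" or "bad" not in trailer:
            continue
        bad_per_iface[m["iface"]] += 1
        flow = _flow(m)
        if "IN" in trailer and flow.reverse() in states:
            suspicious.append((m["iface"], int(m["rule"]), flow))
    return suspicious, bad_per_iface


def report(log_text: str) -> str:
    """Human-readable summary of analyse()."""
    suspicious, bad = analyse(log_text)
    out = [f"{iface}: {n} packet(s) blocked as bad" for iface, n in sorted(bad.items())]
    for iface, rule, f in suspicious:
        out.append(f"{iface} rule @{rule}: reply {f.src},{f.sport} -> {f.dst},{f.dport} ({f.proto}) "
                   f"blocked as bad although state exists for the request; "
                   f"check checksum offload settings on {iface} (ifconfig {iface})")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the post's lines this reports one suspicious entry on bge0 (the DNS reply from 194.109.6.66,53) and two "bad" blocks in total, the second being the constructed line with no state, which is a plain block rather than the symptom. Feed it real output with `ipmon -a` redirected to a file, or `python3 script.py < ipmon.log` after swapping SAMPLE_LOG for `sys.stdin.read()`.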