Message-Id: <200606151123.k5FBNgCe037038@www.freebsd.org>
Date: Thu, 15 Jun 2006 11:23:42 GMT
From: Nicholas von Waltsleben <nicv@korbitec.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfilter drops OOW packets under 6.1-Release
X-Send-Pr-Version: www-2.3

>Number:         98978
>Category:       kern
>Synopsis:       [ipfilter] [patch] ipfilter drops OOW packets under 6.1-Release
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    cy
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 15 11:30:16 GMT 2006
>Closed-Date:    
>Last-Modified:  Wed Jul 03 05:19:41 UTC 2013
>Originator:     Nicholas von Waltsleben
>Release:        6.1
>Organization:
Korbitec
>Environment:
FreeBSD  6.1-RELEASE-p1 FreeBSD 6.1-RELEASE-p1 #0: Wed Jun 14 09:24:56 SAST 2006     root@:/usr/obj/usr/src/sys/CUSTOM  i386
>Description:
ipfilter blocks OOW packets even though a connection has been established
with a keep state rule.

ipfstat -ni
@17 pass in quick on em0 proto tcp from any to 196.7.156.157/32 port = http flags S/FSRPAU keep state group 1

ipmon -oI
14/06/2006 16:17:36.157851 em0 @1:20 b 192.96.88.227,1904 -> 196.7.156.157,80 PR tcp len 20 44 -S IN OOW
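An added example (not from this PR or from ipfilter) that parses ipmon lines of the shape shown above and totals blocked out-of-window TCP segments per source/destination pair, so a burst of OOW drops can be tied to a specific peer before a stateful rule is abandoned. The field order is assumed from the single line in the report; the extra sample lines are constructed.

```python
import re
from collections import Counter

# Regex for the ipmon -o I line shape seen in this report (assumption: fields
# appear in exactly this order; anything after the length field is free text).
# 14/06/2006 16:17:36.157851 em0 @1:20 b 192.96.88.227,1904 -> 196.7.156.157,80 PR tcp len 20 44 -S IN OOW
IPMON_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) (?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<len>\d+)(?P<rest>.*)$"
)

def parse_ipmon(line):
    """Return a dict for one ipmon line, or None if it is not in the expected shape."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("rest").split()          # e.g. ['-S', 'IN', 'OOW']
    rec["tcpflags"] = tail[0] if tail and tail[0].startswith("-") else ""
    rec["direction"] = "IN" if "IN" in tail else ("OUT" if "OUT" in tail else "")
    rec["oow"] = "OOW" in tail
    return rec

def oow_summary(lines):
    """Count blocked, out-of-window TCP segments per (src, dst, dport).
    Many hits from one peer while the rest of the network is clean points at
    state tracking going wrong for that peer rather than at hostile traffic."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if rec and rec["action"] == "b" and rec["proto"] == "tcp" and rec["oow"]:
            counts[(rec["src"], rec["dst"], rec["dport"])] += 1
    return counts

# Constructed sample: the first line is the one from the report, the rest are made up.
SAMPLE_LOG = """\
14/06/2006 16:17:36.157851 em0 @1:20 b 192.96.88.227,1904 -> 196.7.156.157,80 PR tcp len 20 44 -S IN OOW
14/06/2006 16:17:36.201003 em0 @1:20 b 192.96.88.227,1905 -> 196.7.156.157,80 PR tcp len 20 44 -S IN OOW
14/06/2006 16:17:37.000001 em0 @1:17 p 10.0.0.5,40001 -> 196.7.156.157,80 PR tcp len 20 60 -S IN
14/06/2006 16:17:38.500000 em0 @1:20 b 10.0.0.9,40002 -> 196.7.156.157,80 PR tcp len 20 52 -A IN OOW
garbage line that should be ignored
""".splitlines()

if __name__ == "__main__":
    for (src, dst, dport), n in oow_summary(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst}:{dport}  OOW blocks: {n}")
```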
>How-To-Repeat:

>Fix:
Don't make stateful rules, i.e.

pass in quick on fxp0 proto tcp from any to 10.10.10.10 port = 80
..
..
pass out quick on fxp0 proto tcp from 10.10.10.10 port = 80 to any
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: keramida 
Responsible-Changed-When: Fri Jun 23 13:46:16 UTC 2006 
Responsible-Changed-Why:  
This looks like a bug in IPFilter: 
http://msgs.securepoint.com/cgi-bin/get/ipfilter-0605/28.html 

Darren is the best guy to handle it :) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98978 

From: Anders Nordby <anders@FreeBSD.org>
To: bug-followup@FreeBSD.org, nicv@korbitec.com, darrenr@FreeBSD.org,
	guido@FreeBSD.org
Cc:  
Subject: Re: kern/98978: [ipfilter] ipfilter drops OOW packets under 6.1-Release
Date: Mon, 7 Aug 2006 01:16:33 +0200

 Hi,
 
 This problem is biting me a lot on many servers that are now upgraded to
 FreeBSD 6.1-RELEASE. Is there a fix? Should we upgrade to a newer IPF
 manually?
 
 Will there be an update to IP Filter in FreeBSD? In RELENG_6 we have
 version 4.1.8 (released March 2005), the latest one is 4.1.13.
 
 Interested readers may want to know about this patch, which NetBSD used,
 to disable broken TCP out-of-window checks:
 
 http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dist/ipf/netinet/ip_state.c.diff?r1=1.2&r2=1.3
 
 Getting too annoyed with adding OOW rules here and there. It
 should not be necessary.
 
 Bye,
 
 -- 
 Anders.

From: Guido van Rooij <guido@gvr.org>
To: Anders Nordby <anders@FreeBSD.org>
Cc: bug-followup@FreeBSD.org, nicv@korbitec.com, darrenr@FreeBSD.org
Subject: Re: kern/98978: [ipfilter] ipfilter drops OOW packets under 6.1-Release
Date: Mon, 7 Aug 2006 14:37:51 +0200

 On Mon, Aug 07, 2006 at 01:16:33AM +0200, Anders Nordby wrote:
 > Hi,
 > 
 > This problem is biting me a lot on many servers that are now upgraded to
 > FreeBSD 6.1-RELEASE. Is there a fix? Should we upgrade to a newer IPF
 > manually?
 > 
 > Will there be an update to IP Filter in FreeBSD? In RELENG_6 we have
 > version 4.1.8 (released March 2005), the latest one is 4.1.13.
 > 
 
 I hope to be able to upgrade ipf in -current in the next week.
 A bit later I can backport it to 6-stable.
 
 The problem is that my planning is extremely volatile lately.
 
 -Guido

From: Anders Nordby <anders@FreeBSD.org>
To: Guido van Rooij <guido@gvr.org>
Cc: bug-followup@FreeBSD.org, nicv@korbitec.com, darrenr@FreeBSD.org
Subject: Re: kern/98978: [ipfilter] ipfilter drops OOW packets under 6.1-Release
Date: Sun, 13 Aug 2006 17:23:10 +0200

 Hi,
 
 
 On Mon, Aug 07, 2006 at 02:37:51PM +0200, Guido van Rooij wrote:
 >> This problem is biting me a lot on many servers that are now upgraded to
 >> FreeBSD 6.1-RELEASE. Is there a fix? Should we upgrade to a newer IPF
 >> manually?
 >> 
 >> Will there be an update to IP Filter in FreeBSD? In RELENG_6 we have
 >> version 4.1.8 (released March 2005), the latest one is 4.1.13.
 > I hope to be able to upgrade ipf in -current in the next week.
 > A bit later I can backport it to 6-stable.
 > 
 > The problem is that my planning is extremely volatile lately.
 
 Is there any chance to make it before 6.2, which is scheduled to be
 released October 9th? If not, do we disable the out-of-window checks?
 They are quite buggy and bothersome with the current IP Filter release
 in FreeBSD, to me. I would hope we don't ship another release with these
 bugs.
 
 I'd be happy to test out a new IP Filter. Count on me to test it. :)
 
 Cheers,
 
 -- 
 Anders.

From: "Nicholas von Waltsleben" <nicv@korbitec.com>
To: "Anders Nordby" <anders@FreeBSD.org>,
	"Guido van Rooij" <guido@gvr.org>
Cc: <bug-followup@FreeBSD.org>,
	<darrenr@FreeBSD.org>
Subject: RE: kern/98978: [ipfilter] ipfilter drops OOW packets under 6.1-Release
Date: Tue, 5 Sep 2006 21:05:08 +0200

 >On Mon, Aug 07, 2006 at 02:37:51PM +0200, Guido van Rooij wrote:
 >>> This problem is biting me a lot on many servers that are now upgraded
 >>> to FreeBSD 6.1-RELEASE. Is there a fix? Should we upgrade to a newer
 >>> IPF manually?
 >>>
 >>> Will there be an update to IP Filter in FreeBSD? In RELENG_6 we have
 >>> version 4.1.8 (released March 2005), the latest one is 4.1.13.
 >> I hope to be able to upgrade ipf in -current in the next week.
 >> A bit later I can backport it to 6-stable.
 >>
 >> The problem is that my planning is extremely volatile lately.
 
 >Is there any chance to make it before 6.2, which is scheduled to be
 >released October 9th? If not, do we disable the out-of-window checks?
 >They are quite buggy and bothersome with the current IP Filter release
 >in FreeBSD, to me. I would hope we don't ship another release with
 >these bugs.
 
 Hi
 
 I have updated to 6.1 stable with IP Filter 4.1.13 but the OOW errors
 are still appearing in the logs.  Is there some place where a solution
 to this is discussed or is it just a problem under FreeBSD?  If there is
 no solution to the problem I will need to reinstall my servers with 5.5
 
 Regards,
 Nic von Waltsleben

From: Anders Nordby <anders@fupp.net>
To: Nicholas von Waltsleben <nicv@korbitec.com>
Cc: Guido van Rooij <guido@gvr.org>, bug-followup@FreeBSD.org,
	darrenr@FreeBSD.org
Subject: Re: kern/98978: [ipfilter] ipfilter drops OOW packets under 6.1-Release
Date: Wed, 13 Sep 2006 09:03:03 +0200

 Hi,
 
 On Wed, Sep 13, 2006 at 09:00:37AM +0200, Anders Nordby wrote:
 > A work-around is to make the fr_tcpinwindow function always return 1,
 > that will disable the TCP window checks. Maybe we should make this a
 > tunable, if it's so difficult to get right?
 > 
 > I've used the attached patch with success, to disable these checks in
 > 6.1.
 
 Disclaimer: due to being short on time, I have not had the opportunity
 to check the last commit of IP Filter into FreeBSD yet. :-(
 
 Bye,
 
 -- 
 Anders.

From: Anders Nordby <anders@FreeBSD.org>
To: Nicholas von Waltsleben <nicv@korbitec.com>
Cc: Guido van Rooij <guido@gvr.org>, bug-followup@FreeBSD.org,
	darrenr@FreeBSD.org
Subject: Re: kern/98978: [ipfilter] ipfilter drops OOW packets under 6.1-Release
Date: Wed, 13 Sep 2006 09:00:37 +0200

 
 Hi,
 
 On Tue, Sep 05, 2006 at 09:05:08PM +0200, Nicholas von Waltsleben wrote:
 >>Is there any chance to make it before 6.2, which is scheduled to be
 >>released October 9th? If not, do we disable the out-of-window checks?
 >>They are quite buggy and bothersome with the current IP Filter release
 >>in FreeBSD, to me. I would hope we don't ship another release with
 >>these bugs.
 > I have updated to 6.1 stable with IP Filter 4.1.13 but the OOW errors
 > are still appearing in the logs.  Is there some place where a solution
 > to this is discussed or is it just a problem under FreeBSD?  If there is
 > no solution to the problem I will need to reinstall my servers with 5.5
 
 A work-around is to make the fr_tcpinwindow function always return 1,
 that will disable the TCP window checks. Maybe we should make this a
 tunable, if it's so difficult to get right?
 
 I've used the attached patch with success, to disable these checks in
 6.1.
 
 Cheers,
 
 -- 
 Anders.
 
 Content-Disposition: attachment; filename="ipfilter-disable-tcpwindow-check.diff"
 
 --- sys/contrib/ipfilter/netinet/ip_state.c.orig	Mon Apr 25 20:43:14 2005
 +++ sys/contrib/ipfilter/netinet/ip_state.c	Mon Aug  7 00:53:50 2006
 @@ -1407,6 +1407,7 @@
  tcphdr_t *tcp;
  int flags;
  {
 +#ifdef BROKEN_TCP_WINDOW_CHECK
  	tcp_seq seq, ack, end;
  	int ackskew, tcpflags;
  	u_32_t win, maxwin;
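Review bot: BROKEN_TCP_WINDOW_CHECK is never defined by this patch, so in a default build the `#ifdef` compiles the whole window-tracking body out and the change is a silent, global disable rather than an opt-in; the name also reads backwards, since defining a macro called BROKEN_... is what turns the original check back on. Rename it to something like IPF_TCP_WINDOW_CHECK and document the build flag, or better, do what the covering mail itself suggests and make this a run-time tunable so the check can be switched per host without a kernel rebuild.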
 @@ -1523,6 +1524,9 @@
  		return 1;
  	}
  	return 0;
 +#else
 +	return 1;
 +#endif
  }
  
  
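Review bot: the `#else` branch returns 1 unconditionally, so with the macro undefined fr_tcpinwindow reports every segment as in-window and a genuinely out-of-window segment is no longer distinguishable from a valid one at this point. If the goal is only to stop legitimate traffic from being blocked, a log-only mode (keep the check, record its verdict, but do not fail the packet) would preserve that visibility; at minimum the unconditional `return 1;` deserves a comment stating that it is the workaround path and not a result of the check.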
 

From: Guido van Rooij <guido@gvr.org>
To: Anders Nordby <anders@FreeBSD.org>
Cc: Nicholas von Waltsleben <nicv@korbitec.com>, bug-followup@FreeBSD.org,
	darrenr@FreeBSD.org
Subject: Re: kern/98978: [ipfilter] ipfilter drops OOW packets under 6.1-Release
Date: Wed, 13 Sep 2006 09:14:51 +0200

 On Wed, Sep 13, 2006 at 09:00:37AM +0200, Anders Nordby wrote:
 > Hi,
 > 
 > On Tue, Sep 05, 2006 at 09:05:08PM +0200, Nicholas von Waltsleben wrote:
 > >>Is there any chance to make it before 6.2, which is scheduled to be
 > >>released October 9th? If not, do we disable the out-of-window checks?
 > >>They are quite buggy and bothersome with the current IP Filter release
 > >>in FreeBSD, to me. I would hope we don't ship another release with
 > >>these bugs.
 > > I have updated to 6.1 stable with IP Filter 4.1.13 but the OOW errors
 > > are still appearing in the logs.  Is there some place where a solution
 > > to this is discussed or is it just a problem under FreeBSD?  If there is
 > > no solution to the problem I will need to reinstall my servers with 5.5
 > 
 > A work-around is to make the fr_tcpinwindow function always return 1,
 > that will disable the TCP window checks. Maybe we should make this a
 > tunable, if it's so difficult to get right?
 
 I have pointed you towards the ipfilter mailing list but have not seen
 a mail from you. Apparently most issues have been resolved with the state
 checking. Perhaps not yours, but to say that it is difficult to
 get it right is a bit premature.
 
 > 
 > I've used the attached patch with success, to disable these checks in
 > 6.1.
 > 
 
 I am not sure what you mean with "success". You do disable part of the firewall
 functionality to work around a problem. I would not call that success...
 
 -Guido

From: Anders Nordby <anders@FreeBSD.org>
To: Guido van Rooij <guido@gvr.org>
Cc: Nicholas von Waltsleben <nicv@korbitec.com>, bug-followup@FreeBSD.org,
	darrenr@FreeBSD.org
Subject: Re: kern/98978: [ipfilter] ipfilter drops OOW packets under 6.1-Release
Date: Wed, 13 Sep 2006 09:31:31 +0200

 Hi,
 
 On Wed, Sep 13, 2006 at 09:14:51AM +0200, Guido van Rooij wrote:
 >> A work-around is to make the fr_tcpinwindow function always return 1,
 >> that will disable the TCP window checks. Maybe we should make this a
 >> tunable, if it's so difficult to get right?
 > I have pointed you towards the ipfilter mailing list but have not seen
 > a mail from you. Apparently most issues have been resolved with the state
 > checking. Perhaps not yours, but to say that it is difficult to
 > get it right is a bit premature.
 
 Nicholas here is still having trouble. I was having trouble with it. Of
 course, if I see problems with the latest update, and I have time to
 work on it, I will report about it.
 
 In the mean time however, people might want to decide for themselves
 whether they want to block packets on the basis of TCP window checks,
 without having to add a whole lot of rules specifically for oow packets.
 
 >> I've used the attached patch with success, to disable these checks in
 >> 6.1.
 > I am not sure what you mean with "success". You do disable part of the firewall
 > functionality to work around a problem. I would not call that success...
 
 It's a "success" because it solved my immediate problem that what for me
 were legal/valid (at least, wanted) packets that shouldn't be stopped
 were stopped. Sure it's a work-around, but a work-around is better than
 no fix.
 
 Cheers,
 
 -- 
 Anders.

From: "Nicholas von Waltsleben" <nicv@korbitec.com>
To: "Anders Nordby" <anders@FreeBSD.org>,
	"Guido van Rooij" <guido@gvr.org>
Cc: <bug-followup@FreeBSD.org>,
	<darrenr@FreeBSD.org>
Subject: RE: kern/98978: [ipfilter] ipfilter drops OOW packets under 6.1-Release
Date: Wed, 13 Sep 2006 09:49:08 +0200

 > Nicholas here is still having trouble. I was having trouble with it.
 > Of course, if I see problems with the latest update, and I have
 > time to work on it, I will report about it.
 
 I am currently rolling back my 6.1 servers to 5.5 as they never
 exhibited these problems before I reinstalled them. Once I have some
 more time available to me I will post on the IPFilter lists again and
 hopefully this time there will be some interest in this problem.
 
 >> I've used the attached patch with success, to disable these checks in
 >> 6.1.
 > I am not sure what you mean with "success". You do disable part of the
 > firewall functionality to work around a problem. I would not call that
 > success...
 
 I am not sure whether this is pertinent or not but the only times I
 experience these errors is when our proxy server connects to our
 websites (Squid 2.6.STABLE2 on FreeBSD 6.1 Release) and with connections
 from our monitoring server (running Tembria). No other situations seem
 to generate OOW errors.

From: Guido van Rooij <guido@gvr.org>
To: Nicholas von Waltsleben <nicv@korbitec.com>
Cc: Anders Nordby <anders@FreeBSD.org>, bug-followup@FreeBSD.org,
	darrenr@FreeBSD.org
Subject: Re: kern/98978: [ipfilter] ipfilter drops OOW packets under 6.1-Release
Date: Wed, 13 Sep 2006 10:59:58 +0200

 On Wed, Sep 13, 2006 at 09:49:08AM +0200, Nicholas von Waltsleben wrote:
 > >> 6.1.
 > > I am not sure what you mean with "success". You do disable part of the
 > > firewall functionality to work around a problem. I would not call that
 > > success...
 > 
 > I am not sure whether this is pertinent or not but the only times I
 > experience these errors is when our proxy server connects to our
 > websites (Squid 2.6.STABLE2 on FreeBSD 6.1 Release) and with connections
 > from our monitoring server (running Tembria). No other situations seem
 > to generate OOW errors.
 
 When you do report problems it is important that a tcpdump of the complete
 TCP session with the OOW errors is included.
 You can also try disabling window scaling on either host to see if
 the problems go away. If they do, it is most probably a bug in the window
 scaling tracking part of the code, instead of the sequence/ack number magic.
 
 -Guido
Responsible-Changed-From-To: freebsd-net->cy 
Responsible-Changed-By: cy 
Responsible-Changed-When: Wed Jul 3 05:19:20 UTC 2013 
Responsible-Changed-Why:  
Mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98978 
>Unformatted:
