Subject: kern/6220: ipfilter with keep state seems broken
To: None <gnats-bugs@gnats.netbsd.org>
From: Michael Graff <explorer@flame.org>
List: netbsd-bugs
Date: 10/01/1998 02:22:54
>Number: 6220
>Category: kern
>Synopsis: ipfilter with keep state seems broken
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Oct 1 02:35:01 1998
>Last-Modified:
>Originator: Michael Graff
>Organization:
flame.org: yes, we do know everything
>Release: NetBSD-1-3 branch as of 01-Oct-1998
>Environment:
System: NetBSD kechara.lh.vix.com 1.3.2 NetBSD 1.3.2 (FLAME) #1: Sun Sep 27 21:03:53 PDT 1998 explorer@kechara.lh.vix.com:/u1/OS/NetBSD/src/sys/arch/i386/compile/FLAME i386
>Description:
With keep-state turned on for TCP connections, the ip state table will
fill up quickly, and doesn't seem to track what connections are really
in use:
IP states added:
36286 TCP
0 UDP
0 ICMP
861210 hits
166007 misses
0 maximum
0 no memory
415 active
0 expired
35871 closed
Summarizing the output of netstat -n:
ESTABLISHED 37
FIN_WAIT_1 4
LAST_ACK 2
LISTEN 35
TIME_WAIT 19
ipfstat -s lists every one of the connections as well, of course.
Many are in state 4/2:
210.160.119.132 -> 204.152.184.79 ttl 849251 pass 4106 pr 6 state 4/2
pkts 10 bytes 640 1734 -> 2064 3697935968:4117391616 16384:16384
pass in log keep state
pkt_flags & b = 2, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
203.5.69.218 -> 204.152.184.79 ttl 856046 pass 4106 pr 6 state 4/2
pkts 8 bytes 352 1744 -> 2064 48780770:2993266952 8192:16384
pass in log keep state
pkt_flags & b = 2, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
208.24.22.252 -> 204.152.184.79 ttl 863150 pass 4106 pr 6 state 4/2
pkts 8 bytes 352 2676 -> 2064 209831679:1942642270 8192:16384
pass in log keep state
pkt_flags & b = 2, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
netstat -n doesn't report any of these:
root@kechara# netstat -n | grep 210.160.119.132
root@kechara# netstat -n | grep 203.5.69.218
root@kechara# netstat -n | grep 208.24.22.252
>How-To-Repeat:
Run a medium to high load machine with tcp keep state
>Fix:
Unknown.
>Audit-Trail:
>Unformatted:
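As an added example, not part of this PR: a Python check that cross-references ipfstat -s TCP state entries against netstat -n and flags entries with no matching kernel socket, the mismatch the report describes. The sample output is constructed in the record format quoted above; that the first port on the pkts line belongs to the left-hand address is an assumption.

```python
import re
# Constructed ipfstat -s sample in the PR's record format (first entry is from the PR).
IPFSTAT_SAMPLE = """\
210.160.119.132 -> 204.152.184.79 ttl 849251 pass 4106 pr 6 state 4/2
  pkts 10 bytes 640 1734 -> 2064 3697935968:4117391616 16384:16384
  pass in log keep state
  pkt_flags & b = 2, pkt_options & ffffffff = 0
  pkt_security & ffff = 0, pkt_auth & ffff = 0
192.0.2.10 -> 204.152.184.79 ttl 863150 pass 4106 pr 6 state 4/4
  pkts 120 bytes 9000 40000 -> 2064 1:2 16384:16384
  pass in log keep state
"""
# Constructed netstat -n sample (NetBSD prints addr.port; LISTEN peers show as *.*).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  204.152.184.79.2064    192.0.2.10.40000       ESTABLISHED
tcp        0      0  204.152.184.79.22      198.51.100.7.51515     TIME_WAIT
"""
HEAD_RE = re.compile(r"^(\S+) -> (\S+) ttl (\d+) pass \d+ pr (\d+) state (\d+)/(\d+)")
PKTS_RE = re.compile(r"^\s*pkts \d+ bytes \d+ (\d+) -> (\d+)")

def parse_ipfstat(text):
    """Return (src, sport, dst, dport, state, ttl) for each TCP (pr 6) state entry."""
    entries, head = [], None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:                      # header line: addresses, ttl, protocol, state
            head = m.groups()
            continue
        m = PKTS_RE.match(line)    # pkts line carries the port pair (assumed src -> dst)
        if m and head and head[3] == "6":
            src, dst, ttl, _pr, s1, s2 = head
            entries.append((src, m.group(1), dst, m.group(2), f"{s1}/{s2}", int(ttl)))
            head = None
    return entries

def parse_netstat(text):
    """Return a set of unordered endpoint pairs for TCP sockets that have a peer."""
    socks = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0].startswith("tcp") and "*" not in f[4]:
            socks.add(frozenset(tuple(ep.rsplit(".", 1)) for ep in (f[3], f[4])))
    return socks

def stale_states(ipfstat_text, netstat_text):
    """ipf TCP state entries with no corresponding kernel socket: stale candidates."""
    socks = parse_netstat(netstat_text)
    return [e for e in parse_ipfstat(ipfstat_text)
            if frozenset({(e[0], e[1]), (e[2], e[3])}) not in socks]
```

Run against live `ipfstat -s` and `netstat -n` captures on the filtering host; a steadily growing list of stale entries in one state such as 4/2 is the signature described in this PR.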