Subject: kern/6858: ipf filter retain-state confusion
To: None <gnats-bugs@gnats.netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: netbsd-bugs
Date: 01/20/1999 11:08:48
>Number: 6858
>Category: kern
>Synopsis: ipf ip packet filter sometimes gets confused about retained state
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jan 20 11:20:01 1999
>Last-Modified:
>Originator: Wolfgang Rupprecht
>Organization:
W S Rupprecht Computer Consulting, Fremont CA
>Release: NetBSD-current 1/5/99
>Environment:
System: NetBSD capsicum.wsrcc.com 1.3I NetBSD 1.3I (WSRCC) #0: Tue Jan 5 06:30:38 PST 1999 root@capsicum.wsrcc.com:/v/src/netbsd/NetBSD-current/usr/src/sys/arch/i386/compile/WSRCC i386
>Description:
The IP packet filter ipf sometimes screws up when used in a
mode that blocks all but allows any outgoing TCP connection
and the resulting return packets.
>How-To-Repeat:
Insert into /etc/ipf.conf:

    block in log on de0 from any to any
    pass out on de0 proto tcp from any to any flags S/SAFR keep state

Compile and install a kernel with ipf and ipmon support:

    pseudo-device ipfilter # IP filter (firewall) and NAT
    options IPFILTER_LOG # ipmon(8) log support

Start ipf and ipmon:

    ipf -F a -f /etc/ipf.conf
    ipmon &

Use Netscape to view some pages at random. Observe the following
log lines in /var/log/messages:

    Jan 20 04:02:06 capsicum ipmon[128]: 04:02:06.092075 de0
    @0:3 b www75.netscape.com,www ->
    c460058-a.frmt1.sfba.home.com,58544 PR tcp len 20 40 -R
I haven't been able to track it down exactly, but I suspect
it may be a race condition with duplicate fin-ack packets.
If the IPF state is cleaned up too fast, the duplicate final
packets would probably be rejected.
>Fix:
guessing: keep the ipf state a bit longer???
>Audit-Trail:
>Unformatted:
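
An added example, not part of the original report: a small triage script that parses ipmon lines of the shape quoted above and separates blocked bare-SYN packets from blocked FIN/RST packets that arrived with no matching state entry, the pattern the report describes. The field layout is inferred from the quoted log line; the verdict names and the constructed sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Field layout inferred from the ipmon line quoted in the report:
# time if @group:rule action src,sport -> dst,dport PR tcp len hlen len -FLAGS
IPMON_TCP = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S+)\s+(?P<src>[^,\s]+),(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>[^,\s]+),(?P<dport>\S+)\s+PR\s+tcp\s+len\s+(?P<hlen>\d+)\s+(?P<len>\d+)\s+"
    r"-(?P<flags>[A-Z]+)"
)

def classify(line):
    """Return (verdict, fields) for a blocked TCP packet, else None."""
    m = IPMON_TCP.search(line)
    if not m or m["action"] != "b":
        return None
    flags = set(m["flags"])
    if "S" in flags and "A" not in flags:
        verdict = "new-connection"     # bare SYN: nothing to do with kept state
    elif flags & {"F", "R"}:
        verdict = "late-teardown"      # FIN/RST that found no state entry
    else:
        verdict = "stateless-segment"  # other non-SYN segment without state
    return verdict, m.groupdict()

def summarize(lines):
    """Count verdicts over an iterable of log lines."""
    return Counter(r[0] for r in map(classify, lines) if r)

# The line from the report, re-joined onto one line (the mail wrapped it).
REPORTED = ("Jan 20 04:02:06 capsicum ipmon[128]: 04:02:06.092075 de0 @0:3 b "
            "www75.netscape.com,www -> c460058-a.frmt1.sfba.home.com,58544 "
            "PR tcp len 20 40 -R")
# Constructed sample lines (not from the report), using documentation addresses.
CONSTRUCTED = [
    "Jan 20 04:05:10 fw ipmon[128]: 04:05:10.500000 de0 @0:1 b "
    "192.0.2.9,4021 -> 192.0.2.1,23 PR tcp len 20 44 -S",
    "Jan 20 04:06:30 fw ipmon[128]: 04:06:30.250000 de0 @0:1 b "
    "198.51.100.7,80 -> 192.0.2.1,51200 PR tcp len 20 40 -AF",
    "Jan 20 04:07:00 fw ipmon[128]: 04:07:00.100000 de0 @0:2 p "
    "192.0.2.1,51300 -> 198.51.100.7,80 PR tcp len 20 44 -S",
]

if __name__ == "__main__":
    for verdict, n in summarize([REPORTED] + CONSTRUCTED).items():
        print(f"{verdict}: {n}")
```

A high share of "late-teardown" verdicts from servers the host had just connected to points at state being dropped before the connection's last packets arrive, rather than at unsolicited inbound traffic.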