Subject: kern/30851: bge breaks ipnat
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <prlw1@cam.ac.uk>
List: netbsd-bugs
Date: 07/27/2005 18:32:00
>Number:         30851
>Category:       kern
>Synopsis:       bad NAT with bge
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 27 18:32:00 +0000 2005
>Originator:     Patrick Welche
>Release:        NetBSD 3.99.7
>Organization:
>Environment:
cvs of 20 July 2005 11:12 UTC
Architecture: i386
Machine: i386
>Description:
When bge(4) is the external interface on which an ipnat mapping is defined,
the return packets are blocked because of "bad NAT" as they don't match
the state table.
>How-To-Repeat:
Rather like in kern/29660, though this is a different Dell GX280, find a
computer with a

bge0 at pci2 dev 0 function 0: Broadcom BCM5751 Gigabit Ethernet
bge0: interrupting at irq 11
bge0: ASIC BCM5750 A1 (0x4001), Ethernet address 00:11:43:7c:6c:94
brgphy0 at bge0 phy 1: BCM5750 1000BASE-T media interface, rev. 0
brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto

and some other network card, e.g. ex.

ipnat.conf:
map bge0 192.168.246.0/24 -> 131.111.246.22/32

ipf.conf:
block in log all
block out log all
pass in  quick log on ex0  proto tcp from any to any port = http flags S/SA keep state
pass out quick log on bge0 proto tcp from any to any port = http flags S/SA keep state

Then run ipmon, and get a client to connect through the Dell. Watch the
packets go out, and get blocked on return to the bge with bad NAT.

>Fix:
Swap the bge for an ex(4) 3Com 3c905C-TX. Maybe this combined with
kern/29660 might point to a fix given that these have the same chip?

>Unformatted: