Subject: kern/36309: ipf 4.1.20 breaks NAT setup
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <mlelstv@serpens.de>
List: netbsd-bugs
Date: 05/12/2007 08:25:00
>Number:         36309
>Category:       kern
>Synopsis:       ipf 4.1.20 breaks NAT setup
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat May 12 08:25:00 +0000 2007
>Originator:     Michael van Elst
>Release:        NetBSD 4.0_BETA2
>Organization:
	
>Environment:
	
	
System: NetBSD fud 4.0_BETA2 NetBSD 4.0_BETA2 (FUD) #2: Sat May 12 00:18:35 CEST 2007 mlelstv@henery:/home/netbsd4/obj/home/netbsd4/src/sys/arch/i386/compile/FUD i386
Architecture: i386
Machine: i386
>Description:
After upgrading to the latest 4.0_BETA2 kernel, NAT no longer works
stably under certain conditions:

The network looks like:

client <-> NAT router <-- dsl connection --> internet host

NAT is configured with 'mssclamp 1420'.

The traffic between client and NAT router is sent through
an IPSEC tunnel.

Client and router run 4.0_BETA2. I can log in to the internet host
from the client using ssh. As soon as I run a command that produces
significant output (like 'top' or 'ls'), the connection freezes.

ipnat -lv still shows the session:
(P.P.P.P = client private address,
 X.X.X.X = router public address,
 Y.Y.Y.Y = internet host)

MAP P.P.P.P         65500 <- -> X.X.X.X         10013 [Y.Y.Y.Y 22]
        ttl 14350 use 0 sumd 0x6df8/0x6df8 pr 6 bkt 80/1572 flags 1
        ifp X,X bytes 19706/6553 pkts 51/43 ipsumd 46b8

[ after a few minutes... ]
MAP P.P.P.P         65500 <- -> X.X.X.X         10013 [Y.Y.Y.Y 22]
        ttl 14257 use 0 sumd 0x6df8/0x6df8 pr 6 bkt 80/1572 flags 1
        ifp X,X bytes 22786/7033 pkts 57/49 ipsumd 46b8

[ after the ssh session times out ]
MAP P.P.P.P         65500 <- -> X.X.X.X         10013 [Y.Y.Y.Y 22]
        ttl 14390 use 0 sumd 0x6df8/0x6df8 pr 6 bkt 80/1572 flags 1
        ifp X,X bytes 25866/7513 pkts 63/55 ipsumd 46b8

When sniffing the outgoing traffic I see ICMP messages sent to the
internet host: '[client] unreachable  - need to frag (mtu 1427)'

The same setup worked with the previous IPF version.
When I use a connection between client and router that is not
passed through an IPSEC tunnel, there is no problem either.

>How-To-Repeat:

>Fix:

>Unformatted:
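As an added example, not part of this PR or of the ipfilter code: a small Python parser for the ipnat -lv MAP records quoted in the report that computes the per-interval counter deltas between the three snapshots, plus the header arithmetic that relates an MSS clamp value to an advertised path MTU. The snapshots are embedded verbatim as constructed input; the three-line record layout and the order of the two counters are assumed from the output shown (the report does not say which is in and which is out), and the 40-byte header total assumes IPv4 and TCP without options.

```python
"""Parse `ipnat -lv` MAP records and compare successive snapshots.

Added example for PR kern/36309; not part of the report or of ipfilter.
Assumptions (not from the report): a verbose MAP record spans the three
lines shown in the PR, and "bytes a/b" / "pkts a/b" are printed in the
same order in every snapshot (the report does not label the direction).
"""
import re
from dataclasses import dataclass

# Constructed input: the three snapshots quoted in the report, with the
# reporter's placeholder addresses kept as-is.
SNAPSHOTS = [
    """MAP P.P.P.P         65500 <- -> X.X.X.X         10013 [Y.Y.Y.Y 22]
        ttl 14350 use 0 sumd 0x6df8/0x6df8 pr 6 bkt 80/1572 flags 1
        ifp X,X bytes 19706/6553 pkts 51/43 ipsumd 46b8""",
    """MAP P.P.P.P         65500 <- -> X.X.X.X         10013 [Y.Y.Y.Y 22]
        ttl 14257 use 0 sumd 0x6df8/0x6df8 pr 6 bkt 80/1572 flags 1
        ifp X,X bytes 22786/7033 pkts 57/49 ipsumd 46b8""",
    """MAP P.P.P.P         65500 <- -> X.X.X.X         10013 [Y.Y.Y.Y 22]
        ttl 14390 use 0 sumd 0x6df8/0x6df8 pr 6 bkt 80/1572 flags 1
        ifp X,X bytes 25866/7513 pkts 63/55 ipsumd 46b8""",
]

MAP_RE = re.compile(
    r"^MAP\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<- ->\s+"
    r"(?P<map>\S+)\s+(?P<mport>\d+)\s+\[(?P<dst>\S+)\s+(?P<dport>\d+)\]"
)
DETAIL_RE = re.compile(r"ttl\s+(?P<ttl>\d+)\s+use\s+(?P<use>\d+).*?pr\s+(?P<proto>\d+)")
COUNT_RE = re.compile(r"bytes\s+(?P<b0>\d+)/(?P<b1>\d+)\s+pkts\s+(?P<p0>\d+)/(?P<p1>\d+)")


@dataclass(frozen=True)
class NatEntry:
    src: str
    sport: int
    map_addr: str
    mport: int
    dst: str
    dport: int
    proto: int
    ttl: int
    byte_ctr: tuple  # (first, second) exactly as printed
    pkt_ctr: tuple   # (first, second) exactly as printed

    @property
    def key(self):
        # Identity of the mapping, stable across snapshots.
        return (self.src, self.sport, self.map_addr, self.mport,
                self.dst, self.dport, self.proto)


def parse_snapshot(text):
    """Return the NatEntry list for one `ipnat -lv` listing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    i = 0
    while i + 2 < len(lines):
        m = MAP_RE.match(lines[i])
        if not m:
            i += 1
            continue
        d = DETAIL_RE.search(lines[i + 1])
        c = COUNT_RE.search(lines[i + 2])
        if not (d and c):
            raise ValueError(f"malformed MAP record starting at line {i}")
        entries.append(NatEntry(
            src=m["src"], sport=int(m["sport"]),
            map_addr=m["map"], mport=int(m["mport"]),
            dst=m["dst"], dport=int(m["dport"]),
            proto=int(d["proto"]), ttl=int(d["ttl"]),
            byte_ctr=(int(c["b0"]), int(c["b1"])),
            pkt_ctr=(int(c["p0"]), int(c["p1"])),
        ))
        i += 3
    return entries


def deltas(older, newer):
    """Counter changes per mapping between two snapshots, keyed by mapping."""
    old = {e.key: e for e in older}
    out = {}
    for e in newer:
        prev = old.get(e.key)
        if prev is None:
            continue  # mapping appeared between the two snapshots
        out[e.key] = {
            "bytes": (e.byte_ctr[0] - prev.byte_ctr[0], e.byte_ctr[1] - prev.byte_ctr[1]),
            "pkts": (e.pkt_ctr[0] - prev.pkt_ctr[0], e.pkt_ctr[1] - prev.pkt_ctr[1]),
            "ttl": e.ttl - prev.ttl,
        }
    return out


def mss_on_wire(mss, ip_hdr=20, tcp_hdr=20):
    """IP datagram length of a full-size segment for this MSS (no options)."""
    return mss + ip_hdr + tcp_hdr


def max_mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """Largest option-free MSS whose segments fit in the given MTU."""
    return mtu - ip_hdr - tcp_hdr


if __name__ == "__main__":
    snaps = [parse_snapshot(s) for s in SNAPSHOTS]
    for a, b in zip(snaps, snaps[1:]):
        for key, d in deltas(a, b).items():
            print(f"{key[0]}:{key[1]} -> {key[4]}:{key[5]} {d}")
    print("mssclamp 1420 on the wire:", mss_on_wire(1420), "bytes;",
          "max MSS for mtu 1427:", max_mss_for_mtu(1427))
```

Run against the report's snapshots, both intervals show the same deltas (3080/480 bytes, 6/6 packets) and a refreshed ttl, so the mapping kept passing a trickle of traffic in both directions while the ssh session was frozen. The arithmetic part shows that a 1420-byte MSS produces 1460-byte datagrams, above the 1427-byte MTU the ICMP message advertised, for which the option-free maximum MSS would be 1387.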