Bug 192847 - ipfilter: seeing a lot of BAD packets in the logs while SSH-ing to the box
Status: Closed Feedback Timeout
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.0-STABLE
Hardware: amd64 Any
Importance: --- Affects Some People
Assignee: Cy Schubert
Reported: 2014-08-20 07:27 UTC by Roman
Modified: 2018-03-27 17:31 UTC (History)
Description Roman 2014-08-20 07:27:41 UTC
Hello,

FreeBSD 10.0-STABLE built from last night.

The kernel was compiled with:

options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_LOOKUP
options         IPFILTER_DEFAULT_BLOCK

# ipf -V
ipf: IP Filter: v5.1.2 (608)
Kernel: IP Filter: v5.1.2
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
Feature mask: 0x4e

Here is the ruleset:

# ipfstat -in

@1 pass in quick on lo0 from any to any
@2 block in quick on vmx0 from any to any with frag
@3 block in quick on vmx0 proto tcp from any to any with short
@4 block in quick on vmx0 inet from any to any with opt lsrr
@5 block in quick on vmx0 inet from any to any with opt ssrr
@6 block in log first quick on vmx0 proto tcp from any to any flags FPU/FSRPAU
@7 block in quick on vmx0 from any to any with ipopts
@8 pass in quick on vmx0 inet proto tcp from 192.168.60.0/24 to 192.168.60.1/32 port = ssh flags S/FSRPAU keep state
@9 pass in quick on vmx0 inet proto icmp from 192.168.60.0/24 to 192.168.60.1/32 icmp-type echo keep state
@10 block in log quick on vmx0 all

# ipfstat -on

@1 pass out quick on lo0 from any to any
@2 pass out quick on vmx0 proto tcp from any to any port = domain flags S/FSRPAU keep state
@3 pass out quick on vmx0 proto udp from any to any port = domain keep state
@4 pass out quick on vmx0 proto udp from any to any port = ntp keep state
@5 pass out quick on vmx0 inet proto icmp from any to any icmp-type echo keep state
@6 block out log quick on vmx0 all

I see a lot of BAD packets in the logs while SSH-ing to the box (the transfer speed over SCP is also affected).

Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817761 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1532 -AP OUT bad
Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817966 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1616 -AP OUT bad

# ifconfig -m

vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=39b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,TSO6>
capabilities=61079b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:50:56:8a:17:21
        inet 192.168.60.1 netmask 0xffffff00 broadcast 192.168.60.255
        media: Ethernet autoselect
        status: active
        supported media:
                media autoselect

I'd be happy to provide any additional information.
Comment 1 Cy Schubert freebsd_committer freebsd_triage 2015-03-12 20:06:46 UTC
Can you ifconfig -tso4 on the interface and see if that helps? Let me know the results.
Comment 2 Cy Schubert freebsd_committer freebsd_triage 2015-09-13 00:55:42 UTC
Is this still a problem?
Comment 3 Roman 2018-03-27 17:31:53 UTC
I think we can close it. Moved to 11 and pf altogether.
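
An added example, not part of the original report and not IP Filter code: a small parser for the ipmon lines quoted in the description that counts blocked outbound "bad" packets per flow and compares their IP length with the interface MTU (1500 in the ifconfig -m output), the comparison to rerun before and after the -tso4 test asked for in Comment 1. The third sample line is constructed, and reading "len 20 1532" as header length followed by total IP length is an assumption about ipmon's output format.

```python
import re
from collections import Counter

# Sample input: the two ipmon lines from the description, plus one
# constructed line (blocked inbound, normal size, no "bad" tag) for contrast.
SAMPLE_LOG = """\
Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817761 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1532 -AP OUT bad
Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817966 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1616 -AP OUT bad
Aug 19 17:37:27 freebsd-tmpl ipmon[410]: 17:37:27.001234 vmx0 @0:10 b 192.168.60.50,51000 -> 192.168.60.1,23 PR tcp len 20 60 -S IN
"""

# Assumed field order: time, interface, @group:rule, action, src,port -> dst,port,
# PR proto, len <header length> <total IP length>, -<TCP flags>, direction, tags.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[^ ,]+),(?P<sport>\d+) -> (?P<dst>[^ ,]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<iplen>\d+) "
    r"(?P<flags>-\S*) (?P<dir>IN|OUT)(?P<tags>.*)$"
)

def parse_ipmon(text):
    """Yield one dict per matching ipmon line; lines in other shapes are skipped."""
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("group", "rule", "sport", "dport", "hlen", "iplen"):
            rec[key] = int(rec[key])
        rec["tags"] = rec["tags"].split()  # e.g. ["bad"]
        yield rec

def oversized_bad(text, mtu):
    """Per flow: blocked outbound 'bad' packets, split by IP length vs. MTU."""
    report = {}
    for r in parse_ipmon(text):
        if r["action"] != "b" or r["dir"] != "OUT" or "bad" not in r["tags"]:
            continue
        flow = (r["src"], r["sport"], r["dst"], r["dport"])
        stats = report.setdefault(flow, Counter())
        stats["bad"] += 1
        stats["over_mtu" if r["iplen"] > mtu else "within_mtu"] += 1
    return report

if __name__ == "__main__":
    for flow, stats in oversized_bad(SAMPLE_LOG, mtu=1500).items():
        print("%s,%d -> %s,%d" % flow, dict(stats))
```

Both lines from the report carry an IP length above the 1500-byte MTU; whether that is tied to TSO is the open question of Comment 1, which the thread never answers.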