OpenSolaris

Bug ID 6575084
Synopsis IPfilter's disguise just doesn't add up (and this synopsis isn't very helpful)
State 10-Fix Delivered (Fix available in build)
Category:Subcategory network:ipfilter
Keywords rtiq_reviewed
Responsible Engineer Evan Xu
Reported Against snv_72 , s10u4_fcs , solaris_10u4
Duplicate Of
Introduced In solaris_nevada
Commit to Fix snv_77
Fixed In snv_77
Release Fixed solaris_nevada(snv_77) , solaris_10u5(s10u5_06) (Bug ID:2155008)
Related Bugs 6529013 , 6604581 , 6619838 , 6629154
Submit Date 28-June-2007
Last Update Date 2-January-2008
Description
When using IPfilter with self-NAT, i.e. having the machine masquerade as another, we see NAT happening, but the return packets are dropped.

ridgemont# ipnat -FC -f - << EOF
> map eri0 from 10.8.57.28/32 to 10.8.57.106/32 port != 22 -> 10.8.57.115/32 portmap tcp/udp auto
> map eri0 from 10.8.57.28/32 to 10.8.57.106/32 port != 22 -> 10.8.57.115/32
> EOF
0 entries flushed from NAT table
0 entries flushed from NAT list
ridgemont# arp -s 10.8.57.115 00:03:ba:14:a0:fd pub
ridgemont# ifconfig eri0
eri0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.8.57.28 netmask ffffff00 broadcast 10.8.57.255
        ether 0:3:ba:14:a0:fd

NOTE: the .115 address is a specially dedicated address.  We've confirmed that the return packets have the proper MAC address.

If I telnet out, NAT happens but the return packets are dropped.  This does not happen on x86.

Another engineer has the exact same symptoms, works on x86, but not SPARC.  He is trying with last night's nightly (6-27-07), I am trying with a nightly (6-15-07) pair.

If we initiate from x86, everything works fine. 

The problem appears to be NAT's inbound checksum processing.

-       tcpInErrs           =    18     udpNoPorts          =315442
+       tcpInErrs           =    21     udpNoPorts          =315443
Work Around
N/A
Comments
N/A
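
Added example (not IPfilter source, and not part of the original report): what inbound NAT checksum processing has to achieve for the return path described above, using the addresses from the report. When NAT rewrites the destination from 10.8.57.115 back to 10.8.57.28, the TCP checksum, which covers the pseudo-header addresses, must be adjusted (RFC 1624); a packet delivered without a correct adjustment fails TCP's check and is counted in tcpInErrs. Assumptions: the segment bytes are constructed, only the address is rewritten (no port change), and the report does not say what the actual defect was.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (b) << 16 | (c) << 8 | (d))

/* Fold a 32-bit accumulator into a 16-bit ones-complement sum. */
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* TCP checksum over pseudo-header plus segment. Bytes are read explicitly in
 * network order, so the result does not depend on host byte order. */
uint16_t tcp_csum(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len) {
    uint32_t s = (src >> 16) + (src & 0xffff) + (dst >> 16) + (dst & 0xffff)
               + 6 /* IPPROTO_TCP */ + (uint32_t)len;
    for (size_t i = 0; i + 1 < len; i += 2)
        s += (uint32_t)(seg[i] << 8 | seg[i + 1]);
    if (len & 1) s += (uint32_t)seg[len - 1] << 8;
    return (uint16_t)~fold(s);
}

/* RFC 1624 incremental update: HC' = ~(~HC + ~m + m') for a rewritten address. */
uint16_t nat_adjust(uint16_t csum, uint32_t old_ip, uint32_t new_ip) {
    uint32_t s = (uint16_t)~csum;
    s += (uint16_t)~(old_ip >> 16);
    s += (uint16_t)~(old_ip & 0xffff);
    s += (new_ip >> 16) + (new_ip & 0xffff);
    return (uint16_t)~fold(s);
}

/* Return packet peer -> NAT address, rewritten to the real address.
 * Result 0 means the receiving TCP accepts the checksum. */
uint16_t inbound_verify(int adjust) {
    uint32_t peer = IP(10,8,57,106), nat = IP(10,8,57,115), real = IP(10,8,57,28);
    uint8_t seg[20] = { 0x00,0x17, 0x80,0x01, 0,0,0,1, 0,0,0,2, /* constructed SYN+ACK */
                        0x50,0x12, 0xff,0xff, 0,0, 0,0 };
    uint16_t c = tcp_csum(peer, nat, seg, sizeof seg);   /* as sent by the peer */
    if (adjust) c = nat_adjust(c, nat, real);            /* NAT fixes up the checksum */
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)(c & 0xff);
    return tcp_csum(peer, real, seg, sizeof seg);        /* receiver's check */
}

int main(void) {
    printf("adjusted:   residual 0x%04x\n", inbound_verify(1));
    printf("unadjusted: residual 0x%04x\n", inbound_verify(0));
    return 0;
}
```

A nonzero residual on the unadjusted path is the condition the receiving TCP counts as an input error.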