Bug 203091

Summary: ipfilter bad packets when keep state specified in IPv6 ruleset
Product: Base System
Reporter: Cy Schubert <cy>
Component: kern
Assignee: Cy Schubert <cy>
Status: Closed FIXED
Severity: Affects Some People
CC: andywhite
Priority: ---    
Version: 10.0-RELEASE   
Hardware: Any   
OS: Any   

Description Cy Schubert freebsd_committer freebsd_triage 2015-09-14 01:33:29 UTC
The following IPv6 ipfilter ruleset results in bad packets and connection reset.

#inbound
pass in quick family inet6 proto ipv6-icmp from any to any
skip 1 in log family inet6 proto tcp from any to any flags S/SAFR
block in log quick on em0 family inet6 from any to any
pass in log quick family inet6 proto tcp from any to any port = 22 keep state
block in log quick family inet6 from any to any

# outbound
pass out quick family inet6 proto ipv6-icmp from any to any
block out log quick family inet6 from any to any

Replacing the keep state rule with corresponding stateless rules circumvents the problem.

Possible PRs related to this might also be 185629 and 192847. This will need to be tested.
Comment 1 andywhite 2015-10-07 00:54:36 UTC
copy of bug 203275
Comment 2 Cy Schubert freebsd_committer freebsd_triage 2020-05-13 02:24:50 UTC
DUP of 203275.