Bug 57908

Summary: 'return-rst' does not work for ipv6 in ipfilter
Product: Base System
Reporter: Andrew Konstantinov <andrei>
Component: kern
Assignee: Darren Reed <darrenr>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   
Attachments: ip_fil.patch (flags: none)

Description Andrew Konstantinov 2003-10-12 19:40:19 UTC
IPfilter has a feature called 'return-rst.' Whenever a packet matches the description and the line with that description contains 'return-rst,' ipfilter simply returns a TCP packet (provided that the original packet was also TCP) with the RST flag on. This works perfectly fine with ipv4, but it does not work with ipv6.

Fix: I found an old patch originally by Peter Postma, changed it a little, and here it is. After applying this patch everything works perfectly (return-rst returns RST packets).

How-To-Repeat: Get RELENG_4 sources and compile IPFILTER and INET6 into the kernel. Then put the following line in the configuration file for ipf and reload that file with ipf -6f /path/to/your/file
The line is:
block return-rst in quick on lo0 proto tcp from any to any port = 111
Try to 'telnet localhost 111' and you will get a connection timeout, while ipfilter is supposed to send an RST packet and abort the connection.
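A small probe that turns the manual 'telnet localhost 111' check above into something repeatable over both address families. This is an added example, not code from the reporter or from ipfilter; it assumes the report's rule has already been loaded with ipf -f (IPv4) and ipf -6f (IPv6) on the test host and that lo0 carries both 127.0.0.1 and ::1. The function and constant names are my own. A port that answers the SYN with an RST shows up as 'rst' (connect refused within milliseconds); a port where the filter silently eats the SYN, which is the symptom this report describes for IPv6, shows up as 'dropped' after the timeout.

```python
"""Probe whether a filtered TCP port answers with an RST or drops the SYN.

Added example for this bug report; not part of the original report or of
ipfilter. Rules are assumed to be loaded separately with ipf, e.g.
    block return-rst in quick on lo0 proto tcp from any to any port = 111
Nothing in this file loads or modifies filter rules.
"""
import errno
import socket
import time

# Constructed rule text, kept here only for reference (load it with ipf).
IPF_RULE = "block return-rst in quick on lo0 proto tcp from any to any port = 111"

# errno values a connect() yields for each filter behaviour.
RST_ERRNOS = (errno.ECONNREFUSED,)                                # SYN answered with RST
DROP_ERRNOS = (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK)  # SYN never answered


def classify_errno(code):
    """Map the result of connect_ex() to what the filter did with the SYN."""
    if code == 0:
        return "open"       # handshake completed: port not filtered at all
    if code in RST_ERRNOS:
        return "rst"        # return-rst (or a closed port) sent an RST back
    if code in DROP_ERRNOS:
        return "dropped"    # plain block: no reply, client waited for timeout
    return "error:%s" % errno.errorcode.get(code, str(code))


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect to host:port and return (verdict, seconds)."""
    family, socktype, proto, _, sockaddr = socket.getaddrinfo(
        host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    started = time.monotonic()
    try:
        rc = sock.connect_ex(sockaddr)
    except socket.timeout:      # some platforms raise instead of returning errno
        rc = errno.ETIMEDOUT
    finally:
        sock.close()
    return classify_errno(rc), time.monotonic() - started


def compare(port=111, hosts=("127.0.0.1", "::1"), timeout=3.0):
    """Run the same probe over IPv4 and IPv6 loopback.

    With a working return-rst rule both entries should read 'rst'; the bug
    in this report makes the IPv6 entry read 'dropped' instead.
    """
    return {host: probe(host, port, timeout)[0] for host in hosts}


if __name__ == "__main__":
    for host, verdict in compare().items():
        print("%-12s %s" % (host, verdict))
```

Run it as root is not required; it only opens client sockets. If both lines print 'rst' the IPv6 return-rst path works; 'dropped' on ::1 with 'rst' on 127.0.0.1 reproduces the report.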
Comment 1 peter 2003-10-13 02:27:08 UTC
That patch isn't correct...

This one (from Darren) is better:


--- ip_fil.c.orig	Sat Mar  1 04:55:54 2003
+++ ip_fil.c	Sat May 10 16:48:51 2003
@@ -1950,17 +1950,18 @@
  	u_long mtu;
  	int error;

-	ifp = NULL;
  	ro = &ip6route;
  	fr = fin->fin_fr;
  	bzero((caddr_t)ro, sizeof(*ro));
  	dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
  	dst6->sin6_family = AF_INET6;
  	dst6->sin6_len = sizeof(struct sockaddr_in6);
-	dst6->sin6_addr = fin->fin_fi.fi_src.in6;
+	dst6->sin6_addr = fin->fin_fi.fi_dst.in6;

  	if (fdp != NULL)
  		ifp = fdp->fd_ifp;
+	else
+		ifp = fin->fin_ifp;

  	if ((fr != NULL) && (fin->fin_rev != 0)) {
  		if ((ifp != NULL) && (fdp == &fr->fr_tif))
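Review bot: dropping the unconditional `ifp = NULL;` is only safe because the new `else ifp = fin->fin_ifp;` gives ifp a value on both branches of `if (fdp != NULL)` before the `(ifp != NULL)` test in the following `if`; if anything between the declarations and that `if` in the lines not shown here reads ifp, it would now read an uninitialised local, so that should be checked before merging. The one-line switch of the route destination from `fin->fin_fi.fi_src.in6` to `fin->fin_fi.fi_dst.in6` is the part that changes where the reply is routed and deserves a comment in the code or the commit message explaining why the destination of the packet described by fin is the correct route target for the RST.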
Comment 2 Kris Kennaway freebsd_committer freebsd_triage 2003-10-17 07:28:15 UTC
Responsible Changed
From-To: freebsd-bugs->darrenr

Assign to ipfilter author
Comment 3 Darren Reed freebsd_committer freebsd_triage 2004-04-20 13:51:56 UTC
State Changed
From-To: open->feedback

this change has been merged into ipfilter
Comment 4 Darren Reed freebsd_committer freebsd_triage 2004-07-05 17:59:33 UTC
State Changed
From-To: feedback->closed

patch now in -current & RELENG_4