Bug 203091 - ipfilter bad packets when keep state specified in IPv6 ruleset
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.0-RELEASE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Cy Schubert
Reported: 2015-09-14 01:33 UTC by Cy Schubert
Modified: 2015-10-07 00:54 UTC

Description Cy Schubert freebsd_committer 2015-09-14 01:33:29 UTC
The following IPv6 ipfilter ruleset results in bad packets and connection reset.

#inbound
pass in quick family inet6 proto ipv6-icmp from any to any
skip 1 in log family inet6 proto tcp from any to any flags S/SAFR
block in log quick on em0 family inet6 from any to any
pass in log quick family inet6 proto tcp from any to any port = 22 keep state
block in log quick family inet6 from any to any

# outbound
pass out quick family inet6 proto ipv6-icmp from any to any
block out log quick family inet6 from any to any

Replacing the keep state rule with corresponding stateless rules circumvents the problem.

Possible PRs related to this might also be 185629 and 192847. This will need to be tested.
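
One way the stateless replacement mentioned above could look, as an added example rather than the reporter's actual rules (which are not shown in this report). It assumes the same interface and port as the ruleset above; the return traffic that `keep state` matched implicitly gets its own outbound rule, and the SYN-only skip/block pair on em0 is left out because without a state entry it would block every later segment of the connection.

```conf
# Added example: stateless form of the ruleset above (assumed, not from the report).

# inbound
pass in quick family inet6 proto ipv6-icmp from any to any
# Replaces the "keep state" rule: every inbound segment to port 22 is
# matched by this rule, not only the initial SYN.
pass in log quick family inet6 proto tcp from any to any port = 22
block in log quick family inet6 from any to any

# outbound
pass out quick family inet6 proto ipv6-icmp from any to any
# Return traffic of the SSH sessions, which the state table entry
# previously allowed without an explicit rule.
pass out quick family inet6 proto tcp from any port = 22 to any
block out log quick family inet6 from any to any
```

Without state tracking these rules accept any TCP segment addressed to port 22 and any outbound segment sourced from port 22, so they filter less tightly than the `keep state` rule they replace.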
Comment 1 andywhite 2015-10-07 00:54:36 UTC
copy of bug 203275