Bug 77273 - [ipf] ipfilter breaks ipv6 stateful filtering on 5.3
Summary: [ipf] ipfilter breaks ipv6 stateful filtering on 5.3
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 5.3-RELEASE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-net (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-08 17:20 UTC by Vladimir Kotal
Modified: 2012-02-19 19:35 UTC (History)
0 users

See Also:


Description Vladimir Kotal 2005-02-08 17:20:09 UTC
ipfilter with a stateful IPv6 ruleset is broken on FreeBSD 5.3

Consider the following ACL:


block in log on fxp0 all head 600
block out log on fxp0 all head 650

# ingress rules
 
  # ND stuff at link-local
  pass in quick proto ipv6-icmp from fe80::/10 to fe80::/10 group 600
  pass in quick proto ipv6-icmp from fe80::/10 to 2001:XXXX:1003:a::2  group 600

  # NS
  # encompasses DAD
  pass in quick proto ipv6-icmp from any to ff02::/16 icmp-type 135 code 0 group 600
  pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2 icmp-type 135 code 0 group 600

  # NA
  pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2 icmp-type 136 code 0 group 600

  # permit ICMPv6 echo-request
  pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2 icmp-type 128 code 0 keep state group 600

# egress rules


  pass out quick proto tcp/udp all keep state group 650

  pass out quick proto ipv6-icmp all group 650


When this ACL is loaded via 'ipf -6 -Fa -f ACL', it is possible to connect to this host or ping it via ping6, but it is not possible to connect from this host to the outside - this is normal behavior.

However, when the last rule is replaced with

  pass out quick proto ipv6-icmp all keep state group 650

it is now possible to connect from this host to the outside, but it is not possible to ping this host.

There are no log entries in ipf.log which would indicate denied packets.

With the last rule replaced, the traffic dump looks like this:

18:15:46.290000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]
18:15:47.289251 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]
18:15:48.289262 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]

No NA messages are sent out, nothing in ipf.log.

The same access list works on FreeBSD 4.x without any problem (e.g. it is possible to connect to a host using this ACL from outside, as well as to connect from this host to an arbitrary host outside).

Fix:

Use stateless access lists - this is not applicable in some environments. More investigation of this problem is needed.
How-To-Repeat: Try to load the above-mentioned access list and try to ping an otherwise IPv6-reachable machine.
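A small diagnostic for the symptom shown in the trace above (repeated neighbor solicitations for this host's address with no neighbor advertisement in reply), added here as an example and not part of the original report: it scans tcpdump text output and lists targets that were solicited repeatedly but never answered. The NA line format ("neighbor adv: tgt is ...") and the healthy exchange for the ::3 neighbour are constructed assumptions, not from the report.

```python
import re

# tcpdump text format as printed in the report for NS; the NA pattern
# ("neighbor adv: tgt is") is an assumption about the matching reply line.
NS_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp6: neighbor sol: who has (\S+)")
NA_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp6: neighbor adv: tgt is (\S+)")


def unanswered_solicitations(lines, min_repeats=2):
    """Return {target: NS_count} for addresses solicited at least
    `min_repeats` times for which no NA for that target appears at all.
    A healthy neighbour answers the first NS, so repeated NS with no NA
    is the signature of the ND breakage described in the report."""
    ns_count = {}
    answered = set()
    for line in lines:
        m = NS_RE.match(line)
        if m:
            target = m.group(4)
            ns_count[target] = ns_count.get(target, 0) + 1
            continue
        m = NA_RE.match(line)
        if m:
            answered.add(m.group(4))
    return {t: n for t, n in ns_count.items()
            if n >= min_repeats and t not in answered}


# Constructed sample: the three NS lines from the report (never answered),
# followed by a made-up exchange for a neighbour that does reply.
SAMPLE_TRACE = [
    "18:15:46.290000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]",
    "18:15:47.289251 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]",
    "18:15:48.289262 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]",
    "18:15:49.100000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:3: icmp6: neighbor sol: who has 2001:XXXX:1003:a::3",
    "18:15:49.100500 2001:XXXX:1003:a::3 > fe80::2d0:baff:feb6:c430: icmp6: neighbor adv: tgt is 2001:XXXX:1003:a::3",
]

if __name__ == "__main__":
    # Feed real output with: tcpdump -n -i fxp0 icmp6 | python3 thisfile.py
    for target, count in unanswered_solicitations(SAMPLE_TRACE).items():
        print(f"{target}: {count} NS, no NA seen")
```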
Comment 1 Tilman Keskinoz freebsd_committer freebsd_triage 2005-06-04 22:02:29 UTC
Responsible Changed
From-To: freebsd-bugs->darrenr

Over to maintainer
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2012-02-19 19:34:23 UTC
State Changed
From-To: open->closed

Unfortunately no one looked at this PR at the time.  It has now been 
obsoleted by the passage of time.