ipfilter with stateful IPv6 ruleset is broken on FreeBSD 5.3

consider the following ACL:

    block in log on fxp0 all head 600
    block out log on fxp0 all head 650

    # ingress rules
    # ND stuff at link-local
    pass in quick proto ipv6-icmp from fe80::/10 to fe80::/10 group 600
    pass in quick proto ipv6-icmp from fe80::/10 to 2001:XXXX:1003:a::2 group 600
    # NS
    # encompasses DAD
    pass in quick proto ipv6-icmp from any to ff02::/16 icmp-type 135 code 0 group 600
    pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2 icmp-type 135 code 0 group 600
    # NA
    pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2 icmp-type 136 code 0 group 600
    # permit ICMPv6 echo-request
    pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2 icmp-type 128 code 0 keep state group 600

    # egress rules
    pass out quick proto tcp/udp all keep state group 650
    pass out quick proto ipv6-icmp all group 650

when this ACL is loaded via 'ipf -6 -Fa -f ACL', it is possible to connect to this host or ping it via ping6, but it is not possible to connect from this host to outside - this is normal behavior.

however, when the last rule is replaced with

    pass out quick proto ipv6-icmp all keep state group 650

it is now possible to connect from this host to outside, but it is not possible to ping this host. there are no log entries in ipf.log which would indicate denied packets.

with the last rule replaced, the traffic dump looks like this:

    18:15:46.290000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]
    18:15:47.289251 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]
    18:15:48.289262 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]

no NA messages are sent out, nothing in ipf.log.

the same access list works on FreeBSD 4.x without any problem (e.g. it is possible to connect to the host from outside using this ACL, as well as to connect from this host to an arbitrary host outside).

Fix: use stateless access lists - this is not applicable in some environments. more investigation of this problem is needed.

How-To-Repeat: try to load the above mentioned access list and try to ping an otherwise IPv6 reachable machine.
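A small ruleset audit, added here as an example and not part of this PR or of ipfilter itself, that flags the egress pattern the report describes: an outbound "pass ... proto ipv6-icmp ... keep state" rule with no ICMPv6 type restriction (or one that covers the ND types 135/136). The two sample rulesets are constructed from the report's egress rules, and the parser only understands the keywords those rules use.

```python
# Constructed sample rulesets (egress half only, addresses omitted): the
# stateless variant the PR says works, and the 'keep state' variant the PR
# says leaves Neighbor Solicitations unanswered on FreeBSD 5.3.
EGRESS_STATELESS = """\
block out log on fxp0 all head 650
pass out quick proto tcp/udp all keep state group 650
pass out quick proto ipv6-icmp all group 650
"""
EGRESS_STATEFUL = EGRESS_STATELESS.replace(
    "proto ipv6-icmp all group 650", "proto ipv6-icmp all keep state group 650")

ND_TYPES = {"135", "136"}  # Neighbor Solicitation / Neighbor Advertisement


def parse_rule(line):
    """Reduce one ipf rule to the fields the audit needs.

    Returns None for blank lines and comments. Only the keywords used in the
    report's ruleset are recognised (proto, icmp-type, keep state).
    """
    toks = line.split("#", 1)[0].split()
    if len(toks) < 2 or toks[0] not in ("pass", "block"):
        return None
    rule = {"action": toks[0], "dir": toks[1], "proto": None,
            "icmp_type": None, "keep_state": False}
    for i, tok in enumerate(toks):
        if tok == "proto" and i + 1 < len(toks):
            rule["proto"] = toks[i + 1]
        elif tok == "icmp-type" and i + 1 < len(toks):
            rule["icmp_type"] = toks[i + 1]
        elif tok == "keep" and toks[i + 1:i + 2] == ["state"]:
            rule["keep_state"] = True
    return rule


def find_stateful_nd_egress(ruleset):
    """Return 1-based line numbers of outbound pass rules that keep state for
    ICMPv6 traffic including ND, i.e. the rule shape the report ties to
    missing Neighbor Advertisements."""
    hits = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        r = parse_rule(line)
        if (r and r["action"] == "pass" and r["dir"] == "out"
                and r["proto"] == "ipv6-icmp" and r["keep_state"]
                and (r["icmp_type"] is None or r["icmp_type"] in ND_TYPES)):
            hits.append(n)
    return hits
```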
Responsible Changed From-To: freebsd-bugs->darrenr Over to maintainer
State Changed From-To: open->closed Unfortunately no one looked at this PR at the time. It has now been obsoleted by the passage of time.