[Bug 245190] Ipfilter, statefull packet filtering - IPV6 UDP packets issue

Mon Mar 30 16:03:39 UTC 2020

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245190

            Bug ID: 245190
           Summary: Ipfilter, statefull packet filtering - IPV6 UDP
                    packets issue
           Product: Base System
           Version: 11.3-RELEASE
          Hardware: i386
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: vladi.kamburov at gmail.com

Hi,   
I found a strange behavior with IPv6 udp packets, when ipfilter rules are
configured for statefull packet filtering. OS - FreeBSD 11.3-Release, IP
Filter: v5.1.2.
FreeBSD is configured as a router/firewall with dual stack
IPv4/IPv6(tunnel-broker) 

This is a simple rule set, that can produce the issue:

ipfstat -in6
1 pass in quick on lo0 all
2 block in log quick from any to any with short
3 block in log quick from any to any with ipopts
4 skip 1 in inet6 proto tcp from any to any flags S/FSRA
5 block in quick proto tcp from any to any
6 block in log quick on re0 inet6 from any to any head 1000
7 block in log quick on gif0 inet6 from any to any head 2000
8 block in log quick inet6 from any to any

9 pass in quick inet6 from fe80::/10 to fe80::/10 group 1000
10 pass in quick inet6 from ff00::/8 to ff00::/8 group 1000
11 pass in quick inet6 from fe80::/10 to ff00::/8 group 1000
12 pass in quick inet6 from 2001:xxxx::/64 to any keep state group 1000
13 pass in quick inet6 from fe80::/10 to 2001:xxxx::1/128 keep state group 1000

14 block in log quick inet6 from pool/rfc5156-4291 to any group 2000
15 pass in quick inet6 proto ipv6-icmp from any to 2001:xxxx::2/128 icmp-type
echo keep state group 2000
16 pass in quick inet6 proto ipv6-icmp from any to 2001:xxxx:/64 keep state
group 2000
17 pass in quick inet6 proto udp from any to 2001:xxxx::/64 port 33433 >< 33601
keep state group 2000

 ipfstat -onh6
1 pass out quick on lo0 all
2 pass out quick on re0 inet6 from any to any keep state
3 pass out quick on gif0 inet6 from any to any keep state
4 block out log quick all

When setup the above rules, ipmon start showing events for blocked egress udp
packets on gif0 (ntp, dns packets...) 
When I do traceroute6 from firewall host the packet was also blocked. Because
somehow those packets doesn’t match the rule: 
pass out quick on gif0 inet6 from any to any keep state

and match 
block out log quick all

Ipmon generate event:
ipmon[1153]: 12:24:31.328486 gif0 @0:6 b 2001:xxxx::2,47011 ->
2a00:1450:4017:80a::2003,33435 PR udp len 40 60 OUT bad

Note: The event " @0:6 b " because there are IPv4 rules that also counts.

ipfstat -t6 do not show any udp state 

When I set
pass out quick on gif0 inet6 from any to any
the IPv6 udp packets match the rule, but this leads the need to add an ingress
rule(e.g. stateless filtering)

This behavior happen only when IPv6 udp packets are sourced from the
router/firewall.

When IPv6 udp packets are sourced from the inside IPv6 network(behind the
router/firewall) udp packets match keep state rule and forwarded between
interfaces correctly. Also states can be seen with ipfstat -t6

Can anyone reproduce or confirm this issue or bug.

-- 
You are receiving this mail because:
You are the assignee for the bug.