kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Max Laier
max at love2party.net
Wed Aug 30 11:39:50 UTC 2006
SUZUKI-san,
since you are looking at this already, could I interest you in a related
problem?
On Wednesday 30 August 2006 03:13, SUZUKI Shinsuke wrote:
> Hi,
>
> >>>>> On Tue, 29 Aug 2006 16:37:23 GMT
> >>>>> steinex at nognu.de(Frank Steinborn) said:
> >
> > Thanks to Max Laier for examining this, I'll just paste him:
> >
> > Using pf stateful rules for inet6 fails for connections originating
> > from the firewall itself to a service running on the same box.
> > Culprit seems to be interface selection in inet6 (switching between
> > the interface that has the address configured and lo0).
> >
> > tcpdump on pflog0 shows that the initial SYN is coming from bge0 (See
> > below for ruleset used). The reply then comes via lo0 and matches the
> > state (if state-policy is floating). The third packet (again via
> > bge0) then does no longer match the state - however:
> > >How-To-Repeat:
> >
> > Use this ruleset:
> >
> > pass quick on lo0 all
> > pass quick on bge0 inet all
> > block drop log all
> > pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port =
> > ssh flags S/SA keep state
> >
> > Then try to open an inet6-connection to a service running on the
> > firewall itself from the firewall itself.
>
> Could you please try the attached patch for kernel?
>
> Using this patch, PF regards the initial SYN (and the third packet) as
> coming from lo0, instead of bge0. (There was a similar bug report
> regarding PF for looped-back IPv6 packets, and this patch fixed the
> problem.)
>
> If it seems okay from the PF's point of view, I'll commit it to
> -current.
Your patch looks good for the problem reported; there is, however,
another problem that may be related. The bottom line is that packets to
or from local addresses never show up on bpf, as they are not processed by
lo0's input/output routines. Do you have any idea how to address this?
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
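To confirm the symptom described in the report on a box of your own, here is an added example (not code from the thread or from pf) that groups pflog records by connection and flags any connection that was logged on more than one interface and ended up blocked, which is exactly the bge0 / lo0 / bge0 pattern above. The sample log lines and their tcpdump output format are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (not a real capture)
# reproducing the symptom in the report: the SYN is seen on bge0, the SYN/ACK
# goes out via lo0 and still matches the floating state, and the final ACK
# arrives on bge0 again, no longer matches, and hits "block drop log all".
SAMPLE_PFLOG = """\
000000 rule 3/0(match): pass in on bge0: 3000::1.50123 > 3000::1.22: S 1000:1000(0) win 65535
000210 rule 3/0(match): pass out on lo0: 3000::1.22 > 3000::1.50123: S 2000:2000(0) ack 1001 win 65535
000030 rule 2/0(match): block in on bge0: 3000::1.50123 > 3000::1.22: . ack 2001 win 65535
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\S+?):? (?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

def flow_key(src, dst):
    """Direction-independent key so both halves of a connection land in one bucket."""
    return tuple(sorted((src, dst)))

def parse_pflog(text):
    """Group pflog lines by connection; each entry records (interface, action, direction)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pflog record in the expected form; skip rather than guess
        flows[flow_key(m["src"], m["dst"])].append((m["ifname"], m["action"], m["dir"]))
    return flows

def find_interface_flapping(text):
    """Return connections whose packets were logged on more than one interface
    and that were eventually blocked: the signature of the lo0/bge0 problem."""
    suspects = {}
    for key, events in parse_pflog(text).items():
        ifaces = {iface for iface, _, _ in events}
        blocked = any(action == "block" for _, action, _ in events)
        if len(ifaces) > 1 and blocked:
            suspects[key] = sorted(ifaces)
    return suspects

if __name__ == "__main__":
    for flow, ifaces in find_interface_flapping(SAMPLE_PFLOG).items():
        print(f"{flow[0]} <-> {flow[1]}: seen on {', '.join(ifaces)} and blocked")
```

A connection that stays on one interface (for example, all packets on lo0) is not reported, so an empty result after the patch is applied is the expected outcome.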