kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Max Laier
max at love2party.net
Fri Sep 1 19:23:02 UTC 2006
On Wednesday 30 August 2006 03:13, SUZUKI Shinsuke wrote:
> Hi,
>
> >>>>> On Tue, 29 Aug 2006 16:37:23 GMT
> >>>>> steinex at nognu.de(Frank Steinborn) said:
> >
> > Thanks to Max Laier for examining this, I'll just paste him:
> >
> > Using pf stateful rules for inet6 fails for connections originating
> > from the firewall itself to a service running on the same box.
> > Culprit seems to be interface selection in inet6 (switching between
> > the interface that has the address configured and lo0).
> >
> > tcpdump on pflog0 shows that the initial SYN is coming from bge0 (See
> > below for ruleset used). The reply then comes via lo0 and matches the
> > state (if state-policy is floating). The third packet (again via
> > bge0) then no longer matches the state - however:
> > >How-To-Repeat:
> >
> > Use this ruleset:
> >
> > pass quick on lo0 all
> > pass quick on bge0 inet all
> > block drop log all
> > pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port =
> > ssh flags S/SA keep state
> >
> > Then try to open an inet6-connection to a service running on the
> > firewall itself from the firewall itself.
>
> Could you please try the attached patch for kernel?
>
> Using this patch, PF regards the initial SYN (and the third packet) as
> coming from lo0 instead of bge0. (There was a similar bug report
> regarding PF for looped-back IPv6 packets, and this patch fixed the
> problem.)
>
> If it seems okay from PF's point of view, I'll commit it to
> -current.
Thinking about this for a bit, we might want to use the patch below
instead, i.e. do the fixup locally in the pfil wrapper. This way other
filters don't break if they have adapted to the new world order.
Thoughts? Please test and report back, either way.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
Index: pf_ioctl.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
retrieving revision 1.25
diff -u -r1.25 pf_ioctl.c
--- pf_ioctl.c 21 Jul 2006 09:48:13 -0000 1.25
+++ pf_ioctl.c 1 Sep 2006 19:19:49 -0000
@@ -3442,7 +3442,8 @@
*/
int chk;
- chk = pf_test6(PF_IN, ifp, m, NULL, inp);
+ chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m,
+ NULL, inp);
if (chk && *m) {
m_freem(*m);
*m = NULL;
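Review bot: Only the inbound path is changed here (the `pf_test6(PF_IN, ...)` call at offset 3442 gets `&loif[0]` when `M_LOOP` is set); the outbound pfil hook is not touched by this patch, so a looped-back IPv6 packet would still be presented to outbound rules with the physical ifp unless that hook gets the same substitution, and either the same change or a sentence in the comment block above (its closing `*/` is the first context line of the hunk) should say why only the inbound direction needs it. As a style point, the ternary buried in the argument list is hard to read: hoist it into its own statement, e.g. `struct ifnet *lifp = ((*m)->m_flags & M_LOOP) ? &loif[0] : ifp;` followed by `chk = pf_test6(PF_IN, lifp, m, NULL, inp);`, with a one-line comment stating that IPv6 packets looped back to the host carry `M_LOOP` but the originating interface as ifp, which is the reason for the rewrite. Note also that `(*m)->m_flags` is now dereferenced before the existing `if (chk && *m)` guard; that is only safe because the hook is entered with a non-NULL mbuf, which the comment should state as well.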
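The symptom described in the report (one TCP flow logged by pf on bge0, then lo0, then bge0 again, with the third packet blocked) is easiest to confirm from a pflog capture. The script below is an added example, not code from the thread or from the pf project: it scans `tcpdump -n -e -ttt -i pflog0` style output and reports every flow that pf saw on more than one interface. The three sample lines are constructed to resemble the tcpdump pflog printer of that era (`rule N/(reason): action dir on ifname: src > dst: ...`); the exact field layout is an assumption, and the rule numbers and port are illustrative.

```shell
#!/bin/sh
# Added example (not from the original thread): flag TCP flows that pf logged
# on more than one interface, the symptom of the inet6 loopback bug above.
#
# SAMPLE_PFLOG is constructed, not a real capture; it imitates
#   tcpdump -n -e -ttt -i pflog0
# output: SYN logged on bge0, SYN/ACK on lo0, final ACK blocked on bge0.
SAMPLE_PFLOG='000000 rule 3/(match): pass in on bge0: 3000::1.54321 > 3000::1.22: S 1:1(0) win 65535
000001 rule 0/(match): pass in on lo0: 3000::1.22 > 3000::1.54321: S 2:2(0) ack 2 win 65535
000001 rule 2/(match): block in on bge0: 3000::1.54321 > 3000::1.22: . ack 1 win 65535'

# flow_summary: read pflog tcpdump lines on stdin and print one line per flow:
#   "<endpoint-a> <endpoint-b> <distinct-interfaces> <ifname,...> <action,...>"
# The flow key is the unordered endpoint pair, so both directions of a
# connection collapse into the same key.
flow_summary() {
    awk '
    {
        pos = 0
        for (i = 1; i <= NF; i++) if ($i == "on") { pos = i; break }
        if (!pos) next                     # not a pflog line, skip it
        act = $(pos - 2)                   # "pass" or "block"
        ifn = $(pos + 1); sub(/:$/, "", ifn)
        src = $(pos + 2)
        dst = $(pos + 4); sub(/:$/, "", dst)
        key = (src < dst) ? src " " dst : dst " " src
        if (!(key in n)) order[++nf] = key
        n[key]++
        sep = (key in ifs) ? "," : ""
        ifs[key] = ifs[key] sep ifn
        acts[key] = acts[key] sep act
        if (!((key SUBSEP ifn) in seen)) { seen[key SUBSEP ifn] = 1; nif[key]++ }
    }
    END {
        for (j = 1; j <= nf; j++) {
            k = order[j]
            printf "%s %d %s %s\n", k, nif[k], ifs[k], acts[k]
        }
    }'
}

# flaky_flows: only the flows whose packets were attributed to more than one
# interface; a healthy host-to-itself flow should show a single interface.
flaky_flows() {
    flow_summary | awk '$3 > 1'
}

# Stand-alone run against the constructed sample; on a real box pipe
#   tcpdump -n -e -ttt -l -i pflog0 | flaky_flows
printf '%s\n' "$SAMPLE_PFLOG" | flaky_flows
```

The action column makes the failure mode visible at a glance: the first two packets of the flow pass, the third is blocked, and the interface column shows the bge0/lo0/bge0 flip that explains why the floating state no longer matched.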