kern/77273: ipfilter breaks ipv6 stateful filtering on 5.3

Vladimir Kotal vlada at devnull.cz
Tue Feb 8 09:20:10 PST 2005


>Number:         77273
>Category:       kern
>Synopsis:       ipfilter breaks ipv6 stateful filtering on 5.3
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 08 17:20:09 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Vladimir Kotal
>Release:        5.3-RELEASE-p1
>Organization:
>Environment:
FreeBSD news 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #0: Tue Feb  8 12:45:22 CET 2005     root at news:/usr/src/sys/i386/compile/news_5.3  i386
>Description:
      ipfilter with a stateful IPv6 ruleset is broken on FreeBSD 5.3

consider the following ACL:


block in log on fxp0 all head 600
block out log on fxp0 all head 650

# ingress rules
 
  # ND stuff at link-local
  pass in quick proto ipv6-icmp from fe80::/10 to fe80::/10 group 600
  pass in quick proto ipv6-icmp from fe80::/10 to 2001:XXXX:1003:a::2  group 600

  # NS
  # encompasses DAD
  pass in quick proto ipv6-icmp from any to ff02::/16        icmp-type 135 code 0   group 600
  pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2         icmp-type 135 code 0   group 600

  # NA
  pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2         icmp-type 136 code 0   group 600

  # permit ICMPv6 echo-request
  pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2  icmp-type 128 code 0   keep state   group 600

# egress rules


  pass out quick proto tcp/udp all keep state group 650

  pass out quick proto ipv6-icmp all group 650


when this ACL is loaded via 'ipf -6 -Fa -f ACL', it is possible to connect to this host or ping it via ping6, but it is not possible to connect from this host to the outside - this is normal behavior.

however, when the last rule is replaced with

  pass out quick proto ipv6-icmp all keep state group 650

it is now possible to connect from this host to outside, but it is not possible to ping this host.

there are no log entries in ipf.log which would indicate denied packets.

with the last rule replaced, traffic dump looks like this:

18:15:46.290000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]
18:15:47.289251 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]
18:15:48.289262 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]

no NA messages are sent out, nothing in ipf.log.

the same access list works on FreeBSD 4.x without any problem (i.e. it is possible to connect to a host using this ACL from outside, as well as to connect from this host to an arbitrary host outside)

>How-To-Repeat:
      try to load the above-mentioned access list and try to ping the otherwise IPv6-reachable machine.
>Fix:
      use stateless access lists - this is not applicable in some environments. more investigation of this problem is needed.
>Release-Note:
>Audit-Trail:
>Unformatted:

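The diagnostic the PR relies on is a trace showing repeated neighbor solicitations for the host's address with no neighbor advertisement ever sent back. The following script is an added example, not part of the PR or of ipfilter, that automates that check over old-style tcpdump 3.x ICMPv6 output: it parses "neighbor sol"/"neighbor adv" lines, verifies that each solicitation was sent to the target's RFC 4291 solicited-node multicast group (ff02::1:ff00:0/104 plus the low 24 bits of the target), and reports targets whose solicitations went unanswered within the default 1 s RetransTimer. The sample trace is constructed: the masked address 2001:XXXX:1003:a::2 is replaced with the documentation-prefix stand-in 2001:db8:1003:a::2, and the "neighbor adv: tgt is ..." line format for advertisements is an assumption about that tcpdump version's output.

```python
import ipaddress
import re

# Constructed sample trace in the old tcpdump 3.x ICMPv6 format quoted in the PR.
# The first three lines mirror the PR's dump (address replaced with 2001:db8::/32,
# the documentation prefix); the last two lines are an added, answered solicitation
# for a neighbouring address so the script has both outcomes to report on.
# The "neighbor adv: tgt is ..." format is assumed, not taken from the PR.
SAMPLE_TRACE = """\
18:15:46.290000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:db8:1003:a::2 [class 0xe0]
18:15:47.289251 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:db8:1003:a::2 [class 0xe0]
18:15:48.289262 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:db8:1003:a::2 [class 0xe0]
18:15:50.100000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2001:db8:1003:a::1 [class 0xe0]
18:15:50.100500 fe80::2d0:baff:feb6:c431 > fe80::2d0:baff:feb6:c430: icmp6: neighbor adv: tgt is 2001:db8:1003:a::1 [class 0xe0]
"""

# Matches both solicitation ("who has X") and advertisement ("tgt is X") lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+): icmp6: "
    r"neighbor (?P<kind>sol|adv): (?:who has|tgt is) (?P<target>\S+)"
)

# RFC 4861 default RetransTimer; the PR's trace shows the 1 s spacing exactly.
DEFAULT_RETRANS_TIMER = 1.0


def parse_ts(ts: str) -> float:
    """Convert an HH:MM:SS.frac timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """RFC 4291 solicited-node multicast group for addr: ff02::1:ff00:0/104 | low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def ns_destination_ok(dst: str, target: str) -> bool:
    """An NS for target must go to its solicited-node group (or unicast to the target)."""
    d = ipaddress.IPv6Address(dst)
    return d == solicited_node(target) or d == ipaddress.IPv6Address(target)


def parse_trace(trace: str):
    """Yield (seconds, kind, src, dst, target) tuples for ND lines; skip anything else."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["kind"], m["src"], m["dst"], m["target"]))
    return events


def find_unanswered_ns(trace: str, timeout: float = DEFAULT_RETRANS_TIMER):
    """Return {target: count} of solicitations with no NA for that target within timeout.

    A host that filters or drops its own NA replies shows up here as a target with
    a count equal to the number of retransmitted solicitations (3 in the PR's trace).
    """
    events = parse_trace(trace)
    unanswered = {}
    for i, (ts, kind, _src, dst, target) in enumerate(events):
        if kind != "sol":
            continue
        if not ns_destination_ok(dst, target):
            # Misdirected NS would never be answered regardless of the firewall.
            raise ValueError(f"NS for {target} sent to unexpected destination {dst}")
        answered = any(
            k == "adv" and t == target and ts <= ts2 <= ts + timeout
            for (ts2, k, _s, _d, t) in events[i + 1:]
        )
        if not answered:
            unanswered[target] = unanswered.get(target, 0) + 1
    return unanswered


if __name__ == "__main__":
    for target, count in find_unanswered_ns(SAMPLE_TRACE).items():
        print(f"{target}: {count} neighbor solicitation(s) with no advertisement")
```

Run it against a live capture with `tcpdump -n -i fxp0 icmp6 > trace.txt` (on a tcpdump of that era) and feed the file's contents to find_unanswered_ns; a non-empty result for the host's own address, with nothing in ipf.log, is the signature described in the PR.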
