kern/106438: ipfilter: keep state does not seem to allow replies in
on spar64 (and maybe others)
mala at hinterbergen.de
Thu Dec 7 01:10:18 PST 2006
>Synopsis: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
>Arrival-Date: Thu Dec 07 09:10:07 GMT 2006
>Originator: Manuel Schiller
>Release: RELENG6_1, STABLE (both tested this week)
(sorry, not connected to the net)
GENERIC kernel (no tweaks whatsoever), Sun Ultra1 machine (sparc64 platform)
During the process of moving my router/firewall setup to a new machine (the old one died), I saw that ipfilter seems to do something strange to my packets (when I disable it, the problem disappears, but that's not an option for a firewall :)
My ipf.rules has the following lines for the outgoing network interface (I stripped things down to make sure I understand what's happening):
pass out quick on hme3 proto tcp from 192.168.x.x to any port = domain flags S keep state
pass out quick on hme3 proto udp from 192.168.x.x to any port = domain keep state
block out quick on hme3
block in quick on hme3
On the old machine (a pentium box) running FreeBSD 5.5, this would allow out DNS queries, e.g.
dig @192.168.x.y www.freebsd.org
would work as expected. Now, I can use tcpdump -ni hme3 to look at the packets going out, and I can see the replies coming back, but the replies get blocked by the block rule for the inbound section. Strangely enough, ipfstat -t lists the udp connection, so I assume that the kernel intends to let the replies pass, but somehow it does not seem to do so.
I tested things by cvsupping to RELENG6_1 and later STABLE during this week, recompiled things using
rm -fr /usr/obj/*
CFLAGS have been "-O", I have removed the "-pipe" for some reason I forgot. The machine has been used elsewhere in the past, and it always ran rock solid for weeks under full load compiling stuff without ever crashing.
Any hints, ideas or things to test would be greatly appreciated. I intend to look into the kernel sources next weekend (I suspect it's some kind of bug that does not trigger on the more common platforms because I suspect strongly that someone would have noticed it already and I didn't find any hint of that in the mailing lists, problem reports and google), but I'm not too confident when it comes to spotting what's going wrong there. If I missed something obvious, I'd appreciate a pointer. (And I'd be very sorry for the inconvenience.)
P.S. I'm sorry that I couldn't offer you a PR done with send-pr on the offending machine, but it's not in a state fit to send e-mails at the moment, so I have to do this from work...
ipf -Fa -f /etc/ipf.rules (with appropriate rule file)
dig @(some-name-server reachable without ipf) www.somesite.whatever
More information about the freebsd-bugs