kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)

Remko Lodder remko at elvandar.org
Thu Dec 7 01:20:14 PST 2006


The following reply was made to PR kern/106438; it has been noted by GNATS.

From: Remko Lodder <remko at elvandar.org>
To: Manuel Schiller <mala at hinterbergen.de>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Date: Thu, 7 Dec 2006 10:16:19 +0100

 Hello,
 
 
 > My ipf.rules has the following lines for the outgoing network interface (I stripped things down to make sure I understand what's happening):
 > 
 > pass out quick on hme3 proto tcp from 192.168.x.x to any port = domain flags S keep state
 > pass out quick on hme3 proto udp from 192.168.x.x to any port = domain keep state
 > block out quick on hme3
 > 
 > block in quick on hme3
 > 
 > On the old machine (a pentium box) running FreeBSD 5.5, this would allow out DNS queries, e.g.
 > 
 > dig @192.168.x.y www.freebsd.org
 > 
 > would work as expected. Now, I can use tcpdump -ni hme3 to look at the packets going out, and I can see the replies coming back, but the replies get blocked by the block rule for the inbound section. Strangely enough, ipfstat -t lists the udp connection, so I assume that the kernel intends to let the replies pass, but somehow it does not seem to do so.
 > 
 > I tested things by cvsupping to RELENG6_1 and later STABLE during this week, recompiled things using
 > 
 
 	First of all thanks for using FreeBSD!
 
 	If you run ipmon, what kind of details do you see in the log? It mentions where it is blocked and you
 	can review that rule with ipfstat -hion (list everything in out, do not resolve and show the amount
 	of hits on the rule)
 
 	Thanks in advance
 
 -- 
 Kind regards,
 
      Remko Lodder               ** remko at elvandar.org
      FreeBSD                    ** remko at FreeBSD.org
 
      /* Quis custodiet ipsos custodes */
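To act on the diagnostic suggested above (run ipmon, find the `@group:rule` reference on the blocked packet, then review that rule with `ipfstat -hion`), here is an added example, not part of the PR thread, that parses constructed ipmon-style log lines and reports blocked inbound DNS replies by the rule that dropped them. The line layout (`date time iface @group:rule action src,port -> dst,port PR proto ... IN|OUT`) and the addresses are assumptions for the sample, not output captured from the reporter's machine.

```python
import re
from collections import Counter

# Constructed sample in ipmon's packet-log layout (assumed, not captured):
# an outgoing query passes, its reply is blocked on the inbound rule, plus an
# unrelated blocked SSH probe so the filter below has something to ignore.
SAMPLE_LOG = """\
07/12/2006 10:16:19.101 hme3 @0:1 p 192.168.1.10,51234 -> 192.168.1.1,53 PR udp len 20 61 OUT
07/12/2006 10:16:19.118 hme3 @0:4 b 192.168.1.1,53 -> 192.168.1.10,51234 PR udp len 20 133 IN
07/12/2006 10:16:20.220 hme3 @0:4 b 10.0.0.5,40000 -> 192.168.1.10,22 PR tcp len 20 60 IN
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) (?P<rule>@\d+:\d+) (?P<action>[pbSL]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) .* (?P<dir>IN|OUT)$"
)


def parse_ipmon(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def blocked_dns_replies(records):
    """Inbound UDP packets from source port 53 that were blocked ('b'):
    these are the DNS answers the 'keep state' entry should have admitted."""
    return [
        (r["rule"], r["src"], r["dst"], r["dport"])
        for r in records
        if r["action"] == "b" and r["dir"] == "IN"
        and r["proto"] == "udp" and r["sport"] == 53
    ]


def blocks_per_rule(records):
    """Count blocked packets by rule reference, to compare with ipfstat -hion hit counts."""
    return Counter(r["rule"] for r in records if r["action"] == "b")
```

The `@0:4` reference points at rule 4 of group 0 in the inbound list, which is the line to look up in the `ipfstat -hion` output.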