kern/57908: 'return-rst' does not work for ipv6 in ipfilter

Andrew Konstantinov andrei at
Sun Oct 12 11:40:24 PDT 2003

>Number:         57908
>Category:       kern
>Synopsis:       'return-rst' does not work for ipv6 in ipfilter
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 12 11:40:19 PDT 2003
>Originator:     Andrew Konstantinov
>Release:        FreeBSD 4.9-RC i386
>Organization:
Andrew's Co.
>Environment:
System: FreeBSD 4.9-RC FreeBSD 4.9-RC #0: Fri Oct 10 19:29:06 PDT 2003 root at i386
RELENG_4, with IPFILTER and INET6 compiled into the kernel

>Description:
IPFilter has a feature called 'return-rst'. Whenever a packet matches a rule and the line for that rule contains 'return-rst', ipfilter simply returns a TCP packet (provided that the original packet was also TCP) with the RST flag set. This works perfectly fine with IPv4, but it does not work with IPv6.

>How-To-Repeat:
Get the RELENG_4 sources and compile IPFILTER and INET6 into the kernel. Then put the following line in the configuration file for ipf and reload that file with ipf -6f /path/to/your/file
The line is:
block return-rst in quick on lo0 proto tcp from any to any port = 111
Try 'telnet localhost 111' and you will get a connection timeout, whereas ipfilter is supposed to send an RST packet and abort the connection.


>Fix:
I found an old patch originally written by Peter Postma, changed it a little, and here it is. After applying this patch everything works perfectly (return-rst returns RST packets).

--- ip_fil.patch begins here ---
--- ip_fil.c.orig       Fri Dec  6 12:45:45 2002
+++ ip_fil.c    Tue Mar 25 17:05:09 2003
@@ -1937,24 +1937,24 @@
        struct route_in6 ip6route;
        struct sockaddr_in6 *dst6;
        struct route_in6 *ro;
-       struct ifnet *ifp;
+       struct ifnet *ifp = (fdp != NULL) ? fdp->fd_ifp : fin->fin_ifp;
        frentry_t *fr;
 #if defined(OpenBSD) && (OpenBSD >= 200211)
        struct route_in6 *ro_pmtu = NULL;
        struct in6_addr finaldst;
-       ip6_t *ip6;
+       ip6_t *ip6;
        u_long mtu;
        int error;

-       ifp = NULL;
        ro = &ip6route;
+       ip6 = mtod(m0, struct ip6_t *);
        fr = fin->fin_fr;
        bzero((caddr_t)ro, sizeof(*ro));
        dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
        dst6->sin6_family = AF_INET6;
        dst6->sin6_len = sizeof(struct sockaddr_in6);
-       dst6->sin6_addr = fin->fin_fi.fi_src.in6;
+       dst6->sin6_addr = ip6->ip6_dst;

        if (fdp != NULL)
                ifp = fdp->fd_ifp;
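Review bot: the cast in `ip6 = mtod(m0, struct ip6_t *);` names `struct ip6_t`, while the declaration in the same hunk, `ip6_t *ip6;`, uses `ip6_t` as a typedef name; unless a `struct ip6_t` exists, the cast yields a pointer to an unrelated incomplete type and at best an incompatible-pointer warning, so it should read `ip6 = mtod(m0, ip6_t *);`. Two smaller points in the same hunk: the `ip6_t *ip6;` declaration is shown inside the `#if defined(OpenBSD) && (OpenBSD >= 200211)` block and the hunk does not show where that `#if` closes, so confirm the declaration is in scope on FreeBSD before the unconditional `ip6 = mtod(...)` (the `-`/`+` pair for that line changes nothing visible and is whitespace noise in the diff); and with `ifp` now initialised to `(fdp != NULL) ? fdp->fd_ifp : fin->fin_ifp`, the trailing `if (fdp != NULL) ifp = fdp->fd_ifp;` is redundant and can be dropped.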
--- ip_fil.patch ends here ---
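As an added example that is not part of this PR or of IPFilter's own code: what a 'return-rst' reply looks like when derived from a matched IPv6 TCP segment, following the reset-generation rules of RFC 793 (addresses and ports swapped, sequence numbers taken from the offending segment, no reset in answer to a reset, TCP checksum over the IPv6 pseudo-header). Building the reply is the part that already worked; the patch above changes how the kernel picks the route for sending it. The header layouts, helper names and the 2001:db8:: addresses are assumptions for illustration, and the sample SYN is constructed inline.

```c
/* Added example (not from the PR or IPFilter): build the TCP RST that a
 * 'return-rst' rule would send back for a matched IPv6 segment.
 * Everything below is hypothetical helper code for illustration. */
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <netinet/ip6.h>
#include <arpa/inet.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Minimal 20-byte TCP header in network byte order (no options). */
struct tcp_hdr {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  off;            /* data offset in the upper 4 bits */
    uint8_t  flags;
    uint16_t win, sum, urp;
};

/* IPv6 header followed directly by TCP: the only shape this example handles. */
struct ip6_pkt {
    struct ip6_hdr ip6;
    struct tcp_hdr tcp;
};

/* One's-complement sum of big-endian 16-bit words. */
static uint32_t sum16(const void *buf, size_t len, uint32_t acc)
{
    const uint8_t *p = buf;
    while (len > 1) { acc += (uint32_t)(p[0] << 8 | p[1]); p += 2; len -= 2; }
    if (len) acc += (uint32_t)(p[0] << 8);
    return acc;
}

/* TCP checksum over the IPv6 pseudo-header (RFC 2460 8.1) plus the segment.
 * Returns the value to store in tcp->sum; recomputing over a packet whose
 * checksum field is already filled in yields 0. */
uint16_t tcp6_cksum(const struct ip6_hdr *ip6, const void *tcp, size_t len)
{
    uint8_t ph[40];
    uint32_t l = htonl((uint32_t)len), acc;
    memcpy(ph, &ip6->ip6_src, 16);
    memcpy(ph + 16, &ip6->ip6_dst, 16);
    memcpy(ph + 32, &l, 4);
    ph[36] = ph[37] = ph[38] = 0;
    ph[39] = IPPROTO_TCP;
    acc = sum16(tcp, len, sum16(ph, sizeof ph, 0));
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return htons((uint16_t)~acc);
}

/* Constructed sample segment (documentation-prefix addresses, host-order numbers). */
void make_seg6(struct ip6_pkt *p, const char *src, const char *dst,
               uint16_t sport, uint16_t dport, uint32_t seq, uint32_t ack, uint8_t flags)
{
    memset(p, 0, sizeof *p);
    p->ip6.ip6_flow = htonl(6u << 28);
    p->ip6.ip6_plen = htons(sizeof p->tcp);
    p->ip6.ip6_nxt  = IPPROTO_TCP;
    p->ip6.ip6_hlim = 64;
    inet_pton(AF_INET6, src, &p->ip6.ip6_src);
    inet_pton(AF_INET6, dst, &p->ip6.ip6_dst);
    p->tcp.sport = htons(sport); p->tcp.dport = htons(dport);
    p->tcp.seq = htonl(seq);     p->tcp.ack = htonl(ack);
    p->tcp.off = (sizeof p->tcp / 4) << 4;
    p->tcp.flags = flags;
    p->tcp.sum = tcp6_cksum(&p->ip6, &p->tcp, sizeof p->tcp);
}

/* RFC 793 3.4 reset generation. Returns 0 and fills *out, or -1 when no RST
 * must be sent (the offending segment was itself a RST). */
int build_rst6(const struct ip6_pkt *in, size_t payload_len, struct ip6_pkt *out)
{
    const struct tcp_hdr *t = &in->tcp;
    if (t->flags & TH_RST) return -1;          /* never answer a RST with a RST */
    memset(out, 0, sizeof *out);
    out->ip6.ip6_flow = htonl(6u << 28);
    out->ip6.ip6_plen = htons(sizeof out->tcp);
    out->ip6.ip6_nxt  = IPPROTO_TCP;
    out->ip6.ip6_hlim = 64;                    /* assumed hop limit */
    out->ip6.ip6_src = in->ip6.ip6_dst;        /* reply goes back to the sender */
    out->ip6.ip6_dst = in->ip6.ip6_src;
    out->tcp.sport = t->dport; out->tcp.dport = t->sport;
    out->tcp.off = (sizeof out->tcp / 4) << 4;
    if (t->flags & TH_ACK) {                   /* ACK set: SEQ=SEG.ACK, CTL=RST */
        out->tcp.seq = t->ack; out->tcp.ack = 0; out->tcp.flags = TH_RST;
    } else {                                   /* else: SEQ=0, ACK=SEG.SEQ+SEG.LEN, CTL=RST,ACK */
        uint32_t seglen = (uint32_t)payload_len + !!(t->flags & TH_SYN) + !!(t->flags & TH_FIN);
        out->tcp.seq = 0; out->tcp.ack = htonl(ntohl(t->seq) + seglen);
        out->tcp.flags = TH_RST | TH_ACK;
    }
    out->tcp.sum = tcp6_cksum(&out->ip6, &out->tcp, sizeof out->tcp);
    return 0;
}

int main(void)
{
    struct ip6_pkt syn, rst;
    char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
    make_seg6(&syn, "2001:db8::1", "2001:db8::2", 40000, 111, 1000, 0, TH_SYN);
    if (build_rst6(&syn, 0, &rst) != 0) return 1;
    inet_ntop(AF_INET6, &rst.ip6.ip6_src, a, sizeof a);
    inet_ntop(AF_INET6, &rst.ip6.ip6_dst, b, sizeof b);
    printf("RST %s.%u > %s.%u seq %u ack %u flags 0x%02x cksum-ok=%d\n",
           a, ntohs(rst.tcp.sport), b, ntohs(rst.tcp.dport),
           ntohl(rst.tcp.seq), ntohl(rst.tcp.ack), rst.tcp.flags,
           tcp6_cksum(&rst.ip6, &rst.tcp, sizeof rst.tcp) == 0);
    return 0;
}
```

For the constructed SYN to port 111 the reply is a RST|ACK from 2001:db8::2 port 111 back to 2001:db8::1 port 40000 with seq 0 and ack 1001, which is what tcpdump on lo0 should show when the rule in the How-To-Repeat fires; a segment that arrives with ACK set instead gets a bare RST carrying its ACK number as the sequence, and an inbound RST gets no reply at all.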

