kern/79416: ipf in 4.11 breaks POLA

Jonathan Dama devteam at donut.ugcs.caltech.edu
Thu Mar 31 15:10:07 PST 2005


>Number:         79416
>Category:       kern
>Synopsis:       ipf in 4.11 breaks POLA
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 31 23:10:06 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Jonathan Dama
>Release:        4.11-STABLE
>Organization:
ASCIT, inc.
>Environment:
FreeBSD donut.ugcs.caltech.edu 4.11-STABLE FreeBSD 4.11-STABLE #1: Tue Mar 22 00:12:05 PST 2005     root at donut.ugcs.caltech.edu:/usr/obj/usr/src/sys/BEARCLAW  i386

>Description:
ipf's interpretation of icmp rules has changed.  This constitutes a POLA violation.  See kern/73399 for a report of this problem against 5.3 as a regression versus 4.x.  The original PR was closed because a simple rule rewrite resolves the issue.  Some MFC has brought this regression into 4.x.  As 4.x is a STABLE release branch, POLA holds; "simply change your configuration files" is not an acceptable solution for stable branches in relationship to components of the base system.

Problem summary:
ipf cites a pass rule as grounds for blocking a packet.  This applies specifically to protocol type icmp and the keep-state directive.

>How-To-Repeat:
Create a rule set such as:
block in all
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
pass out quick on fxp0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
pass in  quick on fxp0 proto icmp from trustnet to any

This results in the following activity:
31/03/2005 01:36:37.333242 fxp0 @0:3 p trustedip -> localip PR icmp len 20 84 icmp echo/0 IN
31/03/2005 01:36:37.333259 fxp0 @0:4 B localip -> trustedip PR icmp 

rule #4, "pass out quick on fxp0 proto icmp from any to any keep state" is cited as cause to block the reply packet.

1) This is textual nonsense.  A pass rule should never be cited as cause for dropping a packet.
2) This is a behavioral change in 4.11-STABLE relative to earlier 4.x releases; as such, it constitutes a POLA violation.

The echo reply should have matched rule #4 and been passed.
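
As an added example (not part of this PR), a small Python checker that does the cross-reference made by hand above: it numbers the rules the way ipf does, separately for "in" and "out" rules within group 0, so that @0:3 IN resolves to the third in-rule and @0:4 OUT to the fourth out-rule, then scans ipmon output for blocks that cite a pass rule. The ruleset is the one from the PR; the ipmon lines are constructed from the PR's output, and everything after "PR icmp" on the second line is an assumption since the PR's copy is truncated.

```python
import re

# Constructed sample input: the ruleset from the PR, verbatim.
RULESET = """\
block in all
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
pass out quick on fxp0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
pass in  quick on fxp0 proto icmp from trustnet to any
"""

# Constructed ipmon lines modelled on the PR's output. The PR's second line
# is truncated; everything after "PR icmp" on it is an assumption.
IPMON_LOG = """\
31/03/2005 01:36:37.333242 fxp0 @0:3 p trustedip -> localip PR icmp len 20 84 icmp echo/0 IN
31/03/2005 01:36:37.333259 fxp0 @0:4 B localip -> trustedip PR icmp len 20 84 icmp echoreply/0 OUT
"""

# ipmon layout: date time iface @group:rule action ... IN|OUT
LOG_RE = re.compile(r"^\S+ \S+ (?P<iface>\S+) @(?P<group>\d+):(?P<num>\d+) (?P<act>\S) .*?\b(?P<dir>IN|OUT)\s*$")


def index_rules(text):
    """Number rules the way ipf does: per direction, 1-based, group 0 only."""
    counters = {"in": 0, "out": 0}
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#") or parts[1] not in counters:
            continue
        counters[parts[1]] += 1
        rules[(parts[1], counters[parts[1]])] = (parts[0], " ".join(parts))
    return rules


def find_pass_rule_blocks(ruleset_text, log_text):
    """Return (direction, rule#, rule text, log line) for each block citing a pass rule."""
    rules = index_rules(ruleset_text)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # ipmon marks blocked packets with "b"/"B"; only plain group 0 is handled here
        if not m or m.group("act").lower() != "b" or m.group("group") != "0":
            continue
        key = (m.group("dir").lower(), int(m.group("num")))
        action, text = rules.get(key, (None, None))
        if action == "pass":
            hits.append((key[0], key[1], text, line))
    return hits
```

Run on the PR's data it reports exactly one hit: the out-rule #4 "pass out quick on fxp0 proto icmp from any to any keep state" cited as the reason for blocking the echo reply.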

>Fix:
Only the original hack given in pr/73399: replace the keep-state icmp pass rule with "pass out quick on fxp0 proto icmp".
>Release-Note:
>Audit-Trail:
>Unformatted: