conf/145727: pf rules not applied on boot if using inet6 :network modifier

James Raftery james at now.ie
Thu Apr 15 16:30:05 UTC 2010 

>Number:         145727
>Category:       conf
>Synopsis:       pf rules not applied on boot if using inet6 :network modifier
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 15 16:30:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     James Raftery
>Release:        FreeBSD 7.2-RELEASE-p7 i386
>Organization:
>Environment:
System: FreeBSD a.mx.now.ie 7.2-RELEASE-p7 FreeBSD 7.2-RELEASE-p7 #0: Fri Feb 26 19:51:57 UTC 2010 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

>Description:

	After reboot, no pf rules are applied if the :network interface
	modifier is used in any inet6 rules.  The net result is no firewall!
	The following is logged to syslog:
	
	Apr 10 17:23:11 a kernel: /etc/pf.conf:52: 
	Apr 10 17:23:11 a kernel: rule expands to no valid combination
	Apr 10 17:23:11 a kernel: 
	Apr 10 17:23:11 a kernel: /etc/pf.conf:70: 
	Apr 10 17:23:11 a kernel: rule expands to no valid combination
	Apr 10 17:23:11 a kernel: 
	Apr 10 17:23:11 a kernel: /etc/pf.conf:71: 
	Apr 10 17:23:11 a kernel: rule expands to no valid combination
	Apr 10 17:23:11 a kernel: 
	Apr 10 17:23:11 a kernel: /etc/pf.conf:72: 
	Apr 10 17:23:11 a kernel: rule expands to no valid combination
	Apr 10 17:23:11 a kernel: 
	Apr 10 17:23:11 a kernel: pfctl: 
	Apr 10 17:23:11 a kernel: Syntax error in config file: pf rules not loaded

	pf rules are applied before the IPv6 network config is applied, so pf
	is unable to expand the :network modifier in the inet6 rule statements.

	The relevant lines from pf.conf are:

	52: pass in log on fxp0 inet6 proto tcp from fxp0:network to fxp0 port ssh
	70: pass in on fxp0 inet6 proto icmp6 from fxp0:network to fxp0 icmp6-type $ipv6_nbr_icmp
	71: pass in on fxp0 inet6 proto icmp6 from fxp0:network to ff02::/8 icmp6-type $ipv6_nbr_icmp
	72: pass in on fxp0 inet6 proto icmp6 from fe80::/10 to fxp0:network icmp6-type $ipv6_nbr_icmp

>How-To-Repeat:

	Add inet6 rule statements which include the :network modifier to
	pf.conf. Ensure there are no active IPv6 addresses on the relevant
	network interfaces. Run `/etc/rc.d/pf start' (with pf_enable=YES in
	rc.conf).

>Fix:
	Re-order rc start-up to apply the IPv6 network config. before pf
	rules are applied. That's in theory, obviously. I don't have enough
	knowledge of boot ordering to say with any confidence that there
	won't be some nasty side-effects of such a change.

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list