kern/155945: pf match engine is broken with ipv6
Eugene M. Zheganin
eugene at zhegan.in
Sat Mar 26 10:40:10 UTC 2011
>Number: 155945
>Category: kern
>Synopsis: pf match engine is broken with ipv6
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 26 10:40:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Eugene M. Zheganin
>Release: 8.2-RELEASE
>Organization:
RealService LLC
>Environment:
FreeBSD wizard.hq.norma.perm.ru 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 25 13:08:09 YEKT 2011 emz at ns.hq.norma.perm.ru:/usr/obj/usr/src/sys/WIZARD i386
>Description:
pf match engine is broken when using ipv6. ipv6 packets are matching to some random (?) matching rule in the list, not the last matching rule.
For example (sorry for the long list, but I encountered the problem on the production router. I have to show all of my rules, or I may get blamed for constructing a lame rule list and skipping the lame part of it) ospf packets in this setup are dropped and filter references the rule no. 107 as the source, however, last rule to match is the last rule in the list which passes all of the ipv6 traffic (no. 127 and 128). Rule no. 107 would be the matching rule only if there's no matching rules below it. It's clear that 128 is the last:
%pfctl -vvvs rules
@0 scrub in on vlan1 inet proto icmp from 192.168.3.7 to any no-df fragment reassemble
[ Evaluations: 26070 Packets: 285 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@1 scrub in on vlan18 inet proto icmp from 192.168.3.7 to any no-df fragment reassemble
[ Evaluations: 19526 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@2 scrub in on vlan20 inet proto icmp from 192.168.3.7 to any no-df fragment reassemble
[ Evaluations: 19286 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@0 block drop log all
[ Evaluations: 20708 Packets: 6 Bytes: 628 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@1 pass on lo0 all no state
[ Evaluations: 20708 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@2 pass on vlan1 all no state
[ Evaluations: 20708 Packets: 1596 Bytes: 283586 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@3 pass on vlan18 all no state
[ Evaluations: 20708 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@4 pass on vlan20 all no state
[ Evaluations: 20708 Packets: 32 Bytes: 6250 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@5 pass proto gre all no state
[ Evaluations: 20708 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@6 pass proto esp all no state
[ Evaluations: 20708 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@7 pass proto ah all no state
[ Evaluations: 20708 Packets: 9245 Bytes: 4256848 States: 2 ]
[ Inserted: uid 0 pid 18960 ]
@8 pass proto udp from any to any port = isakmp keep state
[ Evaluations: 20709 Packets: 17 Bytes: 1848 States: 6 ]
[ Inserted: uid 0 pid 18960 ]
@9 pass on gre0 all no state
[ Evaluations: 20711 Packets: 4 Bytes: 304 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@10 pass on gre1 all no state
[ Evaluations: 20711 Packets: 225 Bytes: 23066 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@11 pass on gre2 all no state
[ Evaluations: 20712 Packets: 315 Bytes: 64076 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@12 pass on gre3 all no state
[ Evaluations: 20712 Packets: 22 Bytes: 11564 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@13 pass on gre4 all no state
[ Evaluations: 20712 Packets: 5764 Bytes: 3024528 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@14 pass on gre5 all no state
[ Evaluations: 20712 Packets: 24 Bytes: 11692 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@15 pass on gre6 all no state
[ Evaluations: 20712 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@16 pass on gre7 all no state
[ Evaluations: 20712 Packets: 2 Bytes: 128 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@17 pass on gre8 all no state
[ Evaluations: 20712 Packets: 25 Bytes: 1982 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@18 pass on gre9 all no state
[ Evaluations: 20712 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@19 pass on gre10 all no state
[ Evaluations: 20712 Packets: 8 Bytes: 626 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@20 pass on gre11 all no state
[ Evaluations: 20712 Packets: 2 Bytes: 128 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@21 pass on gre12 all no state
[ Evaluations: 20712 Packets: 2 Bytes: 128 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@22 pass on gre13 all no state
[ Evaluations: 20712 Packets: 22 Bytes: 11544 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@23 pass on gre14 all no state
[ Evaluations: 20712 Packets: 5 Bytes: 380 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@24 pass on gre15 all no state
[ Evaluations: 20712 Packets: 22 Bytes: 11564 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@25 pass on gre16 all no state
[ Evaluations: 20712 Packets: 2 Bytes: 128 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@26 pass in inet proto udp from any to 89.250.210.69 port = l2f keep state
[ Evaluations: 20712 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@27 pass on ng* all no state
[ Evaluations: 20715 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@28 pass out proto tcp from any to any port = ssh flags S/SA keep state
[ Evaluations: 20715 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@29 pass in inet proto tcp from any to 89.250.210.69 port = ssh flags S/SA keep state
[ Evaluations: 4300 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@30 pass in on vlan104 inet proto tcp from any to 89.250.210.69 port 7880:8880 flags S/SA keep state
[ Evaluations: 2674 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@31 pass in on vlan104 inet proto udp from any to 89.250.210.69 port = 8881 keep state
[ Evaluations: 16550 Packets: 170 Bytes: 15450 States: 71 ]
[ Inserted: uid 0 pid 18960 ]
@32 pass out on vlan104 inet proto tcp from 89.250.210.69 to any flags S/SA keep state
[ Evaluations: 2674 Packets: 38 Bytes: 4682 States: 7 ]
[ Inserted: uid 0 pid 18960 ]
@33 pass out on vlan104 inet proto udp from 89.250.210.69 to any keep state
[ Evaluations: 359 Packets: 375 Bytes: 196636 States: 1 ]
[ Inserted: uid 0 pid 18960 ]
@34 pass quick proto icmp all no state
[ Evaluations: 20724 Packets: 850 Bytes: 142464 States: 23 ]
[ Inserted: uid 0 pid 18960 ]
@35 pass quick inet from 192.150.10.0/24 to <rfc1918:6> no state
[ Evaluations: 20076 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@36 pass quick inet from <rfc1918:6> to 192.150.10.0/24 no state
[ Evaluations: 20073 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@37 pass on vlan18 all no state
[ Evaluations: 20077 Packets: 115 Bytes: 7333 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@38 pass in inet proto tcp from any to 89.250.210.69 port = smtp flags S/SA keep state
[ Evaluations: 20077 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@39 pass out inet proto tcp from 89.250.210.69 to any port = smtp flags S/SA keep state
[ Evaluations: 17563 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@40 block drop log on vlan1 inet from ! 192.168.3.7 to ! <internalnets:5>
[ Evaluations: 20076 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@41 block drop log on vlan104 inet from 10.0.0.0/8 to any
[ Evaluations: 20076 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@42 block drop log on vlan104 inet from 172.16.0.0/12 to any
[ Evaluations: 1172 Packets: 374 Bytes: 196508 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@43 block drop log on vlan104 inet from 192.168.0.0/16 to any
[ Evaluations: 1172 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@44 pass in on gre7 from <publicwifisrc:9> to ! <rfc1918:6> no state tag pubwifi
[ Evaluations: 20079 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@45 pass in on gre7 from <publicwifisrc:9> to any no state tag pubwifi
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@46 block drop in on gre7 all tag pubwifi
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@47 pass out on vlan104 route-to (vlan1 192.168.3.1) inet from 192.168.93.64/27 to any flags S/SA keep state
[ Evaluations: 20079 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@48 pass out on vlan1 all no state queue internal
[ Evaluations: 19264 Packets: 1625 Bytes: 810396 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@49 pass in on vlan1 proto tcp from any to any port = ssh flags S/SA keep state queue internal
[ Evaluations: 4044 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@50 pass out on gre6 all no state queue pic_crystal_std_others
[ Evaluations: 20079 Packets: 2 Bytes: 128 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@51 pass out on gre6 proto tcp from any to any port = ssh no state queue pic_crystal_std_terminal
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@52 pass out on gre6 proto tcp from any to any port = telnet no state queue pic_crystal_std_terminal
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@53 pass out on gre6 proto tcp from any to any port = rdp no state queue pic_crystal_std_terminal
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@54 pass out on gre6 proto tcp from any to any port = 4899 no state queue pic_crystal_std_terminal
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@55 pass out on gre6 proto tcp from any port = ssh to any no state queue pic_crystal_std_terminal
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@56 pass out on gre6 proto tcp from any port = telnet to any no state queue pic_crystal_std_terminal
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@57 pass out on gre6 proto tcp from any port = rdp to any no state queue pic_crystal_std_terminal
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@58 pass out on gre6 proto tcp from any port = 4899 to any no state queue pic_crystal_std_terminal
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@59 pass out on gre6 proto tcp from any to any port = http no state queue pic_crystal_std_www
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@60 pass out on gre6 proto tcp from any to any port = https no state queue pic_crystal_std_www
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@61 pass out on gre6 proto tcp from any to any port = 3128 no state queue pic_crystal_std_www
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@62 pass out on gre6 proto tcp from any to any port = 3129 no state queue pic_crystal_std_www
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@63 pass out on gre6 proto tcp from any to any port = 3130 no state queue pic_crystal_std_www
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@64 pass out on gre6 proto tcp from any port = http to any no state queue pic_crystal_std_www
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@65 pass out on gre6 proto tcp from any port = https to any no state queue pic_crystal_std_www
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@66 pass out on gre6 proto tcp from any port = 3128 to any no state queue pic_crystal_std_www
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@67 pass out on gre6 proto tcp from any port = 3129 to any no state queue pic_crystal_std_www
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@68 pass out on gre6 proto tcp from any port = 3130 to any no state queue pic_crystal_std_www
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@69 pass out on gre6 proto tcp from any to any port = netbios-ssn no state queue pic_crystal_std_smb
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@70 pass out on gre6 proto tcp from any to any port = microsoft-ds no state queue pic_crystal_std_smb
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@71 pass out on gre6 proto tcp from any port = netbios-ssn to any no state queue pic_crystal_std_smb
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@72 pass out on gre6 proto tcp from any port = microsoft-ds to any no state queue pic_crystal_std_smb
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@73 pass out on gre6 proto udp from any to any port = netbios-ns no state queue pic_crystal_std_smb
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@74 pass out on gre6 proto udp from any to any port = netbios-dgm no state queue pic_crystal_std_smb
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@75 pass out on gre6 proto udp from any port = netbios-ns to any no state queue pic_crystal_std_smb
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@76 pass out on gre6 proto udp from any port = netbios-dgm to any no state queue pic_crystal_std_smb
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@77 pass out on gre6 proto udp from <voipdest:5> to any no state queue pic_crystal_voip
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@78 pass out on gre9 all no state queue pic_crystal_std_others
[ Evaluations: 20129 Packets: 91 Bytes: 48688 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@79 pass out on gre9 proto tcp from any to any port = ssh no state queue sat_crystal_std_terminal
[ Evaluations: 889 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@80 pass out on gre9 proto tcp from any to any port = telnet no state queue sat_crystal_std_terminal
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@81 pass out on gre9 proto tcp from any to any port = rdp no state queue sat_crystal_std_terminal
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@82 pass out on gre9 proto tcp from any to any port = 4899 no state queue sat_crystal_std_terminal
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@83 pass out on gre9 proto tcp from any port = ssh to any no state queue sat_crystal_std_terminal
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@84 pass out on gre9 proto tcp from any port = telnet to any no state queue sat_crystal_std_terminal
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@85 pass out on gre9 proto tcp from any port = rdp to any no state queue sat_crystal_std_terminal
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@86 pass out on gre9 proto tcp from any port = 4899 to any no state queue sat_crystal_std_terminal
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@87 pass out on gre9 proto tcp from any to any port = http no state queue sat_crystal_std_www
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@88 pass out on gre9 proto tcp from any to any port = https no state queue sat_crystal_std_www
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@89 pass out on gre9 proto tcp from any to any port = 3128 no state queue sat_crystal_std_www
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@90 pass out on gre9 proto tcp from any to any port = 3129 no state queue sat_crystal_std_www
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@91 pass out on gre9 proto tcp from any to any port = 3130 no state queue sat_crystal_std_www
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@92 pass out on gre9 proto tcp from any port = http to any no state queue sat_crystal_std_www
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@93 pass out on gre9 proto tcp from any port = https to any no state queue sat_crystal_std_www
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@94 pass out on gre9 proto tcp from any port = 3128 to any no state queue sat_crystal_std_www
[ Evaluations: 868 Packets: 6 Bytes: 2505 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@95 pass out on gre9 proto tcp from any port = 3129 to any no state queue sat_crystal_std_www
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@96 pass out on gre9 proto tcp from any port = 3130 to any no state queue sat_crystal_std_www
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@97 pass out on gre9 proto tcp from any to any port = netbios-ssn no state queue sat_crystal_std_smb
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@98 pass out on gre9 proto tcp from any to any port = microsoft-ds no state queue sat_crystal_std_smb
[ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@99 pass out on gre9 proto tcp from any port = netbios-ssn to any no state queue sat_crystal_std_smb
[ Evaluations: 868 Packets: 90 Bytes: 4320 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@100 pass out on gre9 proto tcp from any port = microsoft-ds to any no state queue sat_crystal_std_smb
[ Evaluations: 868 Packets: 700 Bytes: 131236 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@101 pass out on gre9 proto udp from any to any port = netbios-ns no state queue sat_crystal_std_smb
[ Evaluations: 889 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@102 pass out on gre9 proto udp from any to any port = netbios-dgm no state queue sat_crystal_std_smb
[ Evaluations: 16 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@103 pass out on gre9 proto udp from any port = netbios-ns to any no state queue sat_crystal_std_smb
[ Evaluations: 16 Packets: 2 Bytes: 168 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@104 pass out on gre9 proto udp from any port = netbios-dgm to any no state queue sat_crystal_std_smb
[ Evaluations: 16 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@105 pass out on gre9 proto udp from <voipdest:5> to any no state queue sat_crystal_std_voip
[ Evaluations: 16 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@106 pass out on gre7 from any to <publicwifisrc:9> no state queue pic_lenina76
[ Evaluations: 20192 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@107 block drop out log on vlan1 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 20195 Packets: 2 Bytes: 160 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@108 block drop out log on vlan18 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 16858 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@109 block drop out log on vlan20 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 16743 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@110 block drop out log on gre0 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 16711 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@111 block drop out log on gre1 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 16707 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@112 block drop out log on gre2 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 16482 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@113 block drop out log on gre3 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 16165 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@114 block drop out log on gre4 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 16143 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@115 block drop out log on gre5 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 10379 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@116 block drop out log on gre6 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 10355 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@117 block drop out log on gre7 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 10353 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@118 block drop out log on gre8 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 10351 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@119 block drop out log on gre9 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 10326 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@120 block drop out log on gre10 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 9437 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@121 block drop out log on gre11 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 9429 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@122 block drop out log on gre12 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 9427 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@123 block drop out log on gre13 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 9425 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@124 block drop out log on gre14 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 9403 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@125 block drop out log on gre15 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 9398 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@126 block drop out log on gre16 from ! <rfc1918:6> to ! <publicwifisrc:9>
[ Evaluations: 9376 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@127 pass on vlan1 proto ipv6 all no state
[ Evaluations: 20238 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@128 pass out on vlan1 proto ipv6 all no state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@129 pass out on vlan18 proto ipv6 all no state
[ Evaluations: 16856 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@130 pass out on vlan20 proto ipv6 all no state
[ Evaluations: 16741 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@131 pass in on vlan1 proto ipv6 all no state
[ Evaluations: 16813 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@132 pass in on vlan18 proto ipv6 all no state
[ Evaluations: 16813 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
@133 pass in on vlan20 proto ipv6 all no state
[ Evaluations: 16735 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 18960 ]
<rfc1918> is:
table <rfc1918> { 192.168.0.0/16, 172.16.0.0/16, 10.0.0.0/8, 224.0.0.0/8, fd00::/16, fe80::16 }
tcpdump output is:
%tcpdump -netti pflog0 ip6
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
1301135352.525684 rule 107/0(match): block out on vlan1: [|ip6]
1301135362.528592 rule 107/0(match): block out on vlan1: [|ip6]
1301135372.531443 rule 107/0(match): block out on vlan1: [|ip6]
1301135382.534327 rule 107/0(match): block out on vlan1: [|ip6]
1301135392.537185 rule 107/0(match): block out on vlan1: [|ip6]
1301135402.539959 rule 107/0(match): block out on vlan1: [|ip6]
1301135412.542550 rule 107/0(match): block out on vlan1: [|ip6]
1301135422.545497 rule 107/0(match): block out on vlan1: [|ip6]
1301135432.548550 rule 107/0(match): block out on vlan1: [|ip6]
1301135442.551302 rule 107/0(match): block out on vlan1: [|ip6]
1301135452.554253 rule 107/0(match): block out on vlan1: [|ip6]
1301135462.557122 rule 107/0(match): block out on vlan1: [|ip6]
1301135472.559722 rule 107/0(match): block out on vlan1: [|ip6]
1301135482.562572 rule 107/0(match): block out on vlan1: [|ip6]
1301135492.564647 rule 107/0(match): block out on vlan1: [|ip6]
1301135502.567681 rule 107/0(match): block out on vlan1: [|ip6]
1301135512.669486 rule 107/0(match): block out on vlan1: [|ip6]
1301135522.672834 rule 107/0(match): block out on vlan1: [|ip6]
1301135532.675468 rule 107/0(match): block out on vlan1: [|ip6]
1301135542.678513 rule 107/0(match): block out on vlan1: [|ip6]
1301135552.681479 rule 107/0(match): block out on vlan1: [|ip6]
1301135562.684425 rule 107/0(match): block out on vlan1: [|ip6]
>How-To-Repeat:
Get a FreeBSD 8.x (problem was originally discovered on 8.0-RELEASE, I upgraded this router to the 8.2-RELEASE), get an ipv6 connection, get a rule list similar to the above, where ipv4 matching rules will be above ipv6 matching rules.
>Fix:
Use 'quick' clause to create the rule at the beginning of the rule list to solve this issue.
>Release-Note:
>Audit-Trail:
>Unformatted:
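The ruleset walk described in the report can be reproduced offline with a small last-match evaluator; this is an added example, not code from the report or from pf, and it models only the vlan1 rules @0, @2, @48, @107, @127 and @128 quoted above. Assumptions: the logged packet is taken to be an OSPFv3 hello from a constructed link-local source fe80::1 to ff02::5, <publicwifisrc> (not shown in the report) is treated as empty, "proto ipv6" is resolved through /etc/protocols to IP protocol 41, and rules 900 and 901 are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Names resolved as in /etc/protocols, which pfctl uses for "proto".
PROTO = {"ipv6": 41, "ospf": 89}

TABLES = {
    # <rfc1918> exactly as quoted in the report; "fe80::16" is one host (/128).
    "rfc1918": ["192.168.0.0/16", "172.16.0.0/16", "10.0.0.0/8",
                "224.0.0.0/8", "fd00::/16", "fe80::16"],
    "publicwifisrc": [],  # assumption: contents are not shown in the report
}

@dataclass
class Rule:
    num: int
    action: str                      # "pass" or "block"
    iface: Optional[str] = None      # None means any interface
    direction: Optional[str] = None  # "in", "out", or None for both
    af: Optional[str] = None         # "inet", "inet6", or None for any
    proto: Optional[str] = None      # key of PROTO, or None for any
    src_not: Optional[str] = None    # from ! <table>
    dst_not: Optional[str] = None    # to ! <table>
    quick: bool = False

@dataclass
class Packet:
    iface: str
    direction: str
    af: str
    proto: int
    src: str
    dst: str

def in_table(addr, table):
    ip = ipaddress.ip_address(addr)
    nets = [ipaddress.ip_network(e, strict=False) for e in TABLES[table]]
    return any(n.version == ip.version and ip in n for n in nets)

def matches(r, p):
    return ((r.iface is None or r.iface == p.iface)
            and (r.direction is None or r.direction == p.direction)
            and (r.af is None or r.af == p.af)
            and (r.proto is None or PROTO[r.proto] == p.proto)
            and (r.src_not is None or not in_table(p.src, r.src_not))
            and (r.dst_not is None or not in_table(p.dst, r.dst_not)))

def decide(rules, p):
    """Last matching rule wins; a matching 'quick' rule ends evaluation."""
    last = None
    for r in rules:
        if matches(r, p):
            last = r
            if r.quick:
                break
    return (last.num, last.action) if last else (None, "pass")

# Subset of the report's filter rules that can apply on vlan1.
RULES = [
    Rule(0, "block"),
    Rule(2, "pass", iface="vlan1"),
    Rule(48, "pass", iface="vlan1", direction="out"),
    Rule(107, "block", iface="vlan1", direction="out",
         src_not="rfc1918", dst_not="publicwifisrc"),
    Rule(127, "pass", iface="vlan1", proto="ipv6"),
    Rule(128, "pass", iface="vlan1", direction="out", proto="ipv6"),
]
# Constructed packets: a native IPv6 OSPF hello and a 6in4 (protocol 41) packet.
OSPF6 = Packet("vlan1", "out", "inet6", PROTO["ospf"], "fe80::1", "ff02::5")
SIXIN4 = Packet("vlan1", "out", "inet", PROTO["ipv6"], "192.168.3.7", "192.0.2.1")
# Hypothetical rules: the report's 'quick' workaround, and a trailing inet6 pass.
QUICK_HEAD = Rule(900, "pass", iface="vlan1", af="inet6", quick=True)
INET6_TAIL = Rule(901, "pass", iface="vlan1", af="inet6")

if __name__ == "__main__":
    print("OSPFv3 hello  :", decide(RULES, OSPF6))
    print("6in4 packet   :", decide(RULES, SIXIN4))
    print("quick at head :", decide([QUICK_HEAD] + RULES, OSPF6))
    print("inet6 at tail :", decide(RULES + [INET6_TAIL], OSPF6))
```

Under these assumptions rule 107 decides the native IPv6 packet, because neither "proto ipv6" rule matches protocol 89 and fe80::1 lies outside every <rfc1918> entry, while the protocol 41 packet is decided by rule 128.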