Date: Mon, 30 Mar 2020 16:02:44 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 245190] Ipfilter, statefull packet filtering - IPV6 UDP packets issue Message-ID: <bug-245190-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245190

Bug ID: 245190
Summary: Ipfilter, stateful packet filtering - IPv6 UDP packets issue
Product: Base System
Version: 11.3-RELEASE
Hardware: i386
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: vladi.kamburov@gmail.com

Hi,

I found a strange behavior with IPv6 UDP packets when ipfilter rules are configured for stateful packet filtering.

OS: FreeBSD 11.3-RELEASE, IP Filter: v5.1.2.
FreeBSD is configured as a router/firewall with dual stack IPv4/IPv6 (tunnel broker).

This is a simple rule set that can produce the issue:

ipfstat -in6
1 pass in quick on lo0 all
2 block in log quick from any to any with short
3 block in log quick from any to any with ipopts
4 skip 1 in inet6 proto tcp from any to any flags S/FSRA
5 block in quick proto tcp from any to any
6 block in log quick on re0 inet6 from any to any head 1000
7 block in log quick on gif0 inet6 from any to any head 2000
8 block in log quick inet6 from any to any
9 pass in quick inet6 from fe80::/10 to fe80::/10 group 1000
10 pass in quick inet6 from ff00::/8 to ff00::/8 group 1000
11 pass in quick inet6 from fe80::/10 to ff00::/8 group 1000
12 pass in quick inet6 from 2001:xxxx::/64 to any keep state group 1000
13 pass in quick inet6 from fe80::/10 to 2001:xxxx::1/128 keep state group 1000
14 block in log quick inet6 from pool/rfc5156-4291 to any group 2000
15 pass in quick inet6 proto ipv6-icmp from any to 2001:xxxx::2/128 icmp-type echo keep state group 2000
16 pass in quick inet6 proto ipv6-icmp from any to 2001:xxxx:/64 keep state group 2000
17 pass in quick inet6 proto udp from any to 2001:xxxx::/64 port 33433 >< 33601 keep state group 2000

ipfstat -onh6
1 pass out quick on lo0 all
2 pass out quick on re0 inet6 from any to any keep state
3 pass out quick on gif0 inet6 from any to any keep state
4 block out log quick all

When the above rules are set up, ipmon starts showing events for blocked egress UDP packets on gif0 (NTP, DNS packets, ...). When I run traceroute6 from the firewall host, the packets are also blocked. Somehow those packets don't match the rule:

pass out quick on gif0 inet6 from any to any keep state

and match:

block out log quick all

ipmon generates the event:

ipmon[1153]: 12:24:31.328486 gif0 @0:6 b 2001:xxxx::2,47011 -> 2a00:1450:4017:80a::2003,33435 PR udp len 40 60 OUT bad

Note: the event shows "@0:6 b" because there are IPv4 rules that are also counted.

ipfstat -t6 does not show any UDP state.

When I set

pass out quick on gif0 inet6 from any to any

the IPv6 UDP packets match the rule, but this leads to the need to add an ingress rule (e.g. stateless filtering).

This behavior happens only when IPv6 UDP packets are sourced from the router/firewall. When IPv6 UDP packets are sourced from the inside IPv6 network (behind the router/firewall), the UDP packets match the keep state rule and are forwarded between interfaces correctly. Also states can be seen with ipfstat -t6.

Can anyone reproduce or confirm this issue or bug?

-- 
You are receiving this mail because:
You are the assignee for the bug.
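The ipmon event quoted in the report is the only evidence given for the mismatch, and the report's key observation is that only UDP sourced from the firewall's own address is blocked, while forwarded UDP passes. As an added example (not part of the bug report, and not FreeBSD or ipfilter code), here is a small Python parser for that ipmon line layout that tallies blocked egress UDP events per interface and separates packets sourced from the firewall's own addresses from forwarded ones. Only the first sample line is from the report; the other log lines, the `LOCAL_ADDRS` set and the `@group:rule` values in the constructed lines are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Pattern for the ipmon(8) line layout seen in the report:
#   ipmon[pid]: HH:MM:SS.usec ifname @group:rule action src[,sport] -> dst[,dport]
#       PR proto len hlen plen [extra] IN|OUT [flags]
# re.search() is used so a leading syslog prefix (date, host) is tolerated.
IPMON_RE = re.compile(
    r"ipmon\[(?P<pid>\d+)\]:\s+"
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[A-Za-z]+)\s+"
    r"(?P<src>\S+?)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s+"
    r"(?:(?P<extra>.+?)\s+)?"      # any per-protocol detail printed before the direction
    r"(?P<direction>IN|OUT)"
    r"(?:\s+(?P<flags>.*))?$"
)


@dataclass
class IpmonEvent:
    pid: int
    time: str
    ifname: str
    group: int
    rule: int
    action: str           # "b" = blocked, "p" = passed (ipmon may append more letters)
    src: str
    sport: Optional[int]  # None for protocols without ports (e.g. ipv6-icmp)
    dst: str
    dport: Optional[int]
    proto: str
    hlen: int
    plen: int
    direction: str        # "IN" or "OUT"
    flags: str            # trailing text such as "bad", empty if absent


def parse_ipmon(lines: List[str]) -> List[IpmonEvent]:
    """Parse ipmon log lines; lines that do not look like ipmon output are skipped."""
    events: List[IpmonEvent] = []
    for line in lines:
        m = IPMON_RE.search(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(IpmonEvent(
            pid=int(d["pid"]), time=d["time"], ifname=d["ifname"],
            group=int(d["group"]), rule=int(d["rule"]), action=d["action"],
            src=d["src"], sport=int(d["sport"]) if d["sport"] else None,
            dst=d["dst"], dport=int(d["dport"]) if d["dport"] else None,
            proto=d["proto"], hlen=int(d["hlen"]), plen=int(d["plen"]),
            direction=d["direction"], flags=d["flags"] or "",
        ))
    return events


def blocked_egress(events: List[IpmonEvent], ifname: Optional[str] = None,
                   proto: Optional[str] = None) -> List[IpmonEvent]:
    """Blocked OUT events, optionally restricted to one interface and/or protocol."""
    return [e for e in events
            if e.action.startswith("b") and e.direction == "OUT"
            and (ifname is None or e.ifname == ifname)
            and (proto is None or e.proto == proto)]


def locally_sourced_blocks(events: List[IpmonEvent], local_addrs: Set[str]) -> List[IpmonEvent]:
    """Blocked OUT events whose source is one of the firewall's own addresses.
    This is the case the report singles out: forwarded traffic passes, own traffic is blocked."""
    return [e for e in blocked_egress(events) if e.src in local_addrs]


def summarize(events: List[IpmonEvent]) -> Dict[Tuple[str, str, str, str], int]:
    """Count events keyed by (ifname, direction, proto, block|pass)."""
    counts: Dict[Tuple[str, str, str, str], int] = {}
    for e in events:
        key = (e.ifname, e.direction, e.proto, "block" if e.action.startswith("b") else "pass")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Assumed local (firewall-owned) address, taken from the quoted event's source field.
LOCAL_ADDRS: Set[str] = {"2001:xxxx::2"}

# Sample log: the first line is the one quoted in the bug report; the rest are
# constructed here for illustration and are not from the report.
SAMPLE_LINES = [
    "ipmon[1153]: 12:24:31.328486 gif0 @0:6 b 2001:xxxx::2,47011 -> 2a00:1450:4017:80a::2003,33435 PR udp len 40 60 OUT bad",
    "ipmon[1153]: 12:24:32.010203 gif0 @0:6 b 2001:xxxx::2,123 -> 2001:db8::123,123 PR udp len 40 88 OUT bad",
    "ipmon[1153]: 12:24:33.040506 re0 @1000:4 p 2001:xxxx::10,51000 -> 2001:db8::53,53 PR udp len 40 73 IN",
    "ipmon[1153]: 12:24:34.070809 gif0 @2000:2 p fe80::1 -> 2001:xxxx::2 PR ipv6-icmp len 40 64 IN",
    "Mar 30 12:24:35 fw kernel: unrelated syslog line",   # skipped by the parser
]

if __name__ == "__main__":
    evs = parse_ipmon(SAMPLE_LINES)
    for key, n in sorted(summarize(evs).items()):
        print(key, n)
    for e in locally_sourced_blocks(evs, LOCAL_ADDRS):
        print("own traffic blocked:", e.time, e.ifname, e.proto, e.src, "->", e.dst, e.dport)
```

Feed it real ipmon output (`ipmon -o S /var/log/ipfilter.log` or the syslog file it writes to) to confirm the pattern the report describes: if every blocked OUT UDP event has a source in the firewall's own address set while forwarded UDP from the inside network is absent from the blocked set, the symptom matches what the reporter saw.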
