Date: Mon, 30 Mar 2020 16:02:44 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 245190] Ipfilter, statefull packet filtering - IPV6 UDP packets issue Message-ID: <bug-245190-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D245190 Bug ID: 245190 Summary: Ipfilter, statefull packet filtering - IPV6 UDP packets issue Product: Base System Version: 11.3-RELEASE Hardware: i386 OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: vladi.kamburov@gmail.com Hi,=20=20=20 I found a strange behavior with IPv6 udp packets, when ipfilter rules are configured for statefull packet filtering. OS - FreeBSD 11.3-Release, IP Filter: v5.1.2. FreeBSD is configured as a router/firewall with dual stack IPv4/IPv6(tunnel-broker)=20 This is a simple rule set, that can produce the issue: ipfstat -in6 1 pass in quick on lo0 all 2 block in log quick from any to any with short 3 block in log quick from any to any with ipopts 4 skip 1 in inet6 proto tcp from any to any flags S/FSRA 5 block in quick proto tcp from any to any 6 block in log quick on re0 inet6 from any to any head 1000 7 block in log quick on gif0 inet6 from any to any head 2000 8 block in log quick inet6 from any to any 9 pass in quick inet6 from fe80::/10 to fe80::/10 group 1000 10 pass in quick inet6 from ff00::/8 to ff00::/8 group 1000 11 pass in quick inet6 from fe80::/10 to ff00::/8 group 1000 12 pass in quick inet6 from 2001:xxxx::/64 to any keep state group 1000 13 pass in quick inet6 from fe80::/10 to 2001:xxxx::1/128 keep state group = 1000 14 block in log quick inet6 from pool/rfc5156-4291 to any group 2000 15 pass in quick inet6 proto ipv6-icmp from any to 2001:xxxx::2/128 icmp-ty= pe echo keep state group 2000 16 pass in quick inet6 proto ipv6-icmp from any to 2001:xxxx:/64 keep state group 2000 17 pass in quick inet6 proto udp from any to 2001:xxxx::/64 port 33433 >< 3= 3601 keep state group 2000 ipfstat -onh6 1 pass out quick on lo0 all 2 pass out quick on re0 inet6 from any to any keep state 3 pass out quick on gif0 inet6 from any to any keep state 4 block out log quick all When setup the above rules, ipmon start showing events for blocked egress u= dp packets on gif0 (ntp, dns packets...)=20 When I do traceroute6 from firewall host the packet was also blocked. Becau= se somehow those packets doesn=E2=80=99t match the rule:=20 pass out quick on gif0 inet6 from any to any keep state and match=20 block out log quick all Ipmon generate event: ipmon[1153]: 12:24:31.328486 gif0 @0:6 b 2001:xxxx::2,47011 -> 2a00:1450:4017:80a::2003,33435 PR udp len 40 60 OUT bad Note: The event " @0:6 b " because there are IPv4 rules that also counts. ipfstat -t6 do not show any udp state=20 When I set pass out quick on gif0 inet6 from any to any the IPv6 udp packets match the rule, but this leads the need to add an ingr= ess rule(e.g. stateless filtering) This behavior happen only when IPv6 udp packets are sourced from the router/firewall. When IPv6 udp packets are sourced from the inside IPv6 network(behind the router/firewall) udp packets match keep state rule and forwarded between interfaces correctly. Also states can be seen with ipfstat -t6 Can anyone reproduce or confirm this issue or bug. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-245190-227>