From owner-freebsd-pf@FreeBSD.ORG Tue Sep 5 20:20:37 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77C2816A4E1; Tue, 5 Sep 2006 20:20:37 +0000 (UTC) (envelope-from steinex@nognu.de)
Received: from shodan.nognu.de (shodan.nognu.de [85.14.216.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id DAE5143D5E; Tue, 5 Sep 2006 20:20:36 +0000 (GMT) (envelope-from steinex@nognu.de)
Received: by shodan.nognu.de (Postfix, from userid 1002) id 8810FB828; Wed, 6 Sep 2006 00:19:47 +0200 (CEST)
Date: Wed, 6 Sep 2006 00:19:47 +0200
From: Frank Steinborn
To: Max Laier
Cc: suz@freebsd.org, freebsd-pf@freebsd.org
Mail-Followup-To: Max Laier, freebsd-pf@freebsd.org, suz@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: mutt-ng/devel-r804 (FreeBSD)
Message-Id: <20060905221947.8810FB828@shodan.nognu.de>
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Tue, 05 Sep 2006 20:20:37 -0000

Frank Steinborn wrote:
> Max Laier wrote:
> > On Friday 01 September 2006 21:22, Max Laier wrote:
> > > On Wednesday 30 August 2006 03:13, SUZUKI Shinsuke wrote:
> > > > Hi,
> > > >
> > > > >>>>> On Tue, 29 Aug 2006 16:37:23 GMT
> > > > >>>>> steinex@nognu.de (Frank Steinborn) said:
> > > > >
> > > > > Thanks to Max Laier for examining this, I'll just paste him:
> > > > >
> > > > > Using pf stateful rules for inet6 fails for connections originating
> > > > > from the firewall itself to a service running on the same box.
> > > > > Culprit seems to be interface selection in inet6 (switching between
> > > > > the interface that has the address configured and lo0).
> > > > >
> > > > > tcpdump on pflog0 shows that the initial SYN is coming from bge0
> > > > > (see below for the ruleset used). The reply then comes via lo0 and
> > > > > matches the state (if state-policy is floating). The third packet
> > > > > (again via bge0) then no longer matches the state - however:
> > > > >
> > > > > >How-To-Repeat:
> > > > >
> > > > > Use this ruleset:
> > > > >
> > > > > pass quick on lo0 all
> > > > > pass quick on bge0 inet all
> > > > > block drop log all
> > > > > pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh flags S/SA keep state
> > > > >
> > > > > Then try to open an inet6 connection to a service running on the
> > > > > firewall itself from the firewall itself.
> > > >
> > > > Could you please try the attached patch for the kernel?
> > > >
> > > > Using this patch, PF regards the initial SYN (and the third packet)
> > > > as coming from lo0 instead of bge0. (There was a similar bug report
> > > > regarding PF for looped-back IPv6 packets, and this patch fixed the
> > > > problem.)
> > > >
> > > > If it seems okay from PF's point of view, I'll commit it to
> > > > -current.
> > >
> > > Thinking about this for a bit, we might want to use the patch below
> > > instead, i.e. do the fixup locally in the pfil wrapper instead. This
> > > way other filters don't break if they have adapted to the new world
> > > order.
> > >
> > > Thoughts? Please test and report back, either way.
> >
> > Any progress on this issue? I haven't heard back from you. The patch
> > (attached again) can be built into the pf module and doesn't require a
> > full kernel build. Please test and inform us in order for it to get
> > fixed in time for FreeBSD 6.2.
> >
> > --
> > /"\ Best regards,          | mlaier@freebsd.org
> > \ / Max Laier              | ICQ #67774661
> >  X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
> > / \ ASCII Ribbon Campaign  | Against HTML Mail and News
> >
> > Index: pf_ioctl.c
> > ===================================================================
> > RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
> > retrieving revision 1.25
> > diff -u -r1.25 pf_ioctl.c
> > --- pf_ioctl.c	21 Jul 2006 09:48:13 -0000	1.25
> > +++ pf_ioctl.c	1 Sep 2006 19:19:49 -0000
> > @@ -3442,7 +3442,8 @@
> >  	 */
> >  	int chk;
> >
> > -	chk = pf_test6(PF_IN, ifp, m, NULL, inp);
> > +	chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m,
> > +	    NULL, inp);
> >  	if (chk && *m) {
> >  		m_freem(*m);
> >  		*m = NULL;
>
> I think I'll get the patch tested tonight. Please excuse that I can't
> do it right now, since the box is productive and I'll get flamed...
> :-)
>
> Furthermore pf is statically built into the kernel, so I can't just
> replace the kld.
>
> Frank

Okay, I tested the patch and it fixes the problem. Would be nice to see it
in 6.2-RELEASE. Lots of thanks!

Frank
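Review bot: the interface substitution in the `pf_test6(PF_IN, ...)` call deserves a comment in the block that closes with the `*/` at the top of the hunk, because the purpose of `(*m)->m_flags & M_LOOP ? &loif[0] : ifp` (present looped-back IPv6 packets to pf as arriving on lo0, so that the SYN, the reply and the third packet are all evaluated against the same interface and the same state entry) is only recoverable from the thread, not from the code. The expression itself is correct as written, since `&` binds tighter than `?:`, and `&loif[0]` is lo0. Note also that the hunk changes only the inbound call; the outbound pfil wrapper is not in the visible diff, so whether outgoing looped-back packets need the same fixup for the `pass quick on lo0 all` rule to see them consistently is worth stating in the commit message either way.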