Date: Wed, 30 Aug 2006 13:39:34 +0200 From: Max Laier <max@love2party.net> To: freebsd-pf@freebsd.org Cc: SUZUKI Shinsuke <suz@freebsd.org>, freebsd-gnats-submit@freebsd.org Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on thesame box Message-ID: <200608301339.42374.max@love2party.net> In-Reply-To: <x71wqz6n5v.wl%suz@alaxala.net> References: <200608291637.k7TGbNxd002409@www.freebsd.org> <x71wqz6n5v.wl%suz@alaxala.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart1732840.TuzD54aPQf Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline SUZUKI-san, since you are looking at this already could I interest you in a related=20 problem? On Wednesday 30 August 2006 03:13, SUZUKI Shinsuke wrote: > Hi, > > >>>>> On Tue, 29 Aug 2006 16:37:23 GMT > >>>>> steinex@nognu.de(Frank Steinborn) said: > > > > Thanks to Max Laier for examining this, I'll just paste him: > > > > Using pf stateful rules for inet6 fails for connections originating > > from the firewall itself to a service running on the same box.=20 > > Culprit seems to be interface selection in inet6 (switching between > > the interface that has the address configured and lo0). > > > > tcpdump on pflog0 shows that the initial SYN is coming from bge0 (See=20 > > below for ruleset used). The reply then comes via lo0 and matches the= =20 > > state (if state-policy is floating). The third packet (again via=20 > > bge0) then does no longer match the state - however: =20 > > >How-To-Repeat: > > > > Use this ruleset: > > > > pass quick on lo0 all > > pass quick on bge0 inet all > > block drop log all > > pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port =3D > > ssh flags S/SA keep state > > > > Then try to open an inet6-connection to a service running on the > > firewall itself from the firewall itself. > > Could you please try the attached patch for kernel? > > Using this patch, PF regards the initial SYN (and the third packet) is > coming from lo0, instead of bge0. (There was a similar bug-report > regarding PF for looped-back IPv6 packet, and this patch fixed the > problem) > > If it seems okay from the PF's point of view, I'll commit it to > -current. Your patch looks good for the problem reported, there is - however -=20 another problem that maybe related. The bottom line is that packets to=20 or from local addresses never show up on bpf as they are not processed by=20 lo0's input/output routines. Do you have any idea how to address this? =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1732840.TuzD54aPQf Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQBE9Xj+XyyEoT62BG0RAimwAJ4s0elYgCMVPOUEtzk8jjS/hSQmLACfakuq ueTEDz/pV8klfRGbVhNiS1U= =C21O -----END PGP SIGNATURE----- --nextPart1732840.TuzD54aPQf--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608301339.42374.max>