Date: Wed, 30 Aug 2006 13:39:34 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: SUZUKI Shinsuke <suz@freebsd.org>, freebsd-gnats-submit@freebsd.org
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Message-ID: <200608301339.42374.max@love2party.net>
In-Reply-To: <x71wqz6n5v.wl%suz@alaxala.net>
References: <200608291637.k7TGbNxd002409@www.freebsd.org> <x71wqz6n5v.wl%suz@alaxala.net>
SUZUKI-san,

since you are looking at this already, could I interest you in a related problem?

On Wednesday 30 August 2006 03:13, SUZUKI Shinsuke wrote:
> Hi,
>
> >>>>> On Tue, 29 Aug 2006 16:37:23 GMT
> >>>>> steinex@nognu.de (Frank Steinborn) said:
>
> > > Thanks to Max Laier for examining this, I'll just paste him:
> > >
> > > Using pf stateful rules for inet6 fails for connections originating
> > > from the firewall itself to a service running on the same box.
> > > Culprit seems to be interface selection in inet6 (switching between
> > > the interface that has the address configured and lo0).
> > >
> > > tcpdump on pflog0 shows that the initial SYN is coming from bge0 (see
> > > below for the ruleset used). The reply then comes via lo0 and matches the
> > > state (if state-policy is floating). The third packet (again via
> > > bge0) then no longer matches the state - however:
> > >
> > >How-To-Repeat:
> > >
> > > Use this ruleset:
> > >
> > > pass quick on lo0 all
> > > pass quick on bge0 inet all
> > > block drop log all
> > > pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port =
> > > ssh flags S/SA keep state
> > >
> > > Then try to open an inet6 connection to a service running on the
> > > firewall itself from the firewall itself.
>
> Could you please try the attached patch for the kernel?
>
> Using this patch, PF regards the initial SYN (and the third packet) as
> coming from lo0 instead of bge0. (There was a similar bug report
> regarding PF for looped-back IPv6 packets, and this patch fixed the
> problem.)
>
> If it seems okay from PF's point of view, I'll commit it to
> -current.

Your patch looks good for the problem reported; there is, however, another problem that may be related. The bottom line is that packets to or from local addresses never show up on bpf, as they are not processed by lo0's input/output routines. Do you have any idea how to address this?
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
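The report above is based on reading tcpdump output from pflog0 and noticing that the three packets of one TCP handshake are logged on two different interfaces (bge0, lo0, bge0). The following is an added example, not part of this thread or of pf itself: a small parser for tcpdump's pflog line format that groups logged packets into connections and flags any connection whose packets pf saw on more than one interface. The sample lines, addresses, ports, rule numbers and sequence numbers are constructed for the example; only the shape of the lines follows what tcpdump prints for pflog.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture) of what tcpdump on pflog0 prints for
# the three handshake packets described in the PR: SYN in on bge0, SYN/ACK out
# on lo0, ACK in on bge0 and blocked. Rule numbers and seq/ack values are made up.
SAMPLE_PFLOG = """\
rule 3/0(match): pass in on bge0: 3000::1.49152 > 3000::1.22: Flags [S], seq 1000, win 65535, length 0
rule 3/0(match): pass out on lo0: 3000::1.22 > 3000::1.49152: Flags [S.], seq 2000, ack 1001, win 65535, length 0
rule 2/0(match): block in on bge0: 3000::1.49152 > 3000::1.22: Flags [.], ack 2001, win 65535, length 0
"""

# Matches the pflog prefix tcpdump prints ("rule N/M(reason): action dir on if:")
# followed by the TCP endpoints and flags. An optional timestamp before "rule"
# is tolerated because search() is used rather than match().
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def split_endpoint(ep):
    """'3000::1.22' -> ('3000::1', 22). tcpdump separates the port with the
    last dot, which is unambiguous for IPv6 literals (colons, no dots)."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def parse_pflog(text):
    """Return one dict per recognised TCP pflog line, in capture order."""
    packets = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue  # ICMPv6, non-TCP or otherwise unrecognised line
        packets.append({
            "rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
            "ifname": m["ifname"], "src": split_endpoint(m["src"]),
            "dst": split_endpoint(m["dst"]), "flags": m["flags"],
        })
    return packets


def flow_key(pkt):
    """Direction-independent key so both halves of a connection group together."""
    return tuple(sorted([pkt["src"], pkt["dst"]]))


def group_flows(packets):
    flows = defaultdict(list)
    for pkt in packets:
        flows[flow_key(pkt)].append(pkt)
    return dict(flows)


def flows_spanning_interfaces(flows):
    """Connections whose packets pf saw on more than one interface, mapped to
    the sorted list of those interfaces. These are exactly the flows an
    interface-bound state cannot keep together."""
    return {key: sorted({p["ifname"] for p in pkts})
            for key, pkts in flows.items()
            if len({p["ifname"] for p in pkts}) > 1}


def report(text):
    """Human-readable per-flow listing with a warning for interface flapping."""
    flows = group_flows(parse_pflog(text))
    spanning = flows_spanning_interfaces(flows)
    out = []
    for key, pkts in flows.items():
        (h1, p1), (h2, p2) = key
        out.append(f"flow {h1}.{p1} <-> {h2}.{p2}")
        for p in pkts:
            out.append(f"  {p['action']:5} {p['dir']:3} on {p['ifname']:5} "
                       f"[{p['flags']}] rule {p['rule']}")
        if key in spanning:
            out.append(f"  WARNING: flow seen on {', '.join(spanning[key])}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_PFLOG))
```

Feed it `tcpdump -n -e -ttt -i pflog0` output (with `log` or `log-all` on the relevant rules) rather than a capture on lo0: as noted in the message above, packets to or from local addresses do not pass through lo0's input/output routines and so never reach bpf there, which is why pflog is the only place this interface switching is visible at all.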
