Date: Tue, 22 Jan 2002 18:49:07 +0100 (CET) From: Dimitry Andric <dim@xs4all.nl> To: FreeBSD-gnats-submit@freebsd.org Subject: kern/34174: IPv6 doesn't work if IPFILTER_DEFAULT_BLOCK is used Message-ID: <20020122174907.D71EB54CF@tensor.xs4all.nl>
next in thread | raw e-mail | index | archive | help
>Number: 34174
>Category: kern
>Synopsis: IPv6 doesn't work if IPFILTER_DEFAULT_BLOCK is used
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 22 09:50:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Dimitry Andric
>Release: FreeBSD 4.5-RC i386
>Organization:
n/a
>Environment:
System: FreeBSD tensor.xs4all.nl 4.5-RC FreeBSD 4.5-RC #0: Mon Jan 21 20:52:33 CET 2002 root@tensor.xs4all.nl:/usr/obj/usr/src/sys/TENSOR i386
========== kernel configuration:
#
# TENSOR -- Kernel configuration file for FreeBSD/i386
#
machine i386
cpu I586_CPU
ident TENSOR
maxusers 0
options INET #InterNETworking
options INET6 #IPv6 communications protocols
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories
options MFS #Memory Filesystem
options NFS #Network Filesystem
options MSDOSFS #MSDOS Filesystem
options CD9660 #ISO 9660 Filesystem
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
options UCONSOLE #Allow users to grab the console
options KTRACE #ktrace(1) support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM #Rate limit bad replies
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_DEFAULT_BLOCK #block all packets by default
device isa
device pci
# Floppy drives
device fdc0 at isa? port IO_FD1 irq 6 drq 2
device fd0 at fdc0 drive 0
# ATA and ATAPI devices
device ata0 at isa? port IO_WD1 irq 14
device ata1 at isa? port IO_WD2 irq 15
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID #Static device numbering
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1
device psm0 at atkbdc? irq 12
device vga0 at isa?
# syscons is the default console driver, resembling an SCO console
device sc0 at isa? flags 0x100
# Floating point support - do not disable.
device npx0 at nexus? port IO_NPX irq 13
# Serial (COM) ports
device sio0 at isa? port IO_COM1 flags 0x10 irq 4
device sio1 at isa? port IO_COM2 irq 3
# Parallel port
device ppc0 at isa? irq 7
device ppbus # Parallel port bus (required)
device lpt # Printer
# PCI Ethernet NICs that use the common MII bus controller code.
device miibus # MII bus support
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
pseudo-device tun # Packet tunnel.
pseudo-device pty # Pseudo-ttys (telnet etc)
pseudo-device md # Memory "disks"
pseudo-device gif # IPv6 and IPv4 tunneling
pseudo-device faith 1 # IPv6-to-IPv4 relaying (translation)
# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter
# EOF
==========
========== dmesg:
Copyright (c) 1992-2002 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 4.5-RC #0: Mon Jan 21 20:52:33 CET 2002
root@tensor.xs4all.nl:/usr/obj/usr/src/sys/TENSOR
Timecounter "i8254" frequency 1193182 Hz
Timecounter "TSC" frequency 150000567 Hz
CPU: Pentium/P54C (150.00-MHz 586-class CPU)
Origin = "GenuineIntel" Id = 0x52c Stepping = 12
Features=0x1bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8>
real memory = 67108864 (65536K bytes)
avail memory = 62140416 (60684K bytes)
Preloaded elf kernel "kernel" at 0xc0324000.
Intel Pentium detected, installing workaround for F00F bug
md0: Malloc disk
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <Host to PCI bridge> on motherboard
pci0: <PCI bus> on pcib0
isab0: <Intel 82371SB PCI to ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX3 ATA controller> port 0xf000-0xf00f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0x6100-0x617f mem 0xe4000000-0xe400007f irq 11 at device 15.0 on pci0
xl0: Ethernet address: 00:01:02:08:d3:92
miibus0: <MII bus> on xl0
xlphy0: <3Com internal media interface> on miibus0
xlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pci0: <S3 ViRGE graphics accelerator> at 16.0 irq 10
xl1: <3Com 3c905B-TX Fast Etherlink XL> port 0x6200-0x627f mem 0xe4001000-0xe400107f irq 9 at device 17.0 on pci0
xl1: Ethernet address: 00:50:04:62:2a:d4
miibus1: <MII bus> on xl1
ukphy0: <Generic IEEE 802.3u media interface> on miibus1
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x100>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A, console
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/16 bytes threshold
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
IP Filter: v3.4.20 initialized. Default = pass all, Logging = enabled
ad0: 6149MB <QUANTUM FIREBALL CR6.4A> [13328/15/63] at ata0-master WDMA2
ad2: 4028MB <QUANTUM FIREBALL CR4.2A> [8184/16/63] at ata1-master WDMA2
Mounting root from ufs:/dev/ad0a
==========
>Description:
When IPv6 support is compiled into the kernel (using options INET6),
and at the same time options IPFILTER and IPFILTER_DEFAULT_BLOCK are
set, IPv6 fails to work, probably because it is being blocked, even
if the filter rules are explicitly set to:
pass in from any to any
pass out from any to any
For example, even ping6 ::1 will time out, as will all other IPv6
operations. At the same time, IPv4 works as expected.
If you then remove IPFILTER_DEFAULT_BLOCK, rebuild the kernel, and
use exactly the same rules as above, IPv6 will start working again.
Also, any IPv6 rules for ipfilter will work fine. For example, I now
have the following in /etc/ipf.rules:
block in log from any to any
block out log from any to any
---snip---
pass in quick on xl1 proto ipv6 from any to any
pass out quick on xl1 proto ipv6 from any to any
which works as intended. (Note that ipv6 doesn't have any support for
keep state at the moment, alas.)
>How-To-Repeat:
Compile a kernel with:
options INET6 #IPv6 communications protocols
options IPFILTER #ipfilter support
options IPFILTER_DEFAULT_BLOCK #block all packets by default
then observe how IPv6 doesn't work (try ping6'ing ::1, which will time
out), even if you set ipfilter to pass in/out everything.
>Fix:
I have never before looked at the ipfilter code, so I'm quite unable
to come up with a fix for this. Maybe after a week of digging, but
there must be plenty of people with more insight into ipfilter than
me... (Darren? :)
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020122174907.D71EB54CF>