Date: Thu, 24 Jan 2002 00:04:37 +0100
From: aaron <aaron@lo-res.org> (by way of aaron <aaron@lo-res.org>)
To: dim@xs4all.nl
Cc: freebsd-bugs@freebsd.org
Subject: Re: kern/34174: IPv6 doesn't work if IPFILTER_DEFAULT_BLOCK is used
Message-ID: <200201232306.g0NN6Cn18736@meta.lo-res.org>
On Tuesday 22 January 2002 18:49, Dimitry Andric wrote:

Hi Dimitry, quick question... could it be that you forgot to allow rules with the -6 option?

aaron.

> >Number:         34174
> >Category:       kern
> >Synopsis:       IPv6 doesn't work if IPFILTER_DEFAULT_BLOCK is used
> >Confidential:   no
> >Severity:       serious
> >Priority:       medium
> >Responsible:    freebsd-bugs
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          sw-bug
> >Submitter-Id:   current-users
> >Arrival-Date:   Tue Jan 22 09:50:00 PST 2002
> >Closed-Date:
> >Last-Modified:
> >Originator:     Dimitry Andric
> >Release:        FreeBSD 4.5-RC i386
> >Organization:
> n/a
>
> >Environment:
>
> System: FreeBSD tensor.xs4all.nl 4.5-RC FreeBSD 4.5-RC #0: Mon Jan 21 20:52:33 CET 2002 root@tensor.xs4all.nl:/usr/obj/usr/src/sys/TENSOR i386
>
> ========== kernel configuration:
> #
> # TENSOR -- Kernel configuration file for FreeBSD/i386
> #
>
> machine         i386
> cpu             I586_CPU
> ident           TENSOR
> maxusers        0
>
> options         INET                    #InterNETworking
> options         INET6                   #IPv6 communications protocols
> options         FFS                     #Berkeley Fast Filesystem
> options         FFS_ROOT                #FFS usable as root device [keep this!]
> options         SOFTUPDATES             #Enable FFS soft updates support
> options         UFS_DIRHASH             #Improve performance on big directories
> options         MFS                     #Memory Filesystem
> options         NFS                     #Network Filesystem
> options         MSDOSFS                 #MSDOS Filesystem
> options         CD9660                  #ISO 9660 Filesystem
> options         PROCFS                  #Process filesystem
> options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
> options         SCSI_DELAY=15000        #Delay (in ms) before probing SCSI
> options         UCONSOLE                #Allow users to grab the console
> options         KTRACE                  #ktrace(1) support
> options         SYSVSHM                 #SYSV-style shared memory
> options         SYSVMSG                 #SYSV-style message queues
> options         SYSVSEM                 #SYSV-style semaphores
> options         P1003_1B                #Posix P1003_1B real-time extensions
> options         _KPOSIX_PRIORITY_SCHEDULING
> options         ICMP_BANDLIM            #Rate limit bad replies
> options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
> options         IPFILTER                #ipfilter support
> options         IPFILTER_LOG            #ipfilter logging
> options         IPFILTER_DEFAULT_BLOCK  #block all packets by default
>
> device          isa
> device          pci
>
> # Floppy drives
> device          fdc0    at isa? port IO_FD1 irq 6 drq 2
> device          fd0     at fdc0 drive 0
>
> # ATA and ATAPI devices
> device          ata0    at isa? port IO_WD1 irq 14
> device          ata1    at isa? port IO_WD2 irq 15
> device          ata
> device          atadisk                 # ATA disk drives
> device          atapicd                 # ATAPI CDROM drives
> options         ATA_STATIC_ID           #Static device numbering
>
> # atkbdc0 controls both the keyboard and the PS/2 mouse
> device          atkbdc0 at isa? port IO_KBD
> device          atkbd0  at atkbdc? irq 1 flags 0x1
> device          psm0    at atkbdc? irq 12
>
> device          vga0    at isa?
>
> # syscons is the default console driver, resembling an SCO console
> device          sc0     at isa? flags 0x100
>
> # Floating point support - do not disable.
> device          npx0    at nexus? port IO_NPX irq 13
>
> # Serial (COM) ports
> device          sio0    at isa? port IO_COM1 flags 0x10 irq 4
> device          sio1    at isa? port IO_COM2 irq 3
>
> # Parallel port
> device          ppc0    at isa? irq 7
> device          ppbus           # Parallel port bus (required)
> device          lpt             # Printer
>
> # PCI Ethernet NICs that use the common MII bus controller code.
> device          miibus          # MII bus support
> device          xl              # 3Com 3c90x (``Boomerang'', ``Cyclone'')
>
> # Pseudo devices - the number indicates how many units to allocate.
> pseudo-device   loop            # Network loopback
> pseudo-device   ether           # Ethernet support
> pseudo-device   tun             # Packet tunnel.
> pseudo-device   pty             # Pseudo-ttys (telnet etc)
> pseudo-device   md              # Memory "disks"
> pseudo-device   gif             # IPv6 and IPv4 tunneling
> pseudo-device   faith   1       # IPv6-to-IPv4 relaying (translation)
>
> # The `bpf' pseudo-device enables the Berkeley Packet Filter.
> # Be aware of the administrative consequences of enabling this!
> pseudo-device   bpf             #Berkeley packet filter
>
> # EOF
> ==========
>
> ========== dmesg:
> Copyright (c) 1992-2002 The FreeBSD Project.
> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
>         The Regents of the University of California. All rights reserved.
> FreeBSD 4.5-RC #0: Mon Jan 21 20:52:33 CET 2002
>     root@tensor.xs4all.nl:/usr/obj/usr/src/sys/TENSOR
> Timecounter "i8254"  frequency 1193182 Hz
> Timecounter "TSC"  frequency 150000567 Hz
> CPU: Pentium/P54C (150.00-MHz 586-class CPU)
>   Origin = "GenuineIntel"  Id = 0x52c  Stepping = 12
>   Features=0x1bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8>
> real memory  = 67108864 (65536K bytes)
> avail memory = 62140416 (60684K bytes)
> Preloaded elf kernel "kernel" at 0xc0324000.
> Intel Pentium detected, installing workaround for F00F bug
> md0: Malloc disk
> npx0: <math processor> on motherboard
> npx0: INT 16 interface
> pcib0: <Host to PCI bridge> on motherboard
> pci0: <PCI bus> on pcib0
> isab0: <Intel 82371SB PCI to ISA bridge> at device 7.0 on pci0
> isa0: <ISA bus> on isab0
> atapci0: <Intel PIIX3 ATA controller> port 0xf000-0xf00f at device 7.1 on pci0
> ata0: at 0x1f0 irq 14 on atapci0
> ata1: at 0x170 irq 15 on atapci0
> xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0x6100-0x617f mem 0xe4000000-0xe400007f irq 11 at device 15.0 on pci0
> xl0: Ethernet address: 00:01:02:08:d3:92
> miibus0: <MII bus> on xl0
> xlphy0: <3Com internal media interface> on miibus0
> xlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> pci0: <S3 ViRGE graphics accelerator> at 16.0 irq 10
> xl1: <3Com 3c905B-TX Fast Etherlink XL> port 0x6200-0x627f mem 0xe4001000-0xe400107f irq 9 at device 17.0 on pci0
> xl1: Ethernet address: 00:50:04:62:2a:d4
> miibus1: <MII bus> on xl1
> ukphy0: <Generic IEEE 802.3u media interface> on miibus1
> ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
> fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
> fdc0: FIFO enabled, 8 bytes threshold
> fd0: <1440-KB 3.5" drive> on fdc0 drive 0
> atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
> vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
> sc0: <System console> at flags 0x100 on isa0
> sc0: VGA <16 virtual consoles, flags=0x100>
> sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
> sio0: type 16550A, console
> sio1 at port 0x2f8-0x2ff irq 3 on isa0
> sio1: type 16550A
> ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
> ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
> ppc0: FIFO with 16/16/16 bytes threshold
> lpt0: <Printer> on ppbus0
> lpt0: Interrupt-driven port
> IP Filter: v3.4.20 initialized.  Default = pass all, Logging = enabled
> ad0: 6149MB <QUANTUM FIREBALL CR6.4A> [13328/15/63] at ata0-master WDMA2
> ad2: 4028MB <QUANTUM FIREBALL CR4.2A> [8184/16/63] at ata1-master WDMA2
> Mounting root from ufs:/dev/ad0a
> ==========
>
> >Description:
>
> When IPv6 support is compiled into the kernel (using options INET6),
> and at the same time options IPFILTER and IPFILTER_DEFAULT_BLOCK are
> set, IPv6 fails to work, probably because it is being blocked, even
> if the filter rules are explicitly set to:
>
> pass in from any to any
> pass out from any to any
>
> For example, even ping6 ::1 will time out, as will all other IPv6
> operations. At the same time, IPv4 works as expected.
>
> If you then remove IPFILTER_DEFAULT_BLOCK, rebuild the kernel, and
> use exactly the same rules as above, IPv6 will start working again.
> Also, any IPv6 rules for ipfilter will work fine. For example, I now
> have the following in /etc/ipf.rules:
>
> block in log from any to any
> block out log from any to any
> ---snip---
> pass in quick on xl1 proto ipv6 from any to any
> pass out quick on xl1 proto ipv6 from any to any
>
> which works as intended. (Note that ipv6 doesn't have any support for
> keep state at the moment, alas.)
>
> >How-To-Repeat:
>
> Compile a kernel with:
>
> options INET6                   #IPv6 communications protocols
> options IPFILTER                #ipfilter support
> options IPFILTER_DEFAULT_BLOCK  #block all packets by default
>
> then observe how IPv6 doesn't work (try ping6'ing ::1, which will time
> out), even if you set ipfilter to pass in/out everything.
>
> >Fix:
>
> I have never before looked at the ipfilter code, so I'm quite unable
> to come up with a fix for this. Maybe after a week of digging, but
> there must be plenty of people with more insight into ipfilter than
> me... (Darren? :)
>
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-bugs" in the body of the message

--
COSHER - completely open source headers engineering and research
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200201232306.g0NN6Cn18736>
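A configuration check written as an added example for this thread (it is not code from the PR, from aaron or from FreeBSD): it flags the kernel-option combination the report describes and counts the explicit `proto ipv6` pass rules the reporter used to get IPv6 through a default-block rule set. The sample kernel config and rule set are constructed from lines quoted in the PR; the interface name xl1 is the reporter's, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the PR or FreeBSD: audit a kernel config and an
# ipf rule set for the interaction reported in kern/34174.

# Constructed sample kernel config (the relevant lines quoted in the PR).
SAMPLE_KERNCONF='options INET
options INET6 #IPv6 communications protocols
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_DEFAULT_BLOCK #block all packets by default'

# Constructed rule set: the reporter's default-block rules plus the
# explicit IPv6 pass rules (xl1 is the interface named in the PR).
SAMPLE_RULES='block in log from any to any
block out log from any to any
pass in quick on xl1 proto ipv6 from any to any
pass out quick on xl1 proto ipv6 from any to any'

# has_option CONF NAME: succeed if CONF enables kernel option NAME
# (comments are stripped first so a commented-out option does not count).
has_option() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$)"
}

# kernconf_risk CONF: print "risk" when INET6, IPFILTER and
# IPFILTER_DEFAULT_BLOCK are all enabled, the combination the PR says
# blocks IPv6 even under pass-all rules; otherwise print "ok".
kernconf_risk() {
    if has_option "$1" INET6 && has_option "$1" IPFILTER &&
       has_option "$1" IPFILTER_DEFAULT_BLOCK; then
        echo risk
    else
        echo ok
    fi
}

# ipv6_pass_rules RULES: count explicit "pass ... proto ipv6" rules, the
# form the reporter used to get IPv6 through a default-block rule set.
ipv6_pass_rules() {
    printf '%s\n' "$1" |
        grep -Ec '^[[:space:]]*pass[[:space:]].*proto[[:space:]]+ipv6'
}

kernconf_risk "$SAMPLE_KERNCONF"     # risk
ipv6_pass_rules "$SAMPLE_RULES"      # 2
```

Point the two functions at `/sys/i386/conf/<KERNEL>` and `/etc/ipf.rules` contents (for example via `"$(cat file)"`) to audit a real host before rebuilding.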