From owner-freebsd-bugs@FreeBSD.ORG Tue Feb 8 17:20:10 2005
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 26D5A16A4CF for ; Tue, 8 Feb 2005 17:20:10 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E1CB443D4C for ; Tue, 8 Feb 2005 17:20:09 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j18HK9fU010765 for ; Tue, 8 Feb 2005 17:20:09 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j18HK922010764; Tue, 8 Feb 2005 17:20:09 GMT (envelope-from gnats)
Resent-Date: Tue, 8 Feb 2005 17:20:09 GMT
Resent-Message-Id: <200502081720.j18HK922010764@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Vladimir Kotal
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2217616A4CE for ; Tue, 8 Feb 2005 17:19:35 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id D6FBA43D1F for ; Tue, 8 Feb 2005 17:19:34 +0000 (GMT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j18HJYC4025874 for ; Tue, 8 Feb 2005 17:19:34 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id j18HJYl9025873; Tue, 8 Feb 2005 17:19:34 GMT (envelope-from nobody)
Message-Id: <200502081719.j18HJYl9025873@www.freebsd.org>
Date: Tue, 8 Feb 2005 17:19:34 GMT
From: Vladimir Kotal
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: kern/77273: ipfilter breaks ipv6 statefull filtering on 5.3
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Feb 2005 17:20:10 -0000

>Number:         77273
>Category:       kern
>Synopsis:       ipfilter breaks ipv6 statefull filtering on 5.3
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 08 17:20:09 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Vladimir Kotal
>Release:        5.3-RELEASE-p1
>Organization:
>Environment:
FreeBSD news 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #0: Tue Feb 8 12:45:22 CET 2005 root@news:/usr/src/sys/i386/compile/news_5.3 i386
>Description:
ipfilter with a stateful IPv6 ruleset is broken on FreeBSD 5.3. Consider the following ACL:

block in log on fxp0 all head 600
block out log on fxp0 all head 650

# ingress rules
# ND stuff at link-local
pass in quick proto ipv6-icmp from fe80::/10 to fe80::/10 group 600
pass in quick proto ipv6-icmp from fe80::/10 to 2001:XXXX:1003:a::2 group 600
# NS
# encompasses DAD
pass in quick proto ipv6-icmp from any to ff02::/16 icmp-type 135 code 0 group 600
pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2 icmp-type 135 code 0 group 600
# NA
pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2 icmp-type 136 code 0 group 600
# permit ICMPv6 echo-request
pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2 icmp-type 128 code 0 keep state group 600

# egress rules
pass out quick proto tcp/udp all keep state group 650
pass out quick proto ipv6-icmp all group 650

When this ACL is loaded via 'ipf -6 -Fa -f ACL', it is possible to connect to this host or ping it via ping6, but it is not possible to connect from this host to outside - this is normal behavior.

However, when the last rule is replaced with

pass out quick proto ipv6-icmp all keep state group 650

it is now possible to connect from this host to outside, but it is not possible to ping this host. There are no log entries in ipf.log which would indicate denied packets.

With the last rule replaced, the traffic dump looks like this:

18:15:46.290000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]
18:15:47.289251 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]
18:15:48.289262 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]

No NA messages are sent out, nothing in ipf.log.

The same access list works on FreeBSD 4.x without any problem (e.g. it is possible to connect to the host using this ACL from outside as well as to connect from this host to an arbitrary host outside).
>How-To-Repeat:
Try to load the above-mentioned access list and try to ping an otherwise IPv6-reachable machine.
>Fix:
Use stateless access lists - this is not applicable in some environments. More investigation of this problem is needed.
>Release-Note:
>Audit-Trail:
>Unformatted:
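The symptom in the report is a neighbor solicitation for the host's address that is repeated every second with no neighbor advertisement ever leaving the box, while the firewall log stays silent. The following script is an added example, not part of the PR or of ipfilter; it parses tcpdump lines in the format shown above and flags any target that was solicited repeatedly without a corresponding advertisement, which is the quickest way to distinguish "the filter is silently eating ND" from an ordinary reachability problem. The sample capture lines are constructed for this example: the broken case copies the three lines from the report, and the healthy case adds a hypothetical neighbor advertisement in the `neighbor adv: tgt is` form that tcpdump of that era printed.

```python
import re
from collections import defaultdict

# Old-style tcpdump ICMPv6 ND lines: "<ts> <src> > <dst>: icmp6: neighbor sol: who has <tgt> ..."
# and "<ts> <src> > <dst>: icmp6: neighbor adv: tgt is <tgt> ...". Trailing fields such as
# "[class 0xe0]" are ignored because <tgt> stops at the first whitespace.
NS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp6: neighbor sol: who has (?P<tgt>\S+)")
NA_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp6: neighbor adv: tgt is (?P<tgt>\S+)")

# Constructed sample input: the three solicitations quoted in the PR, with no reply.
BROKEN_DUMP = [
    "18:15:46.290000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]",
    "18:15:47.289251 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]",
    "18:15:48.289262 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]",
]

# Constructed sample input for the working case: one solicitation answered by an
# advertisement from the target itself (hypothetical line, not from the PR).
HEALTHY_DUMP = [
    "18:15:46.290000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]",
    "18:15:46.290500 2001:XXXX:1003:a::2 > fe80::2d0:baff:feb6:c430: icmp6: neighbor adv: tgt is 2001:XXXX:1003:a::2",
]


def parse_nd(lines):
    """Count neighbor solicitations and advertisements per target address.

    Returns a dict mapping target -> {"sol": n, "adv": n}. Lines that are not
    ND messages (TCP, echo requests, etc.) are skipped.
    """
    counts = defaultdict(lambda: {"sol": 0, "adv": 0})
    for line in lines:
        m = NS_RE.match(line)
        if m:
            counts[m.group("tgt")]["sol"] += 1
            continue
        m = NA_RE.match(line)
        if m:
            counts[m.group("tgt")]["adv"] += 1
    return dict(counts)


def unanswered_targets(lines, min_solicits=3):
    """Targets solicited at least min_solicits times with no advertisement seen.

    Three unanswered solicitations is the default because that is what the
    resolver retries before giving up, and it is exactly the pattern in the PR.
    """
    nd = parse_nd(lines)
    return sorted(t for t, c in nd.items() if c["sol"] >= min_solicits and c["adv"] == 0)


if __name__ == "__main__":
    for name, dump in (("broken", BROKEN_DUMP), ("healthy", HEALTHY_DUMP)):
        print(name, parse_nd(dump), "unanswered:", unanswered_targets(dump))
```

Feed it a real capture with `tcpdump -n -i fxp0 icmp6` piped into stdin (or the lines from a file) and an address listed as unanswered while nothing appears in ipf.log points at the state engine dropping the outbound advertisement, rather than at a missing pass rule, which is the distinction the report draws between the stateless and stateful variants of the last rule.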