From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: SUZUKI Shinsuke, freebsd-gnats-submit@freebsd.org
Date: Fri, 1 Sep 2006 21:22:45 +0200
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Message-Id: <200609012122.53206.max@love2party.net>
References: <200608291637.k7TGbNxd002409@www.freebsd.org>

On Wednesday 30 August 2006 03:13, SUZUKI Shinsuke wrote:
> Hi,
>
> >>>>> On Tue, 29 Aug 2006 16:37:23 GMT
> >>>>> steinex@nognu.de (Frank Steinborn) said:
> >
> > Thanks to Max Laier for examining this, I'll just paste him:
> >
> > Using pf stateful rules for inet6 fails for connections originating
> > from the firewall itself to a service running on the same box.
> > Culprit seems to be interface selection in inet6 (switching between
> > the interface that has the address configured and lo0).
> >
> > tcpdump on pflog0 shows that the initial SYN is coming from bge0 (see
> > below for ruleset used). The reply then comes via lo0 and matches the
> > state (if state-policy is floating). The third packet (again via
> > bge0) then no longer matches the state - however:
> >
> > >How-To-Repeat:
> >
> > Use this ruleset:
> >
> > pass quick on lo0 all
> > pass quick on bge0 inet all
> > block drop log all
> > pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port =
> > ssh flags S/SA keep state
> >
> > Then try to open an inet6-connection to a service running on the
> > firewall itself from the firewall itself.
>
> Could you please try the attached patch for kernel?
>
> Using this patch, PF regards the initial SYN (and the third packet) as
> coming from lo0, instead of bge0. (There was a similar bug report
> regarding PF for looped-back IPv6 packets, and this patch fixed the
> problem.)
>
> If it seems okay from PF's point of view, I'll commit it to
> -current.

Thinking about this for a bit, we might want to use the patch below
instead, i.e. do the fixup locally in the pfil wrapper. This
way other filters don't break if they have adapted to the new world
order. Thoughts? Please test and report back, either way.

-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

Index: pf_ioctl.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
retrieving revision 1.25
diff -u -r1.25 pf_ioctl.c
--- pf_ioctl.c	21 Jul 2006 09:48:13 -0000	1.25
+++ pf_ioctl.c	1 Sep 2006 19:19:49 -0000
@@ -3442,7 +3442,8 @@ */ int chk; =20 =2D chk =3D pf_test6(PF_IN, ifp, m, NULL, inp); + chk =3D pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m, + NULL, inp); if (chk && *m) { m_freem(*m); *m =3D NULL;
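Review bot: the substitution of `&loif[0]` for `ifp` is made only in the PF_IN inet6 hook at line 3442, and nothing in the hunk shows whether `loif` is visible in pf_ioctl.c, so the file may need the declaration (header include or `extern`) that provides it, and the comment block that ends with the `*/` context line should state why M_LOOP packets are attributed to lo0 and that the PF_OUT hook (not in this hunk) deliberately keeps the real interface. `&loif[0]` also hard-wires the first loopback interface for every M_LOOP packet regardless of which interface the packet was looped through, which is worth a comment; and the ternary buried in the call arguments would read better as a local assignment before the call, e.g. `if ((*m)->m_flags & M_LOOP) ifp = &loif[0];` followed by the unchanged `chk = pf_test6(PF_IN, ifp, m, NULL, inp);`.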