Date: Thu, 31 Mar 2005 23:07:14 GMT
From: Jonathan Dama <devteam@donut.ugcs.caltech.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/79416: ipf in 4.11 breaks POLA
Message-ID: <200503312307.j2VN7EOm074138@www.freebsd.org>
Resent-Message-ID: <200503312310.j2VNA6rH075479@freefall.freebsd.org>
>Number:         79416
>Category:       kern
>Synopsis:       ipf in 4.11 breaks POLA
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 31 23:10:06 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Jonathan Dama
>Release:        4.11-STABLE
>Organization:
ASCIT, inc.
>Environment:
FreeBSD donut.ugcs.caltech.edu 4.11-STABLE FreeBSD 4.11-STABLE #1: Tue Mar 22 00:12:05 PST 2005 root@donut.ugcs.caltech.edu:/usr/obj/usr/src/sys/BEARCLAW i386
>Description:
ipf's interpretation of icmp rules has changed. This constitutes a POLA violation.

See kern/73399 for a report of this problem against 5.3 as a regression versus 4.x. The original PR was closed because a simple rule rewrite resolves the issue. Some MFC has brought this regression into 4.x. As 4.x is a STABLE release branch, POLA holds; "simply change your configuration files" is not an acceptable solution for stable branches in relationship to components of the base system.

Problem summary: ipf cites a pass rule as grounds for blocking a packet. This applies specifically to protocol type icmp and the keep-state directive.
>How-To-Repeat:
Create a rule set such as:

block in all
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
pass out quick on fxp0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
pass in quick on fxp0 proto icmp from trustnet to any

This results in the following activity:

31/03/2005 01:36:37.333242 fxp0 @0:3 p trustedip -> localip PR icmp len 20 84 icmp echo/0 IN
31/03/2005 01:36:37.333259 fxp0 @0:4 B localip -> trustedip PR icmp

Rule #4, "pass out quick on fxp0 proto icmp from any to any keep state", is cited as cause to block the reply packet.

1) This is textual nonsense. A pass-rule should never be cited as cause for dropping a packet.
2) This is a behavioral change in 4.11-STABLE relative to earlier 4.x releases; as such, it constitutes a POLA violation. The echo reply should have matched rule #4 and been passed.
>Fix:
Only the original hack given by pr/73399: replace the keep-state icmp pass-rule with

pass out quick on fxp0 proto icmp
>Release-Note:
>Audit-Trail:
>Unformatted:
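As an added illustration, not part of the PR or of ipf itself, the following Python script does by machine what the report does by hand: it numbers the rule set per direction and flags every ipmon entry in which a blocked packet cites a pass rule. It assumes that ipmon's @0:N counts inbound and outbound rules separately (consistent with the @0:3 and @0:4 references above) and that only group 0 is in use; the rule text is the one quoted in the PR, and the log lines are constructed from the two in the report, with the truncated second line's tail assumed.

```python
import re

# Rule set quoted in the PR (constructed file text, not the reporter's actual ipf.conf).
RULESET = """\
block in all
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
pass out quick on fxp0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
pass in quick on fxp0 proto icmp from trustnet to any
"""
# Constructed ipmon lines modelled on the PR's two; the second is truncated in the
# PR, so its tail ("len ... OUT") is assumed here.
IPMON_LOG = """\
31/03/2005 01:36:37.333242 fxp0 @0:3 p trustedip -> localip PR icmp len 20 84 icmp echo/0 IN
31/03/2005 01:36:37.333259 fxp0 @0:4 B localip -> trustedip PR icmp len 20 84 icmp echoreply/0 OUT
"""
# Fields: date time iface @group:rule flag src -> dst ... IN|OUT. Only group 0 is handled.
LOG_RE = re.compile(r"^\S+ \S+ (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<flag>[pbPB]) "
                    r".*\b(?P<dir>IN|OUT)$")

def index_rules(text):
    """Number rules per direction: ipmon's @0:N counts in and out rules separately
    (assumption, consistent with the @0:3 / @0:4 references in the report)."""
    rules = {"in": [], "out": []}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            action, direction = line.split()[:2]
            rules[direction].append((action, line))
    return rules

def pass_rules_cited_for_blocks(log, rules):
    """Return (direction, rule_no, rule_text) for each blocked packet whose cited rule is a pass rule."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m or m["group"] != "0" or m["flag"].lower() != "b":
            continue  # unparsable, other group, or a passed packet: nothing to check
        direction, n = m["dir"].lower(), int(m["rule"])
        if n > len(rules[direction]):
            hits.append((direction, n, "<rule number not in loaded set>"))
            continue
        action, text = rules[direction][n - 1]
        if action == "pass":
            hits.append((direction, n, text))
    return hits
```

Running `pass_rules_cited_for_blocks(IPMON_LOG, index_rules(RULESET))` reports the outbound rule #4 from the PR as the pass rule cited for the blocked echo reply.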