From owner-freebsd-bugs@FreeBSD.ORG Thu Mar 31 23:10:06 2005
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Thu, 31 Mar 2005 23:10:06 GMT
Resent-Message-Id: <200503312310.j2VNA6rH075479@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Jonathan Dama
Message-Id: <200503312307.j2VN7EOm074138@www.freebsd.org>
Date: Thu, 31 Mar 2005 23:07:14 GMT
From: Jonathan Dama
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: kern/79416: ipf in 4.11 breaks POLA
List-Id: Bug reports
X-List-Received-Date: Thu, 31 Mar 2005 23:10:07 -0000

>Number:         79416
>Category:       kern
>Synopsis:       ipf in 4.11 breaks POLA
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 31 23:10:06 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Jonathan Dama
>Release:        4.11-STABLE
>Organization:   ASCIT, inc.
>Environment:
FreeBSD donut.ugcs.caltech.edu 4.11-STABLE FreeBSD 4.11-STABLE #1: Tue Mar 22 00:12:05 PST 2005 root@donut.ugcs.caltech.edu:/usr/obj/usr/src/sys/BEARCLAW i386
>Description:
ipf's interpretation of icmp rules has changed. This constitutes a POLA violation.

See kern/73399 for a report of this problem against 5.3 as a regression versus 4.x. The original PR was closed because a simple rule rewrite resolves the issue. Some MFC has brought this regression into 4.x. As 4.x is a STABLE release branch, POLA holds; "simply change your configuration files" is not an acceptable solution for stable branches in relationship to components of the base system.

Problem summary: ipf cites a pass rule as grounds for blocking a packet. This applies specifically to protocol type icmp and the keep-state directive.
>How-To-Repeat:
Create a rule set such as:

    block in all
    pass in quick on lo0 from any to any
    pass out quick on lo0 from any to any
    pass out quick on fxp0 proto tcp from any to any flags S/FSRPAU keep state keep frags
    pass out quick on fxp0 proto udp from any to any keep state
    pass out quick on fxp0 proto icmp from any to any keep state
    pass in quick on fxp0 proto icmp from trustnet to any

This results in the following activity:

    31/03/2005 01:36:37.333242 fxp0 @0:3 p trustedip -> localip PR icmp len 20 84 icmp echo/0 IN
    31/03/2005 01:36:37.333259 fxp0 @0:4 B localip -> trustedip PR icmp

Rule #4, "pass out quick on fxp0 proto icmp from any to any keep state", is cited as the cause for blocking the reply packet.

1) This is textual nonsense. A pass rule should never be cited as the cause for dropping a packet.

2) This is a behavioral change in 4.11-STABLE relative to earlier 4.x releases; as such it constitutes a POLA violation. The echo reply should have matched rule #4 and been passed.

>Fix:
Only the original hack given by pr/73399: replace the keep-state icmp pass rule with

    pass out quick on fxp0 proto icmp

>Release-Note:
>Audit-Trail:
>Unformatted:
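The contradiction the report describes, checked mechanically: an added example (not part of the PR and not ipf code) that numbers the rule set the way ipf does, per direction, parses ipmon lines like those above and flags any logged block that cites a pass rule. The rule set and log lines are a constructed copy of the report's; the trailing OUT on the second log line is an assumption, since ipmon ends each line with the direction and the report's copy stops before it.

```python
import re

# Constructed copy of the rule set from the report above.
RULESET = """\
block in all
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
pass out quick on fxp0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
pass in quick on fxp0 proto icmp from trustnet to any
"""

# Constructed copy of the two ipmon lines from the report; the trailing OUT on
# the second line is an assumption (ipmon ends each line with IN or OUT).
IPMON_LOG = """\
31/03/2005 01:36:37.333242 fxp0 @0:3 p trustedip -> localip PR icmp len 20 84 icmp echo/0 IN
31/03/2005 01:36:37.333259 fxp0 @0:4 B localip -> trustedip PR icmp OUT
"""

# ipmon line: date time iface @group:rule action src -> dst PR proto ... IN|OUT
IPMON_RE = re.compile(r"^\S+ \S+ (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
                      r"(?P<action>\S) (?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+).*? (?P<dir>IN|OUT)$")


def number_rules(ruleset):
    """Map (direction, n) -> rule text; ipf numbers the in and out lists separately from 1."""
    count = {"in": 0, "out": 0}
    numbered = {}
    for line in ruleset.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] not in ("pass", "block"):
            continue  # only pass/block rules are modelled here
        count[words[1]] += 1
        numbered[(words[1], count[words[1]])] = line
    return numbered


def blocks_citing_pass_rules(ruleset, log):
    """Return (log line, rule text) for every logged block (b/B) whose cited rule is a pass rule."""
    rules = number_rules(ruleset)
    findings = []
    for line in log.splitlines():
        m = IPMON_RE.match(line)
        if not m or m["action"] not in "bB":
            continue
        direction = "in" if m["dir"] == "IN" else "out"
        rule = rules.get((direction, int(m["rule"])))
        if rule is not None and rule.startswith("pass"):
            findings.append((line, rule))
    return findings
```

Run against the sample data it reports exactly one finding, the @0:4 block whose cited rule is the keep-state icmp pass rule from the report.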