Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 12 Oct 2003 11:34:24 -0700 (PDT)
From:      Andrew Konstantinov <andrei@andruxa.sytes.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/57908: 'return-rst' does not work for ipv6 in ipfilter
Message-ID:  <200310121834.h9CIYOkG000556@andruxa.sytes.net>
Resent-Message-ID: <200310121840.h9CIeJLJ019905@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         57908
>Category:       kern
>Synopsis:       'return-rst' does not work for ipv6 in ipfilter
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 12 11:40:19 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Konstantinov
>Release:        FreeBSD 4.9-RC i386
>Organization:
Andrew's Co.
>Environment:
System: FreeBSD andruxa.sytes.net 4.9-RC FreeBSD 4.9-RC #0: Fri Oct 10 19:29:06 PDT 2003 root@andruxa.sytes.net:/usr/obj/usr/src/sys/CUSTOM i386
RELENG_4, with IPFILTER and INET6 compiled in kernel

>Description:
IPfilter has a feature called 'return-rst.' Whenever a packet matches the description and the line with that description contains 'return-rst,' ipfilter simply returns the TCP packet (provided that the original packet was also TCP) with RST flag on. This works perfectly fine with ipv4, but it does not work with ipv6.

>How-To-Repeat:
Get RELENG_4 sources, compile IPFILTER and INET6 in kernel. Then put the following line in the configuration file for ipf and reload that file with ipf -6f /path/to/your/file
The line is:
block return-rst in quick on lo0 proto tcp from any to any port = 111
Try to 'telnet localhost 111' and you will get connection timeout, while originally, ipfilter is supposed to send RST packet and abort the connection.

>Fix:

I found an old patch originated by Peter Postma, changed it a little and here it is. After applying this patch everything works perfectly (return-rst returns RST packets).


--- ip_fil.patch begins here ---
--- ip_fil.c.orig       Fri Dec  6 12:45:45 2002
+++ ip_fil.c    Tue Mar 25 17:05:09 2003
@@ -1937,24 +1937,24 @@
        struct route_in6 ip6route;
        struct sockaddr_in6 *dst6;
        struct route_in6 *ro;
-       struct ifnet *ifp;
+       struct ifnet *ifp = (fdp != NULL) ? fdp->fd_ifp : fin->fin_ifp;
        frentry_t *fr;
 #if defined(OpenBSD) && (OpenBSD >= 200211)
        struct route_in6 *ro_pmtu = NULL;
        struct in6_addr finaldst;
-       ip6_t *ip6;
 #endif
+       ip6_t *ip6;
        u_long mtu;
        int error;

-       ifp = NULL;
        ro = &ip6route;
+       ip6 = mtod(m0, struct ip6_t *);
        fr = fin->fin_fr;
        bzero((caddr_t)ro, sizeof(*ro));
        dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
        dst6->sin6_family = AF_INET6;
        dst6->sin6_len = sizeof(struct sockaddr_in6);
-       dst6->sin6_addr = fin->fin_fi.fi_src.in6;
+       dst6->sin6_addr = ip6->ip6_dst;

        if (fdp != NULL)
                ifp = fdp->fd_ifp;
--- ip_fil.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200310121834.h9CIYOkG000556>