From owner-freebsd-bugs@FreeBSD.ORG Sun Oct 12 11:40:24 2003
Resent-Date: Sun, 12 Oct 2003 11:40:19 -0700 (PDT)
Resent-Message-Id: <200310121840.h9CIeJLJ019905@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Message-Id: <200310121834.h9CIYOkG000556@andruxa.sytes.net>
Date: Sun, 12 Oct 2003 11:34:24 -0700 (PDT)
From: Andrew Konstantinov
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/57908: 'return-rst' does not work for ipv6 in ipfilter
Reply-To: Andrew Konstantinov
List-Id: Bug reports
X-List-Received-Date: Sun, 12 Oct 2003 18:40:24 -0000

>Number: 57908
>Category: kern
>Synopsis: 'return-rst' does not work for ipv6 in ipfilter
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Oct 12 11:40:19 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Andrew Konstantinov
>Release: FreeBSD 4.9-RC i386
>Organization: Andrew's Co.
>Environment:
System: FreeBSD andruxa.sytes.net 4.9-RC FreeBSD 4.9-RC #0: Fri Oct 10 19:29:06 PDT 2003 root@andruxa.sytes.net:/usr/obj/usr/src/sys/CUSTOM i386
RELENG_4, with IPFILTER and INET6 compiled in kernel
>Description:
IPfilter has a feature called 'return-rst'. Whenever a packet matches a rule whose line contains 'return-rst', ipfilter answers with a TCP packet that has the RST flag set (provided the original packet was also TCP), so the sender sees the connection refused instead of waiting for a reply that never comes. This works perfectly fine with ipv4, but it does not work with ipv6.
>How-To-Repeat:
Get RELENG_4 sources and compile IPFILTER and INET6 into the kernel. Then put the following line in the configuration file for ipf and reload that file with
ipf -6f /path/to/your/file
The line is:
block return-rst in quick on lo0 proto tcp from any to any port = 111
Try to 'telnet localhost 111' and you will get a connection timeout, whereas ipfilter is supposed to send an RST packet and abort the connection.
>Fix:
I found an old patch originated by Peter Postma, changed it a little and here it is. After applying this patch everything works perfectly (return-rst returns RST packets).
--- ip_fil.patch begins here --- --- ip_fil.c.orig Fri Dec 6 12:45:45 2002 +++ ip_fil.c Tue Mar 25 17:05:09 2003 @@ -1937,24 +1937,24 @@ struct route_in6 ip6route; struct sockaddr_in6 *dst6; struct route_in6 *ro; - struct ifnet *ifp; + struct ifnet *ifp = (fdp != NULL) ? fdp->fd_ifp : fin->fin_ifp; frentry_t *fr; #if defined(OpenBSD) && (OpenBSD >= 200211) struct route_in6 *ro_pmtu = NULL; struct in6_addr finaldst; - ip6_t *ip6; #endif + ip6_t *ip6; u_long mtu; int error; - ifp = NULL; ro = &ip6route; + ip6 = mtod(m0, struct ip6_t *); fr = fin->fin_fr; bzero((caddr_t)ro, sizeof(*ro)); dst6 = (struct sockaddr_in6 *)&ro->ro_dst; dst6->sin6_family = AF_INET6; dst6->sin6_len = sizeof(struct sockaddr_in6); - dst6->sin6_addr = fin->fin_fi.fi_src.in6; + dst6->sin6_addr = ip6->ip6_dst; if (fdp != NULL) ifp = fdp->fd_ifp; --- ip_fil.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
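Review bot: `ip6 = mtod(m0, struct ip6_t *);` in this hunk spells `ip6_t` as a struct tag, but in ipfilter `ip6_t` is a typedef (of struct ip6_hdr), so the cast should be `mtod(m0, ip6_t *)` to match the `ip6_t *ip6;` declaration that the same hunk moves out of the OpenBSD-only block; as written the assignment is to an incompatible pointer type. Second, once `ifp` is initialised with `(fdp != NULL) ? fdp->fd_ifp : fin->fin_ifp`, the retained `if (fdp != NULL) ifp = fdp->fd_ifp;` at the end of the hunk is redundant and can go. Third, the change of `dst6->sin6_addr` from `fin->fin_fi.fi_src.in6` to `ip6->ip6_dst` alters where the outgoing packet is routed for every call through this code, not only for return-rst, and deserves a sentence of justification in the submission.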
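The "telnet localhost 111" step above tells the two outcomes apart by eye: a working return-rst rule makes the connect fail immediately with "connection refused" (the kernel answered with RST), while the broken ipv6 path leaves the client hanging until it times out. The following Python script, added here as an example and not part of the PR or of ipfilter, automates that distinction so the fix can be checked from a script. It assumes only the standard socket module; the host and port (::1 and 111 from the report) are parameters.

```python
"""Classify how a TCP connect attempt ends: accepted, refused (RST) or
silently dropped (timeout).  Added example for PR kern/57908; it is not
code from the PR or from ipfilter."""
import errno
import socket


def classify_connect(host: str, port: int, timeout: float = 2.0) -> str:
    """Try one TCP connect and report 'open', 'rst' or 'timeout'.

    'rst'     - the peer (or a firewall in front of it) answered with RST,
                which is what a working 'return-rst' rule produces.
    'timeout' - no SYN-ACK and no RST within `timeout` seconds, i.e. the
                SYN was silently dropped (the symptom the PR describes).
    'open'    - the handshake completed; something is listening.
    """
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # RST received during the handshake: the "good" return-rst case.
        return "rst"
    except socket.timeout:
        # Nothing came back: the packet was dropped instead of reset.
        return "timeout"
    except OSError as exc:
        # Older Python versions surface the refusal as a plain OSError.
        if exc.errno == errno.ECONNREFUSED:
            return "rst"
        raise
    finally:
        sock.close()


def return_rst_works(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when the connect is refused, i.e. an RST came back as expected."""
    return classify_connect(host, port, timeout) == "rst"


if __name__ == "__main__":
    # Reproduces the PR's check: with the rule loaded via 'ipf -6f', a
    # fixed kernel should give 'rst'; the unpatched one gives 'timeout'.
    # Assumed invocation: run on the host carrying the ipfilter rule.
    print("::1 port 111 ->", classify_connect("::1", 111))
```

Run it on the machine that loaded the rule, before and after applying the patch; `return_rst_works("::1", 111)` flipping from False to True is the same evidence the PR gathers with telnet. The script distinguishes only how the handshake ends and says nothing about why a port is refused, so an 'rst' from a port with no listener at all looks identical to one produced by ipfilter.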