From owner-freebsd-pf@FreeBSD.ORG Wed Aug 30 01:13:42 2006
Date: Wed, 30 Aug 2006 10:13:32 +0900
From: SUZUKI Shinsuke
To: steinex@nognu.de, freebsd-pf@FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
In-Reply-To: <200608291637.k7TGbNxd002409@www.freebsd.org>
Organization: Networking Technology Development Dept., ALAXALA Networks Corporation
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

Hi,

>>>>> On Tue, 29 Aug 2006 16:37:23 GMT
>>>>> steinex@nognu.de (Frank Steinborn) said:
> Thanks to Max Laier for examining this, I'll just paste him:
>
> Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box. Culprit seems to be interface selection in inet6 (switching between the interface that has the address configured and lo0).
>
> tcpdump on pflog0 shows that the initial SYN is coming from bge0 (see below for the ruleset used). The reply then comes via lo0 and matches the state (if state-policy is floating).
> The third packet (again via bge0) then no longer matches the state - however:
>
> How-To-Repeat:
> Use this ruleset:
>
> pass quick on lo0 all
> pass quick on bge0 inet all
> block drop log all
> pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh flags S/SA keep state
>
> Then try to open an inet6 connection to a service running on the
> firewall itself from the firewall itself.

Could you please try the attached patch for the kernel? With this patch, PF regards the initial SYN (and the third packet) as coming from lo0 instead of bge0. (There was a similar bug report regarding PF for looped-back IPv6 packets, and this patch fixed the problem.)

If it seems okay from PF's point of view, I'll commit it to -current.

Thanks,
----
SUZUKI, Shinsuke @ KAME Project

Index: ip6_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.88
diff -u -u -r1.88 ip6_input.c
--- ip6_input.c 4 Aug 2006 21:27:39 -0000 1.88
+++ ip6_input.c 30 Aug 2006 00:49:48 -0000
@@ -407,7 +407,18 @@ if (!PFIL_HOOKED(&inet6_pfil_hook)) goto passin; - if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL)) + /* + * When the packet loops back from the host itself, m_pkthdr.rcvif points + * to the lo0 in case of IPv4. Whereas in case of IPv6, it points to the + * interface with the destination IPv6 address, to support IPv6 scoped + * address. + * To keep the legacy assumption in filter configuration (looped-back + * packet comes from lo0), explicitly passes lo0 as the incoming interface + * of a looped-back packet. + */ + if (pfil_run_hooks(&inet6_pfil_hook, &m, + m->m_flags & M_LOOP ? &loif[0] : m->m_pkthdr.rcvif, + PFIL_IN, NULL)) return; if (m == NULL) /* consumed by filter */ return;
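Review bot: the interface argument in the new pfil_run_hooks() call, `m->m_flags & M_LOOP ? &loif[0] : m->m_pkthdr.rcvif`, relies on `&` binding tighter than `?:`; it is correct as written, but parenthesise the test as `(m->m_flags & M_LOOP) ? &loif[0] : m->m_pkthdr.rcvif` so the intent is obvious to the next reader. The substitution is also local to this one hook call: m_pkthdr.rcvif itself is left pointing at the address-bearing interface, so only the filter sees lo0 while the rest of ip6_input() still sees the real interface; the comment should state this, since its current wording reads as if the packet's incoming interface were being changed. Minor: "explicitly passes lo0" in the comment should read "explicitly pass lo0".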