To: freebsd-pf@FreeBSD.org
From: SUZUKI Shinsuke
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Date: Wed, 30 Aug 2006 01:20:32 GMT
List-Id: "Technical discussion and general questions about packet filter (pf)"

The following reply was made to PR kern/102647; it has been noted by GNATS.
From: SUZUKI Shinsuke
To: steinex@nognu.de, freebsd-pf@FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Date: Wed, 30 Aug 2006 10:13:32 +0900

Hi,

>>>>> On Tue, 29 Aug 2006 16:37:23 GMT
>>>>> steinex@nognu.de(Frank Steinborn) said:

> Thanks to Max Laier for examining this, I'll just paste him:
>
> Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box. Culprit seems to be interface selection in inet6 (switching between the interface that has the address configured and lo0).
>
> tcpdump on pflog0 shows that the initial SYN is coming from bge0 (see below for the ruleset used). The reply then comes via lo0 and matches the state (if state-policy is floating). The third packet (again via bge0) then no longer matches the state - however:
>
> How-To-Repeat:
> Use this ruleset:
>
> pass quick on lo0 all
> pass quick on bge0 inet all
> block drop log all
> pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh flags S/SA keep state
>
> Then try to open an inet6 connection to a service running on the firewall itself from the firewall itself.

Could you please try the attached kernel patch? With this patch, PF regards the initial SYN (and the third packet) as coming from lo0 instead of bge0. (There was a similar bug report regarding PF and looped-back IPv6 packets, and this patch fixed the problem.)

If it seems okay from PF's point of view, I'll commit it to -current.
Thanks, ---- SUZUKI, Shinsuke @ KAME Project --Multipart_Wed_Aug_30_10:13:32_2006-1 Content-Type: text/plain; charset=US-ASCII Index: ip6_input.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/ip6_input.c,v retrieving revision 1.88 diff -u -u -r1.88 ip6_input.c --- ip6_input.c 4 Aug 2006 21:27:39 -0000 1.88 +++ ip6_input.c 30 Aug 2006 00:49:48 -0000 @@ -407,7 +407,18 @@ if (!PFIL_HOOKED(&inet6_pfil_hook)) goto passin; - if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL)) + /* + * When the packet loops back from the host itself, m_pkthdr.rcvif points + * to the lo0 in case of IPv4. Whereas in case of IPv6, it points to the + * interface with the destination IPv6 address, to support IPv6 scoped + * address. + * To keep the legacy assumption in filter configuration (looped-back + * packet comes from lo0), explicitly passes lo0 as the incoming interface + * of a looped-back packet. + */ + if (pfil_run_hooks(&inet6_pfil_hook, &m, + m->m_flags & M_LOOP ? &loif[0] : m->m_pkthdr.rcvif, + PFIL_IN, NULL)) return; if (m == NULL) /* consumed by filter */ return; --Multipart_Wed_Aug_30_10:13:32_2006-1--
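Review bot: the hunk relies on M_LOOP being set on every IPv6 packet that was looped back to the host, but the new comment only explains why lo0 is substituted, not where that flag is set; add a sentence naming the code path that marks looped-back packets, and note that only the PFIL_IN call is changed (the output hook still sees the real rcvif-free path). Two smaller points: `&loif[0]` hard-wires the first loopback interface, so the comment should say the substitution always reports lo0 even on kernels with more than one loopback interface; and the ruleset consequence visible in the report deserves a line in the commit message, since after this change a rule such as `pass quick on lo0 all` becomes the rule that admits locally originated IPv6 connections, and a ruleset that relied on `pass in ... on bge0 inet6 ... keep state` to filter or log that traffic will no longer see it. The expression `m->m_flags & M_LOOP ? &loif[0] : m->m_pkthdr.rcvif` parses as intended because `&` binds tighter than `?:`, but parenthesising the test would make that obvious to the next reader.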