From owner-freebsd-bugs@FreeBSD.ORG Tue Aug 29 16:40:18 2006
Message-Id:
<200608291637.k7TGbNxd002409@www.freebsd.org>
Date: Tue, 29 Aug 2006 16:37:23 GMT
From: Frank Steinborn
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

>Number:         102647
>Category:       kern
>Synopsis:       Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 29 16:40:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Frank Steinborn
>Release:        6.1-RELEASE-p3
>Organization:
>Environment:
FreeBSD shodan.nognu.de 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3 #0: Sun Jul 23 22:12:17 CEST 2006     steinex@shodan.nognu.de:/usr/home/steinex/obj/usr/src/sys/SHODAN  i386
>Description:
Thanks to Max Laier for examining this, I'll just paste him:

Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box. Culprit seems to be interface selection in inet6 (switching between the interface that has the address configured and lo0). tcpdump on pflog0 shows that the initial SYN is coming from bge0 (see below for the ruleset used). The reply then comes via lo0 and matches the state (if state-policy is floating). The third packet (again via bge0) then no longer matches the state - however:

17:51:17.594100 rule 3/0(match): pass in on bge0: 3000::1.54335 > 3000::1.22: S 3551126931:3551126931(0) win 65535
17:51:17.594150 rule 3/0(match): pass out on lo0: 3000::1.22 > 3000::1.54335: S 3700289867:3700289867(0) ack 3551126932 win 65535
17:51:17.594157 rule 2/0(match): block in on bge0: 3000::1.22 > 3000::1.54335: S 3700289867:3700289867(0) ack 3551126932 win 65535
>How-To-Repeat:
Use this ruleset:

pass quick on lo0 all
pass quick on bge0 inet all
block drop log all
pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh flags S/SA keep state

Then try to open an inet6 connection to a service running on the firewall itself from the firewall itself.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
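The pflog excerpt above is the whole evidence for the bug: one TCP connection is passed twice and then blocked by the default rule, because pf saw its packets on both bge0 and lo0. The following script, added here as an illustration and not part of the PR or of FreeBSD, parses tcpdump-on-pflog0 lines of that shape and flags any flow that was passed and later blocked, reporting whether the flow is local-origin (same address at both ends) and which interfaces it crossed. The three input lines are the ones quoted in the report, embedded as a constructed sample; the parsing regex and the `find_state_mismatches` report format are my own assumptions about the log layout, not anything pf or tcpdump defines.

```python
import re
from collections import defaultdict

# Constructed input: the three pflog lines quoted in PR kern/102647, in the
# format tcpdump prints for the pflog0 interface (timestamp, matching rule,
# verdict, direction, interface, then the usual TCP summary).
SAMPLE_PFLOG = """\
17:51:17.594100 rule 3/0(match): pass in on bge0: 3000::1.54335 > 3000::1.22: S 3551126931:3551126931(0) win 65535
17:51:17.594150 rule 3/0(match): pass out on lo0: 3000::1.22 > 3000::1.54335: S 3700289867:3700289867(0) ack 3551126932 win 65535
17:51:17.594157 rule 2/0(match): block in on bge0: 3000::1.22 > 3000::1.54335: S 3700289867:3700289867(0) ack 3551126932 win 65535
"""

# Assumed line layout (my own regex, written against the sample above).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"rule\s+(?P<rule>\d+)/\d+\((?P<reason>[a-z-]+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<direction>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<summary>.*)$"
)


def split_endpoint(endpoint):
    """tcpdump appends the port to the address with a dot ('3000::1.22',
    '10.0.0.1.22'); the port is always the text after the last dot."""
    addr, port = endpoint.rsplit(".", 1)
    return addr, int(port)


def fmt_endpoint(addr, port):
    """Bracket IPv6 literals so the port is unambiguous in the report."""
    return f"[{addr}]:{port}" if ":" in addr else f"{addr}:{port}"


def parse_pflog(text):
    """Parse tcpdump-on-pflog0 lines into event dicts, in log order.
    Lines that do not look like pflog records are skipped."""
    events = []
    for lineno, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        # Direction-independent flow key: both directions of one TCP
        # connection map to the same sorted pair of (address, port).
        flow = tuple(sorted([(src, sport), (dst, dport)]))
        events.append({
            "seq": lineno,
            "ts": m["ts"],
            "rule": int(m["rule"]),
            "action": m["action"],
            "direction": m["direction"],
            "ifname": m["ifname"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flow": flow,
            "flags": m["summary"].split(" ", 1)[0],
        })
    return events


def find_state_mismatches(events):
    """Report flows that pf passed and later blocked. In a correctly tracked
    stateful connection every packet after the first matches the state entry,
    so a block on a flow that already has a pass means a packet fell through
    to a block rule instead. Each finding also records whether the connection
    is local-origin (same address at both ends) and the set of interfaces it
    was seen on, since the PR ties the failure to one connection being seen on
    both lo0 and the physical interface."""
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev["flow"]].append(ev)

    findings = []
    for flow, pkts in by_flow.items():
        first_pass = next((p for p in pkts if p["action"] == "pass"), None)
        if first_pass is None:
            continue
        late_blocks = [p for p in pkts
                       if p["action"] == "block" and p["seq"] > first_pass["seq"]]
        if not late_blocks:
            continue
        (a_addr, a_port), (b_addr, b_port) = flow
        findings.append({
            "flow": f"{fmt_endpoint(a_addr, a_port)} <-> {fmt_endpoint(b_addr, b_port)}",
            "local_origin": a_addr == b_addr,
            "interfaces": sorted({p["ifname"] for p in pkts}),
            "pass_rule": first_pass["rule"],
            "block_rule": late_blocks[0]["rule"],
            "path": " -> ".join(f"{p['action']} {p['direction']} {p['ifname']}" for p in pkts),
        })
    return findings


if __name__ == "__main__":
    for f in find_state_mismatches(parse_pflog(SAMPLE_PFLOG)):
        kind = "local-origin" if f["local_origin"] else "remote"
        print(f"{f['flow']} ({kind}) seen on {','.join(f['interfaces'])}: {f['path']}; "
              f"passed by rule {f['pass_rule']}, then blocked by rule {f['block_rule']}")
```

On the sample it reports one local-origin flow whose packets travelled bge0 and lo0, passed by rule 3 and then blocked by rule 2, which is exactly the sequence in the report. Pointed at a real capture (`tcpdump -n -e -ttt -i pflog0`), the same check separates this state-tracking failure from ordinary policy blocks, since a flow that never had a pass does not appear.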