Message-Id: <200412132337.iBDNb69k046519@www.freebsd.org>
Date: Mon, 13 Dec 2004 23:37:06 GMT
From: Arne Wörner
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: kern/75036: pf / icmp 64 / operation wrongfully not permitted?

>Number: 75036
>Category: kern
>Synopsis: pf / icmp 64 / operation wrongfully not permitted?
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 13 23:40:26 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Arne Wörner
>Release: R5.3
>Organization:
>Environment:
FreeBSD neo.riddick.homeunix.org. 5.3-RELEASE FreeBSD 5.3-RELEASE #9: Thu Dec 2 20:23:28 UTC 2004 aw@neo.riddick.homeunix.org.:/usr/src/sys/i386/compile/RIDDICK i386
>Description:
I just tried to do

ping -R localhost

With pf enabled: The ping command says that the operation is not permitted.
With pf disabled: The ping command works as expected.
tcpdump (pflog) said that rule 2 (pass out quick on lo0 all) matched for every sequence number once:

neo# tcpdump -nr /var/log/pflog icmp and rulenum 2
23:23:34.017915 IP 127.0.0.1 > 127.0.0.1: icmp 64: echo request seq 9
>How-To-Repeat:
pf rules:

scrub in all fragment reassemble
block drop in log all
pass in quick on lo0 all
pass out quick on lo0 all
block drop in log on tun0 all
block drop in log on tun0 from any to (tun0)
pass out log-all on tun0 proto icmp from (tun0) to any keep state
pass out log-all on tun0 proto tcp from (tun0) to any keep state
pass out log-all on tun0 proto udp from (tun0) to any keep state

ping said:

neo# ping -R localhost
PING localhost (127.0.0.1): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
^C
--- localhost ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
neo# ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.116 ms
^C
--- localhost ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.116/0.116/0.116/0.000 ms
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: