Date:      Wed, 30 Aug 2006 10:13:32 +0900
From:      SUZUKI Shinsuke <suz@freebsd.org>
To:        steinex@nognu.de, freebsd-pf@FreeBSD.org
Cc:        freebsd-gnats-submit@FreeBSD.org
Subject:   Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Message-ID:  <x71wqz6n5v.wl%suz@alaxala.net>
In-Reply-To: <200608291637.k7TGbNxd002409@www.freebsd.org>
References:  <200608291637.k7TGbNxd002409@www.freebsd.org>


Hi,

>>>>> On Tue, 29 Aug 2006 16:37:23 GMT
>>>>> steinex@nognu.de(Frank Steinborn)  said:

> Thanks to Max Laier for examining this, I'll just paste him:
> 
> Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box.  Culprit seems to be interface selection in inet6 (switching between the interface that has the address configured and lo0).
> 
> tcpdump on pflog0 shows that the initial SYN is coming from bge0 (see below for the ruleset used).  The reply then comes via lo0 and matches the state (if state-policy is floating).  The third packet (again via bge0) then no longer matches the state - however:

> >How-To-Repeat:
> Use this ruleset:
> 
> pass quick on lo0 all
> pass quick on bge0 inet all
> block drop log all
> pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh flags S/SA keep state
>
> Then try to open an inet6-connection to a service running on the
> firewall itself from the firewall itself.

Could you please try the attached patch for the kernel?

Using this patch, PF regards the initial SYN (and the third packet) as
coming from lo0 instead of bge0.  (There was a similar bug report
regarding PF for looped-back IPv6 packets, and this patch fixed the
problem.)

If it seems okay from PF's point of view, I'll commit it to -current.

Thanks,
----
SUZUKI, Shinsuke @ KAME Project




Index: ip6_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.88
diff -u -u -r1.88 ip6_input.c
--- ip6_input.c	4 Aug 2006 21:27:39 -0000	1.88
+++ ip6_input.c	30 Aug 2006 00:49:48 -0000
@@ -407,7 +407,18 @@
 	if (!PFIL_HOOKED(&inet6_pfil_hook))
 		goto passin;
 
-	if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL))
+	/* 
+	 * When the packet loops back from the host itself, m_pkthdr.rcvif points
+	 * to the lo0 in case of IPv4.  Whereas in case of IPv6, it points to the
+	 * interface with the destination IPv6 address, to support IPv6 scoped 
+	 * address.
+	 * To keep the legacy assumption in filter configuration (looped-back
+	 * packet comes from lo0), explicitly passes lo0 as the incoming interface
+	 * of a looped-back packet.
+	 */
+	if (pfil_run_hooks(&inet6_pfil_hook, &m,
+	    m->m_flags & M_LOOP ? &loif[0] : m->m_pkthdr.rcvif,
+	    PFIL_IN, NULL))
 		return;
 	if (m == NULL)			/* consumed by filter */
 		return;
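Review bot: the new `m->m_flags & M_LOOP ? &loif[0] : m->m_pkthdr.rcvif` argument relies on `&` binding tighter than `?:`, which is correct but easy to misread; writing it as `(m->m_flags & M_LOOP) ? &loif[0] : m->m_pkthdr.rcvif` makes the intent explicit. The substitution only changes the interface handed to `pfil_run_hooks`, while `m->m_pkthdr.rcvif` itself still names the scoped-address interface for the rest of input processing; the new comment reads as if the packet's incoming interface were changed, so a sentence saying the mbuf is left untouched and only the filter's view differs would help the next reader. The `/* ` and `scoped ` lines of the new comment also carry trailing whitespace.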

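As an added illustration (not code from the report, the patch or the FreeBSD tree), the following C program models the one thing the patch changes: which interface the PFIL_IN hook is told about for a looped-back packet, and which rule of the reporter's ruleset that interface then selects. The rule walk is a deliberately simplified stateless pass (last match wins, quick stops the walk), with no state table, so it shows only why the pre-patch ACK depends on a state entry while the patched exchange is handled entirely by `pass quick on lo0 all`. The `M_LOOP` value, the `struct pkt` and `struct rule` types, the client port 50000 and the three-packet exchange are all constructed for this model; the rcvif values follow the tcpdump observation quoted above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model, not kernel code: M_LOOP is a constructed flag value standing in
 * for "this packet was looped back by the host itself".
 */
#define M_LOOP 0x01

struct pkt {
    const char *rcvif;      /* what m_pkthdr.rcvif names (real input interface) */
    unsigned flags;         /* mbuf flags; only M_LOOP is modelled */
    int af;                 /* 4 = inet, 6 = inet6 */
    const char *tcpflags;   /* "S", "SA" or "A" */
    int dport;              /* destination TCP port */
};

/* Interface handed to the filter.  patched=false: m_pkthdr.rcvif as before;
 * patched=true: lo0 whenever the packet was looped back by the host. */
const char *filter_ifp(const struct pkt *p, bool patched)
{
    if (patched && (p->flags & M_LOOP))
        return "lo0";
    return p->rcvif;
}

struct rule {
    const char *text;
    bool quick, pass;
    const char *ifname;     /* NULL = any interface */
    int af;                 /* 0 = any address family */
    bool need_syn_only;     /* models "flags S/SA": SYN set, ACK clear */
    int dport;              /* 0 = any port */
};

/* The reporter's ruleset, in order, with only the matched fields modelled. */
static const struct rule ruleset[] = {
    { "pass quick on lo0 all",        true,  true,  "lo0",  0, false, 0  },
    { "pass quick on bge0 inet all",  true,  true,  "bge0", 4, false, 0  },
    { "block drop log all",           false, false, NULL,   0, false, 0  },
    { "pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh "
      "flags S/SA keep state",        false, true,  "bge0", 6, true,  22 },
};
#define NRULES (sizeof ruleset / sizeof ruleset[0])

/* Stateless rule walk for a packet with no existing state entry: the last
 * matching rule wins unless a matching rule is quick.
 * Returns the index of the winning rule, or -1 if nothing matched. */
int evaluate(const struct pkt *p, bool patched)
{
    const char *ifp = filter_ifp(p, patched);
    int winner = -1;

    for (size_t i = 0; i < NRULES; i++) {
        const struct rule *r = &ruleset[i];
        if (r->ifname != NULL && strcmp(r->ifname, ifp) != 0) continue;
        if (r->af != 0 && r->af != p->af) continue;
        if (r->need_syn_only && strcmp(p->tcpflags, "S") != 0) continue;
        if (r->dport != 0 && r->dport != p->dport) continue;
        winner = (int)i;
        if (r->quick) break;
    }
    return winner;
}

/* Constructed handshake from the report: firewall -> its own sshd over IPv6.
 * rcvif follows the tcpdump observation (SYN and ACK on bge0, SYN/ACK on lo0);
 * the client port 50000 is made up. */
const struct pkt exchange[3] = {
    { "bge0", M_LOOP, 6, "S",  22    },
    { "lo0",  M_LOOP, 6, "SA", 50000 },
    { "bge0", M_LOOP, 6, "A",  22    },
};

/* Winning rule index for packet n of the exchange. */
int exchange_winner(int n, bool patched)
{
    return evaluate(&exchange[n], patched);
}

int main(void)
{
    const char *names[3] = { "SYN", "SYN/ACK", "ACK" };
    for (int patched = 0; patched < 2; patched++) {
        printf("%s patch:\n", patched ? "with" : "without");
        for (int n = 0; n < 3; n++) {
            int w = exchange_winner(n, patched);
            printf("  %-8s seen on %-4s -> %s: %s\n", names[n],
                   filter_ifp(&exchange[n], patched),
                   w < 0 ? "no match" : (ruleset[w].pass ? "pass" : "block"),
                   w < 0 ? "" : ruleset[w].text);
        }
    }
    return 0;
}
```

Without the patch the SYN is attributed to bge0 and lands on the stateful `pass in ... flags S/SA keep state` rule, the SYN/ACK on lo0 hits `pass quick on lo0 all`, and the ACK on bge0 fails the `S/SA` flag check and falls through to `block drop log all`, so it passes only if the state entry created by the SYN still matches. With the patch all three packets are attributed to lo0 and are passed by the first rule, which is the "legacy assumption" the patch comment refers to.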