Message-Id: <200310121834.h9CIYOkG000556@andruxa.sytes.net>
Date: Sun, 12 Oct 2003 11:34:24 -0700 (PDT)
From: Andrew Konstantinov <andrei@andruxa.sytes.net>
Reply-To: Andrew Konstantinov <abkonstantinov_at_earthlink_net@andruxa.sytes.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: 'return-rst' does not work for ipv6 in ipfilter
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         57908
>Category:       kern
>Synopsis:       'return-rst' does not work for ipv6 in ipfilter
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 12 11:40:19 PDT 2003
>Closed-Date:    Mon Jul 05 17:00:59 GMT 2004
>Last-Modified:  Mon Jul 05 17:00:59 GMT 2004
>Originator:     Andrew Konstantinov
>Release:        FreeBSD 4.9-RC i386
>Organization:
Andrew's Co.
>Environment:
System: FreeBSD andruxa.sytes.net 4.9-RC FreeBSD 4.9-RC #0: Fri Oct 10 19:29:06 PDT 2003 root@andruxa.sytes.net:/usr/obj/usr/src/sys/CUSTOM i386
RELENG_4, with IPFILTER and INET6 compiled in kernel

>Description:
IPfilter has a feature called 'return-rst.' Whenever a packet matches the description and the line with that description contains 'return-rst,' ipfilter simply returns the TCP packet (provided that the original packet was also TCP) with RST flag on. This works perfectly fine with ipv4, but it does not work with ipv6.

>How-To-Repeat:
Get RELENG_4 sources, compile IPFILTER and INET6 in kernel. Then put the following line in the configuration file for ipf and reload that file with ipf -6f /path/to/your/file
The line is:
block return-rst in quick on lo0 proto tcp from any to any port = 111
Try to 'telnet localhost 111' and you will get connection timeout, while originally, ipfilter is supposed to send RST packet and abort the connection.

>Fix:

I found an old patch originated by Peter Postma, changed it a little and here it is. After applying this patch everything works perfectly (return-rst returns RST packets).


--- ip_fil.patch begins here ---
--- ip_fil.c.orig       Fri Dec  6 12:45:45 2002
+++ ip_fil.c    Tue Mar 25 17:05:09 2003
@@ -1937,24 +1937,24 @@
        struct route_in6 ip6route;
        struct sockaddr_in6 *dst6;
        struct route_in6 *ro;
-       struct ifnet *ifp;
+       struct ifnet *ifp = (fdp != NULL) ? fdp->fd_ifp : fin->fin_ifp;
        frentry_t *fr;
 #if defined(OpenBSD) && (OpenBSD >= 200211)
        struct route_in6 *ro_pmtu = NULL;
        struct in6_addr finaldst;
-       ip6_t *ip6;
 #endif
+       ip6_t *ip6;
        u_long mtu;
        int error;

-       ifp = NULL;
        ro = &ip6route;
+       ip6 = mtod(m0, struct ip6_t *);
        fr = fin->fin_fr;
        bzero((caddr_t)ro, sizeof(*ro));
        dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
        dst6->sin6_family = AF_INET6;
        dst6->sin6_len = sizeof(struct sockaddr_in6);
-       dst6->sin6_addr = fin->fin_fi.fi_src.in6;
+       dst6->sin6_addr = ip6->ip6_dst;

        if (fdp != NULL)
                ifp = fdp->fd_ifp;
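Review bot: The added `ip6 = mtod(m0, struct ip6_t *);` casts to `struct ip6_t *`, but `ip6` is declared a few lines up as `ip6_t *ip6;`, so ip6_t is a typedef name and not a struct tag; the cast should read `mtod(m0, ip6_t *)` to avoid an incompatible-pointer assignment. With ifp now initialised in its declaration from fdp or fin, the unchanged `if (fdp != NULL) ifp = fdp->fd_ifp;` at the end of the hunk repeats the same assignment and can be dropped. The destination is now read from the packet header in m0 instead of from fin; a short comment stating that m0 is expected to start with a contiguous IPv6 header at this point would make that dependency explicit.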
--- ip_fil.patch ends here ---
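
A way to script the How-To-Repeat check before and after patching, as an added example that is not part of the original report or of ipfilter. It assumes a service is listening on the blocked port (so that without the rule the result would be "open") and that the test is run on the filtered host itself; the function names are hypothetical.

```python
import errno
import socket

def probe(host, port, timeout=3.0):
    """Classify how a TCP connection attempt to host:port ends.

    "open"    - handshake completed (no blocking rule matched)
    "rst"     - a reset came back, which is what 'return-rst' should produce
    "timeout" - the SYN was silently dropped, the symptom reported in this PR
    "error:X" - any other socket error, named by its errno symbol
    """
    # getaddrinfo picks AF_INET or AF_INET6 from the address literal, so the
    # same probe covers both the working IPv4 path and the broken IPv6 path.
    family, stype, proto, _, addr = socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM)[0]
    try:
        with socket.socket(family, stype, proto) as s:
            s.settimeout(timeout)
            s.connect(addr)
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "rst"
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))

def check_return_rst(port, hosts=("127.0.0.1", "::1")):
    """Probe the same port over IPv4 and IPv6 loopback and return both results."""
    return {host: probe(host, port) for host in hosts}

if __name__ == "__main__":
    # Port 111 is the one used in the rule from this report.
    for host, result in check_return_rst(111).items():
        print(host, result)
```

With the rule loaded for both address families, a fixed kernel should report "rst" for both hosts, while the behaviour described in this PR shows up as "rst" for 127.0.0.1 and "timeout" for ::1.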


>Release-Note:
>Audit-Trail:

From: Peter Postma <peter@pointless.nl>
To: freebsd-gnats-submit@FreeBSD.org, abkonstantinov@earthlink.net
Cc:  
Subject: Re: kern/57908: 'return-rst' does not work for ipv6 in ipfilter
Date: Mon, 13 Oct 2003 03:27:08 +0200

 That patch isn't correct...
 
 This one (from Darren) is better:
 
 
 --- ip_fil.c.orig	Sat Mar  1 04:55:54 2003
 +++ ip_fil.c	Sat May 10 16:48:51 2003
 @@ -1950,17 +1950,18 @@
   	u_long mtu;
   	int error;
 
 -	ifp = NULL;
   	ro = &ip6route;
   	fr = fin->fin_fr;
   	bzero((caddr_t)ro, sizeof(*ro));
   	dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
   	dst6->sin6_family = AF_INET6;
   	dst6->sin6_len = sizeof(struct sockaddr_in6);
 -	dst6->sin6_addr = fin->fin_fi.fi_src.in6;
 +	dst6->sin6_addr = fin->fin_fi.fi_dst.in6;
 
   	if (fdp != NULL)
   		ifp = fdp->fd_ifp;
 +	else
 +		ifp = fin->fin_ifp;
 
   	if ((fr != NULL) && (fin->fin_rev != 0)) {
   		if ((ifp != NULL) && (fdp == &fr->fr_tif))
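
Review bot: With `ifp = NULL;` removed and the new `else ifp = fin->fin_ifp;` branch, ifp can still end up NULL when fin->fin_ifp is unset, and the only NULL test visible in this hunk is the `(ifp != NULL)` inside the `fr_tif` condition. It is worth confirming that the code following this hunk never dereferences ifp unguarded, or returning an error early when neither fdp nor fin supplies an interface. The switch from `fi_src` to `fi_dst` for `dst6->sin6_addr` would also benefit from a one-line comment noting that `ro->ro_dst` must hold the address the packet is being sent to.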
 
 
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: kris 
Responsible-Changed-When: Thu Oct 16 23:28:15 PDT 2003 
Responsible-Changed-Why:  
Assign to ipfilter author 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57908 
State-Changed-From-To: open->feedback 
State-Changed-By: darrenr 
State-Changed-When: Tue Apr 20 05:51:56 PDT 2004 
State-Changed-Why:  
this change has been merged into ipfilter 

State-Changed-From-To: feedback->closed 
State-Changed-By: darrenr 
State-Changed-When: Mon Jul 5 16:59:33 GMT 2004 
State-Changed-Why:  
patch now in -current & RELENG_4 

>Unformatted:
