Date: Sun, 18 Jan 2004 20:54:50 +0100 (CET)
From: Roderick van Domburg <r.s.a.vandomburg@student.utwente.nl>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ip6fw breakage on (at least) sparc64
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         61544
>Category:       kern
>Synopsis:       ip6fw breakage on (at least) sparc64
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 18 12:00:38 PST 2004
>Closed-Date:    Sat Mar 01 20:24:25 UTC 2008
>Last-Modified:  Sat Mar 01 20:24:25 UTC 2008
>Originator:     Roderick van Domburg
>Release:        FreeBSD 5.2-CURRENT sparc64
>Organization:
University of Twente 
>Environment:
System: FreeBSD stud187236.mobiel.utwente.nl 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Sun Jan 18 01:30:58 CET 2004 roderick@stud187236.mobiel.utwente.nl:/usr/obj/usr/src/sys/MAGOG sparc64


	
>Description:
I just built and installed a new world and kernel on a sparc64, and
unfortunately ip6fw no longer seems to work correctly.

The box runs an IPv6-enabled Apache server. With the previous kernel (Sun Jan
11 14:03:52 CET 2004), I could access that Apache server without any problems
from my IPv6-enabled workstation.

With today's kernel (Sun Jan 18 01:30:58 CET 2004) the same firewall
configuration no longer does the trick (attached below).

Funny thing: if I issue a "ip6fw add 50 allow ipv6 from any to any", everything
looks peachy, but a "ip6fw add 50 allow tcp from any to any" blocks traffic all
the same.
	
>How-To-Repeat:
Firewall configuration:

00100 allow ipv6 from any to any via lo0
00200 allow ipv6-icmp from :: to ff02::/16
00300 allow ipv6-icmp from fe80::/10 to fe80::/10
00400 allow ipv6-icmp from fe80::/10 to ff02::/16
00500 allow ipv6 from fe80::/10 to ff02::/16
00600 allow ipv6 from 2001:610:1908::/48 to ff02::/16
00700 allow tcp from any to any established
00800 allow ipv6 from any to any frag
00900 allow tcp from any to 2001:610:1908:8000:a00:20ff:fecf:c01b 22 setup
01000 allow tcp from any to 2001:610:1908:8000:a00:20ff:fecf:c01b 25 setup
01100 allow tcp from any to 2001:610:1908:8000:a00:20ff:fecf:c01b 80 setup
01200 allow tcp from 2001:610:1908:8000:a00:20ff:fecf:c01b to any setup
01300 deny tcp from any to any setup
01400 allow udp from any 53 to 2001:610:1908:8000:a00:20ff:fecf:c01b
01500 allow udp from 2001:610:1908:8000:a00:20ff:fecf:c01b to any 53
01600 allow ipv6-icmp from any to any icmptype 33
01700 allow ipv6-icmp from any to any icmptype 34
65535 deny ipv6 from any to any
	
>Fix:
Unknown.
	


>Release-Note:
>Audit-Trail:

From: "Roderick van Domburg" <r.s.a.vandomburg@student.utwente.nl>
To: <freebsd-gnats-submit@FreeBSD.org>,
	<r.s.a.vandomburg@student.utwente.nl>
Cc:  
Subject: Re: kern/61544: ip6fw breakage on (at least) sparc64
Date: Sun, 18 Jan 2004 21:03:57 +0100

 Perhaps clearer:
 
 00100 allow ipv6 from any to any via lo0
 00200 allow ipv6-icmp from :: to ff02::/16
 00300 allow ipv6-icmp from fe80::/10 to fe80::/10
 00400 allow ipv6-icmp from fe80::/10 to ff02::/16
 00500 allow ipv6 from fe80::/10 to ff02::/16
 00600 allow ipv6 from 2001:610:1908::/48 to ff02::/16
 00700 allow tcp from any to any established
 00800 allow ipv6 from any to any frag
 00900 allow tcp from any to 2001:610:1908:8000:a00:20ff:fecf:c01b 22 setup
 01000 allow tcp from any to 2001:610:1908:8000:a00:20ff:fecf:c01b 25 setup
 01100 allow tcp from any to 2001:610:1908:8000:a00:20ff:fecf:c01b 80 setup
 01200 allow tcp from 2001:610:1908:8000:a00:20ff:fecf:c01b to any setup
 01300 deny tcp from any to any setup
 01400 allow udp from any 53 to 2001:610:1908:8000:a00:20ff:fecf:c01b
 01500 allow udp from 2001:610:1908:8000:a00:20ff:fecf:c01b to any 53
 01600 allow ipv6-icmp from any to any icmptype 33
 01700 allow ipv6-icmp from any to any icmptype 34
 65535 deny ipv6 from any to any
 

From: "Roderick van Domburg" <r.s.a.vandomburg@student.utwente.nl>
To: <freebsd-gnats-submit@FreeBSD.org>,
	<r.s.a.vandomburg@student.utwente.nl>
Cc:  
Subject: Re: kern/61544: ip6fw breakage on (at least) sparc64
Date: Sun, 18 Jan 2004 21:06:10 +0100

 Pff... Outlook! >:-( Do excuse me.
 
 Let me know if you require more legible firewall output.
 

From: "Roderick van Domburg" <r.s.a.vandomburg@student.utwente.nl>
To: <freebsd-gnats-submit@FreeBSD.org>,
	<r.s.a.vandomburg@student.utwente.nl>
Cc:  
Subject: Re: kern/61544: ip6fw breakage on (at least) sparc64
Date: Wed, 28 Jan 2004 19:49:25 +0100

 It seems I have misjudged: it's not _all traffic_ but rather has to do with
 accf_http(9) [ACCEPT_FILTER_HTTP]. As long as it's enabled, Apache 2.0.48
 won't budge. Disabling it works wonders, but has proven to work in the
 past...
 

From: "Roderick van Domburg" <r.s.a.vandomburg@student.utwente.nl>
To: <freebsd-gnats-submit@FreeBSD.org>,
	<r.s.a.vandomburg@student.utwente.nl>
Cc:  
Subject: Re: kern/61544: ip6fw breakage on (at least) sparc64
Date: Sat, 14 Feb 2004 17:53:57 +0100

 Well, what I wrote above isn't quite true. I issued the above with a reset
 of the ip6fw sysctl. Whenever the firewall is reset, the rules are
 applied correctly for about a minute. Then all of a sudden, all traffic is
 rejected.
 
State-Changed-From-To: open->feedback 
State-Changed-By: kmacy 
State-Changed-When: Tue Nov 20 06:48:35 UTC 2007 
State-Changed-Why:  

Is this still an issue with RELENG_6/7? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=61544 
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Sat Mar 1 20:24:09 UTC 2008 
State-Changed-Why:  
Feedback timeout (> 3 months). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=61544 
>Unformatted:
