From nobody@FreeBSD.org  Mon Dec 13 23:37:06 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C015916A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 13 Dec 2004 23:37:06 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AB28E43D1F
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 13 Dec 2004 23:37:06 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id iBDNb6RB046526
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 13 Dec 2004 23:37:06 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id iBDNb69k046519;
	Mon, 13 Dec 2004 23:37:06 GMT
	(envelope-from nobody)
Message-Id: <200412132337.iBDNb69k046519@www.freebsd.org>
Date: Mon, 13 Dec 2004 23:37:06 GMT
From: Arne Wörner <arne_woerner@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pf / icmp 64 / operation wrongully not permitted?
X-Send-Pr-Version: www-2.3

>Number:         75036
>Category:       kern
>Synopsis:       pf / icmp 64 / operation wrongully not permitted?
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 13 23:40:26 GMT 2004
>Closed-Date:    Tue Dec 14 14:56:00 GMT 2004
>Last-Modified:  Tue Dec 14 14:56:00 GMT 2004
>Originator:     Arne Wörner
>Release:        R5.3
>Organization:
>Environment:
FreeBSD neo.riddick.homeunix.org. 5.3-RELEASE FreeBSD 5.3-RELEASE #9: Thu Dec  2 20:23:28 UTC 2004     aw@neo.riddick.homeunix.org.:/usr/src/sys/i386/compile/RIDDICK  i386

>Description:
I just tried to do
  ping -R localhost
With pf enabled: The ping command says that the operation is not permitted.
With pf disabled: The ping command works as expected.

tcpdump (pflog) said that rule 2 (pass out quick on lo0 all) matched once for every sequence number:
 neo# tcpdump -nr /var/log/pflog icmp and rulenum 2
 23:23:34.017915 IP 127.0.0.1 > 127.0.0.1: icmp 64: echo request seq 9

>How-To-Repeat:
pf rules:
 scrub in all fragment reassemble
 block drop in log all
 pass in quick on lo0 all
 pass out quick on lo0 all
 block drop in log on tun0 all
 block drop in log on tun0 from any to (tun0)
 pass out log-all on tun0 proto icmp from (tun0) to any keep state
 pass out log-all on tun0 proto tcp from (tun0) to any keep state
 pass out log-all on tun0 proto udp from (tun0) to any keep state

ping said:
neo# ping -R localhost
PING localhost (127.0.0.1): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
^C
--- localhost ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

neo# ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.116 ms
^C
--- localhost ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.116/0.116/0.116/0.000 ms

>Fix:

>Release-Note:
>Audit-Trail:

From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Arne Wörner <arne_woerner@yahoo.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/75036: pf / icmp 64 / operation wrongully not permitted?
Date: Tue, 14 Dec 2004 11:47:16 +0100

 On Mon, Dec 13, 2004 at 11:37:06PM +0000, Arne Wörner wrote:
 
 > >Number:         75036
 > >Synopsis:       pf / icmp 64 / operation wrongully not permitted?
 
 > I just tried to do
 >   ping -R localhost
 > With pf enabled: The ping command says that the operation is not permitted.
 
 Record route (-R) is an IP option. By default, pf blocks all packets
 with IP options, unless the last-matching rule contains the 'allow-opts'
 keyword.
 
 Here's the relevant section from pf.conf(5)
 
   allow-opts
      By default, packets which contain IP options are blocked.  When
      allow-opts is specified for a pass rule, packets that pass the fil-
      ter based on that rule (last matching) do so even if they contain
      IP options.  For packets that match state, the rule that initially
      created the state is used.  The implicit pass rule that is used
      when a packet does not match any rules does not allow IP options.
 
 >  pass in quick on lo0 all
 >  pass out quick on lo0 all
 
 Try
 
   pass in quick on lo0 all allow-opts
   pass out quick on lo0 all allow-opts
 
 Daniel

From: Arne Wörner <arne_woerner@yahoo.com>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/75036: pf / icmp 64 / operation wrongully not permitted?
Date: Tue, 14 Dec 2004 06:44:34 -0800 (PST)

 > Try
 >   pass in quick on lo0 all allow-opts
 >   pass out quick on lo0 all allow-opts
 > 
 Now it works... :-))
 It does not look like a bug anymore to me...
 
 -Arne
State-Changed-From-To: open->closed 
State-Changed-By: dhartmei 
State-Changed-When: Tue Dec 14 14:55:35 GMT 2004 
State-Changed-Why:  
not a bug, submitter agrees 

http://www.freebsd.org/cgi/query-pr.cgi?pr=75036 
>Unformatted:
