From nobody@FreeBSD.org  Tue Feb  8 17:19:35 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2217616A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  8 Feb 2005 17:19:35 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D6FBA43D1F
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  8 Feb 2005 17:19:34 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j18HJYC4025874
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 8 Feb 2005 17:19:34 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j18HJYl9025873;
	Tue, 8 Feb 2005 17:19:34 GMT
	(envelope-from nobody)
Message-Id: <200502081719.j18HJYl9025873@www.freebsd.org>
Date: Tue, 8 Feb 2005 17:19:34 GMT
From: Vladimir Kotal <vlada@devnull.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfilter breaks ipv6 stateful filtering on 5.3
X-Send-Pr-Version: www-2.3

>Number:         77273
>Category:       kern
>Synopsis:       [ipf] ipfilter breaks ipv6 stateful filtering on 5.3
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 08 17:20:09 GMT 2005
>Closed-Date:    Sun Feb 19 19:35:03 UTC 2012
>Last-Modified:  Sun Feb 19 19:35:03 UTC 2012
>Originator:     Vladimir Kotal
>Release:        5.3-RELEASE-p1
>Organization:
>Environment:
FreeBSD news 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #0: Tue Feb  8 12:45:22 CET 2005     root@news:/usr/src/sys/i386/compile/news_5.3  i386
>Description:
      ipfilter with a stateful IPv6 ruleset is broken on FreeBSD 5.3

consider the following ACL:

block in log on fxp0 all head 600
block out log on fxp0 all head 650

# ingress rules
 
  # ND stuff at link-local
  pass in quick proto ipv6-icmp from fe80::/10 to fe80::/10 group 600
  pass in quick proto ipv6-icmp from fe80::/10 to 2001:XXXX:1003:a::2  group 600

  # NS
  # encompasses DAD
  pass in quick proto ipv6-icmp from any to ff02::/16        icmp-type 135 code 0   group 600
  pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2         icmp-type 135 code 0   group 600

  # NA
  pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2         icmp-type 136 code 0   group 600

  # permit ICMPv6 echo-request
  pass in quick proto ipv6-icmp from any to 2001:XXXX:1003:a::2  icmp-type 128 code 0   keep state   group 600

# egress rules

  pass out quick proto tcp/udp all keep state group 650

  pass out quick proto ipv6-icmp all group 650


when this ACL is loaded via 'ipf -6 -Fa -f ACL', it is possible to connect to this host or ping it via ping6, but it is not possible to connect from this host to the outside - this is normal behavior.

however, when the last rule is replaced with

  pass out quick proto ipv6-icmp all keep state group 650

it is now possible to connect from this host to the outside, but it is not possible to ping this host.

there are no log entries in ipf.log which would indicate denied packets.

with the last rule replaced, traffic dump looks like this:

18:15:46.290000 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]
18:15:47.289251 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]
18:15:48.289262 fe80::2d0:baff:feb6:c430 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:XXXX:1003:a::2 [class 0xe0]

no NA messages are sent out, nothing in ipf.log.

the same access list works on FreeBSD 4.x without any problem (e.g. it is possible to connect to the host using this ACL from outside, as well as to connect from this host to an arbitrary host outside)

>How-To-Repeat:
      try to load the above-mentioned access list and try to ping an otherwise IPv6-reachable machine.
>Fix:
      use stateless access lists - this is not applicable in some environments. More investigation of this problem is needed.
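A small ruleset check written for this report (an added example, not part of the PR or of ipfilter itself): it parses the subset of ipf syntax used above and flags the pattern the submitter found broken, an outbound `pass ... proto ipv6-icmp ... keep state` rule that no earlier stateless rule already passes Neighbor Solicitation/Advertisement (types 135/136) for, which is the stateless approach the Fix field points at. The function names, the constructed sample ruleset and the decision to treat rule order as evaluation order (ignoring head/group nesting) are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ND_TYPES = {135, 136}  # ICMPv6 Neighbor Solicitation / Advertisement, as in the PR

@dataclass
class Rule:
    action: str              # pass | block
    direction: str           # in | out
    quick: bool
    proto: Optional[str]     # e.g. ipv6-icmp, tcp/udp
    icmp_type: Optional[int]
    keep_state: bool
    text: str

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one ipf rule (subset of the syntax the PR uses); None for comments/blanks."""
    line = line.strip()
    m = re.match(r"^(pass|block)\s+(in|out)\b", line)
    if not m:
        return None
    proto = re.search(r"\bproto\s+(\S+)", line)
    itype = re.search(r"\bicmp-type\s+(\d+)", line)
    return Rule(m.group(1), m.group(2), " quick " in f" {line} ",
                proto.group(1) if proto else None,
                int(itype.group(1)) if itype else None, "keep state" in line, line)

def parse_ruleset(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r]

def stateful_icmpv6_out_findings(rules: List[Rule]) -> List[Tuple[str, List[int]]]:
    """(rule text, ND types not yet passed statelessly) for each stateful outbound ICMPv6 rule.
    Rule order stands in for evaluation order; head/group nesting is ignored (simplification)."""
    findings = []
    for i, r in enumerate(rules):
        if not (r.action == "pass" and r.direction == "out"
                and r.proto == "ipv6-icmp" and r.keep_state):
            continue
        uncovered = set(ND_TYPES)
        for p in rules[:i]:  # earlier stateless 'pass out quick' ICMPv6 rules match first
            if (p.action == "pass" and p.direction == "out" and p.quick
                    and p.proto == "ipv6-icmp" and not p.keep_state):
                uncovered -= ND_TYPES if p.icmp_type is None else {p.icmp_type}
        if uncovered:
            findings.append((r.text, sorted(uncovered)))
    return findings

# Constructed sample: the PR's egress group with the 'keep state' variant the report says breaks NA.
SAMPLE = "block out log on fxp0 all head 650\npass out quick proto tcp/udp all keep state group 650\npass out quick proto ipv6-icmp all keep state group 650"
```

Running `stateful_icmpv6_out_findings(parse_ruleset(SAMPLE))` reports the last rule with both ND types uncovered; adding a stateless `pass out quick proto ipv6-icmp all icmp-type 136 code 0 group 650` before it leaves only type 135 flagged.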
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: arved 
Responsible-Changed-When: Sat Jun 4 21:02:29 GMT 2005 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77273 
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Feb 19 19:34:23 UTC 2012 
State-Changed-Why:  
Unfortunately no one looked at this PR at the time.  It has now been 
obsoleted by the passage of time. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77273 
>Unformatted:
