NetBSD Problem Report #38390

From cube@cubidou.net  Tue Apr  8 23:05:22 2008
Return-Path: <cube@cubidou.net>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 9873F63B293
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  8 Apr 2008 23:05:22 +0000 (UTC)
Message-Id: <20080408220736.DE92014CDD@yoda.cubidou.net>
Date: Wed,  9 Apr 2008 00:07:36 +0200 (CEST)
From: cube@cubidou.net
Reply-To: cube@cubidou.net
To: gnats-bugs@gnats.NetBSD.org
Subject: "keep state" rules block matching packets that belong to an existing state
X-Send-Pr-Version: 3.95

>Number:         38390
>Category:       kern
>Synopsis:       "keep state" rules block matching packets that belong to an existing state
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 08 23:10:01 +0000 2008
>Last-Modified:  Mon Jun 02 11:20:00 +0000 2008
>Originator:     Quentin Garnier
>Release:        NetBSD 4.0
>Organization:
	NetBSD
>Environment:
NetBSD/i386
>Description:
	I have a system which blocks most of incoming packets, except
	stuff like a few selected TCP connections.
	The gateway uses IPFilter, and has keep state rules for those
	TCP connections that it is supposed to route.
	In the "out" direction of the considered interface, I only have
	pass rules, but "keep state" ones for tcp, udp and icmp.
	Whenever the gateway will try and generate an ICMP needfrag
	packet for a managed TCP connection, the out icmp keep state
	rule will block it.

	That's not nice.
>How-To-Repeat:
	Something along the lines of:

	block in all
	pass in proto tcp from any to any keep state
	pass out all
	pass out proto icmp from any to any keep state

	And try that on a network with an output route where MTU is
	decreased.
>Fix:
	A workaround is to explicitly allow ICMPs generated by the
	gateway, to match after the keep state rule, or before but with
	quick.

>Audit-Trail:
From: Wolfgang Solfrank <Wolfgang@Solfrank.net>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, 
 netbsd-bugs@netbsd.org
Subject: Re: kern/38390: "keep state" rules block matching packets that belong
 to an existing state
Date: Wed, 09 Apr 2008 11:54:44 +0200

 Hi,

 The problem here is the "keep state" on the "proto icmp" line.
 What happens is this:

 The routine fr_scanlist, after determining that some packet matches the
 "pass out proto icmp from any to any keep state" rule, calls fr_addstate.
 Now fr_addstate sees the icmp packet and looks into the icmp type to
 determine whether it should be expecting a response for the packet. If it
 does not, it doesn't allocate a state and returns a NULL pointer to the
 caller, just as it does for some error cases (unable to allocate memory,
 bucket full etc.)  The caller cannot distinguish the "no need to allocate
 state" from the error cases and decides that it's safer to block the packet
 (which is certainly correct for the error cases).

 One solution would be for fr_addstate to return not the pointer to the
 allocated state (which isn't used by any caller anyway) but to return
 only an error code (which would be 0 on success or on unneeded state
 allocation).

 For now, the workaround is to explicitly add rules for icmp with keep
 state for the specific icmp types that fr_addstate expects responses for,
 i.e. something like

 pass out proto icmp from any to any icmp-type 8 keep state
 pass out proto icmp from any to any icmp-type 13 keep state
 pass out proto icmp from any to any icmp-type 15 keep state
 pass out proto icmp from any to any icmp-type 17 keep state

 The equivalent lines for IPv6 would be:

 pass out proto ipv6-icmp from any to any icmp-type 128 keep state
 pass out proto ipv6-icmp from any to any icmp-type 130 keep state
 pass out proto ipv6-icmp from any to any icmp-type 133 keep state
 pass out proto ipv6-icmp from any to any icmp-type 135 keep state
 pass out proto ipv6-icmp from any to any icmp-type 139 keep state

 Note however that ipfilter doesn't currently work with IPv6 fragments
 anyway (PR with patch coming soon...)

 Ciao,
 Wolfgang
 -- 
 Wolfgang@Solfrank.net
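 An added C model of the return-value ambiguity Wolfgang describes above
 (example code, not IPFilter's own source): the pointer-or-NULL convention
 makes a fail-closed caller block an ICMP needfrag (type 3) that needs no
 state, while an error-code convention lets it through and still blocks on
 real allocation failure. The function names, the alloc_fails flag and the
 "expects reply" type set are assumptions taken from the reply.

```c
#include <stddef.h>
#include <stdlib.h>

/* ICMP types for which the reply above says a response is expected. */
static int icmp_expects_reply(int type) {
    return type == 8 || type == 13 || type == 15 || type == 17;
}

struct state { int icmp_type; };

/* Original convention (modelled): NULL means both "no state needed"
 * and "allocation failed"; the caller cannot tell them apart. */
static struct state *addstate_ptr(int icmp_type, int alloc_fails) {
    if (!icmp_expects_reply(icmp_type))
        return NULL;               /* nothing to track, yet looks like an error */
    if (alloc_fails)
        return NULL;               /* genuine failure (assumed flag) */
    struct state *s = malloc(sizeof *s);
    if (s) s->icmp_type = icmp_type;
    return s;
}

/* Fail-closed caller: returns 1 to pass, 0 to block. Type 3 is blocked. */
int scan_pass_ptr(int icmp_type, int alloc_fails) {
    struct state *s = addstate_ptr(icmp_type, alloc_fails);
    if (s == NULL)
        return 0;
    free(s);
    return 1;
}

/* Proposed convention: 0 on success or when no state is needed, -1 on error.
 * The state pointer becomes an out-parameter so the two meanings separate. */
static int addstate_rc(int icmp_type, int alloc_fails, struct state **out) {
    *out = NULL;
    if (!icmp_expects_reply(icmp_type))
        return 0;                  /* no state needed: success */
    if (alloc_fails)
        return -1;
    *out = malloc(sizeof **out);
    if (*out == NULL)
        return -1;
    (*out)->icmp_type = icmp_type;
    return 0;
}

/* Same fail-closed caller against the error-code API: type 3 now passes. */
int scan_pass_rc(int icmp_type, int alloc_fails) {
    struct state *s;
    if (addstate_rc(icmp_type, alloc_fails, &s) != 0)
        return 0;
    free(s);                       /* free(NULL) is a no-op */
    return 1;
}
```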

From: Darren Reed <darrenr@netbsd.org>
To: cube@cubidou.net,  gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: Re: kern/38390
Date: Mon, 02 Jun 2008 04:18:36 -0700

 If the firewall generates an ICMP packet in response to a TCP packet
 that is part of a "keep state" session, then it should be automatically
 letting it through, without the need for any special "proto icmp ..
 keep state" rules.

 With regard to Wolfgang's comment, checking ICMP errors to match an existing
 state should happen before the "proto icmp" rule is checked...

 Is NAT also active here or not?

 Darren
