NetBSD Problem Report #38390
From cube@cubidou.net Tue Apr 8 23:05:22 2008
Return-Path: <cube@cubidou.net>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 9873F63B293
for <gnats-bugs@gnats.NetBSD.org>; Tue, 8 Apr 2008 23:05:22 +0000 (UTC)
Message-Id: <20080408220736.DE92014CDD@yoda.cubidou.net>
Date: Wed, 9 Apr 2008 00:07:36 +0200 (CEST)
From: cube@cubidou.net
Reply-To: cube@cubidou.net
To: gnats-bugs@gnats.NetBSD.org
Subject: "keep state" rules block matching packets that belong to an existing state
X-Send-Pr-Version: 3.95
>Number: 38390
>Category: kern
>Synopsis: "keep state" rules block matching packets that belong to an existing state
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Apr 08 23:10:01 +0000 2008
>Last-Modified: Mon Jun 02 11:20:00 +0000 2008
>Originator: Quentin Garnier
>Release: NetBSD 4.0
>Organization:
NetBSD
>Environment:
NetBSD/i386
>Description:
I have a system which blocks most incoming packets, except
stuff like a few selected TCP connections.
The gateway uses IPFilter, and has keep state rules for those
TCP connections that it is supposed to route.
In the "out" direction of the considered interface, I only have
pass rules, but "keep state" ones for tcp, udp and icmp.
Whenever the gateway will try and generate an ICMP needfrag
packet for a managed TCP connection, the out icmp keep state
rule will block it.
That's not nice.
>How-To-Repeat:
Something along the lines of:
block in all
pass in proto tcp from any to any keep state
pass out all
pass out proto icmp from any to any keep state
And try that on a network with an output route where the MTU is
decreased.
>Fix:
A workaround is to explicitly allow ICMPs generated by the
gateway, to match after the keep state rule, or before but with
quick.
>Audit-Trail:
From: Wolfgang Solfrank <Wolfgang@Solfrank.net>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: kern/38390: "keep state" rules block matching packets that belong to an existing state
Date: Wed, 09 Apr 2008 11:54:44 +0200
Hi,
The problem here is the "keep state" on the "proto icmp" line.
What happens is this:
The routine fr_scanlist, after determining that some packet matches the
"pass out proto icmp from any to any keep state" rule, calls fr_addstate.
Now fr_addstate sees the icmp packet and looks into the icmp type to
determine whether it should be expecting a response for the packet. If it
does not, it doesn't allocate a state and returns a NULL pointer to the
caller, just as it does for some error cases (unable to allocate memory,
bucket full etc.) The caller cannot distinguish the "no need to allocate
state" from the error cases and decides that it's safer to block the packet
(which is certainly correct for the error cases).
One solution would be for fr_addstate to return not the pointer to the
allocated state (which isn't used by any caller anyway) but to return
only an error code (which would be 0 on success or on unneeded state
allocation).
For now, the workaround is to explicitly add rules for icmp with keep
state for the specific icmp types that fr_addstate expects responses for,
i.e. something like
pass out proto icmp from any to any icmp-type 8 keep state
pass out proto icmp from any to any icmp-type 13 keep state
pass out proto icmp from any to any icmp-type 15 keep state
pass out proto icmp from any to any icmp-type 17 keep state
The equivalent lines for IPv6 would be:
pass out proto ipv6-icmp from any to any icmp-type 128 keep state
pass out proto ipv6-icmp from any to any icmp-type 130 keep state
pass out proto ipv6-icmp from any to any icmp-type 133 keep state
pass out proto ipv6-icmp from any to any icmp-type 135 keep state
pass out proto ipv6-icmp from any to any icmp-type 139 keep state
Note however that ipfilter doesn't currently work with IPv6 fragments
anyway (PR with patch coming soon...)
Ciao,
Wolfgang
--
Wolfgang@Solfrank.net
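The following is an added illustration of the return-value ambiguity Wolfgang describes above; it is hypothetical code written for this page, not IPFilter's fr_addstate or fr_scanlist. The packet and state structs, the two-slot "bucket", and the function names addstate_ambiguous, addstate_errcode, scanlist_ambiguous and scanlist_errcode are all constructed. The ICMP request types that warrant a state (8, 13, 15, 17) are taken from Wolfgang's workaround rules; the "needfrag" packet in main is ICMP type 3 code 4. The first pair of functions returns a pointer that is NULL both for "no state needed" and for "bucket full", so the caller blocks the needfrag packet; the second pair returns an error code, as Wolfgang proposes, so only the genuine failure is blocked.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the fr_scanlist/fr_addstate interaction described in
 * this PR. Not IPFilter's code: names, the tiny fixed-size state bucket and
 * the packet struct are constructed for illustration. */

enum { PROTO_ICMP = 1, PROTO_TCP = 6 };

struct pkt {
    int proto;
    int icmp_type;   /* meaningful only when proto == PROTO_ICMP */
    int icmp_code;
};

struct state {
    int proto;
    int icmp_type;
};

struct pkt mk_pkt(int proto, int icmp_type, int icmp_code)
{
    struct pkt p = { proto, icmp_type, icmp_code };
    return p;
}

/* ICMP request types for which a reply is expected, so a state is worth
 * keeping: echo (8), timestamp (13), information (15), address mask (17). */
static int icmp_expects_reply(int type)
{
    return type == 8 || type == 13 || type == 15 || type == 17;
}

/* A two-slot state "bucket" so the "bucket full" error path can be
 * exercised without allocating memory. */
#define BUCKET_SLOTS 2
static struct state bucket[BUCKET_SLOTS];
static int bucket_used = 0;

void state_table_reset(void) { bucket_used = 0; }
int  state_count(void)       { return bucket_used; }

/* Shape of the original interface: a pointer that is NULL both when no
 * state is needed and when the state could not be created. */
struct state *addstate_ambiguous(const struct pkt *p)
{
    if (p->proto == PROTO_ICMP && !icmp_expects_reply(p->icmp_type))
        return NULL;                      /* no state needed */
    if (bucket_used == BUCKET_SLOTS)
        return NULL;                      /* error: bucket full */
    bucket[bucket_used].proto = p->proto;
    bucket[bucket_used].icmp_type = p->icmp_type;
    return &bucket[bucket_used++];
}

/* The caller cannot tell the two NULLs apart, so it blocks on both.
 * Returns 1 for pass, 0 for block. */
int scanlist_ambiguous(const struct pkt *p)
{
    return addstate_ambiguous(p) != NULL;
}

/* Shape Wolfgang proposes: an error code that is 0 on success and when no
 * state is needed, non-zero only on a real failure. */
enum addstate_rc { ADDSTATE_OK = 0, ADDSTATE_BUCKET_FULL = 1 };

int addstate_errcode(const struct pkt *p)
{
    if (p->proto == PROTO_ICMP && !icmp_expects_reply(p->icmp_type))
        return ADDSTATE_OK;               /* nothing to track: not an error */
    if (bucket_used == BUCKET_SLOTS)
        return ADDSTATE_BUCKET_FULL;
    bucket[bucket_used].proto = p->proto;
    bucket[bucket_used].icmp_type = p->icmp_type;
    bucket_used++;
    return ADDSTATE_OK;
}

/* With an error code the caller blocks only on genuine failures. */
int scanlist_errcode(const struct pkt *p)
{
    return addstate_errcode(p) == ADDSTATE_OK;
}

int main(void)
{
    struct pkt needfrag = mk_pkt(PROTO_ICMP, 3, 4);   /* constructed: ICMP needfrag */
    struct pkt echo     = mk_pkt(PROTO_ICMP, 8, 0);   /* constructed: echo request */

    state_table_reset();
    printf("needfrag: ambiguous=%s errcode=%s\n",
           scanlist_ambiguous(&needfrag) ? "pass" : "block",
           scanlist_errcode(&needfrag)   ? "pass" : "block");
    printf("echo:     ambiguous=%s errcode=%s (states=%d)\n",
           scanlist_ambiguous(&echo) ? "pass" : "block",
           scanlist_errcode(&echo)   ? "pass" : "block",
           state_count());
    return 0;
}
```

Running it shows the needfrag packet blocked by the pointer-returning variant and passed by the error-code variant, while an echo request is passed by both and occupies a state slot; once the bucket is full, both variants still block, which is the behaviour the error path is meant to preserve.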
From: Darren Reed <darrenr@netbsd.org>
To: cube@cubidou.net, gnats-bugs@gnats.NetBSD.org
Cc:
Subject: Re: kern/38390
Date: Mon, 02 Jun 2008 04:18:36 -0700
If the firewall generates an ICMP packet in response to a TCP packet
that is part of a "keep state" session, then it should be automatically
letting it through, without the need for any special
"proto icmp .. keep state" rules.
With regard to Wolfgang's comment, checking ICMP errors to match an existing
state should happen before the "proto icmp" rule is checked...
Is NAT also active here or not?
Darren
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.