NetBSD Problem Report #48674

From Wolfgang.Stukenbrock@nagler-company.com  Fri Mar 21 12:21:34 2014
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 5BE89A5809
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 21 Mar 2014 12:21:34 +0000 (UTC)
Message-Id: <20140321105305.87D06123B93@test-s0.nagler-company.com>
Date: Fri, 21 Mar 2014 11:53:05 +0100 (CET)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: ipfilter send TCP-reset packets for non-TCP packets with return-rst
X-Send-Pr-Version: 3.95

>Number:         48674
>Category:       kern
>Synopsis:       ipfilter send TCP-reset packets for non-TCP packets with return-rst
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ipf-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 21 12:25:00 +0000 2014
>Last-Modified:  Sat Apr 26 04:12:13 +0000 2014
>Originator:     Dr. Wolfgang Stukenbrock
>Release:        NetBSD 6.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:


System: NetBSD test-s0 5.1.2 NetBSD 5.1.2 (NSW-WS) #3: Fri Dec 21 15:15:43 CET 2012 wgstuken@test-s0:/usr/src/sys/arch/amd64/compile/NSW-WS amd64
Architecture: x86_64
Machine: amd64
>Description:
	The implementation of ipfilter will send TCP-reset packets for all packet types, not only TCP.
	So a rule like "block return-rst in quick on wm0 all head 1234" will send a TCP-reset packet
	for all packets not explicitly allowed in group 1234.
	A "blocked" UDP packet will result in a TCP-reset packet being sent - this does not make sense ...
>How-To-Repeat:
	Setup a rule like above and send some packets that will be blocked. You will see the TCP-reset answers.
>Fix:
	There is a workaround for this problem:
	Duplicate all head rules in the following way:
	  block return-rst in quick on wm0 proto tcp all head 1234
	  block            in quick on wm0           all head 1234
	This will suppress the TCP-reset packets, but it is ugly in the config file.

	To fix this issue, prior to generating the reset packet a check for incoming TCP should be added.
	Sorry - no time to create a patch at the moment.
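	One way to implement the check described above, as an added example that is not ipfilter's own code: a gate that lets a return-rst action fire only for an unfragmented IPv4 TCP segment, and that also refuses to answer an incoming RST with a RST (the RFC 793 rule, which goes beyond what the report asks for). The protocol number, flag bit and sample packets are constructed here, not taken from ipfilter.

```c
#include <stddef.h>
#include <stdint.h>

#define PROTO_TCP 6      /* IANA protocol number for TCP (IPPROTO_TCP) */
#define TH_RST    0x04   /* RST bit in the TCP flags byte */

/*
 * Gate for a "return-rst" action: return 1 only when the packet is a
 * well-formed, unfragmented IPv4 TCP segment that does not itself carry
 * RST.  Everything else (UDP, ICMP, fragments, truncated packets, RSTs)
 * returns 0 and should simply be dropped.  Hypothetical helper, not
 * ipfilter's own code.
 */
int rst_allowed(const uint8_t *pkt, size_t len)
{
    size_t ihl;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                           /* not IPv4 or too short */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20)
        return 0;                           /* bad IHL or no full TCP header */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return 0;                           /* non-first fragment: no L4 header */
    if (pkt[9] != PROTO_TCP)
        return 0;                           /* the check the report asks for */
    if (pkt[ihl + 13] & TH_RST)
        return 0;                           /* RFC 793: never answer RST with RST */
    return 1;
}

/* Constructed samples (checksums left zero): IPv4 header, then L4 header. */
const uint8_t udp_pkt[28] = {               /* UDP 10.0.0.1:1234 -> 10.0.0.2:53 */
    0x45,0,0,28, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,
    0x04,0xd2, 0x00,0x35, 0,8, 0,0 };
const uint8_t tcp_syn[40] = {               /* TCP SYN to port 80 */
    0x45,0,0,40, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
    0x04,0xd2, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0,0,0 };
const uint8_t tcp_rst[40] = {               /* same flow, RST flag set */
    0x45,0,0,40, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
    0x04,0xd2, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x04, 0xff,0xff, 0,0,0,0 };
```

	With this gate in front of the reset path, the UDP sample from the report is dropped silently while only the TCP SYN is answered with a reset.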


>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Sat, 26 Apr 2014 04:12:13 +0000
Responsible-Changed-Why:
ipf has its own Responsible:


>Unformatted:
