NetBSD Problem Report #48674
From Wolfgang.Stukenbrock@nagler-company.com Fri Mar 21 12:21:34 2014
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 5BE89A5809
for <gnats-bugs@gnats.NetBSD.org>; Fri, 21 Mar 2014 12:21:34 +0000 (UTC)
Message-Id: <20140321105305.87D06123B93@test-s0.nagler-company.com>
Date: Fri, 21 Mar 2014 11:53:05 +0100 (CET)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: ipfilter send TCP-reset packets for non-TCP packets with return-rst
X-Send-Pr-Version: 3.95
>Number: 48674
>Category: kern
>Synopsis: ipfilter send TCP-reset packets for non-TCP packets with return-rst
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: ipf-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Mar 21 12:25:00 +0000 2014
>Last-Modified: Sat Apr 26 04:12:13 +0000 2014
>Originator: Dr. Wolfgang Stukenbrock
>Release: NetBSD 6.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD test-s0 5.1.2 NetBSD 5.1.2 (NSW-WS) #3: Fri Dec 21 15:15:43 CET 2012 wgstuken@test-s0:/usr/src/sys/arch/amd64/compile/NSW-WS amd64
Architecture: x86_64
Machine: amd64
>Description:
The implementation of ipfilter will send TCP-reset packets for all packet types, not only TCP.
So a rule like "block return-rst in quick on wm0 all head 1234" will send a TCP-reset packet
for all packets not explicitly allowed in group 1234.
A "blocked" UDP packet will result in a TCP-reset packet being sent - this does not make sense ...
>How-To-Repeat:
Setup a rule like above and send some packets that will be blocked. You will see the TCP-reset answers.
>Fix:
There is a workaround for this problem:
Duplicate all head rules in the following way:
block return-rst in quick on wm0 proto tcp all head 1234
block in quick on wm0 all head 1234
This will suppress the TCP-reset packets, but it is ugly in the config file.
To fix this issue, a check for incoming TCP should be added prior to generating the reset packet.
Sorry - no time to create a patch at the moment.
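The check the Fix section asks for, written out as an added example that is not ipfilter's or NetBSD's code: a decision routine that looks at the IP protocol field before a return-rst action is allowed to build a TCP reset, so UDP, ICMP and every other non-TCP packet stays silent. It goes a little beyond the PR by also carrying the RFC 793 rules for the reset itself (sequence/ack fields taken from the offending segment, and no RST in answer to a RST). All names (return_rst_decide, demo_case, struct rst_reply, build_packet) and the sample packets are constructed for illustration; checksums are left zero because they play no part in the decision.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_TCP_NUM 6
#define IPPROTO_UDP_NUM 17
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Fields a return-rst action would put into the reset it sends back.
 * flags == 0 means "send nothing".  Hypothetical layout, not ipfilter's. */
struct rst_reply {
    uint32_t seq;
    uint32_t ack;
    uint8_t  flags;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Decide whether a blocked packet may be answered with a TCP RST.  Returns 1
 * and fills *r when it may; 0 for anything that must stay silent: not IPv4,
 * truncated, a non-first fragment, a non-TCP protocol (the case this PR is
 * about), or a segment that is itself a RST (RFC 793: never answer a RST
 * with a RST). */
int return_rst_decide(const uint8_t *pkt, size_t len, struct rst_reply *r)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = rd16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len)
        return 0;
    if (pkt[9] != IPPROTO_TCP_NUM)      /* the missing check from the PR */
        return 0;
    if (rd16(pkt + 6) & 0x1fff)         /* non-first fragment: no TCP header here */
        return 0;
    const uint8_t *th = pkt + ihl;
    size_t tcplen = tot - ihl;
    if (tcplen < 20)
        return 0;
    size_t doff = (size_t)(th[12] >> 4) * 4;
    if (doff < 20 || doff > tcplen)
        return 0;
    uint8_t flags = th[13];
    if (flags & TH_RST)
        return 0;
    uint32_t seg_seq = rd32(th + 4), seg_ack = rd32(th + 8);
    /* RFC 793 SEG.LEN: payload bytes plus one each for SYN and FIN. */
    uint32_t seg_len = (uint32_t)(tcplen - doff) + ((flags & TH_SYN) ? 1 : 0) + ((flags & TH_FIN) ? 1 : 0);
    if (flags & TH_ACK) {               /* <SEQ=SEG.ACK><CTL=RST> */
        r->seq = seg_ack; r->ack = 0; r->flags = TH_RST;
    } else {                            /* <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK> */
        r->seq = 0; r->ack = seg_seq + seg_len; r->flags = TH_RST | TH_ACK;
    }
    return 1;
}

/* Constructed sample packet: IPv4 without options, 192.168.1.2 -> 192.168.1.1,
 * ports 49152 -> 22.  TCP gets a 20-byte header with seq/ack/flags; any other
 * protocol gets an 8-byte header (enough for UDP) so the transport bytes exist. */
size_t build_packet(uint8_t proto, uint32_t seq, uint32_t ack, uint8_t flags,
                    size_t paylen, uint8_t *buf, size_t buflen)
{
    size_t hdr = (proto == IPPROTO_TCP_NUM) ? 20 : 8;
    size_t tot = 20 + hdr + paylen;
    if (tot > buflen || tot > 0xffff)
        return 0;
    memset(buf, 0, tot);
    buf[0] = 0x45; buf[2] = (uint8_t)(tot >> 8); buf[3] = (uint8_t)tot;
    buf[8] = 64; buf[9] = proto;
    memcpy(buf + 12, "\xc0\xa8\x01\x02", 4);
    memcpy(buf + 16, "\xc0\xa8\x01\x01", 4);
    uint8_t *th = buf + 20;
    th[0] = 0xc0; th[1] = 0x00; th[2] = 0x00; th[3] = 0x16;
    if (proto == IPPROTO_TCP_NUM) {
        wr32(th + 4, seq); wr32(th + 8, ack); th[12] = 0x50; th[13] = flags;
    }
    return tot;
}

/* Build one sample packet and run the decision; flags == 0 in the result means
 * the rule would stay silent. */
struct rst_reply demo_case(uint8_t proto, uint32_t seq, uint32_t ack, uint8_t flags, size_t paylen)
{
    uint8_t buf[128];
    struct rst_reply r = {0, 0, 0};
    size_t n = build_packet(proto, seq, ack, flags, paylen, buf, sizeof buf);
    if (n == 0 || !return_rst_decide(buf, n, &r))
        r.flags = 0;
    return r;
}

int main(void)
{
    struct rst_reply r = demo_case(IPPROTO_TCP_NUM, 1000, 0, TH_SYN, 0);
    printf("TCP SYN : flags=0x%02x seq=%u ack=%u\n", r.flags, r.seq, r.ack);
    r = demo_case(IPPROTO_UDP_NUM, 0, 0, 0, 12);
    printf("UDP     : flags=0x%02x (0 = no reset sent)\n", r.flags);
    return 0;
}
```

With the workaround from the Fix section ("proto tcp" on the return-rst head rule, plain "block" for everything else) the net effect on the wire is the same as this routine's proto check; the difference is only where the check lives.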
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Sat, 26 Apr 2014 04:12:13 +0000
Responsible-Changed-Why:
ipf has its own Responsible:
>Unformatted: