NetBSD Problem Report #52470

From www@NetBSD.org  Mon Aug  7 14:32:02 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 263767A213
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  7 Aug 2017 14:32:02 +0000 (UTC)
Message-Id: <20170807143201.128DD7A28A@mollari.NetBSD.org>
Date: Mon,  7 Aug 2017 14:32:01 +0000 (UTC)
From: ef@math.uni-bonn.de
Reply-To: ef@math.uni-bonn.de
To: gnats-bugs@NetBSD.org
Subject: ipf fails to return-icmp on a link-local address
X-Send-Pr-Version: www-1.0

>Number:         52470
>Category:       kern
>Synopsis:       ipf fails to return-icmp on a link-local address
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Aug 07 14:35:00 +0000 2017
>Closed-Date:    Mon Jun 04 21:49:14 +0000 2018
>Last-Modified:  Mon Jun 04 21:49:14 +0000 2018
>Originator:     Edgar Fuß
>Release:        6.1, 7.1
>Organization:
Mathematisches Institut der Universität Bonn
>Environment:
>Description:
If a block rule with a "return-icmp" qualifier matches on a link-local address, no ICMP packet is sent. The problem is that ipf_send_icmp_err() calls ipf_ifpaddr() to find an address of the interface in question, but that routine discards link-local addresses.
>How-To-Repeat:
Install a block rule with "return-icmp" and make it match a packet addressed to a link-local address. Observe no ICMP being sent.
>Fix:
I guess the best fix is to simply use the destination address instead if it is link local, i.e. treat the rule as if return-icmp-as-dest was given in this case.

Note you will also need the fix from kern/52469 or the ICMP packet will fail to get properly routed.
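The following is an added example, not code from the report or from ipf, that models the source-selection logic the description and the proposed fix talk about: an interface address lookup that skips link-local entries (standing in for the behaviour attributed to ipf_ifpaddr(); the real routine is not reproduced here), and the proposed fallback of reusing a link-local packet destination as the ICMPv6 source, i.e. the return-icmp-as-dest behaviour. `struct ifaddr6`, `model_ifpaddr()`, `select_icmp6_src()`, `reply_src_str()` and `reply_src_is()` are all assumptions of this example; `IN6_IS_ADDR_LINKLOCAL` is the standard macro the patch uses. The interface is modelled as having a single, constructed address.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an interface's IPv6 address list (not an ipf structure). */
struct ifaddr6 {
	struct in6_addr addr;
};

/*
 * Hypothetical stand-in for ipf_ifpaddr() as the PR describes it: link-local
 * entries are skipped and -1 is returned when nothing else is configured.
 */
static int
model_ifpaddr(const struct ifaddr6 *list, size_t n, struct in6_addr *out)
{
	size_t i;

	for (i = 0; i < n; i++) {
		if (IN6_IS_ADDR_LINKLOCAL(&list[i].addr))
			continue;
		*out = list[i].addr;
		return 0;
	}
	return -1;
}

/*
 * Source selection for the ICMPv6 error. link_local_fix == 0 is the
 * pre-patch logic (always ask the interface for an address); with
 * link_local_fix != 0 a link-local packet destination is reused as the
 * source, the return-icmp-as-dest behaviour the fix proposes.
 * Returns 0 and fills *src, or -1 when no source exists (no ICMP sent).
 */
int
select_icmp6_src(const struct ifaddr6 *list, size_t n,
    const struct in6_addr *pkt_dst, int link_local_fix, struct in6_addr *src)
{
	if (link_local_fix && IN6_IS_ADDR_LINKLOCAL(pkt_dst)) {
		*src = *pkt_dst;
		return 0;
	}
	return model_ifpaddr(list, n, src);
}

/*
 * Text-address wrapper; the interface has exactly one address (if_addr).
 * Returns -1 on failure; on success returns 0 and, if out is non-NULL,
 * writes the chosen source in presentation form.
 */
int
reply_src_str(const char *if_addr, const char *pkt_dst, int link_local_fix,
    char *out, size_t outlen)
{
	struct ifaddr6 ifs[1];
	struct in6_addr dst, src;

	if (inet_pton(AF_INET6, if_addr, &ifs[0].addr) != 1 ||
	    inet_pton(AF_INET6, pkt_dst, &dst) != 1)
		return -1;
	if (select_icmp6_src(ifs, 1, &dst, link_local_fix, &src) == -1)
		return -1;
	if (out != NULL && inet_ntop(AF_INET6, &src, out, outlen) == NULL)
		return -1;
	return 0;
}

/* 1 if the chosen source equals expect, 0 otherwise (including failure). */
int
reply_src_is(const char *if_addr, const char *pkt_dst, int link_local_fix,
    const char *expect)
{
	char buf[INET6_ADDRSTRLEN];
	struct in6_addr a, b;

	if (reply_src_str(if_addr, pkt_dst, link_local_fix, buf, sizeof buf) != 0)
		return 0;
	/* compare in binary form so differently spelled addresses still agree */
	if (inet_pton(AF_INET6, buf, &a) != 1 || inet_pton(AF_INET6, expect, &b) != 1)
		return 0;
	return memcmp(&a, &b, sizeof a) == 0;
}

int
main(void)
{
	char buf[INET6_ADDRSTRLEN];
	int fix;

	/* constructed scenario: interface with only fe80::1, packet sent to fe80::1 */
	for (fix = 0; fix < 2; fix++) {
		if (reply_src_str("fe80::1", "fe80::1", fix, buf, sizeof buf) == 0)
			printf("fix=%d: ICMPv6 error sent from %s\n", fix, buf);
		else
			printf("fix=%d: no source address, no ICMPv6 error sent\n", fix);
	}
	return 0;
}
```

With the interface holding only a link-local address, the pre-patch path finds no usable source and silently sends nothing, which is the symptom from How-To-Repeat; with the fallback enabled the error is sourced from the link-local destination itself. An interface with a global address behaves the same before and after, since the lookup succeeds either way.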

Index: ip_fil_netbsd.c
===================================================================
RCS file: /cvsroot/src/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c,v
retrieving revision 1.11
diff -u -p -r1.11 ip_fil_netbsd.c
--- ip_fil_netbsd.c	25 Jul 2014 08:10:39 -0000	1.11
+++ ip_fil_netbsd.c	20 Jul 2017 15:30:20 -0000
@@ -944,7 +944,7 @@ ipf_send_icmp_err(int type, fr_info_t *f
 		}
 		xtra = MIN(fin->fin_plen, avail - iclen - max_linkhdr);
 		xtra = MIN(xtra, IPV6_MMTU - iclen);
-		if (dst == 0) {
+		if (dst == 0 && !IN6_IS_ADDR_LINKLOCAL(&fin->fin_dst6.in6)) {
 			if (ipf_ifpaddr(&ipfmain, 6, FRI_NORMAL, ifp,
 				       &dst6, NULL) == -1) {
 				FREE_MB_T(m);
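Review bot: the new condition only skips the ipf_ifpaddr() lookup when fin_dst6 is link-local, but the context shown does not include where dst6 is then loaded from fin->fin_dst6, and dst itself stays 0; please confirm the code following this block copies fin->fin_dst6 into dst6 on that path (as the return-icmp-as-dest case would) rather than continuing with an unset source, or show those lines in the diff. A short comment above the test saying why link-local destinations bypass ipf_ifpaddr() (it discards link-local addresses) would help the next reader. Note also that only the IPv6 branch (fin_dst6, IPV6_MMTU) is changed; if the synopsis is meant to cover IPv4 link-local destinations as well, the v4 path would need an equivalent check.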

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Mon, 04 Jun 2018 21:49:14 +0000
State-Changed-Why:
This also got committed by christos and pulled up to netbsd-8 but not netbsd-7. Will handle in 52469 which mentions the same revisions needing to be pulled up to -7.


>Unformatted:
