NetBSD Problem Report #48956

From www@NetBSD.org  Mon Jun 30 19:48:24 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 3EF0DA653E
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 30 Jun 2014 19:48:24 +0000 (UTC)
Message-Id: <20140630194822.E6714A653F@mollari.NetBSD.org>
Date: Mon, 30 Jun 2014 19:48:22 +0000 (UTC)
From: 6bone@6bone.informatik.uni-leipzig.de
Reply-To: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Subject: ipv6-icmp ipfilter keep state issue
X-Send-Pr-Version: www-1.0

>Number:         48956
>Category:       kern
>Synopsis:       IPF: ipv6-icmp keep state issue
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 30 19:50:00 +0000 2014
>Last-Modified:  Sun Feb 25 17:19:42 +0000 2018
>Originator:     Uwe Toenjes
>Release:        NetBSD 6.99.40
>Organization:
University of Leipzig
>Environment:
NetBSD augate.ipv6.uni-leipzig.de 6.99.40 NetBSD 6.99.40 (MYCONF7) #1: Sat Apr 12 23:18:17 CEST 2014  root@augate.ipv6.uni-leipzig.de:/usr/obj/sys/arch/amd64/compile/MYCONF7 amd64
>Description:
If you configure a router and add a 'keep state' ipfilter rule like

pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state

icmp6 echo reply packets incoming on interface vlan1 are dropped. This is wrong because a ping from outside into the network connected to interface vlan1 is not forbidden.

I think the drop reason is 'input block reason cannot add state', but I am not sure.
>How-To-Repeat:
Configure an ipv6 router with two interfaces. Add a keep state rule like

pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state

Now ping from outside to network 2001:638:902::/64. The echo request will pass the router correctly, but the echo reply will be dropped by the rule. That is wrong.
>Fix:

>Release-Note:

>Audit-Trail:
From: Takahiro HAYASHI <t.hash425@gmail.com>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org
Cc: 
Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
Date: Tue, 01 Jul 2014 17:17:48 +0900

 (07/01/14 04:50), 6bone@6bone.informatik.uni-leipzig.de wrote:
 >> Description:
 > if you configure a router and add a 'keep state' ipfilter rule like
 >
 > pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state
 >
 > icmp6 echo reply packets incoming on interface vlan1 are dropped. This is wrong because a ping from outside into the network connected to interface vlan1 is not forbidden.

 This rule seems to block implicitly ipv6-icmp neighbor advertisement
 packets from outside host.
 If 'quick' modifier is added, this does not happen.

 -- 
 t-hash

From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
Date: Tue, 1 Jul 2014 10:35:32 +0200 (CEST)

 On Tue, 1 Jul 2014, Takahiro HAYASHI wrote:

 > Date: Tue,  1 Jul 2014 08:20:00 +0000 (UTC)
 > From: Takahiro HAYASHI <t.hash425@gmail.com>
 > Reply-To: gnats-bugs@NetBSD.org
 > To: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
 >     netbsd-bugs@netbsd.org, 6bone@6bone.informatik.uni-leipzig.de
 > Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
 > 
 > The following reply was made to PR kern/48956; it has been noted by GNATS.
 >
 > From: Takahiro HAYASHI <t.hash425@gmail.com>
 > To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org
 > Cc:
 > Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
 > Date: Tue, 01 Jul 2014 17:17:48 +0900
 >
 > (07/01/14 04:50), 6bone@6bone.informatik.uni-leipzig.de wrote:
 > >> Description:
 > > if you configure a router and add a 'keep state' ipfilter rule like
 > >
 > > pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state
 > >
 > > icmp6 echo reply packets incoming on interface vlan1 are dropped. This is wrong because a ping from outside into the network connected to interface vlan1 is not forbidden.
 >
 > This rule seems to block implicitly ipv6-icmp neighbor advertisement
 > packets from outside host.
 > If 'quick' modifier is added, this does not happen.
 >

 The rule doesn't match the ipv6-icmp neighbor advertisement packets.
 tcpdump shows that the ipv6-icmp echo reply packets reach the interface
 vlan1, but the packets are dropped and do not leave the router at the
 outside interface. If you remove the rule or remove the keep state
 statement, all works well. So I think ipfilter tries to assign the echo
 reply to some connection. This will fail, and then the packet is dropped;
 that is the mistake.

 Regards
 Uwe
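
The rule variants discussed in this PR, side by side, as an added ipf.conf fragment. This is not part of PR 48956 and not NetBSD's own configuration or ipfilter source. The interface name vlan1 and the prefixes are taken from the report; the outside interface is not named in the PR. The 'quick' workaround is the one noted in Takahiro HAYASHI's reply, and dropping 'keep state' is the one the reporter says works. The stateless ICMPv6 rules at the end, including the numeric icmp-type values, are an assumption about standard ipfilter syntax, not something the PR tested.

```conf
# Added example: /etc/ipf.conf fragment for the two-interface IPv6 router
# described in PR 48956. Not from the PR or from NetBSD; see the lead-in.

# Rule exactly as reported: stateful, without 'quick'. With this rule
# loaded, ICMPv6 echo replies arriving on vlan1 were dropped.
#pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state

# Workaround 1 (from the audit trail): the same rule with 'quick'.
pass in quick on vlan1 from 2001:638:902::/64 to 2000::/3 keep state

# Workaround 2 (from the reporter): the same rule without 'keep state'.
# Return traffic is then not tracked and needs its own rules on the
# outside interface; kept commented out here.
#pass in quick on vlan1 from 2001:638:902::/64 to 2000::/3

# Assumption, not tested in the PR: let reply-type and Neighbor Discovery
# ICMPv6 in on vlan1 statelessly, ahead of the stateful rule, so no state
# entry has to be created for them. Types: 129 = echo reply,
# 135 = neighbor solicitation, 136 = neighbor advertisement.
pass in quick on vlan1 proto ipv6-icmp from any to any icmp-type 129
pass in quick on vlan1 proto ipv6-icmp from any to any icmp-type 135
pass in quick on vlan1 proto ipv6-icmp from any to any icmp-type 136
```

Rule order matters in ipfilter: without 'quick' the last matching rule decides, with 'quick' the first one does, so the stateless ICMPv6 rules must carry 'quick' and sit before the stateful rule to take effect. Whether state creation for an inbound echo reply is really what fails, as the reporter suspects, is left open by the PR and is not asserted by this fragment.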

>Unformatted:
