Subject: kern/27086: ipfilter 4 parsing differently "keep frags keep state" vs. "keep state keep frags"
To: None <>
From: None <>
List: netbsd-bugs
Date: 09/30/2004 09:50:03
>Number:         27086
>Category:       kern
>Synopsis:       ipfilter 4 parsing differently "keep frags keep state" vs. "keep state keep frags"
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 30 09:51:00 UTC 2004
>Originator:     Arto Selonen
>Release:        NetBSD-current ~20040923
NetBSD blah 2.0H NetBSD 2.0H (BLAH) #1: Fri Sep 24 20:43:03 EEST 2004  blah@blah:/obj/sys/arch/i386/compile/BLAH i386

When migrating services from old hardware to new, and updating current
at the same time, the following error message was received from
ipfilter 4.1.3 parsing the old, working rule set in /etc/ipf.conf:

syntax error error at "keep", line 521

The offending line contained the following keep tokens:

"keep frags keep state"

and it used to work (seemingly, no problems observed) with ipfilter 3.4
series. In fact, the 'keep frags' was added to it after some 
fragmentation issues were observed, and it had solved them.

After getting the parse error, all 'keep frags' were removed from the rule set, and it then worked fine, since no fragmentation had been 
observed and no workaround was known at the time.

I've since then learned that if one changes the ordering, then
the rule is accepted. Since there has been no fragmentation issues
lately, I don't know if the functionality would be the same, or if that
has changed, too.

ipf.conf(5) gives the following BNF regarding keep rules:

  filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
                [ proto ] ip [ group ].
  ip   = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
  keep = "keep" "state" | "keep" "frags" .

If I read that correctly, then only one of them would be allowed,
in which case one could not create a rule set that would allow
fragmented packets through ONLY if there was a matching state entry
(or I'm just failing to realize how it could be done).

So, ipf.conf parsing should be fixed, and probably the man page updated, too.
Create /etc/ipf.conf rules that have something like this:
(I haven't tested this particular case; I'm having enough
fun as it is discovering all these ipfilter4 issues for what
used to be a working packet filter system).

"pass in quick proto tcp from any to any flags S keep frags keep state"

and observe error error message.
No fix, but one can possibly use

  "keep state keep frags"

instead of

  "keep frags keep state"

as a workaround.