NetBSD-Bugs archive


Re: kern/38390: "keep state" rules block matching packets that belong to an existing state



The following reply was made to PR kern/38390; it has been noted by GNATS.

From: Wolfgang Solfrank <Wolfgang%Solfrank.net@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, 
 netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/38390: "keep state" rules block matching packets that belong
 to an existing state
Date: Wed, 09 Apr 2008 11:54:44 +0200

 Hi,
 
 The problem here is the "keep state" on the "proto icmp" line.
 What happens is this:
 
 The routine fr_scanlist, after determining that some packet matches the
 "pass out proto icmp from any to any keep state" rule, calls fr_addstate.
 Now fr_addstate sees the icmp packet and looks into the icmp type to
 determine whether it should be expecting a response for the packet. If it
 does not, it doesn't allocate a state and returns a NULL pointer to the
 caller, just as it does for some error cases (unable to allocate memory,
 bucket full etc.)  The caller cannot distinguish the "no need to allocate
 state" from the error cases and decides that it's safer to block the packet
 (which is certainly correct for the error cases).
 
 One solution would be for fr_addstate to return not the pointer to the
 allocated state (which isn't used by any caller anyway) but to return
 only an error code (which would be 0 on success or on unneeded state
 allocation).
 
 For now, the workaround is to explicitly add rules for icmp with keep
 state for the specific icmp types that fr_addstate expects responses for,
 i.e. something like
 
 pass out proto icmp from any to any icmp-type 8 keep state
 pass out proto icmp from any to any icmp-type 13 keep state
 pass out proto icmp from any to any icmp-type 15 keep state
 pass out proto icmp from any to any icmp-type 17 keep state
 
 The equivalent lines for IPv6 would be:
 
 pass out proto ipv6-icmp from any to any icmp-type 128 keep state
 pass out proto ipv6-icmp from any to any icmp-type 130 keep state
 pass out proto ipv6-icmp from any to any icmp-type 133 keep state
 pass out proto ipv6-icmp from any to any icmp-type 135 keep state
 pass out proto ipv6-icmp from any to any icmp-type 139 keep state
 
 Note however that ipfilter doesn't currently work with IPv6 fragments
 anyway (PR with patch coming soon...)
 
 Ciao,
 Wolfgang
 -- 
 Wolfgang%Solfrank.net@localhost
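 To make the failure mode in the reply concrete, here is a constructed C model of the fr_scanlist/fr_addstate interaction and of the proposed fix. It is added here and is not ipfilter or NetBSD code: the function names, the toy state table and the "bucket full" error path are hypothetical; only the request/response ICMP type lists (8, 13, 15, 17 and 128, 130, 133, 135, 139) are taken from the workaround rules above.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of the "keep state" decision the PR describes.  This is
 * not the ipfilter source; every name here is hypothetical and the state
 * table is a toy.  It exists only to show why a NULL return that means both
 * "no state needed" and "allocation failed" makes the caller block harmless
 * packets, and how an explicit status code separates the two. */

#define PROTO_ICMP    1
#define PROTO_ICMPV6 58

enum verdict { PASS = 0, BLOCK = 1 };

struct pkt { int proto; int icmp_type; };

/* Toy state table; its size stands in for a full hash bucket. */
#define TABLE_SIZE 4
static struct pkt table[TABLE_SIZE];
static int table_used;

void reset_states(void) { table_used = 0; }
int  state_count(void)  { return table_used; }

/* Request types for which a reply is expected, taken from the workaround
 * rules in the message: 8, 13, 15, 17 for ICMP and 128, 130, 133, 135, 139
 * for ICMPv6.  Non-ICMP flows are modelled as always tracked. */
static int expects_reply(const struct pkt *p)
{
    static const int v4[] = { 8, 13, 15, 17 };
    static const int v6[] = { 128, 130, 133, 135, 139 };
    const int *t;
    size_t n;

    if (p->proto == PROTO_ICMP)        { t = v4; n = sizeof v4 / sizeof v4[0]; }
    else if (p->proto == PROTO_ICMPV6) { t = v6; n = sizeof v6 / sizeof v6[0]; }
    else return 1;

    for (size_t i = 0; i < n; i++)
        if (t[i] == p->icmp_type) return 1;
    return 0;
}

/* Returns 0 on success, -1 when the bucket is full (the error case). */
static int insert_state(const struct pkt *p)
{
    if (table_used >= TABLE_SIZE) return -1;
    table[table_used++] = *p;
    return 0;
}

/* As described in the PR: one NULL for "nothing to track" and for errors. */
static const struct pkt *addstate_buggy(const struct pkt *p)
{
    if (!expects_reply(p)) return NULL;          /* no state needed */
    if (insert_state(p) != 0) return NULL;       /* bucket full */
    return &table[table_used - 1];
}

/* The caller cannot tell the two apart, so it fails closed on both. */
enum verdict scanlist_buggy(int proto, int icmp_type)
{
    struct pkt p = { proto, icmp_type };
    return addstate_buggy(&p) == NULL ? BLOCK : PASS;
}

/* The fix the message proposes: return a status, not the pointer.
 * 0 = state created or none needed; -1 = real error. */
static int addstate_fixed(const struct pkt *p)
{
    if (!expects_reply(p)) return 0;
    return insert_state(p);
}

enum verdict scanlist_fixed(int proto, int icmp_type)
{
    struct pkt p = { proto, icmp_type };
    return addstate_fixed(&p) == 0 ? PASS : BLOCK;
}

int main(void)
{
    /* ICMP echo reply (type 0) matching "keep state": no reply is expected,
     * so the buggy caller blocks it while the fixed one passes it. */
    printf("echo reply   buggy=%s fixed=%s\n",
           scanlist_buggy(PROTO_ICMP, 0) ? "BLOCK" : "PASS",
           scanlist_fixed(PROTO_ICMP, 0) ? "BLOCK" : "PASS");
    /* Echo request (type 8) is tracked by both. */
    printf("echo request buggy=%s fixed=%s states=%d\n",
           scanlist_buggy(PROTO_ICMP, 8) ? "BLOCK" : "PASS",
           scanlist_fixed(PROTO_ICMP, 8) ? "BLOCK" : "PASS", state_count());
    return 0;
}
```

 The fixed variant keeps the fail-closed behaviour for genuine errors (a full bucket still blocks), which is the property the reply says must be preserved; it only stops treating "no state needed" as one of those errors.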
 

