Re: kern/48956: ipv6-icmp ipfilter keep state issue

[6bone%6bone.informatik.uni-leipzig.de@localhost]

On Tue, 1 Jul 2014, Takahiro HAYASHI wrote:

> Date: Tue,  1 Jul 2014 08:20:00 +0000 (UTC)
> From: Takahiro HAYASHI <t.hash425%gmail.com@localhost>
> Reply-To: gnats-bugs%NetBSD.org@localhost
> To: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
>     netbsd-bugs%netbsd.org@localhost, 
> 6bone%6bone.informatik.uni-leipzig.de@localhost
> Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
>
> The following reply was made to PR kern/48956; it has been noted by GNATS.
>
> From: Takahiro HAYASHI <t.hash425%gmail.com@localhost>
> To: gnats-bugs%NetBSD.org@localhost, kern-bug-people%netbsd.org@localhost
> Cc:
> Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
> Date: Tue, 01 Jul 2014 17:17:48 +0900
>
> (07/01/14 04:50), 6bone%6bone.informatik.uni-leipzig.de@localhost wrote:
> >> Description:
> > if you configure a router and add a 'keep state' ipfilter rule like
> >
> > pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state
> >
> > icmp6 echo replay packets incoming in interface vlan1 are dropped. This is 
> wrong because a ping from outside into the network connected to interface vlan1 is 
> not forbidden.
>
> This rule seems to block implicitly ipv6-icmp neighbor advertisement
> packets from outside host.
> If 'quick' modifier is added, this does not happen.

The rule doen't match to ipv6-icmp neighbor advertisement packets. 
tcmpdump shows, that ipv6-icmp echo replay packet reach the interface 
vlan1, but the packets are dropped and do not leave the router at the 
outside interface. If you remove the rule or remove the keep state 
statement all works well. So I think, ipfilter try to assign the echo 
replay to any connection. this will fail. Now the packet is dropped and 
that is the mistake.

Regards
Uwe