Subject: IPF and source routed packets
To: None <current-users@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: current-users
Date: 12/01/2004 16:35:03
Hi!

I'm having problems with ipf 4.1.3 and source routed packets. This is the
rule set I'm using:


block in log quick all with opt lsrr
block in log quick all with opt ssrr
pass  in all
pass out all


Packet with source route option looked like this (generated by nessus):


Internet Protocol, Src Addr: xxx.xxx.xxx.121, Dst Addr: xxx.xxx.xxx.122
     Version: 4
     Header length: 24 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 40
     Identification: 0x7a37 (31287)
     Flags: 0x00
         0... = Reserved bit: Not set
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 64
     Protocol: ICMP (0x01)
     Header checksum: 0x3fd1 (correct)
     Source: xxx.xxx.xxx.121 (xxx.xxx.xxx.121)
     Destination: xxx.xxx.xxx.122 (xxx.xxx.xxx.122)
     Options: (4 bytes)
         Loose source route (3 bytes)
             Pointer: 4
         EOL
Internet Control Message Protocol
     Type: 8 (Echo (ping) request)
     Code: 0
     Checksum: 0x2bfb (correct)
     Identifier: 0x7db6
     Sequence number: 0x0000
     Data (8 bytes)


I tried this as well and the packet is really passed:


# ipftest -F pcap -r ipf.conf -i lsrr
opened pcap file lsrr:
         id: a1b2c3d4 version: 2.4 type: 1 snap 96
pass ip 40(24) 1 xxx.xxx.xxx.121 > xxx.xxx.xxx.122


Then I added "block in log quick all with ipopts" as the first rule
and now the packet is correctly blocked:


ipftest -F pcap -r ipf.conf -i lsrr
opened pcap file lsrr:
         id: a1b2c3d4 version: 2.4 type: 1 snap 96
block ip 40(24) 1 xxx.xxx.xxx.121 > xxx.xxx.xxx.122


All ideas are welcome...

Martti
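The packet in the dump above is an unusual one: its loose source route option is only 3 bytes long (type, length, pointer) and carries no hop addresses at all, followed by an EOL pad byte. The following Python is an added example, not code from the post or from IPFilter, that builds such a packet (with constructed addresses from 192.0.2.0/24, not the masked ones in the dump), walks the IPv4 options area the way a detection engine would, and classifies the packet either on the presence of LSRR/SSRR (the intent of the `with opt lsrr`/`with opt ssrr` rules) or on the presence of any option at all (the `with ipopts` rule). It does not explain why ipf 4.1.3 behaved as reported; it only shows how to recognise the degenerate option robustly.

```python
import ipaddress
import struct

# IPv4 option type codes (RFC 791): EOL, NOP, loose and strict source route.
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_LSRR = 0x83
IPOPT_SSRR = 0x89


def inet_checksum(data: bytes) -> int:
    """Standard Internet one's-complement checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident=0x7DB6, seq=0, data=b"\x00" * 8) -> bytes:
    """ICMP echo request (type 8, code 0) with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]


def build_ipv4(src, dst, options: bytes, payload: bytes, proto=1, ident=0x7A37, ttl=64) -> bytes:
    """IPv4 header with the given (4-byte padded) options area, checksum filled in."""
    if len(options) % 4:
        raise ValueError("options area must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr += options
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ip_options(opts: bytes):
    """Walk the options area; return (type, length, value) tuples.
    EOL terminates, NOP is a single byte, everything else is type/length/value."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            out.append((t, 1, b""))
            break
        if t == IPOPT_NOP:
            out.append((t, 1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d" % length)
        out.append((t, length, opts[i + 2:i + length]))
        i += length
    return out


def has_ip_options(pkt: bytes) -> bool:
    """True when IHL > 5, i.e. the header carries any options (the 'ipopts' notion)."""
    return (pkt[0] & 0x0F) * 4 > 20


def source_route_info(pkt: bytes):
    """None if no LSRR/SSRR option is present; otherwise a dict with kind, pointer
    and hop list. A 3-byte option (pointer only, no hops) is still reported."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("bad IHL")
    for t, length, value in parse_ip_options(pkt[20:ihl]):
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            pointer = value[0] if value else None        # absent if option shorter than 3
            addrs = value[1:]
            hops = [str(ipaddress.IPv4Address(addrs[j:j + 4]))
                    for j in range(0, len(addrs) // 4 * 4, 4)]
            return {"kind": "lsrr" if t == IPOPT_LSRR else "ssrr",
                    "pointer": pointer, "hops": hops, "length": length}
    return None


def classify(pkt: bytes, block_any_options=False) -> str:
    """Mimic the intent of the two rule sets in the post: first rule set blocks only
    on LSRR/SSRR, the second ('with ipopts' first) blocks any packet with options."""
    if block_any_options and has_ip_options(pkt):
        return "block: ipopts"
    info = source_route_info(pkt)
    if info:
        return "block: opt %s" % info["kind"]
    return "pass"


# Constructed sample matching the dump's shape: 24-byte header, LSRR of 3 bytes
# (pointer 4, no hops) plus EOL, then a 16-byte ICMP echo request (total 40).
LSRR_EMPTY_PKT = build_ipv4("192.0.2.121", "192.0.2.122", b"\x83\x03\x04\x00", build_icmp_echo())
# Constructed LSRR with one hop, for comparison with the degenerate case.
LSRR_ONEHOP_PKT = build_ipv4("192.0.2.121", "192.0.2.122",
                             b"\x83\x07\x04" + ipaddress.IPv4Address("192.0.2.1").packed + b"\x00",
                             build_icmp_echo())
PLAIN_PKT = build_ipv4("192.0.2.121", "192.0.2.122", b"", build_icmp_echo())

if __name__ == "__main__":
    for name, p in (("lsrr-empty", LSRR_EMPTY_PKT), ("lsrr-onehop", LSRR_ONEHOP_PKT), ("plain", PLAIN_PKT)):
        print(name, len(p), source_route_info(p), classify(p), classify(p, block_any_options=True))
```

The parser treats the pointer-only option as a source route option rather than ignoring it, which is what you would want from any check meant to stand in for `with opt lsrr`; `has_ip_options` is the coarse fallback that the `with ipopts` rule provides.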