>Number:         22157
>Category:       kern
>Synopsis:       ipfilter: block return-rst doesn't work with IPv6
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 16 13:37:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Peter Postma
>Release:        NetBSD 1.6U
>Organization:
	None
>Environment:
System: NetBSD mercury.pointless.nl 1.6U NetBSD 1.6U (mercury) #4: Fri Jun 27 20:51:25 CEST 2003 peter@mercury.pointless.nl:/usr/obj/sys/arch/sparc64/compile/mercury sparc64
Architecture: sparc64
Machine: sparc64

>Description:
	block return-rst doesn't work in IPv6 mode. IPFilter should send a RST
	packet but it silently drops packets. ipfstat counts those packets as 
	'fastroute failure'.

>How-To-Repeat:
	ipf6.conf:
	  block return-rst in log quick on hme0 proto tcp all

	Try to connect from the outside to a port, the packet will be dropped. 

>Fix:
	See the diff below.
	In the latest IPFilter (3.4.32) is this bug also fixed.


Index: ip_fil.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_fil.c,v
retrieving revision 1.93
diff -u -r1.93 ip_fil.c
--- ip_fil.c    2003/06/30 00:15:12     1.93
+++ ip_fil.c    2003/07/16 13:10:48
@@ -1938,17 +1938,18 @@
        frentry_t *fr;
        int error;

-       ifp = NULL;
        ro = &ip6route;
        fr = fin->fin_fr;
        bzero((caddr_t)ro, sizeof(*ro));
        dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
        dst6->sin6_family = AF_INET6;
        dst6->sin6_len = sizeof(struct sockaddr_in6);
-       dst6->sin6_addr = fin->fin_fi.fi_src.in6;
+       dst6->sin6_addr = fin->fin_fi.fi_dst.in6;

        if (fdp != NULL)
                ifp = fdp->fd_ifp;
+       else
+               ifp = fin->fin_ifp;

        if ((fr != NULL) && (fin->fin_rev != 0)) {
                if ((ifp != NULL) && (fdp == &fr->fr_tif))

>Release-Note:
>Audit-Trail:
>Unformatted: