NetBSD-Bugs archive


Re: kern/38390: "keep state" rules block matching packets that belong to an existing state



Hi,

The problem here is the "keep state" on the "proto icmp" line.
What happens is this:

The routine fr_scanlist, after determining that some packet matches the
"pass out proto icmp from any to any keep state" rule, calls fr_addstate.
Now fr_addstate sees the icmp packet and looks into the icmp type to
determine whether it should be expecting a response for the packet. If it
does not, it doesn't allocate a state and returns a NULL pointer to the
caller, just as it does for some error cases (unable to allocate memory,
bucket full etc.)  The caller cannot distinguish the "no need to allocate
state" from the error cases and decides that it's safer to block the packet
(which is certainly correct for the error cases).

One solution would be for fr_addstate to return not the pointer to the
allocated state (which isn't used by any caller anyway) but to return
only an error code (which would be 0 on success or on unneeded state
allocation).

For now, the workaround is to explicitly add rules for icmp with keep
state for the specific icmp types that fr_addstate expects responses for,
i.e. something like

pass out proto icmp from any to any icmp-type 8 keep state
pass out proto icmp from any to any icmp-type 13 keep state
pass out proto icmp from any to any icmp-type 15 keep state
pass out proto icmp from any to any icmp-type 17 keep state

The equivalent lines for IPv6 would be:

pass out proto ipv6-icmp from any to any icmp-type 128 keep state
pass out proto ipv6-icmp from any to any icmp-type 130 keep state
pass out proto ipv6-icmp from any to any icmp-type 133 keep state
pass out proto ipv6-icmp from any to any icmp-type 135 keep state
pass out proto ipv6-icmp from any to any icmp-type 139 keep state

Note however that ipfilter doesn't currently work with IPv6 fragments
anyway (PR with patch coming soon...)

Ciao,
Wolfgang
--
Wolfgang%Solfrank.net@localhost
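The ambiguity described in the message, as an added illustration in C (this is not ipfilter's code; the function names, the state struct and the `alloc_ok` flag are made up for the example, and the set of ICMP types that expect a reply is taken from the workaround rules above). It shows the caller blocking every ICMP packet for which no state is needed when NULL is overloaded, and the proposed error-code return that keeps the error cases blocked while letting the "no state needed" case pass:

```c
/* Added example: models the NULL-return ambiguity and the proposed fix. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

enum verdict { PASS, BLOCK };

/* ICMP types for which a reply is expected (echo, timestamp, info and
   address-mask requests), i.e. the types listed in the workaround rules. */
static bool icmp_expects_reply(int type) {
    return type == 8 || type == 13 || type == 15 || type == 17;
}

typedef struct state { int icmp_type; } state_t;

/* Current shape: NULL means both "no state needed" and "could not add". */
static state_t *addstate_ambiguous(int icmp_type, bool alloc_ok) {
    if (!icmp_expects_reply(icmp_type)) return NULL;  /* nothing to track */
    if (!alloc_ok) return NULL;                       /* e.g. out of memory */
    state_t *s = malloc(sizeof *s);
    if (s) s->icmp_type = icmp_type;
    return s;
}

/* The caller cannot tell the two NULL cases apart, so it blocks both. */
enum verdict verdict_ambiguous(int icmp_type, bool alloc_ok) {
    state_t *s = addstate_ambiguous(icmp_type, alloc_ok);
    if (s == NULL) return BLOCK;
    free(s);  /* a real implementation would link it into the state table */
    return PASS;
}

/* Proposed shape: return an error code, 0 on success or when no state is
   needed, non-zero only for genuine failures. */
static int addstate_errcode(int icmp_type, bool alloc_ok) {
    if (!icmp_expects_reply(icmp_type)) return 0;
    if (!alloc_ok) return -1;
    state_t *s = malloc(sizeof *s);
    if (s == NULL) return -1;
    s->icmp_type = icmp_type;
    free(s);  /* as above, stands in for inserting into the table */
    return 0;
}

/* Now only real errors are blocked; untracked ICMP types pass as intended. */
enum verdict verdict_errcode(int icmp_type, bool alloc_ok) {
    return addstate_errcode(icmp_type, alloc_ok) == 0 ? PASS : BLOCK;
}
```

Type 0 (echo reply) is the case from the bug report: the ambiguous version blocks it even though no state is needed, the error-code version passes it while still blocking an echo request whose state could not be added.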

