NetBSD-Bugs archive


kern/48674: ipfilter sends TCP-reset packets for non-TCP packets with return-rst



>Number:         48674
>Category:       kern
>Synopsis:       ipfilter sends TCP-reset packets for non-TCP packets with return-rst
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 21 12:25:00 +0000 2014
>Originator:     Dr. Wolfgang Stukenbrock
>Release:        NetBSD 6.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD test-s0 5.1.2 NetBSD 5.1.2 (NSW-WS) #3: Fri Dec 21 15:15:43 CET 2012 wgstuken@test-s0:/usr/src/sys/arch/amd64/compile/NSW-WS amd64
Architecture: x86_64
Machine: amd64
>Description:
        The implementation of ipfilter will send TCP-reset packets for all packet types, not only TCP.
        So a rule like "block return-rst in quick on wm0 all head 1234" will send a TCP-reset packet
        for all packets not explicitly allowed in group 1234.
        A "blocked" UDP packet will result in a TCP-reset packet being sent - this does not make sense ...
>How-To-Repeat:
        Set up a rule like the one above and send some packets that will be blocked. You will see the TCP-reset answers.
>Fix:
        There is a workaround for this problem:
        Duplicate all head rules in the following way:
          block return-rst in quick on wm0 proto tcp all head 1234
          block            in quick on wm0           all head 1234
        This will suppress the TCP-reset packets, but it is ugly in the config file.

        To fix this issue, prior to generating the reset packet a check for incoming TCP should be added.
        Sorry - no time to create a patch at the moment.
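As an added example (not code from this PR or from ipfilter itself), the check the submitter asks for, written in C against a raw IPv4 header: a blocked packet may be answered with a TCP RST only if its protocol field is TCP. It goes one step beyond the report in also refusing to answer a segment that itself carries the RST flag, as RFC 793 requires, so two hosts cannot bounce resets at each other. The function name, the decision enum and the three sample packets are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed constants for the example; IPPROTO_TCP is 6 in every IP stack. */
#define PROTO_TCP     6
#define TCP_FLAG_RST  0x04

/* Why a RST was or was not generated for a blocked packet. */
enum rst_decision {
    RST_SEND,              /* TCP, not a RST itself: reply with RST is legitimate */
    RST_SKIP_NOT_TCP,      /* UDP/ICMP/...: the case the PR reports as broken */
    RST_SKIP_INCOMING_RST, /* never answer a RST with a RST (RFC 793) */
    RST_SKIP_MALFORMED     /* too short or not IPv4: nothing sensible to answer */
};

/* pkt points at an IPv4 header, len is the number of bytes available.
 * This is the check the PR says ipfilter lacks before building a return-rst. */
enum rst_decision return_rst_allowed(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return RST_SKIP_MALFORMED;            /* not an IPv4 header we can read */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4; /* header length incl. options */
    if (ihl < 20 || len < ihl)
        return RST_SKIP_MALFORMED;
    if (pkt[9] != PROTO_TCP)
        return RST_SKIP_NOT_TCP;              /* byte 9 is the protocol field */
    if (len < ihl + 20)
        return RST_SKIP_MALFORMED;            /* need the 20-byte TCP header */
    uint8_t flags = pkt[ihl + 13];            /* TCP flags byte */
    if (flags & TCP_FLAG_RST)
        return RST_SKIP_INCOMING_RST;
    return RST_SEND;
}

/* Constructed sample packets (checksums left zero; they are not verified here). */
static const uint8_t udp_pkt[] = {
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,1, 10,0,0,2,                        /* UDP, 10.0.0.1 -> 10.0.0.2 */
    0xc0,0x00, 0x00,0x35, 0x00,0x08, 0x00,0x00 /* sport 49152, dport 53 */
};
static const uint8_t tcp_syn_pkt[] = {
    0x45,0x00,0x00,0x28, 0x00,0x02,0x00,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,1, 10,0,0,2,                        /* TCP, 10.0.0.1 -> 10.0.0.2 */
    0xc0,0x01, 0x00,0x16, 0,0,0,1, 0,0,0,0,    /* sport 49153, dport 22 */
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00 /* flags = SYN */
};
static const uint8_t tcp_rst_pkt[] = {
    0x45,0x00,0x00,0x28, 0x00,0x03,0x00,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,2, 10,0,0,1,
    0x00,0x16, 0xc0,0x01, 0,0,0,0, 0,0,0,2,
    0x50,0x04, 0x00,0x00, 0x00,0x00, 0x00,0x00 /* flags = RST */
};

enum rst_decision decide_udp(void)     { return return_rst_allowed(udp_pkt, sizeof udp_pkt); }
enum rst_decision decide_tcp_syn(void) { return return_rst_allowed(tcp_syn_pkt, sizeof tcp_syn_pkt); }
enum rst_decision decide_tcp_rst(void) { return return_rst_allowed(tcp_rst_pkt, sizeof tcp_rst_pkt); }

int main(void)
{
    static const char *names[] = { "send RST", "skip: not TCP",
                                   "skip: incoming RST", "skip: malformed" };
    printf("blocked UDP      -> %s\n", names[decide_udp()]);
    printf("blocked TCP SYN  -> %s\n", names[decide_tcp_syn()]);
    printf("blocked TCP RST  -> %s\n", names[decide_tcp_rst()]);
    return 0;
}
```

With this check in place the single rule "block return-rst in quick on wm0 all head 1234" behaves the way the submitter expects: blocked UDP simply drops, while blocked TCP is still answered with a reset.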

>Unformatted:

