kern/48956: ipv6-icmp ipfilter keep state issue

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/48956: ipv6-icmp ipfilter keep state issue
From: 6bone%6bone.informatik.uni-leipzig.de@localhost
Date: Mon, 30 Jun 2014 19:50:01 +0000 (UTC)

>Number:         48956
>Category:       kern
>Synopsis:       ipv6-icmp ipfilter keep state issue
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 30 19:50:00 +0000 2014
>Originator:     Uwe Toenjes
>Release:        NetBSD 6.99.40
>Organization:
University of Leipzig
>Environment:
NetBSD augate.ipv6.uni-leipzig.de 6.99.40 NetBSD 6.99.40 (MYCONF7) #1: Sat Apr 
12 23:18:17 CEST 2014  
root%augate.ipv6.uni-leipzig.de@localhost:/usr/obj/sys/arch/amd64/compile/MYCONF7
 amd64
>Description:
if you configure a router and add a 'keep state' ipfilter rule like

pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state

icmp6 echo replay packets incoming in interface vlan1 are dropped. This is 
wrong because a ping from outside into the network connected to interface vlan1 
is not forbidden.

I think the drop reason is 'input block reason cannot add state', but I am not 
sure.
>How-To-Repeat:
configure an ipv6 router with two interfaces. add a keep state rule like

pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state

now ping from outside to network 2001:638:902::/64. the echo request will pass 
the router correctly, the echo replay will be dropped from the rule. that is 
wrong.
>Fix:

Prev by Date: Re: kern/48954: USB diagconstic message: actlen (-15996) > len (4)
Next by Date: NetBSD Nightly Trouble Ticket Report
Previous by Thread: lib/48955: NetBSD is missing frexpl(3) in libm
Next by Thread: Re: kern/48956: ipv6-icmp ipfilter keep state issue
Indexes:

Home | Main Index | Thread Index | Old Index