Re: kern/48956: ipv6-icmp ipfilter keep state issue

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,6bone%6bone.informatik.uni-leipzig.de@localhost
Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
From: Takahiro HAYASHI <t.hash425%gmail.com@localhost>
Date: Tue, 1 Jul 2014 08:20:00 +0000 (UTC)

The following reply was made to PR kern/48956; it has been noted by GNATS.

From: Takahiro HAYASHI <t.hash425%gmail.com@localhost>
To: gnats-bugs%NetBSD.org@localhost, kern-bug-people%netbsd.org@localhost
Cc: 
Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
Date: Tue, 01 Jul 2014 17:17:48 +0900

 (07/01/14 04:50), 6bone%6bone.informatik.uni-leipzig.de@localhost wrote:
 >> Description:
 > if you configure a router and add a 'keep state' ipfilter rule like
 >
 > pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state
 >
 > icmp6 echo replay packets incoming in interface vlan1 are dropped. This is 
 > wrong because a ping from outside into the network connected to interface 
 > vlan1 is not forbidden.
 
 This rule seems to block implicitly ipv6-icmp neighbor advertisement
 packets from outside host.
 If 'quick' modifier is added, this does not happen.
 
 -- 
 t-hash

Follow-Ups:
- Re: kern/48956: ipv6-icmp ipfilter keep state issue
  - From: 6bone

Prev by Date: Re: bin/48810
Next by Date: Re: kern/48956: ipv6-icmp ipfilter keep state issue
Previous by Thread: kern/48956: ipv6-icmp ipfilter keep state issue
Next by Thread: Re: kern/48956: ipv6-icmp ipfilter keep state issue
Indexes:

Home | Main Index | Thread Index | Old Index