NetBSD-Bugs archive
Re: kern/48956: ipv6-icmp ipfilter keep state issue
The following reply was made to PR kern/48956; it has been noted by GNATS.
From: 6bone%6bone.informatik.uni-leipzig.de@localhost
To: gnats-bugs%NetBSD.org@localhost
Cc: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
Date: Tue, 1 Jul 2014 10:35:32 +0200 (CEST)
On Tue, 1 Jul 2014, Takahiro HAYASHI wrote:
> Date: Tue, 1 Jul 2014 08:20:00 +0000 (UTC)
> From: Takahiro HAYASHI <t.hash425%gmail.com@localhost>
> Reply-To: gnats-bugs%NetBSD.org@localhost
> To: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
> netbsd-bugs%netbsd.org@localhost,
> 6bone%6bone.informatik.uni-leipzig.de@localhost
> Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
>
> The following reply was made to PR kern/48956; it has been noted by GNATS.
>
> From: Takahiro HAYASHI <t.hash425%gmail.com@localhost>
> To: gnats-bugs%NetBSD.org@localhost, kern-bug-people%netbsd.org@localhost
> Cc:
> Subject: Re: kern/48956: ipv6-icmp ipfilter keep state issue
> Date: Tue, 01 Jul 2014 17:17:48 +0900
>
> (07/01/14 04:50), 6bone%6bone.informatik.uni-leipzig.de@localhost wrote:
> >> Description:
> > if you configure a router and add a 'keep state' ipfilter rule like
> >
> > pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state
> >
> > icmp6 echo reply packets incoming on interface vlan1 are dropped. This is
> > wrong because a ping from outside into the network connected to interface
> > vlan1 is not forbidden.
>
> This rule seems to block implicitly ipv6-icmp neighbor advertisement
> packets from outside host.
> If 'quick' modifier is added, this does not happen.
>
The rule doesn't match ipv6-icmp neighbor advertisement packets.
tcpdump shows that ipv6-icmp echo reply packets reach the interface
vlan1, but the packets are dropped and do not leave the router at the
outside interface. If you remove the rule or remove the keep state
statement, all works well. So I think ipfilter tries to assign the echo
reply to a connection; this fails. Now the packet is dropped, and
that is the mistake.
Regards
Uwe
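A minimal ipf.conf reproducer for the router setup discussed above, added here as an example; it is not a configuration posted in the PR. The interface vlan1, the prefixes and the quoted rule are taken from the report; the outside interface name "wm0" and the logging default-deny rules are assumptions. The outside-interface rules are deliberately stateless so that the echo reply really does traverse the quoted "keep state" rule on vlan1 rather than being short-circuited by a state entry created on the way in.

```conf
# Added example (not from PR kern/48956): minimal ipf.conf for reproducing
# the reported behaviour. Assumptions: outside interface is "wm0", and the
# policy below is default-deny with logging. vlan1 and the prefixes are the
# ones quoted in the report. ipfilter uses last-match semantics unless a
# rule carries "quick", so the block rules come first.

# Log and drop anything no later rule passes, so a dropped echo reply shows
# up in ipmon output instead of vanishing silently.
block in log all
block out log all

# The exact rule from the report. With "keep state" the reporter sees
# ICMPv6 echo replies arriving on vlan1 dropped instead of forwarded.
pass in on vlan1 from 2001:638:902::/64 to 2000::/3 keep state

# The two variants the thread reports as working: without "keep state",
# or with "quick" so the rule ends the search as soon as it matches.
# Enable only one of them at a time when bisecting.
#pass in on vlan1 from 2001:638:902::/64 to 2000::/3
#pass in quick on vlan1 from 2001:638:902::/64 to 2000::/3 keep state

# Pings from outside into the vlan1 network are not forbidden, so the echo
# request must be passed inbound on wm0 and out on vlan1, and the reply
# must be passed out on wm0. These are stateless on purpose: a "keep state"
# here would create a state entry for the request and the reply would be
# passed from the state table before it ever reached the vlan1 rule,
# masking the behaviour under investigation.
pass in on wm0 proto ipv6-icmp from any to 2001:638:902::/64
pass out on vlan1 proto ipv6-icmp from any to 2001:638:902::/64
pass out on wm0 proto ipv6-icmp from 2001:638:902::/64 to any
```

Load it with `ipf -Fa -f /etc/ipf.conf`, ping an inside host from outside, and watch both sides of the router with `tcpdump -ni vlan1 'icmp6 && ip6[40] == 129'` and the same filter on wm0 (ICMPv6 type 129 is echo reply, at byte 40 of a packet with no extension headers). If the reply is seen on vlan1 but not on wm0, `ipmon` will show which of the logging block rules dropped it; toggling the commented variants then isolates whether "keep state" on the vlan1 rule is what changes the outcome.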