bin/54124: npfctl only applies 'flags S/SAFR' to a stateful rule if the protocol is explicitly TCP, not when proto is omitted

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/54124: npfctl only applies 'flags S/SAFR' to a stateful rule if the protocol is explicitly TCP, not when proto is omitted
From: venture37%geeklan.co.uk@localhost
Date: Tue, 16 Apr 2019 14:50:00 +0000 (UTC)

>Number:         54124
>Category:       bin
>Synopsis:       npfctl only applies 'flags S/SAFR' to a stateful rule if the protocol is explicitly TCP, not when proto is omitted
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 16 14:50:00 +0000 2019
>Originator:     Sevan Janiyan
>Release:        NetBSD-HEAD
>Organization:
>Environment:
NetBSD 8.99.37 amd64 x86_64
>Description:
When using a generic 'pass stateful out all' rule without explicitly specifying a protocol and a default "block return all' rule, a state is created for all tcp related traffic, including for traffic which was blocked.
>How-To-Repeat:
Use the following npf ruleset:

alg "icmp"

procedure "log" {
    # Send log events to npflog0, see npfd(8)
    log: npflog0
}

group default {
    # Default deny, otherwise last matching rule wins
    block return all apply "log"

    # Don't block loopback
    pass on lo0 all

    # Allow incoming DHCP server responses
    pass in family inet4 proto udp from any port bootps to any port bootpc
    pass in family inet6 proto udp from any to any port "dhcpv6-client"

    # Allow IPv6 ICMP
    pass family inet6 proto ipv6-icmp all

    # Allow incoming IPv4 pings
    pass in family inet4 proto icmp icmp-type echo all

    # Allow being tracerouted
    pass in proto udp to any port 33434-33600

    # Allow incoming mDNS traffic from neighbours
    pass in proto udp to any port mdns

    # Allow all outbound traffic
    pass stateful out all
}

load ruleset and check stats with 'npfctl stats', note the ruleset block and state allocations count

from another host, run 'nmap -v -A $netbsdhost' where $netbsdhost is the machine with the npf rules set loaded.

Run 'npfctl stats' again and you should see a rise in both ruleset block and state allocations count.
>Fix:
As a workaround, one has to supplement the 'pass stateful out all' rule with
pass out proto tcp all
pass stateful out proto tcp all

npfctl validate will show the generated rules set as

pass stateful out all # id="0"
pass out proto tcp # id="0"
pass stateful out proto tcp flags S/FSRA # id="0"

Repeating the nmap test, with these rules in place, only the ruleset block count rises.

Prev by Date: Re: xsrc/54113: xdm edit fields broken
Next by Date: NetBSD Nightly Trouble Ticket Report
Previous by Thread: PR/54111 CVS commit: src/tests/lib/libc/sys
Next by Thread: Re: bin/54124: npfctl only applies 'flags S/SAFR' to a stateful rule if the protocol is explicitly TCP, not when proto is omitted
Indexes:

Home | Main Index | Thread Index | Old Index