Subject: kern/24989: ipfilter 4.1.1 does not behave according to rules in ipf.conf
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <arto@selonen.org>
List: netbsd-bugs
Date: 03/31/2004 07:52:32
>Number: 24989
>Category: kern
>Synopsis: ipfilter 4.1.1 does not behave according to rules in ipf.conf
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Mar 31 07:53:01 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Arto Selonen
>Release: -current from ~March 29th (1.6ZL)
>Organization:
>Environment:
NetBSD blah 1.6ZL NetBSD 1.6ZL (BLAH) #30: Mon Mar 29 10:07:04 EEST 2004 blah@blah:/obj/sys/arch/i386/compile/BLAH i386
>Description:
filter blocks packets that it should allow through; this may be related
to keep state for UDP packets. Here is a sample line from ipmon logs:
31/03/2004 10:43:22.932183 fxp0 @10041:9 b A.B.C.D,12345 -> E.F.G.H,53 PR udp len 20 71 IN
And here is the head rule of group 10041 from /etc/ipf.conf
(I've ommited previous rules that lead to this as irrelevant)
block in log quick proto tcp/udp from any to any port = domain head 10041 group 10021
And the first rule of group 10041 from /etc/ipf.conf
pass in quick proto udp from any to E.F.G.H keep state group 10041
So, the rule should match, create a "UDP session state entry" for the
packet (and related packets), allow it to pass. Instead, the packet is
blocked. This used to work before ipfilter 4.1.1 just like one would expect. I could not find documentation that would clearly state this behavious has changed with 4.1 (compared to 3.4).
>How-To-Repeat:
I can't test what would be the minimal rule set that would provide
the results we're seeing. Unfortunately, I'm not willing to post
the whole firewall ruleset publically. So, I'm not sure whether this is
a generic problem with UDP keep state, or a result of some rule combinations. I'd sugegst creating rules like above (UDP keep state), and checking if the traffic gets through.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: