NetBSD-Bugs archive
kern/38390: "keep state" rules block matching packets that belong to an existing state
>Number: 38390
>Category: kern
>Synopsis: "keep state" rules block matching packets that belong to an existing state
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Apr 08 23:10:01 +0000 2008
>Originator: Quentin Garnier
>Release: NetBSD 4.0
>Organization:
NetBSD
>Environment:
NetBSD/i386
>Description:
I have a system which blocks most of incoming packets, except
stuff like a few selected TCP connections.
The gateway uses IPFilter, and has keep state rules for those
TCP connections that it is supposed to route.
In the "out" direction of the considered interface, I only have
pass rules, but "keep state" ones for tcp, udp and icmp.
Whenever the gateway tries to generate an ICMP needfrag
packet for a managed TCP connection, the out icmp keep state
rule blocks it.
That's not nice.
>How-To-Repeat:
Something along the lines of:
block in all
pass in proto tcp from any to any keep state
pass out all
pass out proto icmp from any to any keep state
Then try that on a network with an output route where the MTU is
decreased.
>Fix:
A workaround is to explicitly allow ICMPs generated by the
gateway, either in a rule that matches after the keep state rule,
or in one placed before it but with quick.
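The following ruleset is an added illustration of the workaround described in the Fix section; it is not part of the PR and not a ruleset the submitter posted. The gateway address 192.0.2.1 is a hypothetical placeholder, and the ruleset omits the "on <ifname>" qualifier just as the How-To-Repeat rules do. It relies on IPFilter's usual semantics: without quick, the last matching rule wins, so a rule placed after the keep state rule takes precedence; with quick, rule evaluation stops at the first match.

```ipf
# Ruleset from the How-To-Repeat section, with the workaround applied.
block in all
pass in proto tcp from any to any keep state
pass out all

# Variant 1 (before the keep state rule, with quick): the gateway's own
# ICMP "needfrag" errors are passed immediately and never reach the
# keep state rule below. 192.0.2.1 is an assumed gateway address.
pass out quick proto icmp from 192.0.2.1 to any icmp-type unreach code needfrag

pass out proto icmp from any to any keep state

# Variant 2 (after the keep state rule, no quick): because ipf uses the
# last matching rule, this rule overrides the keep state rule for the
# gateway's own ICMP errors. Use either variant, not necessarily both.
pass out proto icmp from 192.0.2.1 to any icmp-type unreach code needfrag
```

After loading the rules (for example with ipf -Fa -f /etc/ipf.conf), path MTU discovery for the forwarded TCP connections can be checked by sending packets larger than the smaller MTU with the DF bit set and watching for the gateway's needfrag replies.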