NetBSD-Bugs archive


kern/58543: NPF rule with multiple addresses in "from" disregards source address constraint



>Number:         58543
>Category:       kern
>Synopsis:       NPF rule with multiple addresses in "from" disregards source address constraint
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 02 23:10:00 +0000 2024
>Originator:     Tobias Nygren
>Release:        10.99.11
>Organization:
>Environment:
>Description:
Syntactically valid NPF rule does not behave as expected and disregards the configured source address constraint.

---8<---
procedure "log" {
        log: npflog0
}

group "loopback" on lo0 {
        pass in final family inet6 proto tcp from fd42:dead:beef::1 to any port 9000 apply "log"
        pass in final family inet6 proto tcp from {fd42:dead:beef::1} to any port 9001 apply "log"
        pass in final family inet6 proto tcp from {fd42:dead:beef::1, fd42:dead:beef::2} to any port 9002 apply "log"
        block in final family inet6 proto tcp to any port {9000, 9001, 9002} apply "log"
}
group default {
        pass final all
}
---8<---

# tcpdump -n -e -i npflog0 &

## ok packet is blocked
# nc -6 localhost 9000
22:59:56.707978 rule 5.rules.0/0(match): block in on lo0: ::1.65478 > ::1.9000: Flags [S], seq 3480881801, win 32768, options [mss 33564,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0

## ok packet is blocked
root@storage:root> nc -6 localhost 9001
23:00:00.009014 rule 5.rules.0/0(match): block in on lo0: ::1.65477 > ::1.9001: Flags [S], seq 3653343324, win 32768, options [mss 33564,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0

## NOT OK, packet allowed by rule 4 despite wrong source address
# nc -6 localhost 9002
23:00:01.362353 rule 4.rules.0/0(match): pass in on lo0: ::1.65476 > ::1.9002: Flags [S], seq 3710674527, win 32768, options [mss 33564,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0

This is a security problem because it appears to allow any source address when the intent was to only allow two specific ones.

>How-To-Repeat:
See description.
>Fix:
To be investigated.
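As an added regression check (not part of the PR or of NPF itself), the script below parses the `tcpdump -n -e -i npflog0` lines quoted above and compares each logged `pass in` decision against the source-address sets the ruleset was written to admit. Running it over the three captured lines flags only the port 9002 packet, i.e. the exact symptom reported. The `INTENDED_SOURCES` table and `SAMPLE_LOG` are transcribed from the npf.conf and the capture in the report; the regex assumes the tcpdump output format shown there.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Shape of one line of `tcpdump -n -e -i npflog0`, as quoted in the PR:
#   <ts> rule <rule>(<verdict>): <pass|block> <in|out> on <if>: <src> > <dst>: ...
NPFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\S+)\((?P<verdict>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): "
)


@dataclass(frozen=True)
class LogEntry:
    rule: str
    action: str
    direction: str
    ifname: str
    src_addr: IPAddress
    src_port: int
    dst_addr: IPAddress
    dst_port: int


def split_endpoint(endpoint: str):
    """tcpdump prints 'addr.port' for both v4 and v6; the port follows the last dot."""
    addr, port = endpoint.rsplit(".", 1)
    return ipaddress.ip_address(addr), int(port)


def parse_npflog_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for an npflog tcpdump line, or None for anything else."""
    m = NPFLOG_RE.match(line)
    if not m:
        return None
    src_addr, src_port = split_endpoint(m["src"])
    dst_addr, dst_port = split_endpoint(m["dst"])
    return LogEntry(m["rule"], m["action"], m["dir"], m["ifname"],
                    src_addr, src_port, dst_addr, dst_port)


# Intended policy, transcribed from the loopback group in the PR's npf.conf:
# for each destination port, the source addresses its "pass in" rule names.
INTENDED_SOURCES = {
    9000: {ipaddress.ip_address("fd42:dead:beef::1")},
    9001: {ipaddress.ip_address("fd42:dead:beef::1")},
    9002: {ipaddress.ip_address("fd42:dead:beef::1"),
           ipaddress.ip_address("fd42:dead:beef::2")},
}


def find_violations(lines, policy=INTENDED_SOURCES) -> List[LogEntry]:
    """Logged 'pass in' decisions whose source is outside the intended set for that port."""
    violations = []
    for line in lines:
        entry = parse_npflog_line(line)
        if entry is None or entry.action != "pass" or entry.direction != "in":
            continue
        allowed = policy.get(entry.dst_port)
        if allowed is None:
            continue  # port not covered by the policy under test
        if entry.src_addr not in allowed:
            violations.append(entry)
    return violations


# The three capture lines from the PR (sample input, copied from the report).
SAMPLE_LOG = [
    "22:59:56.707978 rule 5.rules.0/0(match): block in on lo0: ::1.65478 > ::1.9000: "
    "Flags [S], seq 3480881801, win 32768, options [mss 33564,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0",
    "23:00:00.009014 rule 5.rules.0/0(match): block in on lo0: ::1.65477 > ::1.9001: "
    "Flags [S], seq 3653343324, win 32768, options [mss 33564,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0",
    "23:00:01.362353 rule 4.rules.0/0(match): pass in on lo0: ::1.65476 > ::1.9002: "
    "Flags [S], seq 3710674527, win 32768, options [mss 33564,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"rule {v.rule} passed {v.src_addr} -> port {v.dst_port}, "
              f"expected one of {sorted(map(str, INTENDED_SOURCES[v.dst_port]))}")
```

Fed a live capture (`tcpdump -n -e -i npflog0 | python3 check.py` with stdin in place of `SAMPLE_LOG`) this gives a quick way to confirm whether a given build still shows the behaviour, and the same comparison is what a future test for the fix would assert: no `pass in` entry whose source lies outside the rule's address set.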