https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284866
Bug ID: 284866
Summary: pf: state-policy if-bound breaks ICMPv6 error delivery
Product: Base System
Version: 15.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: b...@freebsd.org
Reporter: l...@hemlock.eden.le-fay.org

interface configuration:

--o<--
cxl3: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=6ec07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,HWRXTSTMP,MEXTPG>
        ether 00:07:43:3f:e7:78
        inet 81.2.96.162/28 broadcast 81.2.96.175
        inet6 fe80::207:43ff:fe3f:e778%cxl3/64 scopeid 0x4
        inet6 2001:8b0:aab5:c401::1:5/64
        inet6 fd5b:a83:b06b:c401::1:5/64
        media: Ethernet 10Gbase-Twinax <full-duplex,rxpause,txpause>
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
--o<--

pf.conf:

--o<--
set skip on lo
set reassemble yes
set state-policy floating

block return in log
block return in quick proto tcp flags /S
pass out
# + a few 'pass in on cxl3 ...' rules for services
--o<--

with state-policy floating, traceroute works:

# traceroute6 -I ns1.burble.dn42
traceroute6 to ns1.burble.dn42 (fd42:4242:2601:ac53::1) from fd5b:a83:b06b:c401::1:5, 64 hops max, 20 byte packets
 1  vlan401.core-1.inet.eden.le-fay.dn42 (fd5b:a83:b06b:c401::1)  0.219 ms  0.144 ms  0.136 ms
 2  ix0-3004.willow.eden.le-fay.org (2001:8b0:aab5:3004::2)  0.139 ms  0.081 ms  0.073 ms
 3  yarrow.eden.le-fay.dn42 (fd5b:a83:b06b:10::1)  6.846 ms  7.246 ms  6.996 ms
 4  uk-lon1.burble.dn42 (fd42:4242:2601:35::1)  8.576 ms  8.873 ms  8.756 ms
 5  ns1.burble.dn42 (fd42:4242:2601:ac53::1)  8.445 ms  8.829 ms  8.325 ms

with state-policy if-bound, traceroute doesn't work:

# traceroute6 -I ns1.burble.dn42
traceroute6 to ns1.burble.dn42 (fd42:4242:2601:ac53::1) from fd5b:a83:b06b:c401::1:5, 64 hops max, 20 byte packets
 1  * * *
 2  * * *

because the ICMP errors are blocked by pf:

21:53:39.119122 rule 0/0(match): block in on cxl3: fd5b:a83:b06b:c401::1 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68
21:53:44.174904 rule 0/0(match): block in on cxl3: fd5b:a83:b06b:c401::1 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68
21:53:49.724459 rule 0/0(match): block in on cxl3: fd5b:a83:b06b:c401::1 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68
21:53:54.846427 rule 0/0(match): block in on cxl3: 2001:8b0:aab5:3004::2 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68
21:54:00.869729 rule 0/0(match): block in on cxl3: 2001:8b0:aab5:3004::2 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68
21:54:06.568530 rule 0/0(match): block in on cxl3: 2001:8b0:aab5:3004::2 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68

using src f5aff1871d3273b3cd3621ea5d3e37cdd807e66f on amd64, pf is statically compiled with PF_DEFAULT_TO_DROP.
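A small detection helper, added here as an example and not part of the bug report or of pf itself: it parses pflog lines in the tcpdump format shown above, keeps only blocked ICMPv6 error messages, and flags original destinations whose errors are being dropped repeatedly, which is the symptom the report describes (probes time out while pflog fills with blocked "time exceeded" messages). The six block lines are taken from the report; the extra "pass" line is constructed. The "time exceeded in-transit" string is as tcpdump printed it above; the other ICMPv6 error prefixes are assumed from tcpdump's usual output and can be adjusted.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# pflog lines as printed by "tcpdump -n -e -ttt -i pflog0" style output; only
# ICMP6 lines are matched, everything else yields None.
PFLOG_ICMP6_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): ICMP6, (?P<msg>.+?)"
    r"(?: for (?P<orig_dst>\S+))?, length (?P<length>\d+)$"
)

# Message prefixes that identify ICMPv6 *error* messages (RFC 4443 types 1-4).
# "time exceeded in-transit" is taken from the report; the others are assumed
# to match tcpdump's wording and may need adjusting for other versions.
ICMP6_ERROR_PREFIXES = (
    "destination unreachable",
    "packet too big",
    "time exceeded",
    "parameter problem",
)


@dataclass(frozen=True)
class PflogEntry:
    ts: str
    action: str
    direction: str
    ifname: str
    src: str
    dst: str
    msg: str
    orig_dst: Optional[str]   # destination of the packet that triggered the error
    length: int


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Parse one pflog ICMP6 line; return None for anything else."""
    m = PFLOG_ICMP6_RE.match(line.strip())
    if m is None:
        return None
    return PflogEntry(
        ts=m["ts"], action=m["action"], direction=m["dir"], ifname=m["ifn"],
        src=m["src"], dst=m["dst"], msg=m["msg"], orig_dst=m["orig_dst"],
        length=int(m["length"]),
    )


def is_icmp6_error(entry: PflogEntry) -> bool:
    return any(entry.msg.startswith(p) for p in ICMP6_ERROR_PREFIXES)


def summarize_blocked_icmp6_errors(lines: Iterable[str]) -> Counter:
    """Count blocked ICMPv6 errors keyed by (interface, sender, original destination)."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_pflog_line(line)
        if e is None or e.action != "block" or not is_icmp6_error(e):
            continue
        counts[(e.ifname, e.src, e.orig_dst)] += 1
    return counts


def suspect_destinations(counts: Counter, threshold: int = 2) -> List[str]:
    """Original destinations for which at least `threshold` error replies were dropped."""
    per_dst: Counter = Counter()
    for (_ifn, _src, orig_dst), n in counts.items():
        if orig_dst is not None:
            per_dst[orig_dst] += n
    return sorted(d for d, n in per_dst.items() if n >= threshold)


# Sample input: the six block lines from the report plus one constructed pass line.
SAMPLE_PFLOG = [
    "21:53:39.119122 rule 0/0(match): block in on cxl3: fd5b:a83:b06b:c401::1 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68",
    "21:53:44.174904 rule 0/0(match): block in on cxl3: fd5b:a83:b06b:c401::1 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68",
    "21:53:49.724459 rule 0/0(match): block in on cxl3: fd5b:a83:b06b:c401::1 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68",
    "21:53:54.846427 rule 0/0(match): block in on cxl3: 2001:8b0:aab5:3004::2 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68",
    "21:54:00.869729 rule 0/0(match): block in on cxl3: 2001:8b0:aab5:3004::2 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68",
    "21:54:06.568530 rule 0/0(match): block in on cxl3: 2001:8b0:aab5:3004::2 > fd5b:a83:b06b:c401::1:5: ICMP6, time exceeded in-transit for fd42:4242:2601:ac53::1, length 68",
    # constructed: a permitted echo reply, which must not be counted as a blocked error
    "21:54:10.000000 rule 3/0(match): pass in on cxl3: fd5b:a83:b06b:c401::1 > fd5b:a83:b06b:c401::1:5: ICMP6, echo reply, seq 1, length 16",
]

if __name__ == "__main__":
    counts = summarize_blocked_icmp6_errors(SAMPLE_PFLOG)
    for (ifn, src, orig_dst), n in sorted(counts.items()):
        print(f"{ifn}: {n} blocked ICMPv6 error(s) from {src} about {orig_dst}")
    print("destinations with dropped error replies:", suspect_destinations(counts))
```

Run against a live pflog via `tcpdump -n -e -ttt -i pflog0 icmp6 | python3 thisfile.py` after changing the main block to read `sys.stdin`; a non-empty suspect list while probes time out is the signature of the if-bound behaviour reported above.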