Bug #14630

open

ipf return-rst does not work without IP forwarding

Added by Andy Fiddaman 3 months ago. Updated 3 months ago.

Status: In Progress
Priority: Normal
Assignee:
Category: networking
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

For a long time I have had ipf rules on mail servers to immediately reject inbound TCP connections on port 113, rather than just dropping the packets, to prevent unnecessary delays on outbound mail to MTAs which attempt to retrieve the ident.

block return-rst in quick on igb0 proto tcp from any to any port = 113 flags S
pass out quick on igb0 proto tcp from any port = 113 to any flags R/RSFUP

This does not work with illumos today, although it definitely did at some point in the past.

Using dtrace to see what's going on around fr_send_reset():

%  pfexec dtrace -n 'fr_send_reset:return,fr_send_ip:return,fr_forwarding_enabled:return,fr_fastroute:return,net_inject:return{printf("%x", arg1)}' -n 'fr_forwarding_enabled:return{stack()}' -F
dtrace: description 'fr_send_reset:return,fr_send_ip:return,fr_forwarding_enabled:return,fr_fastroute:return,net_inject:return' matched 5 probes
dtrace: description 'fr_forwarding_enabled:return' matched 1 probe
CPU FUNCTION
 12 | fr_forwarding_enabled:return            0
 12  <- fr_forwarding_enabled
              ipf`fr_fastroute+0x6e
              ipf`fr_send_ip+0x148
              ipf`fr_send_reset+0x194
              ipf`fr_check+0x8f3

 12  <- fr_fastroute                          ffffffff
 12  <- fr_send_ip                            ffffffff
 12  <- fr_send_reset                         ffffffff

If I enable IP forwarding on the machine, then this rule starts to work.

bloody# ndd -set /dev/ip ip_forwarding 1
bloody#  pfexec dtrace -n 'fr_send_reset:return,fr_send_ip:return,fr_forwarding_enabled:return,fr_fastroute:return,net_inject:return{printf("%x", arg1)}' -F
dtrace: description 'fr_send_reset:return,fr_send_ip:return,fr_forwarding_enabled:return,fr_fastroute:return,net_inject:return' matched 5 probes
CPU FUNCTION
 12  <- fr_forwarding_enabled                 1
 12  <- fr_forwarding_enabled                 1
 12  <- net_inject                            0
 12  <- fr_fastroute                          0
 12  <- fr_send_ip                            0
 12  <- fr_send_reset                         0

and if I disable IP forwarding, but patch the fr_forwarding_enabled() function to always return 1, this also works:

> fr_forwarding_enabled/Z 1b8
> fr_forwarding_enabled+5/v c3

> fr_forwarding_enabled::dis
fr_forwarding_enabled:          movl   $0x1,%eax
fr_forwarding_enabled+5:        ret
bloody# snoop -rd vioif0 tcp port 113
Using device vioif0 (promiscuous mode)
172.27.10.254 -> 172.27.10.9  AUTH C port=49737
 172.27.10.9 -> 172.27.10.254 AUTH R port=49737

and the client reports Connection refused.

It appears that the forwarding check introduced in #5733 is a bit over-zealous and should at least not apply to the cases when ipf is returning a TCP reset or ICMP unreach packet.
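The client-side symptom described above (an ident connection that hangs instead of being refused) can be checked without dtrace or kernel patching. The following probe is an added example, not part of the bug report or of illumos; it connects once to a host and port and classifies the reply as "refused" (a RST came back, which is what the return-rst rule should produce), "filtered" (nothing came back before the timeout, the silent-drop behaviour this bug causes when ip_forwarding is 0), "open", or "unreachable". The host name, port 113 default and timeout are assumptions for the demonstration; the loopback helpers exist only so the probe can be exercised offline.

```python
import errno
import socket
import sys
import time

# Verdicts returned by probe_tcp(), keyed to what an MTA doing an ident
# lookup would experience against the mail server in this report.
EXPLANATIONS = {
    "refused": "RST received: the block return-rst rule is taking effect",
    "filtered": "no reply before the timeout: SYN silently dropped, "
                "ident lookups by remote MTAs will stall",
    "open": "handshake completed: port is not blocked at all",
    "unreachable": "ICMP unreachable or no route to host",
}


def probe_tcp(host, port=113, timeout=3.0):
    """Attempt one TCP connection and report how the remote side answered.

    Returns (verdict, elapsed_seconds). A verdict of "refused" with a
    small elapsed time is the healthy outcome for a return-rst rule;
    "filtered" with elapsed ~= timeout is the failure mode in this bug.
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except socket.timeout:
        verdict = "filtered"
    except ConnectionRefusedError:
        verdict = "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "unreachable"
        else:
            raise
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def describe(verdict, elapsed):
    """Turn a probe result into a one-line explanation for the operator."""
    return "%s after %.2fs: %s" % (verdict, elapsed, EXPLANATIONS[verdict])


def loopback_listener():
    """Open a listening socket on an ephemeral 127.0.0.1 port (offline
    demonstration of the "open" verdict; the caller closes it). Once it
    is closed, the same port yields the "refused" verdict."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Usage: python3 ident_probe.py <mailhost> [port] [timeout]
    # (hypothetical script name; target host is whatever you pass in)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 113
    timeout = float(sys.argv[3]) if len(sys.argv) > 3 else 3.0
    print(describe(*probe_tcp(host, port, timeout)))
```

Run it from a host on the other side of igb0 against the mail server: "refused" within a few milliseconds means the RST is going out; "filtered" after the full timeout reproduces the stall that remote MTAs see while ip_forwarding is 0.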


Related issues

Related to illumos gate - Bug #5733: ipf should only forward when forwarding is enabled (Closed, Jerry Jelinek, 2015-03-20)

#1

Updated by Andy Fiddaman 3 months ago

  • Related to Bug #5733: ipf should only forward when forwarding is enabled added
#2

Updated by Electric Monk 3 months ago

  • Gerrit CR set to 2110