Bug #2537

Host-based firewall blocks NFS over UDP packet that should be passed

Added by Ichiko Sakamoto over 10 years ago. Updated over 10 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Start date: 2012-03-26
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

How to reproduce:

1. On the NFS server, allow access from the NFS clients:

server # svccfg -s ipfilter:default setprop firewall_config_default/policy = allow
server # svccfg -s rpc/bind setprop firewall_config/policy = allow
server # svccfg -s rpc/bind setprop firewall_config/apply_to = network:172.16.0.1/16
server # svccfg -s nfs/server setprop firewall_config/policy = allow
server # svccfg -s nfs/server setprop firewall_config/apply_to = network:172.16.0.1/16
server # svcadm refresh rpc/bind nfs/server ipfilter:default

2. Mount from the client with the UDP option:

client # mount -o proto=udp,vers=3 server:/export /mnt

3. While the client writes to a file, ipmon on the server shows that IP-fragmented packets are blocked:

client $ mkfile 10m /mnt/testfile

server # ipmon
26/03/2012 12:05:59.279976 e1000g0 @0:5 p 172.16.xx.yy,1008 -> 172.16.xx.zz,2049 PR udp len 20 148 IN
26/03/2012 12:05:59.280759 e1000g0 @0:1 p 172.16.xx.zz,2049 -> 172.16.xx.yy,1008 PR udp len 20 144 K-S OUT
26/03/2012 12:05:59.285711 e1000g0 @0:5 p 172.16.xx.yy,1007 -> 172.16.xx.zz,2049 PR udp len 20 140 IN
26/03/2012 12:05:59.285852 e1000g0 @0:1 p 172.16.xx.zz,2049 -> 172.16.xx.yy,1007 PR udp len 20 164 K-S OUT
26/03/2012 12:05:59.286224 e1000g0 @0:5 p 172.16.xx.yy,1006 -> 172.16.xx.zz,2049 PR udp len 20 148 IN
26/03/2012 12:05:59.286316 e1000g0 @0:1 p 172.16.xx.zz,2049 -> 172.16.xx.yy,1006 PR udp len 20 144 K-S OUT
26/03/2012 12:05:59.286593 e1000g0 @0:5 p 172.16.xx.yy,1005 -> 172.16.xx.zz,2049 PR udp len 20 192 IN
26/03/2012 12:05:59.287679 e1000g0 @0:1 p 172.16.xx.zz,2049 -> 172.16.xx.yy,1005 PR udp len 20 300 K-S OUT
26/03/2012 12:05:59.288039 e1000g0 @0:5 p 172.16.xx.yy,1004 -> 172.16.xx.zz,2049 PR udp len 20 136 IN
26/03/2012 12:05:59.288127 e1000g0 @0:1 p 172.16.xx.zz,2049 -> 172.16.xx.yy,1004 PR udp len 20 140 K-S OUT
26/03/2012 12:05:59.288621 e1000g0 @0:5 p 172.16.xx.yy,1003 -> 172.16.xx.zz,2049 PR udp len 20 1500 IN
26/03/2012 12:05:59.288691 e1000g0 @0:19 b 172.16.xx.yy -> 172.16.xx.zz PR udp len 20 (1500) (frag 21586:1480@1480+) IN
26/03/2012 12:05:59.288701 e1000g0 @0:19 b 172.16.xx.yy -> 172.16.xx.zz PR udp len 20 (1292) (frag 21586:1272@2960) IN
26/03/2012 12:06:00.536316 e1000g0 @0:5 p 172.16.xx.yy,1003 -> 172.16.xx.zz,2049 PR udp len 20 1500 IN
26/03/2012 12:06:00.536329 e1000g0 @0:19 b 172.16.xx.yy -> 172.16.xx.zz PR udp len 20 (1500) (frag 21589:1480@1480+) IN
26/03/2012 12:06:00.536334 e1000g0 @0:19 b 172.16.xx.yy -> 172.16.xx.zz PR udp len 20 (1292) (frag 21589:1272@2960) IN
26/03/2012 12:06:03.036283 e1000g0 @0:5 p 172.16.xx.yy,1003 -> 172.16.xx.zz,2049 PR udp len 20 1500 IN
26/03/2012 12:06:03.036298 e1000g0 @0:19 b 172.16.xx.yy -> 172.16.xx.zz PR udp len 20 (1500) (frag 21591:1480@1480+) IN
26/03/2012 12:06:03.036303 e1000g0 @0:19 b 172.16.xx.yy -> 172.16.xx.zz PR udp len 20 (1292) (frag 21591:1272@2960) IN
...
(172.16.xx.yy is client, 172.16.xx.zz is server)

Created rules:

server # ipfstat -in
@1 pass in log quick proto tcp from any to any port = lockd flags S/FSRPAU keep state
@2 pass in log quick proto udp from any to any port = lockd
@3 pass in log quick proto tcp from 172.16.0.0/16 to any port = nfsd flags S/FSRPAU keep state keep frags
@4 block in log quick proto tcp from any to any port = nfsd flags S/FSRPAU keep state keep frags
@5 pass in log quick proto udp from 172.16.0.0/16 to any port = nfsd
@6 block in log quick proto udp from any to any port = nfsd
@7 pass in log quick proto tcp from 172.16.0.0/16 to any port = 37218 flags S/FSRPAU keep state keep frags
@8 block in log quick proto tcp from any to any port = 37218 flags S/FSRPAU keep state keep frags
@9 pass in log quick proto udp from 172.16.0.0/16 to any port = 39318
@10 block in log quick proto udp from any to any port = 39318
@11 pass in log quick proto tcp from any to any port = 36011 flags S/FSRPAU keep state
@12 pass in log quick proto udp from any to any port = 47679
@13 pass in log quick proto icmp from any to any icmp-type routersol
@14 pass in log quick proto icmp from any to any icmp-type routerad
@15 pass in log quick proto tcp from 172.16.0.0/16 to any port = sunrpc flags S/FSRPAU keep state keep frags
@16 block in log quick proto tcp from any to any port = sunrpc flags S/FSRPAU keep state keep frags
@17 pass in log quick proto udp from 172.16.0.0/16 to any port = sunrpc
@18 block in log quick proto udp from any to any port = sunrpc
@19 block in log all

server # ipfstat -on
@1 pass out log quick all keep state

The 'proto udp' filter cannot seem to match IP-fragmented packets that do not carry a UDP header.
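An added example, not part of the bug report: a small Python parser for ipmon lines of the shape shown above that flags blocked non-first fragments whose first fragment (the one carrying the UDP header) was passed to port 2049, which is how this rule-set defect shows up in the log. The sample lines and their addresses are constructed.

```python
import re

# Constructed ipmon lines in the shape of the bug report above (addresses are
# made up: 172.16.0.10 is the NFS client, 172.16.0.20 the NFS server).
SAMPLE_IPMON = """\
26/03/2012 12:05:59.279976 e1000g0 @0:5 p 172.16.0.10,1008 -> 172.16.0.20,2049 PR udp len 20 148 IN
26/03/2012 12:05:59.280759 e1000g0 @0:1 p 172.16.0.20,2049 -> 172.16.0.10,1008 PR udp len 20 144 K-S OUT
26/03/2012 12:05:59.288621 e1000g0 @0:5 p 172.16.0.10,1003 -> 172.16.0.20,2049 PR udp len 20 1500 IN
26/03/2012 12:05:59.288691 e1000g0 @0:19 b 172.16.0.10 -> 172.16.0.20 PR udp len 20 (1500) (frag 21586:1480@1480+) IN
26/03/2012 12:05:59.288701 e1000g0 @0:19 b 172.16.0.10 -> 172.16.0.20 PR udp len 20 (1292) (frag 21586:1272@2960) IN
"""

# One ipmon line: timestamp, interface, @group:rule, action, src[,port] -> dst[,port],
# protocol, header/packet lengths, optional "(frag id:len@off[+])", optional flags, direction.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[pbnsL]) (?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? PR (?P<proto>\w+) len (?P<hlen>\d+) "
    r"\(?(?P<plen>\d+)\)?(?: \(frag (?P<fragid>\d+):(?P<fraglen>\d+)@(?P<fragoff>\d+)"
    r"(?P<more>\+?)\))?(?: (?P<flags>[A-Z-]+))? (?P<dir>IN|OUT)$"
)

def parse_ipmon(text):
    """Parse ipmon output into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["offset"] = int(rec["fragoff"]) if rec["fragoff"] else 0
            records.append(rec)
    return records

def orphaned_fragments(records, port="2049"):
    """Blocked non-first fragments (offset > 0, so no transport header) whose
    src->dst flow earlier had a first fragment passed to `port`. That is the
    signature of a port-based UDP rule that never sees the fragment bodies."""
    last_head = {}
    hits = []
    for rec in records:
        key = (rec["src"], rec["dst"], rec["proto"])
        if rec["action"] == "p" and rec["dir"] == "IN" and rec["dport"] == port:
            last_head[key] = rec            # first fragment carried the UDP header
        elif rec["action"] == "b" and rec["offset"] > 0 and key in last_head:
            hits.append({"block_rule": rec["rule"], "frag_id": rec["fragid"],
                         "offset": rec["offset"], "pass_rule": last_head[key]["rule"],
                         "client_port": last_head[key]["sport"]})
    return hits
```

Run against real ipmon output, a non-empty result from orphaned_fragments() means port-based UDP pass rules are letting the first fragment through while the catch-all block rule drops the rest of the datagram.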

Workaround patch:

--- /lib/svc/share/ipf_include.sh.orig  2012-03-26 12:39:51.724658659 +0900
+++ /lib/svc/share/ipf_include.sh       2012-03-26 12:48:33.773288370 +0900
@@ -644,6 +644,10 @@
                fi
        done

+       if [ "${proto}" = "udp" ]; then
+               echo "${acmd} in log quick proto ${proto} from ${addr}" \
+                   "to ${ip} with frag-body" >>${out}
+       fi
        echo "${ecmd} in log quick proto ${proto} from any to ${ip}" \
            "port = ${port} ${tcp_opts}" >>${out}
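Review bot: the new `if [ "${proto}" = "udp" ]` block is placed after the `done` of the per-address loop, so `${addr}` holds only whatever the final iteration left in it and a single frag-body rule is written however many addresses `apply_to` lists; the rule belongs inside the loop beside the existing `echo "${acmd} in log quick proto ${proto} from ${addr}"` that writes the port rule. A comment stating why `with frag-body` is needed would also help: non-first fragments carry no UDP header, so the `port = ${port}` rule cannot match them and they fall through to the final `block in log all` rule (@19 in the `ipfstat -in` output above).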

Actions #1

Updated by Ichiko Sakamoto over 10 years ago

Sorry, I updated the workaround patch.

--- /lib/svc/share/ipf_include.sh.orig  2012-03-26 12:39:51.724658659 +0900
+++ /lib/svc/share/ipf_include.sh       2012-03-26 13:44:16.164720806 +0900
@@ -641,6 +641,12 @@
                if [ $? -eq 0 -a -n "$addr" ]; then
                        echo "${acmd} in log quick proto ${proto} from ${addr}" \
                            "to ${ip} port = ${port} ${tcp_opts}" >>${out}
+                       if [ "${proto}" = "udp" ]; then
+                               echo "${acmd} in log quick proto ${proto} from ${addr}" \
+                                   "to ${ip} with frag-body" >>${out}
+                               echo "${acmd} out log quick proto ${proto} from ${ip}" \
+                                   "to ${addr} with frag-body" >>${out}
+                       fi
                fi
        done
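Review bot: the `with frag-body` pass rule carries no port term, so every non-first UDP fragment from `${addr}` to `${ip}` is passed regardless of which datagram it belongs to, not only the NFS service this rule set is generated for. An alternative that keeps the port check is `keep frags` on the port rule itself, as the generated TCP rules in the `ipfstat -in` output above already do via `${tcp_opts}` (`keep state keep frags`), so that fragments of a datagram whose first fragment matched inherit its verdict. The added `out` rule is already covered by the `pass out log quick all keep state` rule shown in the `ipfstat -on` output and can be dropped.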
