Bug #13934

closed

Killing states by gateway can miss some IPv6 outbound states

Added by Marcos M almost 2 years ago. Updated 11 months ago.

Status: Closed
Priority: Normal
Category: Gateways
Target version: -
% Done: 0%
Release Notes: Default

Description

Due to the default outbound rules, IPv6 outbound states are created with gateway: :: which prevents the states from being deleted when using the feature introduced in #12092.

@159 pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" ridentifier 1000015166
@683 pass in quick on vmx0.5 route-to (vmx0.99 fe80::2a2:89ff:fed1:9868) inet6 proto tcp from 2001:db8:f3:5::/64 to ! <a_Local6:13> flags S/SA keep state label "USER_RULE: internet" label "id:1653875587" label "gw:WAN_GWV6" ridentifier 1653875587

all tcp 2602:801:f006:100::a2fe:c30d[80] <- 2001:db8:f3:5:5:2283:b71e:b7ee[53152]       ESTABLISHED:ESTABLISHED
   [1599067630 + 132096] wscale 8  [3558338110 + 10878976] wscale 8
   age 00:01:28, expires in 23:59:36, 687:763 pkts, 56912:1126469 bytes, rule 683
   id: 64f1376400000000 creatorid: 4da82510 gateway: 2001:db8:76:4::1
   origif: vmx0.5
all tcp 2001:db8:f3:5:5:2283:b71e:b7ee[53152] -> 2602:801:f006:100::a2fe:c30d[80]       ESTABLISHED:ESTABLISHED
   [3558338110 + 10878976] wscale 8  [1599067630 + 132096] wscale 8
   age 00:01:28, expires in 23:59:36, 687:763 pkts, 56912:1126469 bytes, rule 159
   id: 65f1376400000000 creatorid: 4da82510 gateway: ::
   origif: gif0

Current default rules are as follows:

pass out  inet all keep state allow-opts ridentifier 1000016215 label "let out anything IPv4 from firewall host itself" 
pass out  inet6 all keep state allow-opts ridentifier 1000016216 label "let out anything IPv6 from firewall host itself" 

pass out  route-to ( vmx0.99 198.51.100.1 ) from 198.51.100.5 to !198.51.100.0/24 ridentifier 1000016311 keep state allow-opts label "let out anything from firewall host itself" 
pass out  route-to ( vmx0.99 198.51.100.1 ) from 10.66.55.1 to !10.66.55.0/24 ridentifier 1000016312 keep state allow-opts label "let out anything from firewall host itself" 
pass out  route-to ( vmx0.99 fe80::2a2:89ff:fed1:9868%vmx0.99 ) inet6 from 2001:db8:43:0:8928:9ecf:b0d:8b3a to !2001:db8:43:0:8928:9ecf:b0d:8b3a/64 ridentifier 1000016313 keep state allow-opts label "let out anything from firewall host itself" 
pass out  route-to ( gif0 2001:db8:76:4::1 ) inet6 from 2001:db8:76:4::2 to !2001:db8:76:4::2/64 ridentifier 1000016314 keep state allow-opts label "let out anything from firewall host itself" 

The following change is proposed:
  • Create two additional route-to rules per WAN interface - one for IPv4 and one for IPv6 (VIPs should not affect this).
  • Change the current route-to rules to instead remove the route-to tag which overrides the new additional rules for relevant traffic.

This would result in:

# default outbound rules
pass out  inet all keep state allow-opts ridentifier 1000016215 label "let out anything IPv4 from firewall host itself" 
pass out  inet6 all keep state allow-opts ridentifier 1000016216 label "let out anything IPv6 from firewall host itself" 

# new additional route-to rules
pass out on vmx0.99 route-to ( vmx0.99 198.51.100.1 ) inet ridentifier 1000016308 keep state allow-opts label "let out anything from firewall host itself" 
pass out on vmx0.99 route-to ( vmx0.99 fe80::2a2:89ff:fed1:9868%vmx0.99 ) inet6 ridentifier 1000016309 keep state allow-opts label "let out anything from firewall host itself" 
pass out on gif0 route-to ( gif0 2001:db8:76:4::1 ) inet6 ridentifier 1000016310 keep state allow-opts label "let out anything from firewall host itself" 

# previous route-to rules changed by removing the route-to keyword and removing the "!" operator
pass out from 198.51.100.5 to 198.51.100.0/24 ridentifier 1000016311 keep state allow-opts label "let out anything from firewall host itself" 
pass out from 10.66.55.1 to 10.66.55.0/24 ridentifier 1000016312 keep state allow-opts label "let out anything from firewall host itself" 
pass out inet6 from 2001:db8:43:0:8928:9ecf:b0d:8b3a to 2001:db8:43:0:8928:9ecf:b0d:8b3a/64 ridentifier 1000016313 keep state allow-opts label "let out anything from firewall host itself" 
pass out inet6 from 2001:db8:76:4::2 to 2001:db8:76:4::2/64 ridentifier 1000016314 keep state allow-opts label "let out anything from firewall host itself" 

This preserves the behavior of not applying route-to tags for traffic from the firewall itself, hence dpinger states will continue to have a default gateway and be ignored by the kill states feature.
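As an added check (not part of this report or of pfSense's own code), the Python below parses a pfctl -vvss style state listing like the one quoted above and lists the states a gateway-based kill cannot select because their gateway field is the unspecified address. The sample records are the two quoted in this report; the field names (rule, gateway, origif) are taken from that output.

```python
import re

# Gateway value pf records when no route-to rule chose a next hop.
UNSPECIFIED_GATEWAYS = {"::", "0.0.0.0"}

_HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(->|<-)\s+(\S+)\s+\S+\s*$")
_RULE = re.compile(r"\brule (\d+)")
_FIELD = re.compile(r"(gateway|origif): (\S+)")

def parse_states(text):
    """Parse pfctl -vvss style output into one dict per state record."""
    states = []
    for line in text.splitlines():
        if line and not line[0].isspace():          # record header line
            if m := _HEADER.match(line):
                ifname, proto, left, arrow, right = m.groups()
                states.append({"ifname": ifname, "proto": proto, "left": left,
                               "arrow": arrow, "right": right, "rule": None,
                               "gateway": "", "origif": ""})
        elif states:                                # indented detail line
            if m := _RULE.search(line):
                states[-1]["rule"] = int(m.group(1))
            for key, val in _FIELD.findall(line):
                states[-1][key] = val
    return states

def states_for_gateway(states, gateway):
    """States a kill-by-gateway for this address would select."""
    return [s for s in states if s["gateway"] == gateway]

def states_missed_by_gateway_kill(states):
    """States with an unspecified gateway: no gateway-based kill selects them."""
    return [s for s in states if s["gateway"] in UNSPECIFIED_GATEWAYS]

# Sample input: the two state records quoted in this report.
SAMPLE = """\
all tcp 2602:801:f006:100::a2fe:c30d[80] <- 2001:db8:f3:5:5:2283:b71e:b7ee[53152]       ESTABLISHED:ESTABLISHED
   [1599067630 + 132096] wscale 8  [3558338110 + 10878976] wscale 8
   age 00:01:28, expires in 23:59:36, 687:763 pkts, 56912:1126469 bytes, rule 683
   id: 64f1376400000000 creatorid: 4da82510 gateway: 2001:db8:76:4::1
   origif: vmx0.5
all tcp 2001:db8:f3:5:5:2283:b71e:b7ee[53152] -> 2602:801:f006:100::a2fe:c30d[80]       ESTABLISHED:ESTABLISHED
   [3558338110 + 10878976] wscale 8  [1599067630 + 132096] wscale 8
   age 00:01:28, expires in 23:59:36, 687:763 pkts, 56912:1126469 bytes, rule 159
   id: 65f1376400000000 creatorid: 4da82510 gateway: ::
   origif: gif0
"""
```

Running states_missed_by_gateway_kill(parse_states(SAMPLE)) returns only the rule 159 state on gif0, the one the report shows surviving a kill by the WAN gateway.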


Related issues

Related to Feature #12092: Utilize new ``pfctl`` abilities to kill states (Closed, Jim Pingle, 06/29/2021)

#1

Updated by Marcos M almost 2 years ago

  • Related to Feature #12092: Utilize new ``pfctl`` abilities to kill states added
#2

Updated by Marcos M 11 months ago

  • Subject changed from Killing states by gateway does not match all outbound traffic to Killing states by gateway can miss some IPv6 outbound states
  • Status changed from New to Pull Request Review
  • Assignee set to Marcos M
  • Target version set to 2.8.0
  • Plus Target Version set to 24.03
#3

Updated by Marcos M 11 months ago

  • Status changed from Pull Request Review to Closed

This will need to be handled with custom floating rules. With the proposed change, the route-to rules for secondary WANs would not match due to the state being created for the current default WAN interface instead (details on #12630).

#4

Updated by Jim Pingle 11 months ago

  • Category changed from Rules / NAT to Gateways
  • Target version deleted (2.8.0)
  • Plus Target Version deleted (24.03)