From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 278088] ipfw missing options for some useful IPv6 features for RFC 4890
Date: Mon, 01 Apr 2024 06:29:02 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 15.0-CURRENT
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: freebsd@kumba.dev
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278088

            Bug ID: 278088
           Summary: ipfw missing options for some useful IPv6 features for RFC 4890
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: freebsd@kumba.dev

I was reading through RFC 4890 "Recommendations for Filtering ICMPv6 Messages in Firewalls", and it looks like some of the recommendations cannot be implemented using FreeBSD's ipfw(8). Specifically, there isn't an option for IPv6's "hop limit". I at first thought "ipttl" was a synonym for it, and the rule parser doesn't error out if using it with an IPv6-only rule (e.g., 'ip6' or 'ipv6-icmp'). But further digging reveals that it is only applicable for IPv4 (sys/netpfil/ipfw/ip_fw2.c in function ipfw_chk()):

> case O_IPID:
> case O_IPTTL:
>         if (!is_ipv4)
>                 break;

Support for this option would be necessary for things like this, from Pg 15:

> Administrators may also wish to consider providing rules in firewall/
> routers to catch illegal packets sent with hop limit = 1 to avoid
> ICMPv6 Time Exceeded messages being generated for these packets.
>
> Address Configuration and Router Selection messages (must be received
> with hop limit = 255):
>
> o Router Solicitation (Type 133)
> o Router Advertisement (Type 134)
> o Neighbor Solicitation (Type 135)
> o Neighbor Advertisement (Type 136)
> o Redirect (Type 137)
> o Inverse Neighbor Discovery Solicitation (Type 141)
> o Inverse Neighbor Discovery Advertisement (Type 142)

If implemented, I proposed that the option be called one of "hoplimit" or "ip6hoplimit".

In another case, there is no support for specifying ICMPv6 Codes (similar to Bug #153161, which is for IPv4 ICMP). This would be relevant to limit certain ICMPv6 Type 3 codes, as referenced down in Appendix B using Linux's ip6tables format (Pg 34):

> # Allow outgoing time exceeded code 0 messages
> for inner_prefix in $INNER_PREFIXES
> do
>     ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
>         --icmpv6-type ttl-zero-during-transit -j ACCEPT
> done
>
> #@POLICY@
> # Allow outgoing time exceeded code 1 messages
> for inner_prefix in $INNER_PREFIXES
> do
>     ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
>         --icmpv6-type ttl-zero-during-reassembly -j ACCEPT
> done

If implemented, the best name for the option should be "icmp6code" and/or "icmp6codes", to align with icmp6type/icmp6types.

I also noticed that there isn't support in "tcpflags" for the CWR and ECE flags, which are used for congestion control.

-- 
You are receiving this mail because:
You are the assignee for the bug.
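As an added example (not from the bug report and not FreeBSD's ipfw code), a small Python reference filter for the two RFC 4890 checks the report says ipfw cannot express: NDP types 133-137, 141 and 142 must arrive with hop limit 255, and Time Exceeded (type 3) is permitted only for codes 0 and 1. The packets are constructed inline and carry ICMPv6 directly after the IPv6 header; extension headers are not walked.

```python
import struct

IPPROTO_ICMPV6 = 58
# RFC 4890 (page 15): these NDP types must be received with hop limit 255
NDP_TYPES_HOPLIMIT_255 = {133, 134, 135, 136, 137, 141, 142}
# RFC 4890 Appendix B: Time Exceeded (type 3) codes allowed outbound
TIME_EXCEEDED_ALLOWED_CODES = {0, 1}


def parse_ipv6_icmpv6(pkt: bytes):
    """Return (hop_limit, icmp_type, icmp_code), or None when the packet is
    not IPv6 carrying ICMPv6 directly (assumption: no extension headers)."""
    if len(pkt) < 44 or (pkt[0] >> 4) != 6:
        return None
    next_header, hop_limit = pkt[6], pkt[7]   # fixed offsets in the IPv6 header
    if next_header != IPPROTO_ICMPV6:
        return None
    return hop_limit, pkt[40], pkt[41]        # ICMPv6 type and code


def rfc4890_verdict(pkt: bytes) -> str:
    """Apply the hop-limit and type-3 code checks from the report."""
    parsed = parse_ipv6_icmpv6(pkt)
    if parsed is None:
        return "not-icmpv6"                   # outside this filter's scope
    hop_limit, icmp_type, icmp_code = parsed
    if icmp_type in NDP_TYPES_HOPLIMIT_255:
        # NDP that crossed a router has a decremented hop limit: drop it
        return "allow" if hop_limit == 255 else "drop-hoplimit"
    if icmp_type == 3:
        return "allow" if icmp_code in TIME_EXCEEDED_ALLOWED_CODES else "drop-code"
    return "allow"                            # other types: left to the rest of the ruleset


def build_packet(hop_limit: int, icmp_type: int, icmp_code: int) -> bytes:
    """Constructed sample: minimal IPv6 header plus an 8-byte ICMPv6 message."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")   # fe80::1 (link-local)
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1 (all-nodes)
    hdr = struct.pack("!IHBB16s16s", 0x60000000, 8, IPPROTO_ICMPV6, hop_limit, src, dst)
    icmp = struct.pack("!BBH", icmp_type, icmp_code, 0) + b"\x00" * 4  # checksum left zero
    return hdr + icmp


if __name__ == "__main__":
    for hl, t, c in [(255, 135, 0), (64, 135, 0), (64, 3, 0), (64, 3, 2), (64, 128, 0)]:
        print(f"hoplimit={hl} type={t} code={c}: {rfc4890_verdict(build_packet(hl, t, c))}")
```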