Re: IPv6 and ipfw
raffaele.delorenzo at libero.it
Wed Jul 22 10:00:32 UTC 2009
Hi all,

You have found a parser bug.

When the protocol is "ipv6" and you use comma-separated IPv6 addresses, the parser works fine because the "add_srcip6" function is called and recognizes all addresses.

When the protocol is "!=ipv6" (like TCP, UDP, ICMP6) the "add_src" function is called and it causes trouble because "inet_pton()" fails and the "add_srcip" function is erroneously called (see the code below).
(from "ipfw2.c")

add_src(ipfw_insn *cmd, char *av, u_char proto)
{
    struct in6_addr a;
    char *host, *ch;
    ipfw_insn *ret = NULL;

    if ((host = strdup(av)) == NULL)
        return NULL;
    if ((ch = strrchr(host, '/')) != NULL)
        *ch = '\0';

    if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
        inet_pton(AF_INET6, host, &a))
        ret = add_srcip6(cmd, av);
    /* XXX: should check for IPv4, not !IPv6 */
    if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
        !inet_pton(AF_INET6, host, &a)))
        ret = add_srcip(cmd, av);
    if (ret == NULL && strcmp(av, "any") != 0)
        ret = cmd;

    free(host);
    return ret;
}
I think that possible solutions are the following:

1) Create new protocol types UDP6, TCP6 only for IPv6 rules to avoid parser confusion, and check for this protocol inside the "add_src" function (easy to implement).

2) Check the comma-separated IP/IPv6 addresses inside the "add_src" function (a little too hard to implement).

I would appreciate suggestions from the community experts about this problem.

Ciao
Raffaele
>----Original message----
>From: wjw at digiware.nl
>Date: 22/07/2009 10.20
>To: <net at freebsd.org>
>Subject: IPv6 and ipfw
>
>Hi,
>
>Running 7.2 I tried to insert this into my IPFW rules
>
># ipfw add allow udp from any to 2001:xxx:3::113,2001:xxxx:3::116 \
>    dst-port 10001-10100 keep-state
>ipfw: bad netmask ``xxxx:3::113''
>
>also:
># ipfw add allow udp from any to trixbox.ip6 dst-port 10001-10100 keep-state
>ipfw: hostname ``trixbox.ip6'' unknown
>Exit 68
># host trixbox.ip6
>trixbox.ip6.digiware.nl has IPv6 address 2001:4cb8:3::116
>
>So it looks like what is in the manual is overly optimistic:
>----
>    addr6-list: ip6-addr[,addr6-list]
>
>    ip6-addr:
>        A host or subnet specified one of the following ways:
>
>        numeric-ip | hostname
>            Matches a single IPv6 address as allowed by inet_pton(3)
>            or a hostname.  Hostnames are resolved at the time the
>            rule is added to the firewall list.
>
>        addr/masklen
>            Matches all IPv6 addresses with base addr (specified as
>            allowed by inet_pton or a hostname) and mask width of
>            masklen bits.
>
>        No support for sets of IPv6 addresses is provided because IPv6
>        addresses are typically random past the initial prefix.
>----
>
>Anybody else ran into this?
>Or should I file this as a PR.
>
>--WjW
>_______________________________________________
>freebsd-net at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-net
>To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
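The fallthrough Raffaele describes, and a sketch of his second option, as an added C example that is not part of the thread and not code from FreeBSD's ipfw2.c. legacy_add_src_choice() reproduces only the branch conditions of the add_src() quoted above (returning 6 where it would call add_srcip6 and 4 where it would call add_srcip); classify_list() and fixed_add_src_choice() are invented names showing how each element of a comma-separated list can be classified with inet_pton(3) before a path is chosen, instead of handing the whole list to inet_pton(). The addresses are constructed samples in the 2001:db8::/32 documentation prefix; hostnames and "any" are deliberately not resolved here.

```c
/* Added example, not code from the thread or from FreeBSD's ipfw2.c.
 * legacy_add_src_choice() reproduces only the branch conditions of the
 * add_src() quoted above; every other name is invented for this sketch. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum addr_kind {
    KIND_NONE  = 0,   /* empty, hostname, "any" or garbage */
    KIND_V4    = 4,   /* every element is an IPv4 literal */
    KIND_V6    = 6,   /* every element is an IPv6 literal */
    KIND_MIXED = -1   /* IPv4 and IPv6 literals in one list */
};

/* Which helper the quoted add_src() picks: 6 = add_srcip6, 4 = add_srcip.
 * A list never parses as one address, so a non-IPv6 protocol ends up at 4. */
int legacy_add_src_choice(const char *av, unsigned char proto)
{
    struct in6_addr a;
    char host[256], *ch;
    if (strlen(av) >= sizeof(host))
        return 0;
    strcpy(host, av);
    if ((ch = strrchr(host, '/')) != NULL)
        *ch = '\0';
    if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
        inet_pton(AF_INET6, host, &a))
        return 6;
    if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
        !inet_pton(AF_INET6, host, &a))
        return 4;
    return 0;
}

/* Classify one element of len bytes, ignoring an optional "/masklen". */
static int classify_one(const char *tok, size_t len)
{
    char buf[INET6_ADDRSTRLEN + sizeof("/128")], *slash;
    struct in_addr a4;
    struct in6_addr a6;
    if (len == 0 || len >= sizeof(buf))
        return KIND_NONE;
    memcpy(buf, tok, len);
    buf[len] = '\0';
    if ((slash = strchr(buf, '/')) != NULL)
        *slash = '\0';
    if (inet_pton(AF_INET6, buf, &a6) == 1)
        return KIND_V6;
    if (inet_pton(AF_INET, buf, &a4) == 1)
        return KIND_V4;
    return KIND_NONE;
}

/* Classify a comma-separated list element by element: the common kind if
 * all agree, KIND_MIXED if not, KIND_NONE if any element is not a literal. */
int classify_list(const char *av)
{
    const char *p = av;
    int kind = KIND_NONE;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma != NULL ? (size_t)(comma - p) : strlen(p);
        int k = classify_one(p, len);
        if (k == KIND_NONE || (comma != NULL && comma[1] == '\0'))
            return KIND_NONE;       /* bad element or trailing comma */
        if (kind == KIND_NONE)
            kind = k;
        else if (kind != k)
            return KIND_MIXED;
        p = comma != NULL ? comma + 1 : p + len;
    }
    return kind;
}

/* Same decision with the list inspected first: 6 or 4 as above, 0 where the
 * list must be rejected or needs name resolution (left to the caller here). */
int fixed_add_src_choice(const char *av, unsigned char proto)
{
    if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0)
        return 6;
    if (proto == IPPROTO_IP || strcmp(av, "me") == 0)
        return 4;
    switch (classify_list(av)) {
    case KIND_V6: return 6;
    case KIND_V4: return 4;
    default:      return 0;
    }
}

int main(void)
{
    /* constructed sample in the 2001:db8::/32 documentation prefix */
    const char *list = "2001:db8:3::113,2001:db8:3::116";
    printf("udp + list: legacy picks %d, fixed picks %d\n",
           legacy_add_src_choice(list, IPPROTO_UDP),
           fixed_add_src_choice(list, IPPROTO_UDP));
    return 0;
}
```

With the rule from the thread (udp plus a two-address IPv6 list) the legacy conditions select the IPv4 helper, which is where the "bad netmask" message comes from, while the element-wise classifier sees two IPv6 literals and selects the IPv6 path; a list that mixes families or ends in a stray comma is rejected rather than half-parsed.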