[Bug 240650] ipfw(8): Check for IPv4 in add_src() and add_dst, don't assume !IPv6 is IPv4
bugzilla-noreply at freebsd.org
Wed Mar 11 08:25:26 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240650
O. Hartmann <ohartmann at walstatt.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ohartmann at walstatt.org
              Flags|                            |maintainer-feedback+
--- Comment #5 from O. Hartmann <ohartmann at walstatt.org> ---
This patch has been applied to CURRENT as r358858.
It breaks any rc script on CURRENT > r358858 running IPFW with
"from any to ..." or "from me to ...":
[...] (dual stack, IPv6 and IPv4 in use)
/etc/rc.conf:
[...]
firewall_type="WORKSTATION"
firewall_myservices="22/tcp"
firewall_allowservices="" OR firewall_allowservices="any"
[...]
results in bricked systems:
[...]
service ipfw restart
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
ipfw: bad source address any
ipfw: bad source address any
00000 check-state :default
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
ipfw: bad source address any
ipfw: bad source address any
01100 allow udp from fe80::/10 to me 546 in
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
[...]
I think since this is mostly standard rc.conf stuff, the problem can easily
be reproduced.