R: IPv6 and ipfw
Willem Jan Withagen
wjw at digiware.nl
Wed Jul 22 15:11:00 UTC 2009
Reply below, and I also reorganised yours...
raffaele.delorenzo at libero.it wrote:
>> Hi,
>>
>> Running 7.2 I tried to insert this into my IPFW rules
>> # ipfw add allow udp from any to 2001:xxx:3::113,2001:xxxx:3::116 \
>>      dst-port 10001-10100 keep-state
>> ipfw: bad netmask ``xxxx:3::113''
>> also:
>> # ipfw add allow udp from any to trixbox.ip6 dst-port 10001-10100 keep-state
>> ipfw: hostname ``trixbox.ip6'' unknown
>> Exit 68
>> # host trixbox.ip6
>> trixbox.ip6.digiware.nl has IPv6 address 2001:4cb8:3::116
>>
>> So it looks like what is in the manual is overly optimistic:
>> ----
>> addr6-list: ip6-addr[,addr6-list]
>> ip6-addr:
>>     A host or subnet specified one of the following ways:
>>     numeric-ip | hostname
>>         Matches a single IPv6 address as allowed by inet_pton(3)
>>         or a hostname. Hostnames are resolved at the time the
>>         rule is added to the firewall list.
>>
>>     addr/masklen
>>         Matches all IPv6 addresses with base addr (specified as
>>         allowed by inet_pton or a hostname) and mask width of
>>         masklen bits.
>>
>> No support for sets of IPv6 addresses is provided because IPv6
>> addresses are typically random past the initial prefix.
>> ----
>>
>> Anybody else run into this?
>> Or should I file this as a PR?
> Hi all,
> You have found a parser bug.
> When the protocol is "ipv6" and you give comma separated ipv6 addresses, the
> parser works fine because the "add_srcip6" function is called and recognizes
> all addresses.
> When the protocol is "!=ipv6" (like TCP,UDP,ICMP6) the "add_src" function is
> called and it causes trouble because the "inet_pton()" fails and erroneously
> the "add_srcip" function is called (see the code below).
>
> (from "ipfw2.c")
> ipfw_insn *
> add_src(ipfw_insn *cmd, char *av, u_char proto)
> {
>         struct in6_addr a;
>         char *host, *ch;
>         ipfw_insn *ret = NULL;
>
>         if ((host = strdup(av)) == NULL)
>                 return NULL;
>         if ((ch = strrchr(host, '/')) != NULL)
>                 *ch = '\0';
>
>         if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
>             inet_pton(AF_INET6, host, &a))
>                 ret = add_srcip6(cmd, av);
>
>         /* XXX: should check for IPv4, not !IPv6 */
>         if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>             !inet_pton(AF_INET6, host, &a)))
>                 ret = add_srcip(cmd, av);
>         if (ret == NULL && strcmp(av, "any") != 0)
>                 ret = cmd;
>
>         free(host);
>         return ret;
> }
>
> I think that possible solutions are the following:
>
> 1) Create new protocol types UDP6,TCP6 only for IPv6 rules to avoid parser
> confusion, and check for this protocol inside the "add_src" function (easy
> to implement).
> 2) Check the comma separated ip/ipv6 addresses inside the "add_src" function
> (a little too hard to implement).
>
> I appreciate suggestions from the community experts about this problem.
I would prefer not to make separate tcp6 and udp6 items, since what I would
like to do is things like:
    hostlist="a.b.c.d,A:B:C:D::F"
and then in the firewall something like
    ipfw add allow tcp from any to ${hostlist} dst-port 80 setup
and if tcp now goes into tcp and tcp6 I need to double my rules etc.

Which raises one other point:
using a FQDN with multiple A and AAAA records also just inserts the
first reply in the list.
Now I don't use FQDNs since, most of the time, DNS is not quite up yet
when the firewall loads.

--WjW
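To make the dispatch problem discussed in the thread concrete, here is an added C example (not ipfw code and not from either poster): probe_family() strips an optional "/masklen" and tries inet_pton() for both families; add_src_picks_ipv6() mirrors the whole-argument probe the quoted add_src() makes for a non-"ipv6" protocol, and classify_addr_list() probes each comma-separated element instead, which is option 2 from the reply. The function names and the 2001:db8:: and 192.0.2.x addresses are constructed for the example, and hostnames are not resolved here.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

enum list_kind { LIST_INET, LIST_INET6, LIST_MIXED, LIST_BAD };

/* Strip an optional "/masklen" from one element and try inet_pton() for
 * both families.  Returns AF_INET6, AF_INET, or 0 if neither parses. */
static int probe_family(const char *elem, size_t len)
{
    char host[INET6_ADDRSTRLEN + 4], *slash;  /* address plus "/nnn" */
    struct in6_addr a6;
    struct in_addr a4;
    if (len == 0 || len >= sizeof(host))
        return 0;
    memcpy(host, elem, len);
    host[len] = '\0';
    if ((slash = strchr(host, '/')) != NULL)
        *slash = '\0';
    if (inet_pton(AF_INET6, host, &a6) == 1)
        return AF_INET6;
    return inet_pton(AF_INET, host, &a4) == 1 ? AF_INET : 0;
}

/* The check the quoted add_src() makes for a non-"ipv6" protocol: probe the
 * whole argument at once, so a comma-separated list never counts as IPv6. */
int add_src_picks_ipv6(const char *av)
{
    return probe_family(av, strlen(av)) == AF_INET6;
}

/* Option 2 from the reply: walk the list element by element, so a pure v6
 * list, a pure v4 list and a mixed list (hostlist above) are told apart. */
enum list_kind classify_addr_list(const char *av)
{
    enum list_kind kind = LIST_BAD, cur;
    const char *p = av, *comma;
    do {
        comma = strchr(p, ',');
        int fam = probe_family(p, comma ? (size_t)(comma - p) : strlen(p));
        cur = fam == AF_INET6 ? LIST_INET6 : fam == AF_INET ? LIST_INET : LIST_BAD;
        if (cur == LIST_BAD)
            return LIST_BAD;
        kind = (p == av || kind == cur) ? cur : LIST_MIXED;
        if (comma != NULL)
            p = comma + 1;
    } while (comma != NULL);
    return kind;
}
```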