Date:      Wed, 22 Jul 2009 11:48:39 +0200 (CEST)
From:      "raffaele.delorenzo@libero.it" <raffaele.delorenzo@libero.it>
To:        <wjw@digiware.nl>,  <net@freebsd.org>, freebsd-ipfw@freebsd.org
Cc:        rizzo@icir.org
Subject:   R: IPv6 and ipfw
Message-ID:  <3164304.442981248256119643.JavaMail.defaultUser@defaultHost>

Hi all,
You have found a parser bug.
When the protocol is "ipv6" and you use comma separated ipv6 addresses, the
parser works fine because the "add_srcip6" function is called and recognizes
all addresses.
When the protocol is "!=ipv6" (like TCP, UDP, ICMP6) the "add_src" function
is called and it causes trouble because "inet_pton()" fails and the
"add_srcip" function is erroneously called (see the code below).

(from "ipfw2.c")
static ipfw_insn *
add_src(ipfw_insn *cmd, char *av, u_char proto)
{
	struct in6_addr a;
	char *host, *ch;
	ipfw_insn *ret = NULL;

	if ((host = strdup(av)) == NULL)
		return NULL;
	if ((ch = strrchr(host, '/')) != NULL)
		*ch = '\0';

	if (proto == IPPROTO_IPV6  || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, &a))
		ret = add_srcip6(cmd, av);

	/* XXX: should check for IPv4, not !IPv6 */
	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    !inet_pton(AF_INET6, host, &a)))
		ret = add_srcip(cmd, av);
	if (ret == NULL && strcmp(av, "any") != 0)
		ret = cmd;

	free(host);
	return ret;
}

I think that possible solutions are the following:

1) Create new protocol types UDP6, TCP6 only for IPv6 rules to avoid parser
confusion, and check for these protocols inside the "add_src" function
(easy to implement).
2) Check the comma separated ip/ipv6 addresses inside the "add_src" function
(a little too hard to implement).

I appreciate suggestions from the community experts about this problem.

Ciao

Raffaele
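To show the misclassification and the check proposed as option 2, here is an added example (not code from ipfw2.c or the thread): the single inet_pton() test that add_src() applies to its whole argument, next to a list-aware variant that splits on ',' and tests every element. The function names and the 2001:db8::/32 sample addresses are constructed for this example; it assumes, as stated above, that the IPv6 handler can then consume the comma separated list.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* Strip an optional "/masklen" and try inet_pton(3), exactly the test
 * add_src() applies to its whole argument.  1 if tok is one IPv6 address. */
static int is_ipv6_token(const char *tok)
{
	struct in6_addr a;
	char *host, *ch;
	int ok;

	if ((host = strdup(tok)) == NULL)
		return 0;
	if ((ch = strrchr(host, '/')) != NULL)
		*ch = '\0';
	ok = inet_pton(AF_INET6, host, &a) == 1;
	free(host);
	return ok;
}

/* The original decision: one inet_pton() over the whole argument, so a
 * comma separated list fails and falls through to the IPv4 path. */
int looks_ipv6_original(const char *av)
{
	return is_ipv6_token(av);
}

/* Option 2 from the mail (hypothetical name): split on ',' and require
 * every element to be an IPv6 address before choosing the IPv6 handler. */
int looks_ipv6_listaware(const char *av)
{
	char *copy, *tok, *save;
	int all = 1, n = 0;

	if ((copy = strdup(av)) == NULL)
		return 0;
	for (tok = strtok_r(copy, ",", &save); tok != NULL;
	     tok = strtok_r(NULL, ",", &save), n++)
		if (!is_ipv6_token(tok))
			all = 0;
	free(copy);
	return n > 0 && all;
}
```

For "2001:db8:3::113,2001:db8:3::116" the original test returns 0, which is the path that ends in add_srcip() and the "bad netmask" error quoted below; the list-aware test returns 1.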


>----Original message----
>From: wjw@digiware.nl
>Date: 22/07/2009 10.20
>To: <net@freebsd.org>
>Subject: IPv6 and ipfw
>
>Hi,
>
>Running 7.2 I tried to insert this into my IPFW rules
>
># ipfw add allow udp from any to 2001:xxx:3::113,2001:xxxx:3::116 \
>	dst-port 10001-10100 keep-state
>ipfw: bad netmask ``xxxx:3::113''
>
>also:
># ipfw add allow udp from any to trixbox.ip6 dst-port 10001-10100 keep-state
>ipfw: hostname ``trixbox.ip6'' unknown
>Exit 68
># host trixbox.ip6
>trixbox.ip6.digiware.nl has IPv6 address 2001:4cb8:3::116
>
>So it looks like what is in the manual is overly optimistic:
>----
>      addr6-list: ip6-addr[,addr6-list]
>
>      ip6-addr:
>              A host or subnet specified one of the following ways:
>
>              numeric-ip | hostname
>                      Matches a single IPv6 address as allowed by inet_pton(3)
>                      or a hostname.  Hostnames are resolved at the time the
>                      rule is added to the firewall list.
>
>              addr/masklen
>                      Matches all IPv6 addresses with base addr (specified as
>                      allowed by inet_pton or a hostname) and mask width of
>                      masklen bits.
>
>              No support for sets of IPv6 addresses is provided because IPv6
>              addresses are typically random past the initial prefix.
>----
>
>Anybody else ran into this?
>Or should I file this as a PR?
>
>--WjW
