Date: Wed, 11 Mar 2020 08:13:51 +0100
From: "O. Hartmann" <o.hartmann@walstatt.org>
To: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r358858 - head/sbin/ipfw
Message-ID: <20200311081346.0e78d715@freyja>
In-Reply-To: <202003102030.02AKUL0q031391@repo.freebsd.org>
References: <202003102030.02AKUL0q031391@repo.freebsd.org>
On Tue, 10 Mar 2020 20:30:21 +0000 (UTC)
"Alexander V. Chernikov" <melifaro@FreeBSD.org> wrote:

> Author: melifaro
> Date: Tue Mar 10 20:30:21 2020
> New Revision: 358858
> URL: https://svnweb.freebsd.org/changeset/base/358858
>
> Log:
>   Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
>
>   Submitted by:	Neel Chauhan <neel AT neelc DOT org>
>   MFC after:	2 weeks
>   Differential Revision:	https://reviews.freebsd.org/D21812
>
> Modified:
>   head/sbin/ipfw/ipfw2.c
>
> Modified: head/sbin/ipfw/ipfw2.c
> ==============================================================================
> --- head/sbin/ipfw/ipfw2.c	Tue Mar 10 20:25:36 2020	(r358857)
> +++ head/sbin/ipfw/ipfw2.c	Tue Mar 10 20:30:21 2020	(r358858)
> @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cb
>  	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
>  	    inet_pton(AF_INET6, host, &a) == 1)
>  		ret = add_srcip6(cmd, av, cblen, tstate);
> -	/* XXX: should check for IPv4, not !IPv6 */
> -	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> -	    inet_pton(AF_INET6, host, &a) != 1))
> +	else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> +	    inet_pton(AF_INET, host, &a) == 1)
>  		ret = add_srcip(cmd, av, cblen, tstate);
> -	if (ret == NULL && strcmp(av, "any") != 0)
> +	else if (ret == NULL && strcmp(av, "any") != 0)
>  		ret = cmd;
>  
>  	return ret;
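Review bot: the new `else if (ret == NULL && strcmp(av, "any") != 0)` branch loses the literal "any" whenever proto is not IPPROTO_IP. Neither `inet_pton(AF_INET6, host, &a)` nor `inet_pton(AF_INET, host, &a)` accepts "any", so for a rule such as `udp from any` no branch of the chain runs, add_src() returns NULL, and the caller rejects the rule (the "ipfw: bad source address any" seen when the rules are loaded). Before this change "any" fell through the `inet_pton(AF_INET6, host, &a) != 1` test into add_srcip(), which handles it. Keep routing "any" to add_srcip(), e.g. add `|| strcmp(av, "any") == 0` to the IPv4 condition, or return cmd for "any" explicitly in the last branch. Separately, inside an else-if chain `ret` is still NULL when the last `else if` is reached, so the `ret == NULL &&` test there is now dead. The add_dst() hunk below has the identical problem.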
> @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cb
>  	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
>  	    inet_pton(AF_INET6, host, &a) == 1)
>  		ret = add_dstip6(cmd, av, cblen, tstate);
> -	/* XXX: should check for IPv4, not !IPv6 */
> -	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> -	    inet_pton(AF_INET6, host, &a) != 1))
> +	else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> +	    inet_pton(AF_INET, host, &a) == 1)
>  		ret = add_dstip(cmd, av, cblen, tstate);
> -	if (ret == NULL && strcmp(av, "any") != 0)
> +	else if (ret == NULL && strcmp(av, "any") != 0)
>  		ret = cmd;
>  
>  	return ret;
> _______________________________________________
> svn-src-head@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org"

This seems to trigger some issues in CURRENT's ipfw script handling rules.

On all CURRENT boxes running

> FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 amd64,

the boxes aren't accessible via net due to errors occurring when loading ipfw rules:

[/etc/rc.conf]
firewall_type="WORKSTATION"
firewall_myservices="22/tcp 80/tcp 443/tcp"		# List of TCP ports on which this host
							# offers services for "workstation" firewall.
firewall_allowservices="192.168.0.0/24 fd11:43:2::/64"	# List of IPs which have access to
							# $firewall_myservices for "workstation"
							# firewall.
firewall_trusted=""					# List of IPs which have full access to this
							# host for "workstation" firewall.
[...]

# service ipfw restart
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
ipfw: bad source address any
ipfw: bad source address any
00000 check-state :default
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
ipfw: bad source address any
ipfw: bad source address any
01100 allow udp from fe80::/10 to me 546 in
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
[...]

The problem also occurs if firewall_allowservices="any" is set in /etc/rc.conf.
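To make the failure reported above reproducible without an ipfw build, here is an added stand-alone model (not ipfw's own code, and not part of this thread) of the add_src() if/else chain as it stood before and after r358858. It only reports which branch a source token takes; the helper host_of() and the enum names are assumptions of this example, while IPPROTO_*, AF_* and inet_pton() are the real system definitions the diff uses.

```c
/* Added model of the ipfw(8) add_src() dispatch before and after r358858; not
 * ipfw's code, it keeps only the if/else chain from the diff as a branch report. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum branch { B_NONE = 0, B_IPV6, B_IPV4, B_FALLBACK };

/* ipfw looks only at the text before "/" or "," (first address of a set). */
static const char *host_of(const char *av, char *buf, size_t buflen)
{
	const char *ch = strpbrk(av, "/,");
	int len = ch ? (int)(ch - av) : (int)strlen(av);
	snprintf(buf, buflen, "%.*s", len, av);	/* truncates like strlcpy */
	return buf;
}

/* Before the commit: anything that is not an IPv6 literal goes to add_srcip(). */
enum branch dispatch_old(const char *av, unsigned char proto)
{
	struct in6_addr a; char buf[INET6_ADDRSTRLEN]; enum branch ret = B_NONE;
	const char *host = host_of(av, buf, sizeof(buf));
	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, &a) == 1)
		ret = B_IPV6;
	if (ret == B_NONE && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    inet_pton(AF_INET6, host, &a) != 1))
		ret = B_IPV4;	/* add_srcip() itself accepts the literal "any" */
	if (ret == B_NONE && strcmp(av, "any") != 0)
		ret = B_FALLBACK;
	return ret;
}

/* After the commit: the IPv4 path needs a real IPv4 literal, so "any" with a non-"ip"
 * protocol reaches the last else-if, which skips "any": B_NONE, i.e. "bad source address". */
enum branch dispatch_new(const char *av, unsigned char proto)
{
	struct in6_addr a; char buf[INET6_ADDRSTRLEN]; enum branch ret = B_NONE;
	const char *host = host_of(av, buf, sizeof(buf));
	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, &a) == 1)
		ret = B_IPV6;
	else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    inet_pton(AF_INET, host, &a) == 1)
		ret = B_IPV4;
	else if (ret == B_NONE && strcmp(av, "any") != 0)
		ret = B_FALLBACK;
	return ret;
}
```

The model matches the rule listing above: "ip from any" (proto IPPROTO_IP) still loads, while "tcp/udp from any" now ends in B_NONE, and literal addresses such as 0.0.0.0 or fe80::/10 are unaffected.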