Date:      Mon, 27 Jul 2009 19:02:09 +0200
From:      Raffaele De Lorenzo <raffaele.delorenzo@libero.it>
To:        Willem Jan Withagen <wjw@digiware.nl>
Cc:        freebsd-ipfw@freebsd.org, net@freebsd.org
Subject:   Re: R: IPv6 and ipfw
Message-ID:  <11956F97-0C87-456F-A769-70BEDBA351BE@libero.it>
In-Reply-To: <4A672C79.3000006@digiware.nl>
References:  <3164304.442981248256119643.JavaMail.defaultUser@defaultHost> <4A672C79.3000006@digiware.nl>



Hi all,
I attached a patch that solves this problem. I will send a PR as soon
as possible.

Instructions:

Patch the following files:

/usr/src/sbin/ipfw/ipfw2.c (patch is ipfw2.c.diff)
/usr/src/sbin/ipfw/ipfw2.h (patch is ipfw2.h.diff)
/usr/src/sbin/ipfw/ipv6.c (patch is ipv6.c.diff)

This patch was tested on FreeBSD 8 Beta 2 AMD64 and official FreeBSD 8 BETA 2 sources.

Let me know of any suggestions or problems.

Regards
Raffaele

On Jul 22, 2009, at 5:12 PM, Willem Jan Withagen wrote:

> Reply below, and also reorganised yours...
> raffaele.delorenzo@libero.it wrote:
>>> Hi,
>>>
>>> Running 7.2 I tried to insert this into my IPFW rules
>>> # ipfw add allow udp from any to 2001:xxx:3::113,2001:xxxx:3::116 \
>>> 	dst-port 10001-10100 keep-state
>>> ipfw: bad netmask ``xxxx:3::113''
>>> also:
>>> # ipfw add allow udp from any to trixbox.ip6 dst-port 10001-10100 keep-state
>>> ipfw: hostname ``trixbox.ip6'' unknown
>>> Exit 68
>>> # host trixbox.ip6
>>> trixbox.ip6.digiware.nl has IPv6 address 2001:4cb8:3::116
>>>
>>> So it looks like what is in the manual is overly optimistic:
>>> ----
>>>     addr6-list: ip6-addr[,addr6-list]
>>>     ip6-addr:
>>>             A host or subnet specified one of the following ways:
>>>             numeric-ip | hostname
>>>                     Matches a single IPv6 address as allowed by inet_pton(3)
>>>                     or a hostname.  Hostnames are resolved at the time the
>>>                     rule is added to the firewall list.
>>>
>>>             addr/masklen
>>>                     Matches all IPv6 addresses with base addr (specified as
>>>                     allowed by inet_pton or a hostname) and mask width of
>>>                     masklen bits.
>>>
>>>             No support for sets of IPv6 addresses is provided because IPv6
>>>             addresses are typically random past the initial prefix.
>>> ----
>>>
>>> Anybody else ran into this?
>>> Or should I file this as a PR.
>
> > Hi all,
> > You have found a parser bug.
> > When the protocol is "ipv6" and you use comma separated ipv6 addresses,
> > the parser works fine because the "add_srcip6" function is called and
> > recognizes all addresses.
> > When the protocol is "!=ipv6" (like TCP,UDP,ICMP6) the "add_src" function
> > is called and it causes troubles because the "inet_pton()" fails and
> > erroneously the "add_srcip" function is called (see the code below).
> >
> > (from "ipfw2.c")
> > static ipfw_insn *
> > add_src(ipfw_insn *cmd, char *av, u_char proto)
> > {
> > 	struct in6_addr a;
> > 	char *host, *ch;
> > 	ipfw_insn *ret = NULL;
> >
> > 	if ((host = strdup(av)) == NULL)
> > 		return NULL;
> > 	if ((ch = strrchr(host, '/')) != NULL)
> > 		*ch = '\0';
> >
> > 	/* The whole argument is handed to inet_pton(): a comma separated
> > 	 * list is not a single address, so this test fails for lists. */
> > 	if (proto == IPPROTO_IPV6  || strcmp(av, "me6") == 0 ||
> > 	    inet_pton(AF_INET6, host, &a))
> > 		ret = add_srcip6(cmd, av);
> >
> > 	/* XXX: should check for IPv4, not !IPv6 */
> > 	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> > 	    !inet_pton(AF_INET6, host, &a)))
> > 		ret = add_srcip(cmd, av);
> > 	if (ret == NULL && strcmp(av, "any") != 0)
> > 		ret = cmd;
> >
> > 	free(host);
> > 	return ret;
> > }
> >
> > I think that possible solutions are the following:
> >
> > 1) Create new protocol types UDP6,TCP6 only for IPv6 rules to avoid parser
> > confusion, and check for this protocol inside the "add_src" function
> > (easy to implement).
> > 2) Check the comma separated ip/ipv6 addresses inside the "add_src"
> > function (a little too hard to implement).
> >
> > I appreciate suggestions from the community experts about this problem.
>
> I would prefer not to make separate tcp6 and udp6 items, since what
> I would like to do is things like:
>
> hostlist="a.b.c.d,A:B:C:D::F"
>
> and then in the firewall something like
> 	ipfw add allow tcp from any to ${hostlist} dst-port 80 setup
>
> and if tcp now goes into tcp and tcp6 I need to double my rules etc.
>
> Which raises one other point:
> 	using a FQDN with more A and AAAA records also just inserts the
> 	first reply in the list.
> 	Now I don't use FQDN since most of the time in the Firewall DNS
> 	is not quite up yet.
>
> --WjW


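The per-element check sketched as the second fix in the quoted reply, as an added example (not code from the thread or from FreeBSD's ipfw): `classify_one` probes a single argument the way the quoted `add_src()` does, and so rejects a comma separated list outright, while `classify_addr_list` splits on commas first. The function and `ADDR_*` names are this example's own, and the sample addresses are constructed documentation prefixes.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/* Result bits for a list (ADDR_MIXED == ADDR_V4 | ADDR_V6); the names are
 * this example's own, not ipfw's. */
enum { ADDR_NONE = 0, ADDR_V4 = 1, ADDR_V6 = 2, ADDR_MIXED = 3, ADDR_BAD = -1 };

/* Probe one argument the way the quoted add_src() does: cut a trailing
 * "/masklen" with strrchr() and hand the WHOLE string to inet_pton(). A
 * comma-separated list can never pass here, which is the bug in the thread. */
int classify_one(const char *av)
{
    char host[256], *slash;
    struct in6_addr a6;
    struct in_addr a4;
    if (strlen(av) >= sizeof host)
        return ADDR_BAD;
    strcpy(host, av);
    if ((slash = strrchr(host, '/')) != NULL)
        *slash = '\0';
    if (inet_pton(AF_INET6, host, &a6) == 1)
        return ADDR_V6;
    if (inet_pton(AF_INET, host, &a4) == 1)
        return ADDR_V4;
    return ADDR_BAD;    /* hostname, keyword such as "any"/"me", or garbage */
}

/* Per-element check (the second fix proposed in the thread): split on commas
 * first, then classify each element on its own. */
int classify_addr_list(const char *av)
{
    char elem[256];
    const char *comma;
    size_t n;
    int k, kinds = ADDR_NONE;
    while (*av) {
        comma = strchr(av, ',');
        n = comma ? (size_t)(comma - av) : strlen(av);
        if (n >= sizeof elem)
            return ADDR_BAD;
        memcpy(elem, av, n);
        elem[n] = '\0';
        if ((k = classify_one(elem)) == ADDR_BAD)
            return ADDR_BAD;    /* one unparsable element spoils the list */
        kinds |= k;
        av = comma ? comma + 1 : av + n;
    }
    return kinds;
}
```

A mixed result is what the `hostlist="a.b.c.d,A:B:C:D::F"` usage in the reply would produce, so a parser taking this route still has to decide how to emit a rule for both families.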