From: Alexander V. Chernikov
Envelope-From: melifaro@ipfw.ru
To: O. Hartmann
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r358858 - head/sbin/ipfw
Date: Wed, 11 Mar 2020 08:10:13 +0000
Message-Id: <7819601583914172@iva8-5e86d95f65ab.qloud-c.yandex.net>
In-Reply-To: <20200311081346.0e78d715@freyja>
References: <202003102030.02AKUL0q031391@repo.freebsd.org> <20200311081346.0e78d715@freyja>
List-Id: SVN commit messages for the src tree for head/-current

11.03.2020, 07:14, "O. Hartmann":
> On Tue, 10 Mar 2020 20:30:21 +0000 (UTC)
> "Alexander V. Chernikov" wrote:
>
>>  Author: melifaro
>>  Date: Tue Mar 10 20:30:21 2020
>>  New Revision: 358858
>>  URL: https://svnweb.freebsd.org/changeset/base/358858
>>
>>  Log:
>>    Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
>>
>>    Submitted by: Neel Chauhan
>>    MFC after: 2 weeks
>>    Differential Revision: https://reviews.freebsd.org/D21812
>>
>>  Modified:
>>    head/sbin/ipfw/ipfw2.c
>>
>>  Modified: head/sbin/ipfw/ipfw2.c
>>  ==============================================================================
>>  --- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020 (r358857)
>>  +++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020 (r358858)
>>  @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cb
>>           if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
>>               inet_pton(AF_INET6, host, &a) == 1)
>>                   ret = add_srcip6(cmd, av, cblen, tstate);
>>  - /* XXX: should check for IPv4, not !IPv6 */
>>  - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>>  - inet_pton(AF_INET6, host, &a) != 1))
>>  + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>>  + inet_pton(AF_INET, host, &a) == 1)
>>                   ret = add_srcip(cmd, av, cblen, tstate);
>>  - if (ret == NULL && strcmp(av, "any") != 0)
>>  + else if (ret == NULL && strcmp(av, "any") != 0)
>>                   ret = cmd;
>>
>>           return ret;
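Review bot: Turning the three independent checks in add_src() into an else-if chain drops the catch-all that the removed `inet_pton(AF_INET6, host, &a) != 1` test provided, and "any" falls through the gap. For a rule whose proto is neither IPPROTO_IP nor IPPROTO_IPV6 (tcp, udp and so on), "any" is not "me" and is not an IPv4 literal, so the second branch is skipped, and the third branch only assigns `ret = cmd` when `strcmp(av, "any") != 0`; for "any" nothing is assigned and the function returns NULL, the value the caller treats as an error. The old second branch also took every other token that is not an IPv6 literal, and those now end in the `ret = cmd` branch without add_srcip() ever seeing them. Suggest keeping the explicit `inet_pton(AF_INET, ...) == 1` test but adding an explicit fallback for the remaining tokens (at minimum `strcmp(av, "any") == 0` routed to add_srcip(), which handled it before) instead of relying on the final branch. Minor: with the else-if chain `ret == NULL` in `else if (ret == NULL && strcmp(av, "any") != 0)` is always true and can be dropped.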
>>  @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cb
>>           if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
>>               inet_pton(AF_INET6, host, &a) == 1)
>>                   ret = add_dstip6(cmd, av, cblen, tstate);
>>  - /* XXX: should check for IPv4, not !IPv6 */
>>  - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>>  - inet_pton(AF_INET6, host, &a) != 1))
>>  + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>>  + inet_pton(AF_INET, host, &a) == 1)
>>                   ret = add_dstip(cmd, av, cblen, tstate);
>>  - if (ret == NULL && strcmp(av, "any") != 0)
>>  + else if (ret == NULL && strcmp(av, "any") != 0)
>>                   ret = cmd;
>>
>>           return ret;
>
> This seems to trigger some issues in CURRENT's ipfw script handling rules. On
> all CURRENT boxes running
>>  FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 amd64,
> the boxes aren't accessible via net due to errors occurring when loading ipfw rules:

Whoops. Terribly sorry for breaking your setup. Reverted in r358871.

>
> [/etc/rc.conf]
> firewall_type="WORKSTATION"
> firewall_myservices="22/tcp 80/tcp 443/tcp" # List of TCP ports on which this host
>                                 # offers services for "workstation" firewall.
> firewall_allowservices="192.168.0.0/24 fd11:43:2::/64" # List of IPs which have access to
>                                 # $firewall_myservices for "workstation"
>                                 # firewall.
> firewall_trusted="" # List of IPs which have full access to this
>                                 # host for "workstation" firewall.
>
> [...]
> # service ipfw restart
> Flushed all rules.
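Review bot: The add_dst() hunk has the same hole as the add_src() one: with the else-if chain, "any" under a proto other than IPPROTO_IP/IPPROTO_IPV6 matches neither the IPv6 nor the IPv4 branch, and the last branch only sets `ret = cmd` when `strcmp(av, "any") != 0`, so add_dst() returns NULL for "any"; that is the "bad destination address any" in the listing that follows. Whatever fallback is chosen for add_src() needs to be mirrored here, and the now-redundant `ret == NULL` test in the final `else if` can go as well.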
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> ipfw: bad source address any
> ipfw: bad source address any
> 00000 check-state :default
> ipfw: bad destination address any
> ipfw: bad destination address any
> ipfw: bad destination address any
> ipfw: bad destination address any
> ipfw: bad destination address any
> 01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
> ipfw: bad source address any
> ipfw: bad source address any
> 01100 allow udp from fe80::/10 to me 546 in
> ipfw: bad source address any
> ipfw: bad source address any
> ipfw: bad source address any
> ipfw: bad source address any
> [...]
>
> The problem also occurs if I set
>
> firewall_allowservices="any"
>
> in /etc/rc.conf
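The address-family dispatch behind the errors above, as an added example that is not ipfw(8)'s own code: a stand-alone C model of the branch chain in add_src()/add_dst() as quoted in the hunks, before and after r358858, run over the kinds of tokens that appear in the rule listing. Assumptions: the real add_srcip()/add_srcip6() parsers are replaced by an enum recording which one would have been called (and add_srcip6() is taken to return non-NULL for what it is given), `proto` is the rule's protocol number as in the hunk's signature, and `host` is the token with any "/prefix" cut off, which is what the quoted code feeds to inet_pton(). The probe list is constructed for this example.

```c
/* Added example, not ipfw(8) code: a model of the add_src()/add_dst()
 * address-family dispatch before and after r358858.  The real parsers
 * are stand-ins (assumption) that only record which one would run. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum parser {
	P_NONE = 0,	/* add_src() returned NULL: caller prints "bad source address" */
	P_IP6,		/* add_srcip6() / add_dstip6() would parse the token */
	P_IP4,		/* add_srcip() / add_dstip() would parse the token */
	P_PASSTHRU	/* last branch: ret = cmd, nothing parsed */
};

/* Assumption: "host" is the token with any "/len" or ",..." suffix removed,
 * which is what the quoted code hands to inet_pton(). */
static void host_part(const char *av, char *host, size_t n)
{
	snprintf(host, n, "%s", av);
	host[strcspn(host, "/,")] = '\0';
}

/* Branch chain as it stood before r358858 (three separate ifs). */
static enum parser dispatch_before(const char *av, int proto)
{
	unsigned char a[sizeof(struct in6_addr)];
	char host[128];
	enum parser ret = P_NONE;

	host_part(av, host, sizeof host);
	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, a) == 1)
		ret = P_IP6;
	/* "not an IPv6 literal" catches "any", "me" and everything else */
	if (ret == P_NONE && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    inet_pton(AF_INET6, host, a) != 1))
		ret = P_IP4;
	if (ret == P_NONE && strcmp(av, "any") != 0)
		ret = P_PASSTHRU;
	return ret;
}

/* Branch chain after r358858 (else-if; IPv4 branch needs a real literal). */
static enum parser dispatch_after(const char *av, int proto)
{
	unsigned char a[sizeof(struct in6_addr)];
	char host[128];
	enum parser ret = P_NONE;

	host_part(av, host, sizeof host);
	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, a) == 1)
		ret = P_IP6;
	else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    inet_pton(AF_INET, host, a) == 1)
		ret = P_IP4;
	else if (ret == P_NONE && strcmp(av, "any") != 0)
		ret = P_PASSTHRU;
	/* "any" under tcp/udp reaches neither parser: ret stays P_NONE */
	return ret;
}

/* Constructed probes mirroring tokens from the rule listing and rc.conf. */
struct probe { const char *av; int proto; };
static const struct probe probes[] = {
	{ "any",             IPPROTO_IP },     /* 00200 deny ip from any ...    */
	{ "any",             IPPROTO_TCP },    /* "any" in a tcp rule           */
	{ "any",             IPPROTO_UDP },    /* "any" in a udp rule           */
	{ "me",              IPPROTO_UDP },    /* 01100 ... to me 546           */
	{ "0.0.0.0",         IPPROTO_UDP },    /* 01000 ... from 0.0.0.0 68     */
	{ "255.255.255.255", IPPROTO_UDP },    /* 01000 ... to 255.255.255.255  */
	{ "fe80::/10",       IPPROTO_UDP },    /* 01100 ... from fe80::/10      */
	{ "fe80::/10",       IPPROTO_ICMPV6 }, /* 00700 ipv6-icmp ...           */
	{ "192.168.0.0/24",  IPPROTO_TCP },    /* firewall_allowservices        */
	{ "fd11:43:2::/64",  IPPROTO_TCP },    /* firewall_allowservices        */
};
#define NPROBES (sizeof probes / sizeof probes[0])

/* Number of probes the old chain accepted that the new chain rejects. */
int count_regressions(void)
{
	int n = 0;
	for (size_t i = 0; i < NPROBES; i++)
		if (dispatch_before(probes[i].av, probes[i].proto) != P_NONE &&
		    dispatch_after(probes[i].av, probes[i].proto) == P_NONE)
			n++;
	return n;
}

static const char *pname(enum parser p)
{
	switch (p) {
	case P_IP6:      return "add_srcip6()";
	case P_IP4:      return "add_srcip()";
	case P_PASSTHRU: return "ret = cmd";
	default:         return "NULL (bad source address)";
	}
}

int main(void)
{
	for (size_t i = 0; i < NPROBES; i++)
		printf("%-16s proto=%-3d before: %-14s after: %s\n",
		    probes[i].av, probes[i].proto,
		    pname(dispatch_before(probes[i].av, probes[i].proto)),
		    pname(dispatch_after(probes[i].av, probes[i].proto)));
	printf("%d token(s) now rejected\n", count_regressions());
	return 0;
}
```

Only the two "any" probes under tcp and udp change from add_srcip() to NULL; literals, "me" and "any" under proto ip keep their parser, which is consistent with the listing above, where the ip and ipv6-icmp rules load and the errors are all "bad source/destination address any".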