Date:      Wed, 11 Mar 2020 11:33:30 +0100
From:      "O. Hartmann" <ohartmann@walstatt.org>
To:        "Alexander V. Chernikov" <melifaro@freebsd.org>
Cc:        "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>
Subject:   Re: svn commit: r358858 - head/sbin/ipfw
Message-ID:  <20200311113327.2b3ffaa2@freyja>
In-Reply-To: <7819601583914172@iva8-5e86d95f65ab.qloud-c.yandex.net>
References:  <202003102030.02AKUL0q031391@repo.freebsd.org> <20200311081346.0e78d715@freyja> <7819601583914172@iva8-5e86d95f65ab.qloud-c.yandex.net>

On Wed, 11 Mar 2020 08:10:13 +0000
Alexander V. Chernikov <melifaro@freebsd.org> wrote:

> 11.03.2020, 07:14, "O. Hartmann" <o.hartmann@walstatt.org>:
> > On Tue, 10 Mar 2020 20:30:21 +0000 (UTC)
> > "Alexander V. Chernikov" <melifaro@FreeBSD.org> wrote:
> >
> >>  Author: melifaro
> >>  Date: Tue Mar 10 20:30:21 2020
> >>  New Revision: 358858
> >>  URL: https://svnweb.freebsd.org/changeset/base/358858
> >>
> >>  Log:
> >>    Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
> >>
> >>    Submitted by: Neel Chauhan <neel AT neelc DOT org>
> >>    MFC after: 2 weeks
> >>    Differential Revision: https://reviews.freebsd.org/D21812
> >>
> >>  Modified:
> >>    head/sbin/ipfw/ipfw2.c
> >>
> >>  Modified: head/sbin/ipfw/ipfw2.c
> >>  ==============================================================================
> >>  --- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020 (r358857)
> >>  +++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020 (r358858)
> >>  @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cb
> >>  if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
> >>                inet_pton(AF_INET6, host, &a) == 1)
> >>                    ret = add_srcip6(cmd, av, cblen, tstate);
> >>  - /* XXX: should check for IPv4, not !IPv6 */
> >>  - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >>  - inet_pton(AF_INET6, host, &a) != 1))
> >>  + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >>  + inet_pton(AF_INET, host, &a) == 1)
> >>                    ret = add_srcip(cmd, av, cblen, tstate);
> >>  - if (ret == NULL && strcmp(av, "any") != 0)
> >>  + else if (ret == NULL && strcmp(av, "any") != 0)
> >>                    ret = cmd;
> >>
> >>            return ret;
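Review bot: the new `else if` chain in add_src() loses the path that used to accept the literal `any` for protocols other than `ip`: `inet_pton(AF_INET, host, &a)` returns 0 for `any`, so the IPv4 branch is only taken when `proto == IPPROTO_IP`, and the final branch excludes it outright with `strcmp(av, "any") != 0`, so `ret` stays NULL where the removed `inet_pton(AF_INET6, host, &a) != 1` test previously routed `any` to add_srcip(). That matches the `ipfw: bad source address any` lines in the report further down, where `allow ip from any to any via lo0` loads but the tcp/udp rules with `any` do not. Suggest deciding `strcmp(av, "any") == 0` explicitly before the literal-address checks (or keeping `any` in the IPv4 condition) and adding a regression rule such as `allow tcp from any to any` to the ipfw tests. Minor: now that the last branch is an `else if`, the `ret == NULL` in its condition is always true and can be dropped.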
> >>  @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cb
> >>  if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
> >>                inet_pton(AF_INET6, host, &a) == 1)
> >>                    ret = add_dstip6(cmd, av, cblen, tstate);
> >>  - /* XXX: should check for IPv4, not !IPv6 */
> >>  - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >>  - inet_pton(AF_INET6, host, &a) != 1))
> >>  + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >>  + inet_pton(AF_INET, host, &a) == 1)
> >>                    ret = add_dstip(cmd, av, cblen, tstate);
> >>  - if (ret == NULL && strcmp(av, "any") != 0)
> >>  + else if (ret == NULL && strcmp(av, "any") != 0)
> >>                    ret = cmd;
> >>
> >>            return ret;
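Review bot: add_dst() has the same gap as add_src(): with `inet_pton(AF_INET, host, &a) == 1` as the only way into the IPv4 branch for non-`ip` protocols, and `strcmp(av, "any") != 0` guarding the fallback, a destination of `any` in a tcp/udp/ipv6-icmp rule leaves `ret` NULL, which is the `ipfw: bad destination address any` output in the report. The two hunks are identical apart from add_dstip()/add_dstip6(); consider moving the family dispatch into one helper shared by add_src() and add_dst() so the `any` handling is fixed (and tested) in a single place rather than patched twice.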
> >>  _______________________________________________
> >>  svn-src-head@freebsd.org mailing list
> >>  https://lists.freebsd.org/mailman/listinfo/svn-src-head
> >>  To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org"
> >
> > This seems to trigger some issues in CURRENT's ipfw script handling rules.
> > On all CURRENT boxes running FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10
> > 21:17:39 CET 2020 amd64, the boxes aren't accessible via net due to errors
> > occurring when loading ipfw rules:
> Whoops.
> Terribly sorry for breaking your setup. Reverted in r358871.

It is not a specific setup of mine, since we use the standard supplied by
FreeBSD, just filling some variables.

So, in theory, the patch should have broken many more setups if people use
FreeBSD's ipfw.

Thanks for reverting.

> >
> > [/etc/rc.conf]
> > firewall_type="WORKSTATION"
> > firewall_myservices="22/tcp 80/tcp 443/tcp" # List of TCP ports on which this host
> >                                             # offers services for "workstation" firewall.
> > firewall_allowservices="192.168.0.0/24 fd11:43:2::/64" # List of IPs which have access to
> >                                             # $firewall_myservices for "workstation"
> >                                             # firewall.
> > firewall_trusted="" # List of IPs which have full access to this
> >                                             # host for "workstation" firewall.
> >
> > [...]
> > # service ipfw restart
> > Flushed all rules.
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from any to ::1
> > 00500 deny ip from ::1 to any
> > 00600 allow ipv6-icmp from :: to ff02::/16
> > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> > ipfw: bad source address any
> > ipfw: bad source address any
> > 00000 check-state :default
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > 01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
> > ipfw: bad source address any
> > ipfw: bad source address any
> > 01100 allow udp from fe80::/10 to me 546 in
> > ipfw: bad source address any
> > ipfw: bad source address any
> > ipfw: bad source address any
> > ipfw: bad source address any
> > [...]
> >
> > The problem also occurs if I set
> >
> > firewall_allowservices="any"
> >
> > in /etc/rc.conf

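The failure in the quoted report can be reproduced without ipfw by modelling the address-family dispatch that the r358858 hunks changed. The following is an added example written for this thread, not FreeBSD code: it re-implements only the conditions visible in the diff for the r358857 and r358858 variants (the bodies of add_srcip()/add_srcip6() are not modelled; the assumption is that they accept whatever they are handed, which is how r358857 passed "any" through), adds a third variant of this example's own design that decides the "any" wildcard before parsing literals, and runs all three over the address tokens from the rules in the report plus two constructed tcp/udp rules with "any".

```c
/* Added example, not FreeBSD code: model of ipfw(8) add_src()/add_dst()
 * address-family dispatch before and after r358858. Each variant reports
 * which address filler would be called; FAM_NONE means the real function
 * returns NULL and ipfw prints "bad source/destination address". */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum family { FAM_NONE, FAM_INET6, FAM_INET, FAM_OTHER, FAM_ANY };

/* First address of an "addr/mask" or "a,b,c" token, as add_src() does
 * before calling inet_pton() on it. */
static const char *
host_part(const char *av, char *buf, size_t buflen)
{
	size_t len = strcspn(av, "/,");

	if (av[len] == '\0')
		return av;
	if (len >= buflen)
		len = buflen - 1;
	memcpy(buf, av, len);
	buf[len] = '\0';
	return buf;
}

/* r358857: anything that is not an IPv6 literal goes to the IPv4 filler,
 * so "any" always ends up accepted. */
static enum family
classify_r358857(int proto, const char *av)
{
	struct in6_addr a;
	char buf[INET6_ADDRSTRLEN];
	const char *host = host_part(av, buf, sizeof(buf));
	enum family ret = FAM_NONE;

	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, &a) == 1)
		ret = FAM_INET6;
	if (ret == FAM_NONE && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    inet_pton(AF_INET6, host, &a) != 1))
		ret = FAM_INET;
	if (ret == FAM_NONE && strcmp(av, "any") != 0)
		ret = FAM_OTHER;
	return ret;
}

/* r358858: the IPv4 branch needs an IPv4 literal, "me" or proto ip, and the
 * fallback excludes "any"; "any" with tcp/udp/ipv6-icmp is now rejected. */
static enum family
classify_r358858(int proto, const char *av)
{
	struct in6_addr a;
	char buf[INET6_ADDRSTRLEN];
	const char *host = host_part(av, buf, sizeof(buf));
	enum family ret = FAM_NONE;

	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, &a) == 1)
		ret = FAM_INET6;
	else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    inet_pton(AF_INET, host, &a) == 1)
		ret = FAM_INET;
	else if (ret == FAM_NONE && strcmp(av, "any") != 0)
		ret = FAM_OTHER;
	return ret;
}

/* This example's suggestion (not the committed fix): settle the wildcard
 * first, then require a literal of the matching family. */
static enum family
classify_suggested(int proto, const char *av)
{
	struct in6_addr a;
	char buf[INET6_ADDRSTRLEN];
	const char *host = host_part(av, buf, sizeof(buf));

	if (strcmp(av, "any") == 0)
		return FAM_ANY;
	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, &a) == 1)
		return FAM_INET6;
	if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    inet_pton(AF_INET, host, &a) == 1)
		return FAM_INET;
	return FAM_OTHER;
}

/* Address tokens from the rules in the report; the last two are constructed
 * tcp/udp rules with "any", the kind behind the "bad ... address any" lines. */
static const struct { int proto; const char *av; } report_addrs[] = {
	{ IPPROTO_IP,     "any" },             /* 00100 allow ip from any to any */
	{ IPPROTO_IP,     "127.0.0.0/8" },     /* 00200 deny ip from any to 127.0.0.0/8 */
	{ IPPROTO_IP,     "::1" },             /* 00400 deny ip from any to ::1 */
	{ IPPROTO_ICMPV6, "::" },              /* 00600 allow ipv6-icmp from :: ... */
	{ IPPROTO_ICMPV6, "ff02::/16" },
	{ IPPROTO_ICMPV6, "fe80::/10" },       /* 00700 */
	{ IPPROTO_UDP,    "0.0.0.0" },         /* 01000 allow udp from 0.0.0.0 68 ... */
	{ IPPROTO_UDP,    "255.255.255.255" },
	{ IPPROTO_UDP,    "fe80::/10" },       /* 01100 allow udp from fe80::/10 to me */
	{ IPPROTO_UDP,    "me" },
	{ IPPROTO_TCP,    "any" },             /* constructed */
	{ IPPROTO_UDP,    "any" },             /* constructed */
};

/* Tokens a variant rejects; ipfw prints one error line per rejected token. */
static int
count_rejected(enum family (*classify)(int, const char *))
{
	int rejected = 0;
	size_t i;

	for (i = 0; i < sizeof(report_addrs) / sizeof(report_addrs[0]); i++)
		if (classify(report_addrs[i].proto, report_addrs[i].av) == FAM_NONE)
			rejected++;
	return rejected;
}

int
main(void)
{
	printf("rejected tokens: r358857=%d r358858=%d suggested=%d\n",
	    count_rejected(classify_r358857), count_rejected(classify_r358858),
	    count_rejected(classify_suggested));
	return 0;
}
```

The point the model makes is that `ip from any to any` still loads under r358858 because `proto == IPPROTO_IP` short-circuits the IPv4 condition, while `any` in a tcp, udp or ipv6-icmp rule satisfies neither inet_pton() test and is then excluded by the `strcmp(av, "any") != 0` fallback, which is exactly the pattern of successful and failing rules in the quoted `service ipfw restart` output.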