From: "O. Hartmann" <ohartmann@walstatt.org>
To: "Alexander V. Chernikov"
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r358858 - head/sbin/ipfw
Date: Wed, 11 Mar 2020 11:33:30 +0100
Message-ID: <20200311113327.2b3ffaa2@freyja>
In-Reply-To: <7819601583914172@iva8-5e86d95f65ab.qloud-c.yandex.net>

On Wed, 11 Mar 2020 08:10:13 +0000
Alexander V. Chernikov wrote:

> 11.03.2020, 07:14, "O. Hartmann":
> > On Tue, 10 Mar 2020 20:30:21 +0000 (UTC)
> > "Alexander V. Chernikov" wrote:
> >
> >> Author: melifaro
> >> Date: Tue Mar 10 20:30:21 2020
> >> New Revision: 358858
> >> URL: https://svnweb.freebsd.org/changeset/base/358858
> >>
> >> Log:
> >>   Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
> >> > >> =C2=A0=C2=A0=C2=A0Submitted by: Neel Chauhan > >> =C2=A0=C2=A0=C2=A0MFC after: 2 weeks > >> =C2=A0=C2=A0=C2=A0Differential Revision: https://reviews.freebsd.org/D= 21812 > >> > >> =C2=A0Modified: > >> =C2=A0=C2=A0=C2=A0head/sbin/ipfw/ipfw2.c > >> > >> =C2=A0Modified: head/sbin/ipfw/ipfw2.c > >> =C2=A0=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D > >> =C2=A0--- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020 (r358857) > >> =C2=A0+++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020 (r358858) > >> =C2=A0@@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char= proto, > >> int cb if (proto =3D=3D IPPROTO_IPV6 || strcmp(av, "me6") =3D=3D 0 || > >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0inet_pton(AF_INET6, host, &a) =3D=3D 1) > >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0ret =3D add_srcip6(cmd, av, cblen, t= state); > >> =C2=A0- /* XXX: should check for IPv4, not !IPv6 */ > >> =C2=A0- if (ret =3D=3D NULL && (proto =3D=3D IPPROTO_IP || strcmp(av, = "me") =3D=3D 0 || > >> =C2=A0- inet_pton(AF_INET6, host, &a) !=3D 1)) > >> =C2=A0+ else if (proto =3D=3D IPPROTO_IP || strcmp(av, "me") =3D=3D 0 = || > >> =C2=A0+ inet_pton(AF_INET, host, &a) =3D=3D 1) > >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0ret =3D add_srcip(cmd, av, cblen, ts= tate); > >> =C2=A0- if (ret =3D=3D NULL && strcmp(av, "any") !=3D 0) > >> =C2=A0+ else if (ret =3D=3D NULL && strcmp(av, "any") !=3D 0) > >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0ret =3D cmd; > >> > >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0return ret; > >> =C2=A0@@ 
-3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char= proto, > >> int cb if (proto =3D=3D IPPROTO_IPV6 || strcmp(av, "me6") =3D=3D 0 || > >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0inet_pton(AF_INET6, host, &a) =3D=3D 1) > >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0ret =3D add_dstip6(cmd, av, cblen, t= state); > >> =C2=A0- /* XXX: should check for IPv4, not !IPv6 */ > >> =C2=A0- if (ret =3D=3D NULL && (proto =3D=3D IPPROTO_IP || strcmp(av, = "me") =3D=3D 0 || > >> =C2=A0- inet_pton(AF_INET6, host, &a) !=3D 1)) > >> =C2=A0+ else if (proto =3D=3D IPPROTO_IP || strcmp(av, "me") =3D=3D 0 = || > >> =C2=A0+ inet_pton(AF_INET, host, &a) =3D=3D 1) > >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0ret =3D add_dstip(cmd, av, cblen, ts= tate); > >> =C2=A0- if (ret =3D=3D NULL && strcmp(av, "any") !=3D 0) > >> =C2=A0+ else if (ret =3D=3D NULL && strcmp(av, "any") !=3D 0) > >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0ret =3D cmd; > >> > >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0return ret; > >> =C2=A0_______________________________________________ > >> =C2=A0svn-src-head@freebsd.org mailing list > >> =C2=A0https://lists.freebsd.org/mailman/listinfo/svn-src-head > >> =C2=A0To unsubscribe, send any mail to "svn-src-head-unsubscribe@freeb= sd.org" =20 > > > > This seems to trigger some issues in CURRENT's ipfw script handling rul= es. > > On all CURRENT boxes running =20 > >> =C2=A0FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 am= d64, the > >> boxes =20 > > > > aren't accessible via net due to errors occuring when loading ipfw rule= s: =20 > Whoops. > Terribly sorry for breaking your setup. Reverted in r358871. 
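Review bot: in the add_src() hunk the new test `inet_pton(AF_INET, host, &a) == 1` is much narrower than the `inet_pton(AF_INET6, host, &a) != 1` it replaces, and turning the second `if` into `else if` removes the catch-all, so the literal `any` no longer reaches add_srcip() unless proto is IPPROTO_IP: it fails the IPv6 test, it is not `me`, inet_pton() rejects it, and the last branch, `else if (ret == NULL && strcmp(av, "any") != 0)`, is written to skip exactly that string, so ret stays NULL. That is the "bad source address any" reported below for the udp rules, while `allow ip from any to any via lo0` still loads because proto is IPPROTO_IP there. Every other source spelling that the old catch-all handed to add_srcip() but inet_pton() cannot parse on its own takes the same path, and for those the last branch returns `ret = cmd` with neither parser having touched cmd, which reads as inverted. Suggest keeping the IPv4 branch as the fallback for all non-IPv6 input (what the revert in r358871 restores) and doing any IPv4-only validation inside add_srcip() once the token has been taken apart; also, after an `else`, the `ret == NULL` test in the final branch is always true and can be dropped.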
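Review bot: the add_dst() hunk carries the same regression as the add_src() one: with `else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 || inet_pton(AF_INET, host, &a) == 1)` in place of the old !IPv6 catch-all, a destination of `any` under any protocol other than `ip` matches none of the three branches and add_dst() returns NULL, which is the "bad destination address any" in the report below. Whatever fix is settled on for add_src() must be applied here identically, since the two functions are line-for-line duplicates apart from add_dstip6()/add_dstip(); a shared helper taking the two builder functions would keep them from diverging again. The `ret == NULL` in the final `else if` is redundant here as well.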
It is not a specific setup of mine, since we use the standard supplied by FreeBSD, just filling in some variables. So, in theory, the patch should have broken many more setups if people use FreeBSD's ipfw.

Thanks for reverting.

> >
> > [/etc/rc.conf]
> > firewall_type="WORKSTATION"
> > firewall_myservices="22/tcp 80/tcp 443/tcp"            # List of TCP ports on which this host
> >                                                        # offers services for "workstation" firewall.
> > firewall_allowservices="192.168.0.0/24 fd11:43:2::/64" # List of IPs which have access to
> >                                                        # $firewall_myservices for "workstation"
> >                                                        # firewall.
> > firewall_trusted=""                                    # List of IPs which have full access to this
> >                                                        # host for "workstation" firewall.
> >
> > [...]
> > # service ipfw restart
> > Flushed all rules.
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from any to ::1
> > 00500 deny ip from ::1 to any
> > 00600 allow ipv6-icmp from :: to ff02::/16
> > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> > ipfw: bad source address any
> > ipfw: bad source address any
> > 00000 check-state :default
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > 01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
> > ipfw: bad source address any
> > ipfw: bad source address any
> > 01100 allow udp from fe80::/10 to me 546 in
> > ipfw: bad source address any
> > ipfw: bad source address any
> > ipfw: bad source address any
> > ipfw: bad source address any
> > [...]
> >
> > The problem also occurs if I set
> >
> > firewall_allowservices="any"
> >
> > in /etc/rc.conf
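What follows is an added example and not part of this mail or of FreeBSD's source: a stand-alone C model of the add_src()/add_dst() dispatch quoted above, in its r358857 and r358858 forms, run over the address tokens that appear in the rules and rc.conf values of this report. The instruction builders add_srcip6()/add_srcip() are replaced by tags so the decision path itself is visible. classify_before(), classify_after(), host_part() and enum addr_path are names invented for the example, and the sample table is constructed from the report (no-such-host is a made-up token that neither inet_pton() call accepts). It shows why `any` under a non-ip protocol is rejected after r358858 while it was accepted before, and that an arbitrary unparseable token goes the opposite way.

```c
/*
 * Added example, not FreeBSD code: model of the ipfw(8) add_src()/add_dst()
 * address dispatch before (r358857) and after (r358858).  The instruction
 * builders are replaced by tags so the decision can be observed.
 * classify_before(), classify_after(), host_part() and enum addr_path are
 * names invented for this example.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum addr_path {
    PATH_REJECTED = 0,   /* ret stays NULL: caller prints "bad ... address" */
    PATH_V6_PARSER,      /* add_srcip6()/add_dstip6() would be called */
    PATH_V4_PARSER,      /* add_srcip()/add_dstip() would be called */
    PATH_PASSTHROUGH     /* last branch: ret = cmd with nothing parsed */
};

/* Same prefix stripping add_src() does before it calls inet_pton(). */
static void host_part(const char *av, char *buf, size_t buflen)
{
    size_t len = strlen(av);
    char *slash;

    if (len > buflen - 1)
        len = buflen - 1;
    memcpy(buf, av, len);
    buf[len] = '\0';
    if ((slash = strrchr(buf, '/')) != NULL)
        *slash = '\0';
}

/* Dispatch as of r358857: anything that is not IPv6 goes to the IPv4 parser. */
enum addr_path classify_before(const char *av, int proto)
{
    struct in6_addr a;
    char host[INET6_ADDRSTRLEN];
    enum addr_path ret = PATH_REJECTED;

    host_part(av, host, sizeof(host));
    if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
        inet_pton(AF_INET6, host, &a) == 1)
        ret = PATH_V6_PARSER;
    /* XXX: should check for IPv4, not !IPv6 */
    if (ret == PATH_REJECTED && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
        inet_pton(AF_INET6, host, &a) != 1))
        ret = PATH_V4_PARSER;
    if (ret == PATH_REJECTED && strcmp(av, "any") != 0)
        ret = PATH_PASSTHROUGH;          /* dead code in this version */
    return ret;
}

/* Dispatch as of r358858: the IPv4 branch now requires a real IPv4 literal. */
enum addr_path classify_after(const char *av, int proto)
{
    struct in6_addr a;
    char host[INET6_ADDRSTRLEN];
    enum addr_path ret = PATH_REJECTED;

    host_part(av, host, sizeof(host));
    if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
        inet_pton(AF_INET6, host, &a) == 1)
        ret = PATH_V6_PARSER;
    else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
        inet_pton(AF_INET, host, &a) == 1)
        ret = PATH_V4_PARSER;
    else if (ret == PATH_REJECTED && strcmp(av, "any") != 0)
        ret = PATH_PASSTHROUGH;          /* "any" is the one token left NULL */
    return ret;
}

static const char *path_name[] = { "REJECTED", "v6 parser", "v4 parser", "passthrough" };

int main(void)
{
    /* Constructed sample: tokens taken from the rules and rc.conf in the report. */
    static const struct { const char *av; int proto; const char *note; } in[] = {
        { "any",            IPPROTO_IP,     "rule 00100, proto ip" },
        { "any",            IPPROTO_UDP,    "the failing udp rules" },
        { "::",             IPPROTO_ICMPV6, "rule 00600" },
        { "fe80::/10",      IPPROTO_UDP,    "rule 01100" },
        { "0.0.0.0",        IPPROTO_UDP,    "rule 01000" },
        { "me",             IPPROTO_UDP,    "rule 01100 destination" },
        { "192.168.0.0/24", IPPROTO_TCP,    "firewall_allowservices entry" },
        { "no-such-host",   IPPROTO_TCP,    "constructed unparseable token" },
    };
    size_t i;

    printf("%-16s %-5s %-12s %-12s\n", "token", "proto", "r358857", "r358858");
    for (i = 0; i < sizeof(in) / sizeof(in[0]); i++)
        printf("%-16s %-5d %-12s %-12s  %s\n", in[i].av, in[i].proto,
            path_name[classify_before(in[i].av, in[i].proto)],
            path_name[classify_after(in[i].av, in[i].proto)], in[i].note);
    return 0;
}
```

Build with `cc -o dispatch dispatch.c` and run it; the r358858 column shows `any` under udp landing in REJECTED, matching the "bad source address any" lines above, while the made-up token ends in passthrough.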