From: Alexander
To: freebsd-gnats-submit@FreeBSD.org
Date: Fri, 16 Jul 2010 18:12:09 GMT
Message-Id: <201007161812.o6GIC9Es082104@www.freebsd.org>
Subject: kern/148689: [ipfw2] antispoof wrongly triggers on link local IPv6 addresses

>Number:         148689
>Category:       kern
>Synopsis:       [ipfw2] antispoof wrongly triggers on link local IPv6 addresses
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 16 18:20:06 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Alexander
>Release:        8.1-PRERELEASE
>Organization:
Wittig
>Environment:
FreeBSD hotzenplotz.wittig.name 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #2: Tue Jul 13 11:09:46 CEST 2010 root@hotzenplotz.wittig.name:/usr/obj/usr/src/sys/ALEX amd64
>Description:
It seems as if the IPFW2 option "antispoof" is not properly implemented for IPv6 packets. The rule

    deny ip from any to any not antispoof in

will block all IPv6 traffic to locally set up IPv6 addresses on interfaces. However, traffic coming in to the very same IPv6 address from outside (i.e. a different machine) passes without problem.

This was already described in this thread back in 2006, along with a workaround:
http://www.mail-archive.com/freebsd-questions@freebsd.org/msg127596.html

This issue should probably be mentioned in ipfw(8) if it is not fixed.
>How-To-Repeat:
Note: Addresses are anonymized.

1) Set up an interface with a public IPv6 address as well as an automatic link-local address. E.g.

    inet6 fe80::xx:xx:xx:de48%re0 prefixlen 64 scopeid 0x1
    inet6 2a02:180:xx:xx:xx:xx:de48:0 prefixlen 64

2) Set up the following IPFW2 rules:

    ipfw flush
    ipfw add deny ip from any to any not antispoof in
    ipfw add allow ip from any to any

3) Set up some service on IPv6, e.g. HTTP:

    netstat -f inet6 -a
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    ..
    tcp46      0      0  *.http                 *.*                    LISTEN
    ..

4) Try to connect to the local HTTP server via the public IPv6 address (blocked, times out):

    wget 'http://[2a02:xx:xx:xx:xx:xx:de48:0]'
    --2010-07-16 20:04:39--  http://[2a02:xx:xx:xx:xx:xx:de48:0]/
    Connecting to 2a02:xx:xx:xx:xx:xx:de48:0:80... failed: Operation timed out.
    Retrying.
    ..

>Fix:
If not a solution, at least a workaround is possible by restricting antispoof rules to IPv4, where they work just fine:

1) Set up modified IPFW2 rules:

    ipfw flush
    ipfw add deny ip4 from any to any not antispoof in
    ipfw add allow ip from any to any

2) Try to connect to the local HTTP server via the public IPv6 address (works as expected):

    wget 'http://[2a02:xx:xx:xx:xx:xx:de48:0]'
    --2010-07-16 19:52:45--  http://[2a02:xx:xx:xx:xx:xx:de48:0]/
    Connecting to 2a02:xx:xx:xx:xx:xx:de48:0:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: `index.html'

        [ <=> ]  3,128  --.-K/s  in 0s

    2010-07-16 19:52:45 (22.2 MB/s) - `index.html' saved [3128]

>Release-Note:
>Audit-Trail:
>Unformatted:
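The following is an added illustration, not part of the PR and not FreeBSD kernel or ipfw code. It models the antispoof semantics documented in ipfw(8) (outgoing packets always match; an incoming packet whose source lies in a directly connected network matches only if it arrived on that network's interface) and runs the reporter's original ruleset, the ip4-restricted workaround, and the conventional loopback pass rule that /etc/rc.firewall installs first against a few packets. The interface table and all addresses are constructed (the report's are anonymized), the interface names tun0 and re0 are placeholders, and the model assumes that a connection to the host's own global address is seen by ipfw as a packet inbound on lo0 with that global address as source, which is what reproduces the reported symptom.

```python
"""Model of ipfw(8)'s "antispoof" option, used to reproduce the symptom in
PR kern/148689 and to compare the report's workaround with the conventional
loopback pass rule.  Constructed illustration, not FreeBSD kernel code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import Optional

# Constructed interface table modelled on the report's ifconfig excerpt; the
# "xx" groups of the anonymized addresses are replaced by arbitrary values,
# and 192.0.2.0/24 (TEST-NET-1) stands in for an IPv4 subnet on re0.
IFCONFIG = {
    "re0": ["2a02:180:1:2::de48:0/64", "fe80::1:2:3:de48/64", "192.0.2.10/24"],
    "lo0": ["::1/128", "127.0.0.1/8"],
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    rcvif: Optional[str]  # receiving interface; None means locally generated, outbound


def antispoof_matches(src: str, rcvif: Optional[str], table=IFCONFIG) -> bool:
    """ipfw(8) semantics: outgoing packets always match.  For incoming packets,
    if the source address lies in a directly connected network, the option
    matches only when the packet arrived on that network's interface."""
    if rcvif is None:
        return True
    addr = ip_address(src)
    for ifname, addrs in table.items():
        for a in addrs:
            if addr in ip_interface(a).network:
                return ifname == rcvif
    return True  # not directly connected: antispoof has nothing to say


def rule_matches(rule: str, pkt: Packet) -> bool:
    """Tiny subset of ipfw rule syntax:
    <allow|deny> <ip|ip4|ip6> from any to any [not antispoof] [in|out] [via IF]"""
    words = rule.split()
    proto, opts = words[1], words[6:]
    if words[2:6] != ["from", "any", "to", "any"]:
        raise ValueError("unsupported rule: " + rule)
    version = ip_address(pkt.src).version
    if (proto == "ip4" and version != 4) or (proto == "ip6" and version != 6):
        return False
    i = 0
    while i < len(opts):
        tok = opts[i]
        if tok == "not" and opts[i + 1] == "antispoof":
            if antispoof_matches(pkt.src, pkt.rcvif):
                return False
            i += 2
        elif tok == "antispoof":
            if not antispoof_matches(pkt.src, pkt.rcvif):
                return False
            i += 1
        elif tok == "in":
            if pkt.rcvif is None:
                return False
            i += 1
        elif tok == "out":
            if pkt.rcvif is not None:
                return False
            i += 1
        elif tok == "via":
            if pkt.rcvif != opts[i + 1]:
                return False
            i += 2
        else:
            raise ValueError("unsupported option: " + tok)
    return True


def evaluate(ruleset, pkt: Packet) -> str:
    """First matching rule wins; a kernel without IPFIREWALL_DEFAULT_TO_ACCEPT
    denies anything that falls through."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.split()[0]
    return "deny"


# The report's two rulesets, plus the loopback pass rule that /etc/rc.firewall
# installs before anything else.
ORIGINAL = ["deny ip from any to any not antispoof in",
            "allow ip from any to any"]
WORKAROUND = ["deny ip4 from any to any not antispoof in",
              "allow ip from any to any"]
LOOPBACK_FIRST = ["allow ip from any to any via lo0"] + ORIGINAL

HOST_V6 = "2a02:180:1:2::de48:0"
# Assumption of the model: wget to the host's own global address produces a
# packet that ipfw sees inbound on lo0 with that global address as source.
LOCAL_V6 = Packet(HOST_V6, HOST_V6, "lo0")
REMOTE_V6 = Packet("2a02:180:1:2::1", HOST_V6, "re0")
SPOOFED_V6 = Packet("2a02:180:1:2::99", HOST_V6, "tun0")  # re0 prefix, wrong interface
SPOOFED_V4 = Packet("192.0.2.99", "192.0.2.10", "tun0")

if __name__ == "__main__":
    for name, rs in [("original", ORIGINAL), ("workaround", WORKAROUND),
                     ("loopback first", LOOPBACK_FIRST)]:
        for pname, p in [("local v6", LOCAL_V6), ("remote v6", REMOTE_V6),
                         ("spoofed v6", SPOOFED_V6), ("spoofed v4", SPOOFED_V4)]:
            print(f"{name:15} {pname:11} -> {evaluate(rs, p)}")
```

Run as is, the model reproduces the report: the original ruleset denies the local IPv6 connection (source in re0's prefix, received on lo0) while passing the remote one, and the ip4 workaround lets the local connection through. The table also shows what the workaround gives up: an IPv6 packet claiming a re0 source but arriving on another interface is no longer caught. Passing lo0 traffic before the antispoof rule keeps the local connection working without dropping IPv6 spoof checks, which is why the generic loopback pass comes first in rc.firewall.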