Date: Tue, 3 Jan 2006 01:27:46 +0100
From: Fredrik Lindberg <fli@shapeshifter.se>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/91245: [patch] ipfw(8) sometimes treat ipv6 input as ipv4
Message-ID: <20060103002733.790541A9D4@mx1.h3q.net>
Resent-Message-ID: <200601030030.k030U9TH085025@freefall.freebsd.org>
>Number: 91245
>Category: bin
>Synopsis: [patch] ipfw(8) sometimes treat ipv6 input as ipv4
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 03 00:30:08 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Fredrik Lindberg
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD genesis.int.shapeshifter.se 7.0-CURRENT FreeBSD 7.0-CURRENT #6: Tue Dec 6 22:01:51 CET 2005 root@genesis.int.shapeshifter.se:/usr/obj/usr/src/sys/GENESIS i386
>Description:
ipfw(8) fails to parse ipv6 input when given a netmask or list of ipv6 addresses. The input is then treated as ipv4 internally by ipfw(8).
>How-To-Repeat:
>Fix:
This occurs in add_src()/add_dst(). Because the ipfw commands which trigger this never explicitly state that it is ipv6 (allow tcp from), proto will never be set to IPPROTO_IPV6/IPPROTO_IP and the code will resort to the inet_pton() check, which is fine with a single ipv6-address but not with a netmask or a list.

This is the easiest possible fix. Treat input as ipv6 if there are at least two colon signs `:' in it. Another solution might be to extract the recognition logic from the fill_ip/fill_ip6 routines for use in add_src/add_dst, but that would require a lot more work.

--- ipfw2.c-20060102.patch begins here ---
Index: ipfw2.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.80 diff -u -r1.80 ipfw2.c --- ipfw2.c 29 Nov 2005 15:25:09 -0000 1.80 +++ ipfw2.c 2 Jan 2006 20:22:14 -0000 @@ -3703,7 +3703,8 @@ struct in6_addr a; if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || - inet_pton(AF_INET6, av, &a)) + inet_pton(AF_INET6, av, &a) || + strchr(av, ':') != strrchr(av, ':')) return add_srcip6(cmd, av); /* XXX: should check for IPv4, not !IPv6 */ if (proto == IPPROTO_IP || strcmp(av, "me") == 0 || 
@@ -3721,7 +3722,8 @@ struct in6_addr a; if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || - inet_pton(AF_INET6, av, &a)) + inet_pton(AF_INET6, av, &a) || + strchr(av, ':') != strrchr(av, ':')) return add_dstip6(cmd, av); /* XXX: should check for IPv4, not !IPv6 */ if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
--- ipfw2.c-20060102.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
>ipfw add allow tcp from 03f1::234:123:0342/24 to me
ipfw: hostname ``03f1'' unknown
>ipfw add allow tcp from 1234::234:123:1,03f1::234:123:2 to me
ipfw: bad netmask ``:234:123:1,03f1::234:123:2''
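
Review bot: In the first hunk (@@ -3703, the add_srcip6() path), the added `strchr(av, ':') != strrchr(av, ':')` test carries no comment, and a reader has to work out that it means "av contains at least two colons". Suggest a one-line comment above it saying so, and saying that it exists because inet_pton() rejects an argument that carries a netmask or a comma-separated list. The test also passes any argument with two colons, address or not, to add_srcip6(), so rejecting malformed input now rests entirely with that function, which is not shown here.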
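
Review bot: In the second hunk (@@ -3721, the add_dstip6() path), the condition is a verbatim copy of the one added in the first hunk, so the IPv6 test now has to be kept in sync in two places. Suggest moving the `proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || ...` expression into one small helper called from both paths. While there, compare the inet_pton() result against 1 instead of using it as a truth value, since inet_pton() returns -1 on error (unsupported address family) and that also counts as true.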
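
The following is an added example, not part of the report and not ipfw code. It runs the two failing arguments from the report through the pre-patch inet_pton() test, the patch's two-colon test, and a stricter per-element test; the function names and the last two sample arguments are assumptions made for illustration.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Pre-patch test: the whole argument must be one IPv6 address. */
static bool bare_pton(const char *av)
{
    struct in6_addr a;
    return inet_pton(AF_INET6, av, &a) == 1;
}

/* The patch's test: at least two ':' characters anywhere in av. */
static bool two_colons(const char *av)
{
    return strchr(av, ':') != strrchr(av, ':');
}

/* Hypothetical stricter test (not ipfw code): each comma-separated element,
 * minus an optional "/mask" suffix, must parse as an IPv6 address. */
static bool all_ipv6(const char *av)
{
    char buf[256], *elem, *next, *slash;
    struct in6_addr a;
    if (strlen(av) >= sizeof(buf))
        return false;
    strcpy(buf, av);
    for (elem = buf; elem != NULL; elem = next) {
        if ((next = strchr(elem, ',')) != NULL)
            *next++ = '\0';
        if ((slash = strchr(elem, '/')) != NULL)
            *slash = '\0';
        if (inet_pton(AF_INET6, elem, &a) != 1)
            return false;
    }
    return true;
}

int main(void)
{
    /* First two arguments are from the report; the last two are constructed. */
    const char *av[] = { "03f1::234:123:0342/24",
        "1234::234:123:1,03f1::234:123:2", "a:b:c", "192.0.2.0/24" };
    for (size_t i = 0; i < sizeof(av) / sizeof(av[0]); i++)
        printf("%-34s pton=%d colons=%d strict=%d\n", av[i],
            bare_pton(av[i]), two_colons(av[i]), all_ipv6(av[i]));
}
```

The constructed argument `a:b:c` passes the two-colon test without being an address, which is the case where the IPv6 parsing routine has to do the rejecting.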