From: Pekka Savola
To: freebsd-ipfw@freebsd.org
Date: Mon, 6 Aug 2007 11:53:21 +0300 (EEST)
Subject: bug in 'ipfw: pullup failed' w/ ipv6-nonxt ?

Hi,

Recently on FreeBSD-6.2 STABLE I've noticed over 100x increase of 'ipfw: pullup failed' messages. This coincides with me starting to run a Teredo relay which includes receiving pretty much arbitrary IPv6 packets from the network.

This appears to trigger a problem in sys/netinet/ip_fw2.c code with a packet like:

  11:35:48.327605 IP6 (hlim 255, next-header: unknown (59), length: 0) 2001:0:4136:xxxx:yyyy:zzzz:wwww:vvvv > fe80::fc31:b43b:679c:dcb9: no next header

now, the code in ip_fw2.c appears to be:

    case IPPROTO_NONE:      /* RFC 2460 */
            PULLUP_TO(hlen, ulp, struct ip6_ext);
            /* Packet ends here. if ip6e_len!=0 octets
             * must be ignored. */
            break;

.. but struct ip6_ext is at least 2 bytes long.

Am I reading the code correctly that it expects that even with IPPROTO_NONE, the IP header needs to include at least 2 bytes of content?

This would probably be a bug, and instead of printing "pullup failed" it shouldn't try to pull more than the base IPv6 header.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
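
Added example, not part of the original message and not FreeBSD's code: a userspace model of the header walk that runs the packet from the tcpdump line (40-byte base header, next header 59, length 0) through both behaviours discussed above. The names walk_ip6, pullup and make_nonxt_packet and the need_ext_for_none switch are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Userspace model written for this example; not the code in ip_fw2.c. */
#define IP6_HDR_LEN 40  /* fixed IPv6 base header */
#define IP6_EXT_MIN  2  /* next-header + length octets, as in struct ip6_ext */
#define NH_HOPOPTS   0
#define NH_ROUTING  43
#define NH_NONE     59  /* RFC 2460 "No Next Header" */
#define NH_DSTOPTS  60
enum walk_result { WALK_OK = 0, WALK_PULLUP_FAILED = -1 };

/* Stand-in for PULLUP_TO: true only if `need` octets exist at offset `off`. */
static int pullup(size_t len, size_t off, size_t need) { return off <= len && need <= len - off; }

/* Walk the header chain of buf[0..len). need_ext_for_none = 1 models the behaviour
 * described in the post; 0 ends the walk at next header 59 without reading further. */
int walk_ip6(const uint8_t *buf, size_t len, int need_ext_for_none, uint8_t *final_nh)
{
    size_t off = IP6_HDR_LEN;
    uint8_t nh;
    if (!pullup(len, 0, IP6_HDR_LEN))
        return WALK_PULLUP_FAILED;
    nh = buf[6];                       /* Next Header field of the base header */
    for (;;) {
        *final_nh = nh;
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (!pullup(len, off, IP6_EXT_MIN))
                return WALK_PULLUP_FAILED;
            nh = buf[off];
            off += ((size_t)buf[off + 1] + 1) * 8;  /* length is in 8-octet units */
            break;
        case NH_NONE:
            if (need_ext_for_none && !pullup(len, off, IP6_EXT_MIN))
                return WALK_PULLUP_FAILED;
            return WALK_OK;            /* chain ends; any trailing octets are ignored */
        default:
            return WALK_OK;            /* upper-layer protocol, not parsed here */
        }
    }
}

/* Constructed sample: base header only, payload length 0, next header 59. */
size_t make_nonxt_packet(uint8_t *buf)
{
    memset(buf, 0, IP6_HDR_LEN);
    buf[0] = 0x60; buf[6] = NH_NONE; buf[7] = 255;  /* version 6, nonxt, hlim 255 */
    return IP6_HDR_LEN;
}
```

With need_ext_for_none set to 1 the sample packet fails the pullup even though it is well formed; with 0 it is accepted, while a truncated extension header is still rejected.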