From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 6 11:07:04 2012
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 6 Feb 2012 11:07:03 GMT
Message-Id: <201202061107.q16B73UG007841@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
List-Id: IPFW Technical Discussions

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/164690  ipfw       [ipfw] Request for ipv6 support in ipfw tables
o kern/163873  ipfw       [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

42 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 9 20:33:15 2012
From: Freek Dijkstra <public@macfreek.nl>
To: freebsd-ipfw@freebsd.org
Date: Thu, 09 Feb 2012 21:33:11 +0100
Message-ID: <4F342D87.5060208@macfreek.nl>
Subject: IPv6 fragments

Hi all,

I'm having trouble configuring ipfw to handle fragmented IPv6 packets.

To be honest, I thought that IPv6 would not fragment packets, but as you
see below, I'm receiving fragmented IPv6 UDP packets over my SixXS
tunnel. In this case responses to my DNS server.

My initial idea was to reassemble these packets with:

  sysctl net.inet.ip.fw.one_pass=0
  ipfw add 100 reass ipv6 from any to any in

While reass works for IPv4, it is broken in IPv6. It bricked my device...
I presume this is the same problem as reported earlier on this list:
http://lists.freebsd.org/pipermail/freebsd-ipfw/2011-October/004918.html
(I'm running FreeBSD 9.0-RELEASE).

My second idea was to simply allow all fragments, and let the TCP stack
figure it out.
I used the following ruleset:

  ipfw add 1020 count log ipv6 from any to me recv tun0 frag
  ipfw add 1030 deny log ipv6 from any to me recv tun0

Unfortunately, this still fails. Below is output of tcpdump and the ipfw
log. As you can see rule 1020 is never matched.

Did I make a mistake in the above settings? Why is rule 1020 never matched?

Is there a bug report available for the reassembly bug, so I can track it?
If not, where can I report it (presuming it is a bug of course)?

Is there another way to handle/allow IPv6 fragments with ipfw (other than
'allow ipv6 from any to any')? I briefly tinkered with the possibility to
let ipfw also reply with an ICMPv6:2.0 (Packet Too Big) upon receiving a
fragment, but (a) I haven't figured out how to do that and (b) I'd rather
follow the principle 'be liberal in what you accept'.

Any help is highly appreciated!

Regards,
Freek Dijkstra

-
16:24:03.352680 IP6 2001:610:767:a3e6::1.51846 > 2001:500:2c::254.53: 54564% [1au] AAAA? ns-ext.isc.org. (43)
16:24:03.381763 IP6 2001:500:2c::254 > 2001:610:767:a3e6::1: frag (1448|198)
16:24:03: ipfw: 1030 Deny UDP [2001:500:2c::254] [2001:610:767:a3e6::1] in via tun0 (frag 02233bd1:158@11584)
-
16:24:03.520675 IP6 2001:500:71::30 > 2001:610:767:a3e6::1: frag (0|1232) 53 > 63213: 55996*- 2/5/13 AAAA 2001:4f8:0:2::13, RRSIG (1224)
16:24:03.521271 IP6 2001:500:71::30 > 2001:610:767:a3e6::1: frag (1232|414)
16:24:03: ipfw: 1030 Deny UDP [2001:500:71::30] [2001:610:767:a3e6::1] in via tun0 (frag 0aff76e2:374@9856)
-
16:25:52.678106 IP6 2001:610:767:a3e6::1.46950 > 2001:4f8:0:2::19.53: 23941% [1au] AAAA? lists.isc.org. (42)
16:25:52.852379 IP6 2001:4f8:0:2::19 > 2001:610:767:a3e6::1: frag (1232|413)
16:25:52.853875 IP6 2001:4f8:0:2::19 > 2001:610:767:a3e6::1: frag (0|1232) 53 > 46950: 23941*- 2/5/13 AAAA 2001:4f8:0:2::23, RRSIG (1224)
16:25:52: ipfw: 1030 Deny UDP [2001:4f8:0:2::19] [2001:610:767:a3e6::1] in via tun0 (frag 088c183c:373@9856)
16:25:53.055634 IP6 2001:610:767:a3e6::1.43975 > 2001:4f8:0:2::19.53: 4754% [1au] AAAA? lists.isc.org. (42)
16:25:53.232676 IP6 2001:4f8:0:2::19.53 > 2001:610:767:a3e6::1.43975: 4754*- 2/5/10 AAAA 2001:4f8:0:2::23, RRSIG (1136)
16:26:52.829419 IP6 2001:610:767:a3e6::1 > 2001:4f8:0:2::19: ICMP6, time exceeded in-transit (reassembly), length 1240
-

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 9 21:44:03 2012
From: Freek Dijkstra <public@macfreek.nl>
To: freebsd-ipfw@freebsd.org
Date: Thu, 09 Feb 2012 22:43:58 +0100
Message-ID: <4F343E1E.3010702@macfreek.nl>
In-Reply-To: <4F342D87.5060208@macfreek.nl>
Subject: Re: IPv6 fragments

I wrote:
> I'm having trouble configuring ipfw to handle fragmented IPv6 packets.
[...]
> My second idea was to simply allow all fragments, and let the TCP stack
> figure it out. I used the following ruleset:
> ipfw add 1020 count log ipv6 from any to me recv tun0 frag
> ipfw add 1030 deny log ipv6 from any to me recv tun0
>
> Unfortunately, this still fails. Below is output of tcpdump and the ipfw
> log. As you can see rule 1020 is never matched.
>
> Why is rule 1020 never matched?

Oh bugger, it seems the problem was between keyboard and chair. I tested
this on a production machine, and moved some rule numbers. Forgot that I
had a skipto rule somewhere and did not update that rule number...

Anyway, I'm still interested to hear how others handle fragmented IPv6
traffic (off-topic: any pointers to why it is fragmented are appreciated
too). In particular, I'm still interested in these answers:

> Is there a bug report available for the reassembly bug, so I can track it?
> If not, where can I report it (presuming it is a bug of course)?

Regards,
Freek Dijkstra
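Editor's addendum, not part of the thread and not Freek's or FreeBSD's code: the two messages above turn on what a stateless filter can see in an IPv6 fragment, so here is a small parser that walks the IPv6 extension-header chain, pulls the Fragment header's identification, offset and M flag, and reports whether an ipfw(8) `frag` option (which the manual describes as matching fragments other than the first) would match and whether any UDP ports are visible. The packets are constructed here, modelled on the 16:24:03 exchange (the first fragment is invented to complete that datagram; the thread shows only its last fragment), and the "(frag id:len@offset)" rendering uses arithmetic inferred from the tcpdump/ipfw pairs on this page (206 - 48 = 158, 8 x 1448 = 11584), not from ipfw's source.

```python
"""Classify IPv6 fragments the way a stateless packet filter sees them.

Constructed samples only: the packets below are built in this file, modelled on
the 16:24:03 exchange in the thread above; nothing here was captured.
"""
import struct
from ipaddress import IPv6Address

IPPROTO_HOPOPTS, IPPROTO_UDP, IPPROTO_ROUTING = 0, 17, 43
IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 44, 60
# Extension headers that carry a length byte (8-octet units, not counting the first 8).
EXT_WITH_LENGTH = (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS)


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Fixed 40-byte IPv6 header (RFC 2460 section 3) followed by payload."""
    base = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return base + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def build_fragment_header(next_header, offset_bytes, more, ident):
    """8-byte Fragment header (RFC 2460 section 4.5): offset in 8-octet units, M flag in bit 0."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    offlg = ((offset_bytes // 8) << 3) | (1 if more else 0)
    return struct.pack("!BBHI", next_header, 0, offlg, ident)


def build_udp(sport, dport, data):
    """UDP header; checksum left at zero because these samples are never sent."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv6(pkt):
    """Walk the extension-header chain and report what a filter can see.

    Stops at a non-first fragment: the bytes after its Fragment header are the
    middle of the upper-layer payload, so there are no port numbers to match on.
    """
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nxt = struct.unpack("!HB", pkt[4:7])
    info = {"src": str(IPv6Address(pkt[8:24])), "dst": str(IPv6Address(pkt[24:40])),
            "plen": plen, "proto": None, "frag": None, "sport": None, "dport": None}
    off = 40
    while True:
        if nxt == IPPROTO_FRAGMENT:
            nh, _, offlg, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            info["frag"] = {"id": ident, "offset": (offlg >> 3) * 8, "more": bool(offlg & 1)}
            off += 8
            nxt = nh
            if info["frag"]["offset"] != 0:
                break                       # non-first fragment: no L4 header follows
            continue
        if nxt in EXT_WITH_LENGTH:
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
            nxt = nh
            continue
        break
    info["proto"] = nxt
    info["hlen"] = off                      # total header bytes, base header included
    first_or_whole = info["frag"] is None or info["frag"]["offset"] == 0
    if nxt == IPPROTO_UDP and first_or_whole and off + 8 <= len(pkt):
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[off:off + 4])
    return info


def ipfw_frag_matches(info):
    """ipfw(8) 'frag' option: a fragment that is not the first fragment of the datagram."""
    return info["frag"] is not None and info["frag"]["offset"] != 0


def ipfw_frag_suffix(info):
    """Render '(frag id:len@offset)' with the arithmetic that reproduces the thread's
    tcpdump/ipfw pairs: len = payload length minus all headers (206 - 48 = 158), and
    the offset is printed as eight times the byte offset (8 * 1448 = 11584). This is
    inferred from the numbers on the page, not taken from ipfw's source."""
    f = info["frag"]
    return "(frag %08x:%d@%d)" % (f["id"], info["plen"] - info["hlen"], f["offset"] << 3)


def classify(pkt):
    info = parse_ipv6(pkt)
    return {"frag_rule_matches": ipfw_frag_matches(info),
            "ports_visible": info["sport"] is not None,
            "log_suffix": ipfw_frag_suffix(info) if info["frag"] else ""}


# Constructed samples. The first fragment is not shown in the thread; it is invented
# here to complete the datagram whose last fragment rule 1030 denied at 16:24:03.
SRC, DST, FRAG_ID = "2001:500:2c::254", "2001:610:767:a3e6::1", 0x02233bd1
FIRST_FRAG = build_ipv6(SRC, DST, IPPROTO_FRAGMENT,
                        build_fragment_header(IPPROTO_UDP, 0, True, FRAG_ID)
                        + build_udp(53, 51846, b"A" * 1440))
LAST_FRAG = build_ipv6(SRC, DST, IPPROTO_FRAGMENT,
                       build_fragment_header(IPPROTO_UDP, 1448, False, FRAG_ID) + b"B" * 198)
WHOLE = build_ipv6(SRC, DST, IPPROTO_UDP, build_udp(53, 51846, b"C" * 100))

if __name__ == "__main__":
    for name, pkt in (("first fragment", FIRST_FRAG), ("last fragment", LAST_FRAG),
                      ("unfragmented", WHOLE)):
        print("%-15s %s" % (name, classify(pkt)))
```

Running it shows why a port-based `allow udp from any 53 to me` never sees the second fragment of a large DNS answer: only the first fragment carries the UDP header, the rest carry just the Fragment header and a slice of payload, so either `frag` (as in rule 1020) or reassembly has to handle them. The `classify` result for the constructed last fragment renders exactly the `(frag 02233bd1:158@11584)` suffix logged by rule 1030 above.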