From owner-svn-src-head@freebsd.org Wed Mar 11 07:14:03 2020
Date: Wed, 11 Mar 2020 08:13:51 +0100
From: "O. Hartmann" <o.hartmann@walstatt.org>
To: "Alexander V. Chernikov"
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r358858 - head/sbin/ipfw
Message-ID: <20200311081346.0e78d715@freyja>
In-Reply-To: <202003102030.02AKUL0q031391@repo.freebsd.org>
References: <202003102030.02AKUL0q031391@repo.freebsd.org>

On Tue, 10 Mar 2020 20:30:21 +0000 (UTC)
"Alexander V. Chernikov" wrote:

> Author: melifaro
> Date: Tue Mar 10 20:30:21 2020
> New Revision: 358858
> URL: https://svnweb.freebsd.org/changeset/base/358858
>
> Log:
>   Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
> > Submitted by: Neel Chauhan > MFC after: 2 weeks > Differential Revision: https://reviews.freebsd.org/D21812 > > Modified: > head/sbin/ipfw/ipfw2.c > > Modified: head/sbin/ipfw/ipfw2.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > --- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020 (r358857) > +++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020 (r358858) > @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, = int cb > if (proto =3D=3D IPPROTO_IPV6 || strcmp(av, "me6") =3D=3D 0 || > inet_pton(AF_INET6, host, &a) =3D=3D 1) > ret =3D add_srcip6(cmd, av, cblen, tstate); > - /* XXX: should check for IPv4, not !IPv6 */ > - if (ret =3D=3D NULL && (proto =3D=3D IPPROTO_IP || strcmp(av, "me") = =3D=3D 0 || > - inet_pton(AF_INET6, host, &a) !=3D 1)) > + else if (proto =3D=3D IPPROTO_IP || strcmp(av, "me") =3D=3D 0 || > + inet_pton(AF_INET, host, &a) =3D=3D 1) > ret =3D add_srcip(cmd, av, cblen, tstate); > - if (ret =3D=3D NULL && strcmp(av, "any") !=3D 0) > + else if (ret =3D=3D NULL && strcmp(av, "any") !=3D 0) > ret =3D cmd; > > return ret; 
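Review bot: the rewritten IPv4 branch in add_src() is now taken only when proto is IPPROTO_IP, av is "me", or inet_pton(AF_INET, host, &a) accepts a numeric address, so the keyword "any" no longer reaches add_srcip() for any protocol other than ip, and the trailing `else if (ret == NULL && strcmp(av, "any") != 0)` excludes it as well; ret stays NULL and the caller reports "bad source address any", which is exactly the failure the follow-up in this thread shows. Suggest accepting the keyword explicitly in the IPv4 branch, e.g. `else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 || strcmp(av, "any") == 0 || inet_pton(AF_INET, host, &a) == 1)`, or keeping add_srcip() as the fall-through for every token that is not an IPv6 literal so that the old "any" handling inside it is preserved. The add_dst() hunk below has the identical shape and needs the same treatment.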
> @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, = int cb > if (proto =3D=3D IPPROTO_IPV6 || strcmp(av, "me6") =3D=3D 0 || > inet_pton(AF_INET6, host, &a) =3D=3D 1) > ret =3D add_dstip6(cmd, av, cblen, tstate); > - /* XXX: should check for IPv4, not !IPv6 */ > - if (ret =3D=3D NULL && (proto =3D=3D IPPROTO_IP || strcmp(av, "me") = =3D=3D 0 || > - inet_pton(AF_INET6, host, &a) !=3D 1)) > + else if (proto =3D=3D IPPROTO_IP || strcmp(av, "me") =3D=3D 0 || > + inet_pton(AF_INET, host, &a) =3D=3D 1) > ret =3D add_dstip(cmd, av, cblen, tstate); > - if (ret =3D=3D NULL && strcmp(av, "any") !=3D 0) > + else if (ret =3D=3D NULL && strcmp(av, "any") !=3D 0) > ret =3D cmd; > > return ret;

This seems to trigger some issues in CURRENT's ipfw script handling rules. On all CURRENT boxes running

> FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 amd64

the boxes aren't accessible via net due to errors occurring when loading ipfw rules:

[/etc/rc.conf]
firewall_type="WORKSTATION"
firewall_myservices="22/tcp 80/tcp 443/tcp"             # List of TCP ports on which this host
                                                        # offers services for "workstation" firewall.
firewall_allowservices="192.168.0.0/24 fd11:43:2::/64"  # List of IPs which have access to
                                                        # $firewall_myservices for "workstation"
                                                        # firewall.
firewall_trusted=""                                     # List of IPs which have full access to this
                                                        # host for "workstation" firewall.
[...]

# service ipfw restart
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
ipfw: bad source address any
ipfw: bad source address any
00000 check-state :default
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
ipfw: bad source address any
ipfw: bad source address any
01100 allow udp from fe80::/10 to me 546 in
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
[...]

The problem also occurs if firewall_allowservices="any" is set in /etc/rc.conf.
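Added here as an illustration, not code from the commit or from ipfw: a C model of only the dispatch conditions shown in the two hunks, selectable before/after the change, fed the tokens that appear in the rc.conf above. The `first_host` trimming and the non-NULL stand-ins for add_srcip()/add_srcip6() are assumptions.

```c
/* Added example, not ipfw's code: models only the address-family dispatch
 * visible in the r358858 hunks of add_src()/add_dst(), before and after
 * the change, to show which tokens still reach the IPv4 handler.
 * add_srcip()/add_srcip6() are stand-ins (return codes); that the real ones
 * never return NULL is an assumption made here. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

enum handler { H_NONE, H_IP4, H_IP6, H_PASSTHRU };

/* Assumed from the `host` variable in the hunk: inet_pton() sees the text
 * before the first '/' or ',', so "192.168.0.0/24" tests as "192.168.0.0". */
static void first_host(const char *av, char *buf, size_t len)
{
	size_t n = strcspn(av, "/,");

	if (n >= len)
		n = len - 1;
	memcpy(buf, av, n);
	buf[n] = '\0';
}

/* r358858 != 0 selects the post-commit condition; the rest is shared. */
static enum handler dispatch(const char *av, unsigned char proto, int r358858)
{
	struct in6_addr a;
	char host[INET6_ADDRSTRLEN];
	int ip4;

	first_host(av, host, sizeof(host));
	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, &a) == 1)
		return H_IP6;
	/* The changed test: "not an IPv6 literal" became "is an IPv4 literal",
	 * so the keyword "any" (not numeric) no longer qualifies. */
	ip4 = r358858 ? inet_pton(AF_INET, host, &a) == 1
		      : inet_pton(AF_INET6, host, &a) != 1;
	if (proto == IPPROTO_IP || strcmp(av, "me") == 0 || ip4)
		return H_IP4;
	/* "any" is excluded here too, so ret stays NULL and the caller
	 * reports "bad source address any". */
	return strcmp(av, "any") != 0 ? H_PASSTHRU : H_NONE;
}
```

With proto udp, "any" lands on the IPv4 handler before the commit and on no handler after it, while "allow ip from any to any" still loads because proto == IPPROTO_IP short-circuits the test.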