Date: Mon, 27 Jul 2009 19:02:09 +0200 From: Raffaele De Lorenzo <raffaele.delorenzo@libero.it> To: Willem Jan Withagen <wjw@digiware.nl> Cc: freebsd-ipfw@freebsd.org, net@freebsd.org Subject: Re: R: IPv6 and ipfw Message-ID: <11956F97-0C87-456F-A769-70BEDBA351BE@libero.it> In-Reply-To: <4A672C79.3000006@digiware.nl> References: <3164304.442981248256119643.JavaMail.defaultUser@defaultHost> <4A672C79.3000006@digiware.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
--Apple-Mail-18--176010067 Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Hi all, I attached a patch that solve this problem. I will send a PR as soon as possible. Instructions: Patch the follow files: /usr/src/sbin/ipfw/ipfw2.c (patch is ipfw2.c.diff) /usr/src/sbin/ipfw/ipfw2.h (patch is ipfw2.h.diff) /usr/src/sbin/ipfw/ipv6.c (patch is ipv6.c.diff) This patch was tested on FreeBSD 8 Beta 2 AMD64 and official FreeBSD 8 BETA 2 Sources. Let me know any suggestion or problem. Regards Raffaele On Jul 22, 2009, at 5:12 PM, Willem Jan Withagen wrote: > Reply below, and an also reorganised the yours... > raffaele.delorenzo@libero.it wrote: >>> Hi, >>> >>> Running 7.2 I tried to insert >> this into my IPFW rules >>> # ipfw add allow udp from any to 2001:xxx:3:: --Apple-Mail-18--176010067 Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit >> 113,2001:xxxx:3::116 \ >>> dst-port 10001-10100 keep-state >>> ipfw: bad netmask >> ``xxxx:3::113'' >>> also: >>> # ipfw add allow udp from any to trixbox.ip6 dst-port >> 10001-10100 keep-state >>> ipfw: hostname ``trixbox.ip6'' unknown >>> Exit 68 >>> # host >> trixbox.ip6 >>> trixbox.ip6.digiware.nl has IPv6 address 2001:4cb8:3::116 >>> >>> So it >> looks like what is in the manual is overly optimistic: >>> ---- >>> addr6-list: >> ip6-addr[,addr6-list] >>> ip6-addr: >>> A host or subnet >> specified one of the following ways: >>> numeric-ip | hostname >>> Matches a single IPv6 address as allowed by >>> inet_pton(3) >>> or a hostname. Hostnames are resolved at the >>> time the >>> rule is added to the firewall list. >>> >>> >> addr/masklen >>> Matches all IPv6 addresses with base addr >> (specified as >>> allowed by inet_pton or a hostname) and >> mask width of >>> masklen bits. >>> >>> No support >> for sets of IPv6 addresses is provided because IPv6 >>> addresses >> are typically random past the initial prefix. >>> ---- >>> >>> Anybody else ran into >> this? >>> Or should I file this as a PR. > > > Hi all, > > You has found a parser bug. > > When the protocol is "ipv6" and you are a > > comma separated ipv6 addresses, the parser work fine because the > "add_srcip6" > > function is called and recognize all addresses. > > When the protocol is "!=ipv6" > > (like TCP,UDP,ICMP6) the "add_src" fuction is called and it cause > troubles > > because the "inet_pton()" fails and erroneously is called the > "add_srcip" > > function (see the code below). > > > > (from "ipfw2.c") > > add_src(ipfw_insn *cmd, char > > *av, u_char proto) > > { > > struct in6_addr a; > > char *host, *ch; > > ipfw_insn *ret = > > NULL; > > > > if ((host = strdup(av)) == NULL) > > return NULL; > > if ((ch = strrchr > > (host, '/')) != NULL) > > *ch = '\0'; > > > > if (proto == IPPROTO_IPV6 || strcmp(av, > > "me6") == 0 || > > inet_pton(AF_INET6, host, &a)) > > ret = add_srcip6(cmd, av); > > > > /* XXX: should check for IPv4, not !IPv6 */ > > if (ret == NULL && (proto == > > IPPROTO_IP || strcmp(av, "me") == 0 || > > !inet_pton(AF_INET6, host, &a))) > > > > ret = add_srcip(cmd, av); > > if (ret == NULL && strcmp(av, "any") != 0) > > ret = > > cmd; > > > > free(host); > > return ret; > > } > > > > I think that possibles solutions are the > > follows: > > > > 1) Create a new protocols types UPD6,TCP6 only for IPv6 rules to > > avoid parser confusions, and check about this protocol inside the > "add_src" > > fuction (easy to implement). > > 2) Check the comma separated ip/ipv6 addresses > > inside the "add_src" function (a little too hard to implement). > > > > I appreciate > > suggestions from the community experts about this problem. > > I would prefer not to make seperate tcp6 and udp6 items, since what > i would like to do is things like: > > hostlist="a.b.c.d,A:B:C:D::F" > > and then in the firewall something like > ipfw add allow tcp from any to ${hostlist} dst-port 80 setup > > and if tcp now goes into tcp and tcp6 I need to double my rules etc. > > Which raises one other point: > using a FQDN with more A and AAAA records also just inserts the > first reply in the list. > Now I don't use FQDN since most of the time in the Firewall DNS > is not quite up yet. > > --WjW > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw- > unsubscribe@freebsd.org" --Apple-Mail-18--176010067--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?11956F97-0C87-456F-A769-70BEDBA351BE>