Date: Wed, 23 Jun 2010 16:29:00 +0200 (CEST)
From: Stefan `Sec` Zehl <sec@42.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/148091: ipfw ipv6 handling broken.
Message-ID: <20100623142900.1214428434@ice.42.org>
Resent-Message-ID: <201006231430.o5NEU9Ei016378@freefall.freebsd.org>
>Number:         148091
>Category:       kern
>Synopsis:       ipfw ipv6 handling broken.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 23 14:30:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Stefan `Sec` Zehl
>Release:        FreeBSD 8.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD ice 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #13: Thu Jun 10 09:13:34 CEST 2010 root@ice:/usr/obj/usr/src/sys/ICE amd64
>Description:
ipfw recently changed the meaning of "ME" to also match ipv6 addresses. This is not only a POLA violation but breaks ipv6 when queues are involved.

I have the following rule in effect:

| 03010 queue 1 tcp from me 40000-40099,20,80 to any // Bandwidth: max 5 per-IP

with a corresponding pipe/queue setup:

| ipfw pipe 1 config bw 5KByte/s noerror
| ipfw queue 1 config mask dst-ip 0xffffffff pipe 1

This rule now matches ipv6 traffic, but apparently the queue code can't handle ipv6:

Without ipfw:

| telnet -6 MY.IP 80

tcpdump shows a (correct) RST:

16:18:08.526171 IP6 2001::srchost.57434 > 2001::dsthost.80: Flags [S], seq 1763366169, win 5760, options [mss 1440,sackOK,TS val 5910142 ecr 0,nop,wscale 7], length 0
16:18:08.526249 IP6 2001::dsthost.80 > 2001::srchost.57434: Flags [R.], seq 0, ack 1763366170, win 0, length 0

With the rule above, a broken packet is created. The tcpdump looks like this:

16:18:25.328411 IP6 2001::srchost.57435 > 2001::dsthost.80: Flags [S], seq 1383793472, win 5760, options [mss 1440,sackOK,TS val 5914343 ecr 0,nop,wscale 7], length 0
16:18:25.328485 IP6 2001::dsthost > 2001::srchost: ip-proto-64 20

Additionally, I found no obvious way to restrict the rule back to TCP/v4 only -- there is a "me6" keyword, but no "me4" keyword. Obvious attempts like "ipv4 tcp from me ..." or "tcp from ipv4 me ..." or similar don't work either.
>How-To-Repeat:
>Fix:
One or more of the following options:

a) Revert the change to "ME" back to ipv4 so as not to violate POLA.
b) Fix "queue" in ipfw so as not to break when fed ipv6 packets.
c) Add a way to filter for v4/tcp.
d) Add a BIG warning somewhere.
>Release-Note:
>Audit-Trail:
>Unformatted:
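To check a capture for the symptom this report describes (an IPv6 TCP SYN answered by a packet tcpdump can only decode as "ip-proto-N" instead of a SYN-ACK or RST), here is an added Python example that is not part of the report or of ipfw; the sample lines are constructed after the tcpdump output quoted above, and the host names are the reporter's own placeholders.

```python
import re

# Constructed sample, modelled on the tcpdump lines quoted in the bug report:
# a SYN answered by a RST (healthy), then a SYN answered by "ip-proto-64".
SAMPLE_TCPDUMP = """\
16:18:08.526171 IP6 2001::srchost.57434 > 2001::dsthost.80: Flags [S], seq 1763366169, win 5760, options [mss 1440,sackOK,TS val 5910142 ecr 0,nop,wscale 7], length 0
16:18:08.526249 IP6 2001::dsthost.80 > 2001::srchost.57434: Flags [R.], seq 0, ack 1763366170, win 0, length 0
16:18:25.328411 IP6 2001::srchost.57435 > 2001::dsthost.80: Flags [S], seq 1383793472, win 5760, options [mss 1440,sackOK,TS val 5914343 ecr 0,nop,wscale 7], length 0
16:18:25.328485 IP6 2001::dsthost > 2001::srchost: ip-proto-64 20
"""

# A decoded TCP line: "host.port > host.port: Flags [...]".
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# A packet tcpdump cannot decode: "host > host: ip-proto-N length".
RAW_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ip-proto-(?P<proto>\d+)"
)


def find_mangled_replies(capture):
    """Return IPv6 SYNs whose reply came back as an undecodable IP protocol."""
    # Only host pairs are tracked: the mangled reply carries no visible ports,
    # so one unanswered SYN per (client, server) pair is remembered at a time.
    pending = {}
    findings = []
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m:
            if m["flags"] == "S":
                pending[(m["src"], m["dst"])] = m["ts"]     # pure SYN, await reply
            else:
                pending.pop((m["dst"], m["src"]), None)     # SYN-ACK/RST answers it
            continue
        m = RAW_RE.match(line)
        if m and (m["dst"], m["src"]) in pending:
            findings.append({
                "syn_ts": pending.pop((m["dst"], m["src"])),
                "reply_ts": m["ts"],
                "client": m["dst"],
                "server": m["src"],
                "proto": int(m["proto"]),
            })
    return findings
```

Run it over `tcpdump -n ip6` output before and after enabling the queue rule: a non-empty result means the firewall is rewriting IPv6 replies the way the report shows.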