From owner-freebsd-bugs@FreeBSD.ORG Wed Jun 23 14:30:10 2010
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2A840106566B
	for ; Wed, 23 Jun 2010 14:30:10 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 0C5FF8FC0A
	for ; Wed, 23 Jun 2010 14:30:10 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o5NEU9nB016384
	for ; Wed, 23 Jun 2010 14:30:09 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o5NEU9Ei016378;
	Wed, 23 Jun 2010 14:30:09 GMT
	(envelope-from gnats)
Resent-Date: Wed, 23 Jun 2010 14:30:09 GMT
Resent-Message-Id: <201006231430.o5NEU9Ei016378@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Stefan `Sec` Zehl
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E0B66106566C
	for ; Wed, 23 Jun 2010 14:29:01 +0000 (UTC)
	(envelope-from sec@42.org)
Received: from ice.42.org (v6.42.org [IPv6:2001:608:9::1])
	by mx1.freebsd.org (Postfix) with ESMTP id 9B8468FC22
	for ; Wed, 23 Jun 2010 14:29:01 +0000 (UTC)
Received: by ice.42.org (Postfix, from userid 1000)
	id 1214428434; Wed, 23 Jun 2010 16:29:00 +0200 (CEST)
Message-Id: <20100623142900.1214428434@ice.42.org>
Date: Wed, 23 Jun 2010 16:29:00 +0200 (CEST)
From: Stefan `Sec` Zehl
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: kern/148091: ipfw ipv6 handling broken.
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Stefan `Sec` Zehl
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jun 2010 14:30:10 -0000

>Number: 148091
>Category: kern
>Synopsis: ipfw ipv6 handling broken.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jun 23 14:30:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Stefan `Sec` Zehl
>Release: FreeBSD 8.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD ice 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #13: Thu Jun 10 09:13:34 CEST 2010 root@ice:/usr/obj/usr/src/sys/ICE amd64
>Description:
ipfw recently changed the meaning of "ME" to also match ipv6 addresses.
This is not only a POLA violation but breaks ipv6 when queues are involved.

I have the following rule in effect:
| 03010 queue 1 tcp from me 40000-40099,20,80 to any // Bandwidth: max 5 per-IP

with a corresponding pipe/queue setup:
| ipfw pipe 1 config bw 5KByte/s noerror
| ipfw queue 1 config mask dst-ip 0xffffffff pipe 1

This rule now matches ipv6 traffic, but apparently the queue code can't
handle ipv6:

Without ipfw:
| telnet -6 MY.IP 80
tcpdump shows a (correct) RST
16:18:08.526171 IP6 2001::srchost.57434 > 2001::dsthost.80: Flags [S], seq 1763366169, win 5760, options [mss 1440,sackOK,TS val 5910142 ecr 0,nop,wscale 7], length 0
16:18:08.526249 IP6 2001::dsthost.80 > 2001::srchost.57434: Flags [R.], seq 0, ack 1763366170, win 0, length 0

With that rule above, a broken packet is created.
The tcpdump looks like this:
16:18:25.328411 IP6 2001::srchost.57435 > 2001::dsthost.80: Flags [S], seq 1383793472, win 5760, options [mss 1440,sackOK,TS val 5914343 ecr 0,nop,wscale 7], length 0
16:18:25.328485 IP6 2001::dsthost > 2001::srchost: ip-proto-64 20

Additionally I found no obvious way to restrict the rule back to TCP/v4
only -- There is a "me6" keyword, but no "me4" keyword. Obvious attempts
like "ipv4 tcp from me ..." or "tcp from ipv4 me ..." or similar don't work
either.
>How-To-Repeat:
>Fix:
One or more of the following options:
a) Revert the change to "ME" back to ipv4 as to not violate POLA.
b) Fix "queue" in ipfw as to not break when fed ipv6 packets.
c) Add a way to filter for v4/tcp
d) Add a BIG warning somewhere.
>Release-Note:
>Audit-Trail:
>Unformatted:
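
Added example, not part of the original report: a small Python check that scans tcpdump text output for the symptom described above, an IPv6 SYN answered by a packet whose protocol tcpdump can only print as "ip-proto-N". The function name and result fields are this example's own; the input is the four capture lines quoted in the report.

```python
import re

# The four tcpdump lines quoted in the report (hosts already anonymised there).
CAPTURE = """\
16:18:08.526171 IP6 2001::srchost.57434 > 2001::dsthost.80: Flags [S], seq 1763366169, win 5760, options [mss 1440,sackOK,TS val 5910142 ecr 0,nop,wscale 7], length 0
16:18:08.526249 IP6 2001::dsthost.80 > 2001::srchost.57434: Flags [R.], seq 0, ack 1763366170, win 0, length 0
16:18:25.328411 IP6 2001::srchost.57435 > 2001::dsthost.80: Flags [S], seq 1383793472, win 5760, options [mss 1440,sackOK,TS val 5914343 ecr 0,nop,wscale 7], length 0
16:18:25.328485 IP6 2001::dsthost > 2001::srchost: ip-proto-64 20
"""

# A TCP line carries host.port on both sides; the broken reply has no ports.
TCP_RE = re.compile(r"^(\S+) IP6 (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
RAW_RE = re.compile(r"^(\S+) IP6 (\S+) > (\S+): ip-proto-(\d+) (\d+)\s*$")


def find_mangled_replies(capture):
    """Return one finding per IPv6 SYN that was answered by a non-TCP packet."""
    pending = {}   # (client, server) -> list of still unanswered SYNs
    findings = []
    for line in capture.splitlines():
        tcp = TCP_RE.match(line)
        if tcp:
            ts, src, sport, dst, dport, flags = tcp.groups()
            if flags == "S":  # bare SYN opens a connection attempt
                pending.setdefault((src, dst), []).append((ts, int(sport), int(dport)))
            else:  # a TCP segment in the reverse direction answers the matching SYN
                syns = pending.get((dst, src), [])
                syns[:] = [s for s in syns if (s[1], s[2]) != (int(dport), int(sport))]
            continue
        raw = RAW_RE.match(line)
        if raw:
            ts, src, dst, proto, length = raw.groups()
            syns = pending.get((dst, src), [])
            if syns:  # server sent an unnamed protocol while a SYN was still open
                syn_ts, sport, dport = syns.pop(0)
                findings.append({"syn_time": syn_ts, "syn_port": sport, "dst_port": dport,
                                 "reply_time": ts, "proto": int(proto), "length": int(length)})
    return findings


if __name__ == "__main__":
    for f in find_mangled_replies(CAPTURE):
        print("SYN from port %(syn_port)d at %(syn_time)s answered by "
              "ip-proto-%(proto)d (%(length)d) at %(reply_time)s" % f)
```

On the report's capture it flags only the second connection attempt; the first, answered by a normal RST, is not reported.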