Date:      Wed, 22 Jul 2009 17:12:57 +0200
From:      Willem Jan Withagen <wjw@digiware.nl>
To:        "raffaele.delorenzo@libero.it" <raffaele.delorenzo@libero.it>
Cc:        freebsd-ipfw@freebsd.org, rizzo@icir.org, net@freebsd.org
Subject:   Re: R: IPv6 and ipfw
Message-ID:  <4A672C79.3000006@digiware.nl>
In-Reply-To: <3164304.442981248256119643.JavaMail.defaultUser@defaultHost>
References:  <3164304.442981248256119643.JavaMail.defaultUser@defaultHost>

Reply below, and I also reorganised yours...
raffaele.delorenzo@libero.it wrote:
>> Hi,
>>
>> Running 7.2 I tried to insert this into my IPFW rules
>> # ipfw add allow udp from any to 2001:xxx:3::113,2001:xxxx:3::116 \
>> 	dst-port 10001-10100 keep-state
>> ipfw: bad netmask ``xxxx:3::113''
>> also:
>> # ipfw add allow udp from any to trixbox.ip6 dst-port 10001-10100 keep-state
>> ipfw: hostname ``trixbox.ip6'' unknown
>> Exit 68
>> # host trixbox.ip6
>> trixbox.ip6.digiware.nl has IPv6 address 2001:4cb8:3::116
>>
>> So it looks like what is in the manual is overly optimistic:
>> ----
>>      addr6-list: ip6-addr[,addr6-list]
>>      ip6-addr:
>>              A host or subnet specified one of the following ways:
>>              numeric-ip | hostname
>>                      Matches a single IPv6 address as allowed by inet_pton(3)
>>                      or a hostname.  Hostnames are resolved at the time the
>>                      rule is added to the firewall list.
>>
>>              addr/masklen
>>                      Matches all IPv6 addresses with base addr (specified as
>>                      allowed by inet_pton or a hostname) and mask width of
>>                      masklen bits.
>>
>>              No support for sets of IPv6 addresses is provided because IPv6
>>              addresses are typically random past the initial prefix.
>> ----
>>
>> Anybody else ran into this?
>> Or should I file this as a PR.

> Hi all,
> You have found a parser bug.
> When the protocol is "ipv6" and you use comma-separated IPv6 addresses,
> the parser works fine because the "add_srcip6" function is called and
> recognizes all addresses.
> When the protocol is "!=ipv6" (like TCP, UDP, ICMP6) the "add_src"
> function is called and it causes trouble because the "inet_pton()"
> fails and the "add_srcip" function is erroneously called (see the code
> below).
>
> (from "ipfw2.c")
> static ipfw_insn *
> add_src(ipfw_insn *cmd, char *av, u_char proto)
> {
> 	struct in6_addr a;
> 	char *host, *ch;
> 	ipfw_insn *ret = NULL;
>
> 	if ((host = strdup(av)) == NULL)
> 		return NULL;
> 	if ((ch = strrchr(host, '/')) != NULL)
> 		*ch = '\0';
>
> 	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
> 	    inet_pton(AF_INET6, host, &a))
> 		ret = add_srcip6(cmd, av);
>
> 	/* XXX: should check for IPv4, not !IPv6 */
> 	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> 	    !inet_pton(AF_INET6, host, &a)))
> 		ret = add_srcip(cmd, av);
> 	if (ret == NULL && strcmp(av, "any") != 0)
> 		ret = cmd;
>
> 	free(host);
> 	return ret;
> }
>
> I think that the possible solutions are the following:
>
> 1) Create new protocol types UDP6, TCP6 only for IPv6 rules to avoid
> parser confusion, and check for this protocol inside the "add_src"
> function (easy to implement).
> 2) Check the comma-separated IP/IPv6 addresses inside the "add_src"
> function (a little too hard to implement).
>
> I appreciate suggestions from the community experts about this problem.

I would prefer not to make separate tcp6 and udp6 items, since what I would
like to do is things like:

hostlist="a.b.c.d,A:B:C:D::F"

and then in the firewall something like
	ipfw add allow tcp from any to ${hostlist} dst-port 80 setup

and if tcp now goes into tcp and tcp6 I need to double my rules etc.

Which raises one other point:
	using a FQDN with multiple A and AAAA records also just inserts the
	first reply in the list.
	Now I don't use FQDN since most of the time in the Firewall DNS
	is not quite up yet.

--WjW
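Added illustration, not code from this thread or from ipfw: the helpers below reproduce why the quoted add_src() misroutes a comma-separated IPv6 list (one inet_pton() over the whole string never succeeds, so the list falls through to add_srcip() and "bad netmask") and show the per-element check Raffaele's option 2 describes, which also accepts the mixed IPv4/IPv6 host list wanted above. classify_one, classify_whole and classify_list are hypothetical names, the addresses are constructed from documentation prefixes, and hostname resolution is left out.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Family one element would be dispatched to, mirroring add_src():
 * 6 -> add_srcip6(), 4 -> add_srcip(), 0 -> neither literal family
 * (a hostname, garbage, or a whole comma list). Hypothetical helper. */
static int classify_one(const char *elem)
{
    char host[128];
    struct in6_addr a6;
    struct in_addr a4;
    char *slash;

    /* add_src() strips a trailing "/masklen" before calling inet_pton() */
    snprintf(host, sizeof host, "%s", elem);
    if ((slash = strrchr(host, '/')) != NULL)
        *slash = '\0';
    if (inet_pton(AF_INET6, host, &a6) == 1)
        return 6;
    if (inet_pton(AF_INET, host, &a4) == 1)
        return 4;
    return 0;
}

/* What the quoted add_src() effectively does for a non-IPv6 protocol:
 * a single inet_pton() over the entire comma-separated string, so a
 * list of IPv6 addresses tests as 0 and is handed to add_srcip(). */
int classify_whole(const char *list)
{
    return classify_one(list);
}

/* Per-element check (option 2 in the thread): returns a bitmask of the
 * families present (1 = IPv4, 2 = IPv6), so "a.b.c.d,A:B:C:D::F" can be
 * split between add_srcip() and add_srcip6(). Returns -1 if any element
 * is neither literal family (e.g. a hostname, which is not resolved here). */
int classify_list(const char *list)
{
    char buf[256], *save, *tok;
    int mask = 0;

    snprintf(buf, sizeof buf, "%s", list);
    for (tok = strtok_r(buf, ",", &save); tok != NULL;
         tok = strtok_r(NULL, ",", &save)) {
        int k = classify_one(tok);
        if (k == 0)
            return -1;
        mask |= (k == 6) ? 2 : 1;
    }
    return mask;
}
```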