Date: Wed, 11 Mar 2020 08:10:13 +0000
From: Alexander V. Chernikov <melifaro@freebsd.org>
To: O. Hartmann <o.hartmann@walstatt.org>
Cc: "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>
Subject: Re: svn commit: r358858 - head/sbin/ipfw
Message-ID: <7819601583914172@iva8-5e86d95f65ab.qloud-c.yandex.net>
In-Reply-To: <20200311081346.0e78d715@freyja>
References: <202003102030.02AKUL0q031391@repo.freebsd.org> <20200311081346.0e78d715@freyja>
11.03.2020, 07:14, "O. Hartmann" <o.hartmann@walstatt.org>:
> On Tue, 10 Mar 2020 20:30:21 +0000 (UTC)
> "Alexander V. Chernikov" <melifaro@FreeBSD.org> wrote:
>
>> Author: melifaro
>> Date: Tue Mar 10 20:30:21 2020
>> New Revision: 358858
>> URL: https://svnweb.freebsd.org/changeset/base/358858
>>
>> Log:
>> Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
>>
>> Submitted by: Neel Chauhan <neel AT neelc DOT org>
>> MFC after: 2 weeks
>> Differential Revision: https://reviews.freebsd.org/D21812
>>
>> Modified:
>> head/sbin/ipfw/ipfw2.c
>>
>> Modified: head/sbin/ipfw/ipfw2.c >> ============================================================================== >> --- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020 (r358857) >> +++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020 (r358858) >> @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cb >> if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || >> inet_pton(AF_INET6, host, &a) == 1) >> ret = add_srcip6(cmd, av, cblen, tstate); >> - /* XXX: should check for IPv4, not !IPv6 */ >> - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 || >> - inet_pton(AF_INET6, host, &a) != 1)) >> + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 || >> + inet_pton(AF_INET, host, &a) == 1) >> ret = add_srcip(cmd, av, cblen, tstate); >> - if (ret == NULL && strcmp(av, "any") != 0) >> + else if (ret == NULL && strcmp(av, "any") != 0) >> ret = cmd; >> >> return ret;
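Review bot: the add_src hunk breaks "any" for every rule whose proto is not IPPROTO_IP. The old IPv4 branch accepted anything that was not an IPv6 literal, so "any" reached add_srcip; the new `else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 || inet_pton(AF_INET, host, &a) == 1)` only accepts an IPv4 literal, "me" or a proto hint, and the final `else if (ret == NULL && strcmp(av, "any") != 0)` deliberately skips "any", so ret stays NULL and the caller reports "bad source address any". The report further down shows exactly this pattern: the ip rules with "any" (00100 to 00500, where proto == IPPROTO_IP) load, while later rules fail on the same address. Suggest adding `strcmp(av, "any") == 0` to the IPv4 branch so "any" keeps going through add_srcip, and dropping the `ret == NULL` test in the last branch, which is always true inside an else-if chain. Also worth checking: an argument that fails both inet_pton() calls now ends in `ret = cmd` without either parser having touched cmd, where it previously went through add_srcip.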
>> @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cb >> if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || >> inet_pton(AF_INET6, host, &a) == 1) >> ret = add_dstip6(cmd, av, cblen, tstate); >> - /* XXX: should check for IPv4, not !IPv6 */ >> - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 || >> - inet_pton(AF_INET6, host, &a) != 1)) >> + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 || >> + inet_pton(AF_INET, host, &a) == 1) >> ret = add_dstip(cmd, av, cblen, tstate); >> - if (ret == NULL && strcmp(av, "any") != 0) >> + else if (ret == NULL && strcmp(av, "any") != 0) >> ret = cmd; >> >> return ret;
>> _______________________________________________
>> svn-src-head@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/svn-src-head
>> To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org"
>
> This seems to trigger some issues in CURRENT's ipfw script handling rules. On
> all CURRENT boxes running
>> FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 amd64,
> the boxes aren't accessible via net due to errors occurring when loading ipfw rules:

Whoops. Terribly sorry for breaking your setup. Reverted in r358871.

>
> [/etc/rc.conf]
> firewall_type="WORKSTATION"
> firewall_myservices="22/tcp 80/tcp 443/tcp"    # List of TCP ports on which this host
>                                                 # offers services for "workstation" firewall.
> firewall_allowservices="192.168.0.0/24 fd11:43:2::/64"    # List of IPs which have access to
>                                                 # $firewall_myservices for "workstation"
>                                                 # firewall.
> firewall_trusted=""    # List of IPs which have full access to this
>                        # host for "workstation" firewall.
>
> [...]
> # service ipfw restart
> Flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> ipfw: bad source address any
> ipfw: bad source address any
> 00000 check-state :default
> ipfw: bad destination address any
> ipfw: bad destination address any
> ipfw: bad destination address any
> ipfw: bad destination address any
> ipfw: bad destination address any
> 01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
> ipfw: bad source address any
> ipfw: bad source address any
> 01100 allow udp from fe80::/10 to me 546 in
> ipfw: bad source address any
> ipfw: bad source address any
> ipfw: bad source address any
> ipfw: bad source address any
> [...]
>
> The problem also occurs if I set
>
> firewall_allowservices="any"
>
> in /etc/rc.conf
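Review bot: the add_dst hunk has the same hole as add_src: "any" matches neither the IPv6 branch nor the new `inet_pton(AF_INET, host, &a) == 1` IPv4 branch unless proto is IPPROTO_IP, and the final `else if (ret == NULL && strcmp(av, "any") != 0)` skips it, so add_dst returns NULL and the caller prints "bad destination address any", which is what the five "ipfw: bad destination address any" lines in the report above are. Whatever fix is chosen for add_src (for example adding `strcmp(av, "any") == 0` to the IPv4 branch) has to be applied here as well, and the redundant `ret == NULL` in the last `else if` can go.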
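To make the breakage in the thread reproducible without a FreeBSD box, here is an added example (not ipfw's own code, not part of the commit or the report) that reconstructs the address dispatch of add_src()/add_dst() before and after r358858 and runs both over the addresses from the reporter's rc.conf and rule listing. It assumes, as the real code does, that the address is handed to inet_pton() with any "/mask" suffix stripped, that proto is the IPPROTO_* value of the rule's protocol keyword (IPPROTO_IP, i.e. 0, for an "ip" rule), and that the enum, the function names and the sample inputs are this example's own. The interesting result is that "any" only fails when proto is not IPPROTO_IP, which is why the "ip" rules in the report load and the rules after them do not.

```c
/*
 * Added example, not ipfw(8) code: a stand-alone reconstruction of the
 * address dispatch in add_src()/add_dst() before and after r358858.
 * Assumptions: "host" is av with any "/mask" removed; proto is the
 * IPPROTO_* value of the rule's protocol keyword; enum/function names
 * and the sample inputs below are this example's own.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Which parser the dispatch ends in. TO_NONE is the NULL result that
 * makes the caller print "bad source/destination address". */
enum branch { TO_NONE = 0, TO_IP6, TO_IP4, TO_CMD };

/* Copy av into host with a trailing "/mask" removed so that inet_pton()
 * only sees the address part (assumed mask stripping, kept minimal). */
static void strip_mask(const char *av, char *host, size_t len)
{
	char *ch;

	strncpy(host, av, len - 1);
	host[len - 1] = '\0';
	if ((ch = strchr(host, '/')) != NULL)
		*ch = '\0';
}

/* Dispatch as it was before r358858: anything that is not an IPv6
 * literal falls through to the IPv4 parser, which also handled "any". */
enum branch dispatch_old(const char *av, int proto)
{
	char host[INET6_ADDRSTRLEN];
	struct in6_addr a;

	strip_mask(av, host, sizeof(host));
	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, &a) == 1)
		return TO_IP6;
	if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    inet_pton(AF_INET6, host, &a) != 1)
		return TO_IP4;
	if (strcmp(av, "any") != 0)
		return TO_CMD;
	return TO_NONE;
}

/* Dispatch as committed in r358858: the IPv4 branch now needs an IPv4
 * literal, "me" or proto == IPPROTO_IP, and the last branch skips "any".
 * Since IPPROTO_IP is 0, "any" still passes for an "ip" rule but leaves
 * a NULL result for a "tcp" or "udp" rule. */
enum branch dispatch_new(const char *av, int proto)
{
	char host[INET6_ADDRSTRLEN];
	struct in6_addr a;

	strip_mask(av, host, sizeof(host));
	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, &a) == 1)
		return TO_IP6;
	else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    inet_pton(AF_INET, host, &a) == 1)
		return TO_IP4;
	else if (strcmp(av, "any") != 0)
		return TO_CMD;
	return TO_NONE;
}

int main(void)
{
	/* Constructed inputs: the addresses from the reporter's rc.conf and
	 * rule listing plus one non-literal, each tried as part of an "ip"
	 * rule (proto 0) and a "tcp" rule (proto 6). */
	static const char *samples[] = {
		"any", "me", "me6", "192.168.0.0/24", "fd11:43:2::/64",
		"127.0.0.0/8", "::1", "fe80::/10", "255.255.255.255", "somehost"
	};
	static const char *names[] = { "NULL", "ip6", "ip4", "cmd" };
	static const int protos[] = { IPPROTO_IP, IPPROTO_TCP };
	size_t i, j;

	printf("%-16s %-5s %-5s %s\n", "address", "proto", "old", "new");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		for (j = 0; j < sizeof(protos) / sizeof(protos[0]); j++)
			printf("%-16s %-5d %-5s %s\n", samples[i], protos[j],
			    names[dispatch_old(samples[i], protos[j])],
			    names[dispatch_new(samples[i], protos[j])]);
	return 0;
}
```

Running it prints one row per address and protocol; the rows to look at are "any" with proto 6 (old: ip4, new: NULL) against "any" with proto 0 (ip4 in both), and "somehost" with either proto, which the old dispatch sent to the IPv4 parser and the new one returns as an untouched cmd.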