From owner-freebsd-net Thu Jan 9 13:51:17 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2D83037B401; Thu, 9 Jan 2003 13:51:16 -0800 (PST)
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11]) by mx1.FreeBSD.org (Postfix) with SMTP id DAF7D43ED8; Thu, 9 Jan 2003 13:51:14 -0800 (PST) (envelope-from dwmalone@maths.tcd.ie)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP id ; 9 Jan 2003 21:51:13 +0000 (GMT)
To: freebsd-net@freebsd.org
Cc: ume@freebsd.org
Subject: ip6fw suggestion
X-Request-Do:
Date: Thu, 09 Jan 2003 21:51:13 +0000
From: David Malone
Message-ID: <200301092151.aa25831@salmon.maths.tcd.ie>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I just got caught by a subtle problem with ip6fw. You can legally say:

	allow icmp from any to any

and ip6fw doesn't complain, but this allows IPv4 ICMP in IPv6 packets, which is pretty meaningless. This seems to be because ip6fw uses getprotobyname to convert names into numbers. Of course, what I intended to say was:

	allow ipv6-icmp from any to any

I think it might be worth adding a warning to ip6fw if someone gives the protocol as "icmp". If someone really wants to let ICMPv4 through ip6fw, they could always give the numerical version of the protocol instead. The patch below would make giving icmp an error, but it might just be better to syslog something?

	David.

Index: ip6fw.c
===================================================================
RCS file: /FreeBSD/FreeBSD-CVS/src/sbin/ip6fw/ip6fw.c,v
retrieving revision 1.1.2.8
diff -u -r1.1.2.8 ip6fw.c
--- ip6fw.c	28 Aug 2002 05:32:03 -0000	1.1.2.8
+++ ip6fw.c	9 Jan 2003 21:49:54 -0000
@@ -959,6 +959,8 @@ rule.fw_prot = proto; av++; ac--; } else if (!strncmp(*av,"all",strlen(*av))) { rule.fw_prot = IPPROTO_IPV6; av++; ac--; + } else if (!strncmp(*av,"icmp",strlen(*av))) { + show_usage("allowing ipv4 icmp does not make sense."); } else if ((pe = getprotobyname(*av)) != NULL) { rule.fw_prot = pe->p_proto; av++; ac--; } else {
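Review bot: the new branch fires for every rule action, but its message reads "allowing ipv4 icmp does not make sense." (a `deny icmp` rule would print the same text); reword it to describe the protocol rather than the action and name the intended keyword, e.g. "icmp is IPv4 ICMP (protocol 1); use ipv6-icmp for ICMPv6, or give the protocol number". As with the "all" case above it, the test is strncmp against strlen(*av), so a bare "i" or "ic" also trips the branch, which is consistent with the existing prefix convention but worth reflecting in the message. show_usage rejects the whole rule, whereas the covering mail itself suggests logging instead; a warning that still installs the rule (or only rejects when the next-header value is IPPROTO_ICMP) would be the less disruptive choice.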