Date: Fri, 18 Aug 2000 22:48:05 +0200 (CEST)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: freebsd-security@freefall.freebsd.org
Cc: Luigi Rizzo <luigi@info.iet.unipi.it>
Subject: Re: [avalon@COOMBS.ANU.EDU.AU: Ip packet filtering with bridging on freebsd] (fwd)
Message-ID: <200008182048.WAA09758@info.iet.unipi.it>
I was informed by a few people of a thread on alleged problems with
ipfw+bridging, so I think I should say a few things on the subject.
Darren was complaining that net/bridge.c was missing some sanity
checks on packets before passing them to ip_fw_chk(). I looked at
his proposed fix on the -security archives (I am not subscribed to the
list, this is why I did not react).
I am not sure which version of FreeBSD Darren refers to -- the
missing checks were there when I committed the code to 3.x and 4.x
-- only thing, they are|were located in /sys/netinet/ip_fw.c,
function ip_fw_chk() near this section of code:
    if (pip) { /* normal ip packet */
        ip = *pip;
        offset = (ip->ip_off & IP_OFFMASK);
    } else { /* bridged or non-ip packet */
        struct ether_header *eh = mtod(*m, struct ether_header *);
        switch (ntohs(eh->ether_type)) {
        case ETHERTYPE_IP :
            ...
and the checks are here, doing all things which are in
Darren's proposed patch.
So I think RELENG_3 and RELENG_4_0_RELEASE are safe from this point
of view.
This part of the code got in fact nuked in rev 1.134 of ip_fw.c
when Archie Cobbs did his changes to ether_input(); but with a
subsequent change to net/bridge.c on June 2nd Archie also removed
ipfw support for bridged packets.
So we lost some functionality in RELENG_4, 4.1 and CURRENT (including
some problems with bridging of multicast traffic), but I do not
believe that we lost safety.
Remember, RELENG_3 is still safe and good for doing ipfw filtering
on bridged packets (modulo other bugs that I am unaware of), and
so is the floppy image that you can get from my dummynet page.
Speaking of Archie's changes to ether_input():
I did like the idea of putting common parts from the drivers into
ether_input(). I disagreed (by email both to the list and to
Archie) on the way this was done (e.g. without testing that bridging
still worked as before, and eventually removing some functionality);
but being idle like I was has never been a good excuse for stopping
progress in FreeBSD, so in a sense I think Archie did the right
thing, and whatever was lost in the process may be fixed in the
future should someone have a strong need.
Hope this clarifies things -- sorry for not reacting earlier, but
I am not subscribed to -security (so please Cc me) and did not know
it was such a big deal.
cheers
luigi
-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/ . Università di Pisa
TEL/FAX: +39-050-568.533/522 . via Diotisalvi 2, 56126 PISA (Italy)
Mobile +39-347-0373137
-----------------------------------+-------------------------------------
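The message above argues about where the sanity checks on a bridged frame live before ip_fw_chk() sees it, without spelling the checks out. The following is an added example, not code from FreeBSD's bridge.c or ip_fw.c and not Darren's patch; it shows, on raw Ethernet frames constructed inline, the checks a bridge-to-firewall hook has to make before it may dereference an IP header: minimum frame length, ethertype, IP version, IHL against both the minimum and the bytes actually present, and ip_len against both the header length and the bytes present (allowing Ethernet padding). The names bridge_ip_sanity, transport_bytes_visible, the verdict enum and the sample frames are this example's own assumptions.

```c
/* Added example (not FreeBSD's bridge.c/ip_fw.c code): sanity checks a
 * bridge must apply to a raw Ethernet frame before passing its IP header
 * to a firewall hook. All names below are this example's assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHER_HDR_LEN   14
#define ETHERTYPE_IP_EX 0x0800   /* same value as ETHERTYPE_IP */
#define IP_OFFMASK_EX   0x1fff   /* same value as IP_OFFMASK */
#define IP_MF_EX        0x2000   /* same value as IP_MF */
#define IP_MIN_HLEN     20

enum verdict {
    FRAME_DROP    = -1,   /* malformed: must never reach the filter */
    FRAME_NOT_IP  =  0,   /* non-IP ethertype: no IP header to inspect */
    FRAME_IP_SANE =  1    /* header fully inside the frame; safe to filter */
};

struct ip_view {
    const uint8_t *hdr;   /* start of the IPv4 header inside the frame */
    uint16_t hlen;        /* IHL * 4, in bytes */
    uint16_t total_len;   /* ip_len field */
    uint16_t frag_off;    /* fragment offset in 8-byte units */
    int      more_frags;  /* MF flag */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate the frame; on FRAME_IP_SANE optionally fill *out. */
int bridge_ip_sanity(const uint8_t *frame, size_t len, struct ip_view *out)
{
    if (len < ETHER_HDR_LEN) return FRAME_DROP;             /* no complete Ethernet header */
    if (be16(frame + 12) != ETHERTYPE_IP_EX) return FRAME_NOT_IP;
    const uint8_t *ip = frame + ETHER_HDR_LEN;
    size_t avail = len - ETHER_HDR_LEN;                     /* bytes really carried after Ethernet */
    if (avail < IP_MIN_HLEN) return FRAME_DROP;             /* reading ip_len/ip_off would overrun */
    if ((ip[0] >> 4) != 4) return FRAME_DROP;               /* not IPv4 */
    uint16_t hlen = (uint16_t)((ip[0] & 0x0f) * 4);
    if (hlen < IP_MIN_HLEN || hlen > avail) return FRAME_DROP; /* IHL < 5, or options truncated */
    uint16_t tlen = be16(ip + 2);
    if (tlen < hlen) return FRAME_DROP;                     /* ip_len smaller than its own header */
    if (tlen > avail) return FRAME_DROP;                    /* ip_len claims bytes the frame lacks */
    /* tlen < avail is legitimate: short frames are padded to 60 bytes on Ethernet. */
    uint16_t off = be16(ip + 6);
    if (out) {
        out->hdr = ip; out->hlen = hlen; out->total_len = tlen;
        out->frag_off = (uint16_t)(off & IP_OFFMASK_EX);
        out->more_frags = (off & IP_MF_EX) != 0;
    }
    return FRAME_IP_SANE;
}

/* Bytes of transport header a port-matching rule may look at: -1 if the
 * frame is not sane IP, 0 for a non-first fragment (ports are not present). */
int transport_bytes_visible(const uint8_t *frame, size_t len)
{
    struct ip_view v;
    if (bridge_ip_sanity(frame, len, &v) != FRAME_IP_SANE) return -1;
    if (v.frag_off != 0) return 0;
    return v.total_len - v.hlen;
}

/* Constructed sample frames (not captured traffic). */
#define ETH_HDR(type_hi, type_lo) \
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, type_hi,type_lo
#define TCP_SYN_20 \
    0x04,0xd2,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0

/* IPv4, IHL=5, ip_len=40, TCP 1234->80 SYN: exactly 54 bytes, no padding. */
const uint8_t sample_ipv4_tcp[] = { ETH_HDR(0x08,0x00),
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x01, 0xc0,0xa8,0x01,0x02, TCP_SYN_20 };
/* Same packet padded to the 60-byte Ethernet minimum: ip_len < bytes present. */
const uint8_t sample_padded[] = { ETH_HDR(0x08,0x00),
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x01, 0xc0,0xa8,0x01,0x02, TCP_SYN_20, 0,0,0,0,0,0 };
/* Non-first fragment: MF set, offset 5 (ip_off = 0x2005). */
const uint8_t sample_fragment[] = { ETH_HDR(0x08,0x00),
    0x45,0x00,0x00,0x28, 0x00,0x01,0x20,0x05, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x01, 0xc0,0xa8,0x01,0x02, TCP_SYN_20 };
/* ARP request (ethertype 0x0806): not IP, nothing for the IP filter. */
const uint8_t sample_arp[] = { ETH_HDR(0x08,0x06),
    0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0xc0,0xa8,0x01,0x01, 0,0,0,0,0,0, 0xc0,0xa8,0x01,0x02 };
/* IP ethertype but only 8 bytes of header present. */
const uint8_t sample_truncated[] = { ETH_HDR(0x08,0x00), 0x45,0x00,0x00,0x28,0x00,0x01,0x00,0x00 };
/* IHL=3 (12 bytes): a filter trusting it would index past the header. */
const uint8_t sample_bad_ihl[] = { ETH_HDR(0x08,0x00),
    0x43,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x01, 0xc0,0xa8,0x01,0x02, TCP_SYN_20 };
/* ip_len=1500 with only 40 bytes carried. */
const uint8_t sample_overlong_len[] = { ETH_HDR(0x08,0x00),
    0x45,0x00,0x05,0xdc, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x01, 0xc0,0xa8,0x01,0x02, TCP_SYN_20 };

int main(void)
{
    printf("ipv4/tcp : %d\n", bridge_ip_sanity(sample_ipv4_tcp, sizeof sample_ipv4_tcp, NULL));
    printf("arp      : %d\n", bridge_ip_sanity(sample_arp, sizeof sample_arp, NULL));
    printf("truncated: %d\n", bridge_ip_sanity(sample_truncated, sizeof sample_truncated, NULL));
    printf("bad ihl  : %d\n", bridge_ip_sanity(sample_bad_ihl, sizeof sample_bad_ihl, NULL));
    printf("fragment transport bytes: %d\n", transport_bytes_visible(sample_fragment, sizeof sample_fragment));
    return 0;
}
```

The split between FRAME_NOT_IP and FRAME_DROP matters for a bridge: a non-IP frame is simply outside the IP filter's scope and is forwarded on the bridge's own policy, while a frame that claims to be IP but cannot hold a consistent header must be discarded before any code dereferences ip_off, ip_p or the port fields. The IP checksum is deliberately not verified here; that belongs to the IP input path, not to the check that makes the header safe to read.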
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200008182048.WAA09758>
