Date: Wed, 22 Feb 2017 12:03:11 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 217292] ipfw lookup on fields other than IP source and destination address doesn't work for IPv6
Message-ID: <bug-217292-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217292

Bug ID: 217292
Summary: ipfw lookup on fields other than IP source and destination address doesn't work for IPv6
Product: Base System
Version: 11.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: crest@bultmann.eu

The ipfw lookup action allows ipfw to match the specified field in a packet against a table. I wanted to use this to dynamically allow/deny TCP and UDP ports without changing the ruleset itself. A reduced version of the ipfw script looks like this:

    # Create the table
    ipfw table tcp_open create type number algo number:array

    # Apply existing state
    ipfw add check-state

    # Establish new state
    ipfw add allow tcp from any to any lookup dst-port tcp_open keep-state setup

    # Open port 22/tcp
    ipfw table tcp_open add 22

This works as expected for IPv4, but the IPv6 code path in sys/netpfil/ipfw/ip_fw2.c:1517 can't deal with anything other than lookups on the source/destination IPv6 address, yet neither does the ipfw manpage mention this limitation, nor does ipfw refuse to load rules which can match IPv6 packets against lookup actions on fields other than the IP addresses. In my ruleset this "just" blocked all incoming IPv6 connections, but in other rulesets it could just as easily expose IPv6 services to attackers.

--
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-217292-8>
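The report describes rules that load without complaint but never match IPv6 packets: any `lookup` on a field other than the source or destination address. Until a ruleset is known to be free of them, an audit pass over `ipfw list` output is a cheap safeguard. The script below is an added example written for this page, not code from the bug report or from FreeBSD. It assumes the `ipfw list` one-rule-per-line format (rule number, action, protocol, `from ... to ...`, then options) and treats a rule as IPv4-only when the `ip4` protocol keyword from ipfw(8) appears before `from`; the sample ruleset is constructed for the demonstration, with rule 00200 mirroring the report's rule and 00300 the same rule restricted to IPv4.

```shell
#!/bin/sh
# Added audit helper (not from the bug report): print the number of every
# rule that uses "lookup" on a non-address field and is not restricted to
# IPv4, since the report says such rules silently fail to match IPv6.
# Reads "ipfw list"-style text on stdin, one rule per line.
flag_ipv6_lookup_rules() {
    awk '
    {
        field = ""; v4only = 0; seen_from = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "from") seen_from = 1
            # the protocol keyword sits between the action and "from";
            # "ip4" there means IPv6 packets never reach this rule
            if (!seen_from && $i == "ip4") v4only = 1
            if ($i == "lookup" && i < NF) field = $(i + 1)
        }
        if (field == "") next                              # no lookup in this rule
        if (field == "dst-ip" || field == "src-ip") next   # address lookups work for both families
        if (v4only) next                                   # IPv4-only rule, nothing to flag
        print $1
    }'
}

# Constructed sample ruleset in "ipfw list" style (not taken from a real system).
SAMPLE_RULES='00100 check-state
00200 allow tcp from any to any lookup dst-port tcp_open keep-state setup
00300 allow ip4 from any to any lookup dst-port tcp_open keep-state setup
00400 allow ip6 from any to any lookup dst-ip v6_hosts
00500 allow udp from any to any lookup src-port udp_open
65535 deny ip from any to any'

# Flags 00200 and 00500: both match IPv6 traffic and look up a port field.
printf '%s\n' "$SAMPLE_RULES" | flag_ipv6_lookup_rules
```

On a live host the same function runs as `ipfw list | flag_ipv6_lookup_rules`; every number it prints is a rule whose IPv6 behaviour differs from its IPv4 behaviour, which is exactly the class of rule the report says ipfw accepts without warning.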
