Date:      Wed, 22 Feb 2017 12:03:11 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 217292] ipfw lookup on fields other than IP source and destination address doesn't work for IPv6
Message-ID:  <bug-217292-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217292

            Bug ID: 217292
           Summary: ipfw lookup on fields other than IP source and
                    destination address doesn't work for IPv6
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: crest@bultmann.eu

The ipfw lookup action allows ipfw to match the specified field in a packet
against a table. I wanted to use this to dynamically allow/deny TCP and UDP
ports without changing the ruleset itself.

A reduced version of the ipfw script looks like this:

    # Create the table
    ipfw table tcp_open create type number algo number:array

    # Apply existing state
    ipfw add check-state

    # Establish new state
    ipfw add allow tcp from any to any lookup dst-port tcp_open keep-state
setup

    # Open port 22/tcp
    ipfw table tcp_open add 22

This works as expected for IPv4, but the IPv6 code path in
sys/netpfil/ipfw/ip_fw2.c:1517 can't deal with anything other than lookups on
the source/destination IPv6 address, yet neither does the ipfw manpage mention
this limitation nor does ipfw refuse to load rules which can match IPv6 packets
against lookup actions on fields other than the IP addresses.

In my ruleset this "just" blocked all incoming IPv6 connections, but in other
rulesets it could just as easily expose IPv6 services to attackers.

-- 
You are receiving this mail because:
You are the assignee for the bug.
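A ruleset lint, added here as an example and not part of the bug report or of ipfw itself: it flags `lookup` rules on fields other than `src-ip`/`dst-ip` that are not restricted to IPv4 with the `ip4`/`ipv4` rule option, since the report notes ipfw loads such rules without complaint. The rule numbers and table names in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): find ipfw rules whose "lookup"
# action uses a field other than src-ip/dst-ip and that carry no ip4/ipv4
# qualifier, so they may also be evaluated for IPv6 packets.

# Constructed sample in "ipfw list" style; rule numbers and tables are made up.
SAMPLE_RULES='00100 check-state
00200 allow tcp from any to any ip4 lookup dst-port tcp_open keep-state setup
00300 allow tcp from any to any lookup dst-port tcp_open keep-state setup
00400 allow udp from any to any lookup src-port udp_open
00500 allow ip from any to any lookup dst-ip trusted_hosts
00600 deny ip from any to any'

# Reads rules on stdin, prints each rule that matches the pattern above once.
find_ipv6_unsafe_lookups() {
    awk '
    {
        flagged = 0
        ipv4_only = 0
        for (j = 1; j <= NF; j++)
            if ($j == "ip4" || $j == "ipv4") ipv4_only = 1
        for (i = 1; i < NF; i++) {
            if ($i == "lookup") {
                field = $(i + 1)
                if (field != "src-ip" && field != "dst-ip" && !ipv4_only)
                    flagged = 1
            }
        }
        if (flagged) print
    }'
}

# Number of flagged rules in the sample, usable as a pass/fail check.
count_ipv6_unsafe_lookups() {
    printf '%s\n' "$SAMPLE_RULES" | find_ipv6_unsafe_lookups | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RULES" | find_ipv6_unsafe_lookups
```

Rules 00300 and 00400 are reported; 00200 is not because of its `ip4` option and 00500 is not because it looks up an address.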