From owner-freebsd-ipfw@FreeBSD.ORG  Sat Aug 26 09:00:52 2006
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: freebsd-ipfw@hub.freebsd.org
Delivered-To: freebsd-ipfw@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 31FF416A4DA
	for <freebsd-ipfw@hub.freebsd.org>;
	Sat, 26 Aug 2006 09:00:52 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 38E6D43D70
	for <freebsd-ipfw@hub.freebsd.org>;
	Sat, 26 Aug 2006 09:00:43 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k7Q90hNp006358
	for <freebsd-ipfw@freefall.freebsd.org>; Sat, 26 Aug 2006 09:00:43 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k7Q90h9j006357;
	Sat, 26 Aug 2006 09:00:43 GMT (envelope-from gnats)
Date: Sat, 26 Aug 2006 09:00:43 GMT
Message-Id: <200608260900.k7Q90h9j006357@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: "Stephen E. Halpin" <seh-10lzx4@mail.quadrizen.com>
Cc: 
Subject: Re: bin/102422: ipfw & kernel problems where firewall rules aren't
	interpreted correctly
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "Stephen E. Halpin" <seh-10lzx4@mail.quadrizen.com>
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Aug 2006 09:00:52 -0000

The following reply was made to PR bin/102422; it has been noted by GNATS.

From: "Stephen E. Halpin" <seh-10lzx4@mail.quadrizen.com>
To: Andrey V. Elsukov <bu7cher@yandex.ru>
Cc: bug-followup@FreeBSD.org,
 Oleg Bulyzhin <oleg@FreeBSD.org>,
 Gleb Smirnoff <glebius@FreeBSD.org>,
 Luigi Rizzo <rizzo@icir.org>
Subject: Re: bin/102422: ipfw & kernel problems where firewall rules aren't interpreted correctly
Date: Sat, 26 Aug 2006 05:01:39 -0400

 Sorry for taking so long to get back to you.  The changes look good.   
 I've tested the changes for ip_fw2.c for both source and destination  
 processing, and it worked fine.  I still have a question about PR  
 91245, as when I went to the following page:
 
      http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ipfw/
 
 and it looks like the last version of ipfw2.c is 1.96 on the MAIN  
 branch, and the changes in PR 91245 are not there.  It would be  
 awesome if all three fixes could make it into the 6.2 release!
 
 -Steve
 
 
 On Aug 24, 2006, at 6:09 AM, Andrey V. Elsukov wrote:
 
 > Stephen Halpin wrote:
 > > The rule is accepted with icmp6types 1,2,32,33,34,...94,95,128,129.
 > > The problem is the data structure in
 > > /usr/src/sbin/ipfw/ipfw2.c:fill_icmp6types() is not properly
 > > initialized.
 >
 > Yes, you are right. A data buffer is previously zeroed, but
 > fill_ip6() function can modified some data while parsing ipv6
 > destination addresses. Quick fix is simple:
 >
 > --- ipfw2.c     23 Aug 2006 14:29:18 -0000      1.96
 > +++ ipfw2.c     24 Aug 2006 09:08:06 -0000
 > @@ -1206,7 +1206,7 @@
 >  {
 >         uint8_t type;
 >
 > -       cmd->d[0] = 0;
 > +       bzero(cmd, sizeof(*cmd));
 >         while (*av) {
 >             if (*av == ',')
 >                 av++;
 >
 >
 > But i think that here can be another similar issues.
 >
 > > addressed with bug number 91245, which the query interface won't
 > > bring up for anything.  I was able to find it using the global
 > > Google.  I found a set of diffs at:
 >
 > PR 91245 was closed.
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=91245
 >
 > > Problem 3:
 > >
 > > ipfw add allow ip6 from any to 2000::/16,2002::/16
 >
 > Can you try the attached patch?
 >
 > -- 
 > WBR, Andrey V. Elsukov
 > Index: ip_fw2.c
 > ===================================================================
 > RCS file: /mnt/cvs/ncvs/src/sys/netinet/ip_fw2.c,v
 > retrieving revision 1.144
 > diff -u -r1.144 ip_fw2.c
 > --- ip_fw2.c	18 Aug 2006 22:36:04 -0000	1.144
 > +++ ip_fw2.c	24 Aug 2006 09:55:38 -0000
 > @@ -2869,22 +2869,20 @@
 >  				    &((ipfw_insn_ip6 *)cmd)->addr6);
 >  				break;
 >  			case O_IP6_SRC_MASK:
 > -				if (is_ipv6) {
 > -					ipfw_insn_ip6 *te = (ipfw_insn_ip6 *)cmd;
 > -					struct in6_addr p = args->f_id.src_ip6;
 > -
 > -					APPLY_MASK(&p, &te->mask6);
 > -					match = IN6_ARE_ADDR_EQUAL(&te->addr6, &p);
 > -				}
 > -				break;
 > -
 >  			case O_IP6_DST_MASK:
 >  				if (is_ipv6) {
 > -					ipfw_insn_ip6 *te = (ipfw_insn_ip6 *)cmd;
 > -					struct in6_addr p = args->f_id.dst_ip6;
 > +					int i = cmdlen - 1;
 > +					struct in6_addr p;
 > +					struct in6_addr *d = &((ipfw_insn_ip6 *)cmd)->addr6;
 >
 > -					APPLY_MASK(&p, &te->mask6);
 > -					match = IN6_ARE_ADDR_EQUAL(&te->addr6, &p);
 > +					for (; !match && i > 0; d += 2,
 > +						i -= F_INSN_SIZE(struct in6_addr) * 2)
 > +					{
 > +						p = (cmd->opcode == O_IP6_SRC_MASK) ?
 > +							args->f_id.src_ip6: args->f_id.dst_ip6;
 > +						APPLY_MASK(&p, &d[1]);
 > +						match = IN6_ARE_ADDR_EQUAL(&d[0], &p);
 > +					}
 >  				}
 >  				break;
 >