Date: Wed, 15 Jan 2003 23:47:47 +0100 (CET)
From: "Simon L.Nielsen" <simon@nitro.dk>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/47120: [patch] Sanity check in ipfw(8)
Message-ID: <20030115224747.806A710BF87@arthur.nitro.dk>
>Number:         47120
>Category:       bin
>Synopsis:       [patch] Sanity check in ipfw(8)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 15 14:50:01 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Simon L. Nielsen
>Release:        FreeBSD 5.0-CURRENT
>Organization:
>Environment:
FreeBSD ford.nitro.dk 5.0-CURRENT FreeBSD 5.0-CURRENT #2: Fri Dec 27 13:32:24 CET 2002     root@ford.nitro.dk:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The ipfw(8) userland program does not check if the user tries to make
certain types of self-contradictory rules. E.g. the following rule is
allowed by ipfw2:

	# sysctl kern.osrelease
	kern.osrelease: 5.0-CURRENT
	# ipfw add allow udp from any to any setup
	01000 allow udp from any to any setup

The kernel firewall code correctly requires TCP packets when matching the
setup keyword, so the rule can never match anything.

The included patch only allows the correct protocol (e.g. TCP for 'setup'),
but sometimes protocol 'any/ip' might make the rule "work". In my opinion
this still does not really make much sense and should not be allowed.

ipfw1 (/ipfw in FreeBSD 4) does not allow these types of rules:

	# sysctl kern.osrelease
	kern.osrelease: 4.7-RELEASE-p2
	# ipfw add allow udp from any to any setup
	ipfw: unknown argument ``setup''
	# ipfw add allow ip from any to any setup
	ipfw: unknown argument ``setup''
>How-To-Repeat:
>Fix:
This patch makes the ipfw userland program do a bit more sanity checking
on the input rules for protocol-specific options.

--- ipfw2-inputcheck.patch begins here ---
Index: ipfw2.c
===================================================================
RCS file: /home/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.21
diff -u -d -r1.21 ipfw2.c
--- ipfw2.c	12 Jan 2003 03:31:10 -0000	1.21
+++ ipfw2.c	15 Jan 2003 21:08:20 -0000
@@ -2908,6 +2909,8 @@ break; case TOK_ICMPTYPES: + if(proto != IPPROTO_ICMP) + errx(EX_USAGE, "icmptypes only valid for icmp"); NEED1("icmptypes requires list of types"); fill_icmptypes((ipfw_insn_u32 *)cmd, *av); av++; ac--; @@ -2993,15 +2996,21 @@ break; case TOK_ESTAB: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "established only valid for tcp"); fill_cmd(cmd, O_ESTAB, 0, 0); break; case TOK_SETUP: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "setup only valid for tcp"); fill_cmd(cmd, O_TCPFLAGS, 0, (TH_SYN) | ( (TH_ACK) & 0xff) <<8 ); break; case TOK_TCPOPTS: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "tcpoptions only valid for tcp"); NEED1("missing argument for tcpoptions"); fill_flags(cmd, O_TCPOPTS, f_tcpopts, *av); ac--; av++; @@ -3009,6 +3018,8 @@ case TOK_TCPSEQ: case TOK_TCPACK: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "tcpseq/tcpack only valid for tcp"); NEED1("tcpseq/tcpack requires argument"); cmd->len = F_INSN_SIZE(ipfw_insn_u32); cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK; @@ -3017,6 +3028,8 @@ break; case TOK_TCPWIN: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "tcpwin only valid for tcp"); NEED1("tcpwin requires length"); fill_cmd(cmd, O_TCPWIN, 0, htons(strtoul(*av, NULL, 0))); @@ -3024,6 +3037,8 @@ break; case TOK_TCPFLAGS: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "tcpflags only valid for tcp"); NEED1("missing argument for tcpflags"); cmd->opcode = O_TCPFLAGS; fill_flags(cmd, O_TCPFLAGS, f_tcpflags, *av); --- ipfw2-inputcheck.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
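Review bot: In the TOK_ICMPTYPES hunk (and in each of the six TCP hunks that follow) the same two-line guard is pasted with a different keyword name, and `if(proto` lacks the space after `if` that the surrounding ipfw2.c code and style(9) use. A macro next to NEED1, e.g. `#define NEED_PROTO(p, kw, pname) if (proto != (p)) errx(EX_USAGE, "%s only valid for %s", kw, pname)`, keeps the seven guards identical and makes it harder to forget the check when the next protocol-specific keyword is added.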
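Review bot: The `proto != IPPROTO_TCP` test in the TOK_SETUP and TOK_ESTAB hunks also rejects the wildcard protocol (`ip`/`all`, IPPROTO_IP), which the description itself notes may make such a rule "work" because the kernel only matches the setup keyword against TCP packets. That turns rules ipfw2 accepts today into hard `ipfw add` failures, so either state in ipfw(8) that setup/established and the tcp* options now require an explicit `tcp`, or relax the test to `if (proto != IPPROTO_TCP && proto != IPPROTO_IP)` and reserve the error for protocols such as udp that can never match.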
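Review bot: In the TOK_TCPSEQ/TOK_TCPACK hunk the message "tcpseq/tcpack only valid for tcp" does not tell the user which keyword they typed, even though the next statement already distinguishes the two via `(i == TOK_TCPSEQ)`. Reuse that test in the diagnostic, e.g. `errx(EX_USAGE, "%s only valid for tcp", (i == TOK_TCPSEQ) ? "tcpseq" : "tcpack");`, so the error matches the per-keyword wording of the other hunks.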
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030115224747.806A710BF87>
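The following is an added example and not code from this PR or from FreeBSD's ipfw2.c. It is a stand-alone C validator that applies the same consistency rule the patch adds to the ipfw(8) command line: a protocol-specific option (setup, established, tcpflags, tcpoptions, tcpseq, tcpack, tcpwin, icmptypes) is only accepted when the rule's protocol matches. Its `strict` flag models the two behaviours discussed in the report: `strict` set rejects the `ip`/`all` wildcard as the patch does, `strict` clear lets the wildcard through as the kernel would. All names here (`check_rule`, `rule_error`, `proto_from_name`, `opt_reqs`) are hypothetical, the sample rules are constructed, and the option table only lists the keywords the patch guards.

```c
/*
 * Added example, not code from PR bin/47120 or FreeBSD's ipfw2.c.
 * Validates "<action> <proto> from <src> to <dst> [options ...]" for
 * protocol-specific options used with the wrong protocol.
 * All identifiers are hypothetical.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>	/* IPPROTO_IP, IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP */

enum check_result { RULE_OK = 0, RULE_MISSING_ACTION, RULE_UNKNOWN_PROTO,
	RULE_PROTO_MISMATCH, RULE_MISSING_ARG };

struct opt_req {
	const char *name;	/* option keyword as typed on the command line */
	int proto;		/* protocol the keyword is meaningful for */
	int takes_arg;		/* 1 if the keyword consumes the next token */
};

/* The keywords the patch guards, each with the protocol it requires. */
static const struct opt_req opt_reqs[] = {
	{ "setup",       IPPROTO_TCP,  0 }, { "established", IPPROTO_TCP, 0 },
	{ "tcpflags",    IPPROTO_TCP,  1 }, { "tcpoptions",  IPPROTO_TCP, 1 },
	{ "tcpseq",      IPPROTO_TCP,  1 }, { "tcpack",      IPPROTO_TCP, 1 },
	{ "tcpwin",      IPPROTO_TCP,  1 }, { "icmptypes",   IPPROTO_ICMP, 1 },
};

static char errbuf[128];	/* last diagnostic, worded like the patch's errx() calls */

const char *rule_error(void) { return errbuf; }

static int proto_from_name(const char *s)
{
	if (strcmp(s, "tcp") == 0) return IPPROTO_TCP;
	if (strcmp(s, "udp") == 0) return IPPROTO_UDP;
	if (strcmp(s, "icmp") == 0) return IPPROTO_ICMP;
	if (strcmp(s, "ip") == 0 || strcmp(s, "all") == 0) return IPPROTO_IP;
	return -1;
}

/*
 * strict != 0: like the patch, the wildcard ip/all is rejected as well.
 * strict == 0: like the kernel, the wildcard passes because the opcode
 *              itself only matches packets of the right protocol.
 */
int check_rule(const char *rule, int strict)
{
	char buf[256], *tok, *save;
	int proto = -1;
	size_t i;

	errbuf[0] = '\0';
	snprintf(buf, sizeof(buf), "%s", rule);

	if ((tok = strtok_r(buf, " \t", &save)) == NULL) {
		snprintf(errbuf, sizeof(errbuf), "missing action");
		return RULE_MISSING_ACTION;
	}
	tok = strtok_r(NULL, " \t", &save);
	if (tok == NULL || (proto = proto_from_name(tok)) < 0) {
		snprintf(errbuf, sizeof(errbuf), "unknown protocol ``%s''", tok ? tok : "");
		return RULE_UNKNOWN_PROTO;
	}

	while ((tok = strtok_r(NULL, " \t", &save)) != NULL) {
		for (i = 0; i < sizeof(opt_reqs) / sizeof(opt_reqs[0]); i++) {
			const struct opt_req *o = &opt_reqs[i];

			if (strcmp(tok, o->name) != 0)
				continue;
			if (proto != o->proto && (strict || proto != IPPROTO_IP)) {
				snprintf(errbuf, sizeof(errbuf), "%s only valid for %s",
				    o->name, o->proto == IPPROTO_TCP ? "tcp" : "icmp");
				return RULE_PROTO_MISMATCH;
			}
			/* Consume the argument so it is never mistaken for a keyword. */
			if (o->takes_arg && strtok_r(NULL, " \t", &save) == NULL) {
				snprintf(errbuf, sizeof(errbuf), "missing argument for %s", o->name);
				return RULE_MISSING_ARG;
			}
			break;
		}
	}
	return RULE_OK;
}

int main(void)
{
	/* Constructed sample rules; the first one is the rule from the PR. */
	static const char *samples[] = { "allow udp from any to any setup",
	    "allow ip from any to any setup", "allow tcp from any to any icmptypes 8" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int r = check_rule(samples[i], 1);
		printf("%-40s %s\n", samples[i], r == RULE_OK ? "ok" : rule_error());
	}
	return 0;
}
```

Run with `strict` set, the PR's `allow udp from any to any setup` is refused with "setup only valid for tcp", the same wording the patch uses; flip `strict` to 0 and `allow ip from any to any setup` passes while the udp rule is still refused, which is the middle ground the reviewer comments above suggest.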