Date: Sat, 19 Dec 2009 00:45:23 +0900 From: Hajimu UMEMOTO <ume@freebsd.org> To: David Horn <dhorn2000@gmail.com> Cc: freebsd-ipfw@freebsd.org Subject: Re: Unified rc.firewall ipfw me/me6 issue Message-ID: <yged42c4770.wl%ume@mahoroba.org> In-Reply-To: <25ff90d60912180612y2b1f64fbw34b4d7f648762087@mail.gmail.com> References: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com> <ygek4wmyp3j.wl%ume@mahoroba.org> <25ff90d60912180612y2b1f64fbw34b4d7f648762087@mail.gmail.com>
--Multipart_Sat_Dec_19_00:45:23_2009-1
Content-Type: text/plain; charset=US-ASCII
Hi,
>>>>> On Fri, 18 Dec 2009 09:12:48 -0500
>>>>> David Horn <dhorn2000@gmail.com> said:
dhorn2000> The updated patch works, but doing a check for [ $ipv6_available -eq 0 ]
dhorn2000> might be more appropriate than checking "net6" or "inet6" variables in these
dhorn2000> no INET6 cases since neither net6 or inet6 variables are involved in these
dhorn2000> statements.
Thank you for testing. It is intentional. If firewall_client_net_ipv6 is not set, the IPv6 rules are not meaningful for the client type, and if firewall_simple_inet_ipv6 is not set, the IPv6 rules are not meaningful for the simple type.
dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
dhorn2000> rc.firewall flow.
Here is my proposed patch. With this patch, 'me' matches to both IPv4 and IPv6, and 'me4' is added for matching to only IPv4.
Sincerely,
--Multipart_Sat_Dec_19_00:45:23_2009-1
Content-Type: text/x-patch; type=patch; charset=US-ASCII
Content-Disposition: attachment; filename="ipfw-me-unify.diff"
Content-Transfer-Encoding: 7bit
Index: sbin/ipfw/ipfw2.c
===================================================================
--- sbin/ipfw/ipfw2.c (revision 200668)
+++ sbin/ipfw/ipfw2.c (working copy)
@@ -768,6 +768,10 @@
printf("me");
return;
}
+ if (cmd->o.opcode == O_IP4_SRC_ME || cmd->o.opcode == O_IP4_DST_ME) {
+ printf("me4");
+ return;
+ }
if (cmd->o.opcode == O_IP_SRC_LOOKUP ||
cmd->o.opcode == O_IP_DST_LOOKUP) {
printf("table(%u", ((ipfw_insn *)cmd)->arg1);
@@ -1187,6 +1191,7 @@
case O_IP_SRC_LOOKUP:
case O_IP_SRC_MASK:
case O_IP_SRC_ME:
+ case O_IP4_SRC_ME:
case O_IP_SRC_SET:
show_prerequisites(&flags, HAVE_PROTO, 0);
if (!(flags & HAVE_SRCIP))
@@ -1202,6 +1207,7 @@
case O_IP_DST_LOOKUP:
case O_IP_DST_MASK:
case O_IP_DST_ME:
+ case O_IP4_DST_ME:
case O_IP_DST_SET:
show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
if (!(flags & HAVE_DSTIP))
@@ -1972,6 +1978,12 @@
return;
}
+ if (strcmp(av, "me4") == 0) {
+ cmd->o.opcode = O_IP4_DST_ME;
+ cmd->o.len |= F_INSN_SIZE(ipfw_insn);
+ return;
+ }
+
if (strncmp(av, "table(", 6) == 0) {
char *p = strchr(av + 6, ',');
@@ -2478,6 +2490,8 @@
cmd->opcode = O_IP_SRC_SET;
else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
cmd->opcode = O_IP_SRC_LOOKUP;
+ else if (cmd->opcode == O_IP4_DST_ME) /* me4 */
+ cmd->opcode = O_IP4_SRC_ME;
else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* me */
cmd->opcode = O_IP_SRC_ME;
else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32)) /* one IP */
@@ -2495,6 +2509,8 @@
;
else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
;
+ else if (cmd->opcode == O_IP4_DST_ME) /* me4 */
+ ;
else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* me */
cmd->opcode = O_IP_DST_ME;
else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32)) /* one IP */
@@ -2534,7 +2550,7 @@
ret = add_srcip6(cmd, av);
/* XXX: should check for IPv4, not !IPv6 */
if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
- !inet_pton(AF_INET6, host, &a)))
+ strcmp(av, "me4") == 0 || !inet_pton(AF_INET6, host, &a)))
ret = add_srcip(cmd, av);
if (ret == NULL && strcmp(av, "any") != 0)
ret = cmd;
@@ -2560,7 +2576,7 @@
ret = add_dstip6(cmd, av);
/* XXX: should check for IPv4, not !IPv6 */
if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
- !inet_pton(AF_INET6, host, &a)))
+ strcmp(av, "me4") == 0 || !inet_pton(AF_INET6, host, &a)))
ret = add_dstip(cmd, av);
if (ret == NULL && strcmp(av, "any") != 0)
ret = cmd;
Index: sys/netinet/ip_fw.h
===================================================================
--- sys/netinet/ip_fw.h (revision 200668)
+++ sys/netinet/ip_fw.h (working copy)
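Review bot: The new `me4` keyword accepted in the fill_ip hunk, and the widened meaning of `me` that this patch introduces, are not documented anywhere in the patch; the address-syntax section of ipfw(8) should gain an entry along the lines of `me4 matches any IPv4 address configured on an interface in the system` and the `me` entry should state that it now matches both IPv4 and IPv6 addresses. In the two add_src/add_dst hunks the added `strcmp(av, "me4") == 0` term is redundant with the `!inet_pton(AF_INET6, host, &a)` that follows it, which already evaluates true for the string "me4"; keeping it mirrors the existing `me` term, so this is a point of style only. The enclosing functions start and end outside these hunks, so whether `ipv6 from me4` is first routed to add_srcip6 by the condition above the hunk cannot be checked here and is worth verifying.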
@@ -166,6 +166,8 @@
O_ALTQ, /* u32 = altq classif. qid */
O_DIVERTED, /* arg1=bitmap (1:loop, 2:out) */
O_TCPDATALEN, /* arg1 = tcp data len */
+ O_IP4_SRC_ME, /* none */
+ O_IP4_DST_ME, /* none */
O_IP6_SRC, /* address without mask */
O_IP6_SRC_ME, /* my addresses */
O_IP6_SRC_MASK, /* address with the mask */
Index: sys/netinet/ipfw/ip_fw2.c
===================================================================
--- sys/netinet/ipfw/ip_fw2.c (revision 200668)
+++ sys/netinet/ipfw/ip_fw2.c (working copy)
@@ -1444,12 +1444,22 @@
break;
case O_IP_SRC_ME:
+ case O_IP4_SRC_ME:
if (is_ipv4) {
struct ifnet *tif;
INADDR_TO_IFP(src_ip, tif);
match = (tif != NULL);
+ break;
}
+ if (cmd->opcode == O_IP4_SRC_ME)
+ break;
+ /* FALLTHROUGH */
+#ifdef INET6
+ case O_IP6_SRC_ME:
+ match = is_ipv6 &&
+ search_ip6_addr_net(&args->f_id.src_ip6);
+#endif
break;
case O_IP_DST_SET:
@@ -1477,12 +1487,22 @@
break;
case O_IP_DST_ME:
+ case O_IP4_DST_ME:
if (is_ipv4) {
struct ifnet *tif;
INADDR_TO_IFP(dst_ip, tif);
match = (tif != NULL);
+ break;
}
+ if (cmd->opcode == O_IP4_DST_ME)
+ break;
+ /* FALLTHROUGH */
+#ifdef INET6
+ case O_IP6_DST_ME:
+ match = is_ipv6 &&
+ search_ip6_addr_net(&args->f_id.dst_ip6);
+#endif
break;
case O_IP_SRCPORT:
@@ -1750,14 +1770,6 @@
}
break;
- case O_IP6_SRC_ME:
- match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6);
- break;
-
- case O_IP6_DST_ME:
- match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6);
- break;
-
case O_FLOW6ID:
match = is_ipv6 && flow6id_match(args->f_id.flow_id6,
Index: sys/netinet/ipfw/ip_fw_sockopt.c
===================================================================
--- sys/netinet/ipfw/ip_fw_sockopt.c (revision 200668)
+++ sys/netinet/ipfw/ip_fw_sockopt.c (working copy)
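Review bot: Inserting `O_IP4_SRC_ME` and `O_IP4_DST_ME` between `O_TCPDATALEN` and `O_IP6_SRC` renumbers every opcode that follows them, and those numbers are what ipfw(8) hands to the kernel inside the rule blob, so an ipfw binary and a kernel built from different sides of this change will disagree on the meaning of every O_IP6_* and later opcode and rules may be misinterpreted rather than rejected. New opcodes should be appended at the end of the enum, just before its terminating `O_LAST_OPCODE` entry, so that existing values keep their numbers. A comment at the head of the enum such as `/* Append new opcodes at the end: the values are part of the ipfw(8)/kernel rule ABI. */` would make the constraint visible to the next person who adds one.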
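Review bot: The rewritten O_IP_SRC_ME case changes what an existing `me` rule matches: before this hunk it matched only IPv4 packets, and now a non-IPv4 packet falls through into the O_IP6_SRC_ME case when INET6 is defined, so a deployed ruleset that used `me` to mean "my IPv4 addresses" silently starts matching IPv6 traffic as well, which can widen an accept rule. That is the stated intent of the patch, but it is a policy change for existing firewalls and needs a note in ipfw(8) and the release notes; the bare `/* FALLTHROUGH */` should also say why it is there, e.g. `/* FALLTHROUGH: 'me' also covers my IPv6 addresses; 'me4' has already stopped above */`. The same applies to the O_IP_DST_ME hunk that follows. When INET6 is not defined the fallthrough lands directly on the `break` with `match` untouched, which is only correct if `match` is reset before every instruction is evaluated; that reset is outside the hunk and should be confirmed.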
@@ -536,6 +536,8 @@
case O_VERSRCREACH:
case O_ANTISPOOF:
case O_IPSEC:
+ case O_IP4_SRC_ME:
+ case O_IP4_DST_ME:
#ifdef INET6
case O_IP6_SRC_ME:
case O_IP6_DST_ME:
--Multipart_Sat_Dec_19_00:45:23_2009-1
Content-Type: text/plain; charset=US-ASCII
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
--Multipart_Sat_Dec_19_00:45:23_2009-1--