From: Hajimu UMEMOTO <ume@mahoroba.org>
To: David Horn
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Unified rc.firewall ipfw me/me6 issue
Date: Sat, 19 Dec 2009 00:45:23 +0900
In-Reply-To: <25ff90d60912180612y2b1f64fbw34b4d7f648762087@mail.gmail.com>
References: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com> <25ff90d60912180612y2b1f64fbw34b4d7f648762087@mail.gmail.com>
Organization: Internet Mutual Aid Society, YOKOHAMA
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

Hi,

>>>>> On Fri, 18 Dec 2009 09:12:48 -0500
>>>>> David Horn said:

dhorn2000> The updated patch works, but doing a check for [ $ipv6_available -eq 0 ]
dhorn2000> might be more appropriate than checking "net6" or "inet6" variables in these
dhorn2000> no INET6 cases since neither net6 or inet6 variables are involved in these
dhorn2000> statements.

Thank you for testing.
It is intentional. If firewall_client_net_ipv6 is not set, the IPv6 rules are not meaningful for the client type, and if firewall_simple_inet_ipv6 is not set, the IPv6 rules are not meaningful for the simple type.

dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
dhorn2000> rc.firewall flow.

Here is my proposed patch. With this patch, 'me' matches both IPv4 and IPv6, and 'me4' is added for matching only IPv4.

Sincerely,

[Attachment: ipfw-me-unify.diff (text/x-patch)]
Index: sbin/ipfw/ipfw2.c =================================================================== --- sbin/ipfw/ipfw2.c (revision 200668) +++ sbin/ipfw/ipfw2.c (working copy) @@ -768,6 +768,10 @@ printf("me"); return; } + if (cmd->o.opcode == O_IP4_SRC_ME || cmd->o.opcode == O_IP4_DST_ME) { + printf("me4"); + return; + } if (cmd->o.opcode == O_IP_SRC_LOOKUP || cmd->o.opcode == O_IP_DST_LOOKUP) { printf("table(%u", ((ipfw_insn *)cmd)->arg1); @@ -1187,6 +1191,7 @@ case O_IP_SRC_LOOKUP: case O_IP_SRC_MASK: case O_IP_SRC_ME: + case O_IP4_SRC_ME: case O_IP_SRC_SET: show_prerequisites(&flags, HAVE_PROTO, 0); if (!(flags & HAVE_SRCIP)) @@ -1202,6 +1207,7 @@ case O_IP_DST_LOOKUP: case O_IP_DST_MASK: case O_IP_DST_ME: + case O_IP4_DST_ME: case O_IP_DST_SET: show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0); if (!(flags & HAVE_DSTIP)) @@ -1972,6 +1978,12 @@ return; } + if (strcmp(av, "me4") == 0) { + cmd->o.opcode = O_IP4_DST_ME; + cmd->o.len |= F_INSN_SIZE(ipfw_insn); + return; + } + if (strncmp(av, "table(", 6) == 0) { char *p = strchr(av + 6, ','); 
@@ -2478,6 +2490,8 @@ cmd->opcode = O_IP_SRC_SET; else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ cmd->opcode = O_IP_SRC_LOOKUP; + else if (cmd->opcode == O_IP4_DST_ME) /* me4 */ + cmd->opcode = O_IP4_SRC_ME; else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* me */ cmd->opcode = O_IP_SRC_ME; else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32)) /* one IP */ @@ -2495,6 +2509,8 @@ ; else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ ; + else if (cmd->opcode == O_IP4_DST_ME) /* me4 */ + ; else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* me */ cmd->opcode = O_IP_DST_ME; else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32)) /* one IP */ @@ -2534,7 +2550,7 @@ ret = add_srcip6(cmd, av); /* XXX: should check for IPv4, not !IPv6 */ if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 || - !inet_pton(AF_INET6, host, &a))) + strcmp(av, "me4") == 0 || !inet_pton(AF_INET6, host, &a))) ret = add_srcip(cmd, av); if (ret == NULL && strcmp(av, "any") != 0) ret = cmd; @@ -2560,7 +2576,7 @@ ret = add_dstip6(cmd, av); /* XXX: should check for IPv4, not !IPv6 */ if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 || - !inet_pton(AF_INET6, host, &a))) + strcmp(av, "me4") == 0 || !inet_pton(AF_INET6, host, &a))) ret = add_dstip(cmd, av); if (ret == NULL && strcmp(av, "any") != 0) ret = cmd; Index: sys/netinet/ip_fw.h =================================================================== --- sys/netinet/ip_fw.h (revision 200668) +++ sys/netinet/ip_fw.h (working copy) @@ -166,6 +166,8 @@ O_ALTQ, /* u32 = altq classif. qid */ O_DIVERTED, /* arg1=bitmap (1:loop, 2:out) */ O_TCPDATALEN, /* arg1 = tcp data len */ + O_IP4_SRC_ME, /* none */ + O_IP4_DST_ME, /* none */ O_IP6_SRC, /* address without mask */ O_IP6_SRC_ME, /* my addresses */ O_IP6_SRC_MASK, /* address with the mask */ Index: sys/netinet/ipfw/ip_fw2.c =================================================================== --- sys/netinet/ipfw/ip_fw2.c (revision 200668) +++ sys/netinet/ipfw/ip_fw2.c (working copy) 
@@ -1444,12 +1444,22 @@ break; case O_IP_SRC_ME: + case O_IP4_SRC_ME: if (is_ipv4) { struct ifnet *tif; INADDR_TO_IFP(src_ip, tif); match = (tif != NULL); + break; } + if (cmd->opcode == O_IP4_SRC_ME) + break; + /* FALLTHROUGH */ +#ifdef INET6 + case O_IP6_SRC_ME: + match = is_ipv6 && + search_ip6_addr_net(&args->f_id.src_ip6); +#endif break; case O_IP_DST_SET: @@ -1477,12 +1487,22 @@ break; case O_IP_DST_ME: + case O_IP4_DST_ME: if (is_ipv4) { struct ifnet *tif; INADDR_TO_IFP(dst_ip, tif); match = (tif != NULL); + break; } + if (cmd->opcode == O_IP4_DST_ME) + break; + /* FALLTHROUGH */ +#ifdef INET6 + case O_IP6_DST_ME: + match = is_ipv6 && + search_ip6_addr_net(&args->f_id.dst_ip6); +#endif break; case O_IP_SRCPORT: @@ -1750,14 +1770,6 @@ } break; - case O_IP6_SRC_ME: - match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6); - break; - - case O_IP6_DST_ME: - match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6); - break; - case O_FLOW6ID: match = is_ipv6 && flow6id_match(args->f_id.flow_id6, Index: sys/netinet/ipfw/ip_fw_sockopt.c =================================================================== --- sys/netinet/ipfw/ip_fw_sockopt.c (revision 200668) +++ sys/netinet/ipfw/ip_fw_sockopt.c (working copy) @@ -536,6 +536,8 @@ case O_VERSRCREACH: case O_ANTISPOOF: case O_IPSEC: + case O_IP4_SRC_ME: + case O_IP4_DST_ME: #ifdef INET6 case O_IP6_SRC_ME: case O_IP6_DST_ME:

-- 
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
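Review bot: in the sys/netinet/ip_fw.h hunk, inserting O_IP4_SRC_ME and O_IP4_DST_ME ahead of O_IP6_SRC renumbers every opcode that follows them; ipfw(8) hands rules to the kernel as arrays of ipfw_insn whose opcode field is the raw enum value, so an ipfw binary and a kernel built from different sides of this change would silently disagree on what O_IP6_SRC, O_IP6_SRC_ME and all later opcodes mean. Unless breaking rule compatibility between userland and kernel is acceptable here, append the two new opcodes at the end of the enum instead. The `/* none */` comments would also read better as `/* my IPv4 addresses */`, mirroring the existing `/* my addresses */` on O_IP6_SRC_ME.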
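Review bot: in the sys/netinet/ipfw/ip_fw2.c hunks at -1444 and -1477 the `/* FALLTHROUGH */` lands on a `case` label that only exists under `#ifdef INET6`; with INET6 off the comment sits directly in front of the bare `break;`, which behaves correctly (a `me` rule then matches nothing for a non-IPv4 packet, `match` staying 0) but reads as if something were missing. Moving the comment inside the `#ifdef INET6` block, together with a one-line comment that O_IP_SRC_ME/O_IP_DST_ME now also match the host's IPv6 addresses, would make the intent obvious. Note that the `is_ipv6 &&` guard on the O_IP6_SRC_ME/O_IP6_DST_ME leg is still needed even though it looks redundant on the fallthrough path, because an IPv4 packet can reach that label directly through an explicit `me6` rule.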
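Review bot: the new `me4` keyword introduced in the sbin/ipfw/ipfw2.c hunk at -1972, and the widened meaning of `me` (after this patch it also matches the host's IPv6 addresses), are user-visible changes, yet the diff touches no documentation: ipfw.8 is not among the files changed. Both belong in the manual page, and the change to `me` deserves an UPDATING entry, since existing rulesets that rely on `from me` or `to me` being IPv4-only will start matching IPv6 traffic after an upgrade; that is exactly the kind of silent policy change a firewall operator needs to be told about. In the -2534 and -2560 hunks the identical `strcmp(av, "me") == 0 || strcmp(av, "me4") == 0 || !inet_pton(AF_INET6, host, &a)` condition is now duplicated in the source and destination paths; a small helper would keep the two from drifting apart, and the `XXX: should check for IPv4, not !IPv6` comment still applies to it.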