From: "raffaele.delorenzo@libero.it"
Date: Wed, 22 Jul 2009 11:48:39 +0200 (CEST)
To: freebsd-ipfw@freebsd.org
Cc: rizzo@icir.org
Subject: R: IPv6 and ipfw

Hi all,

You have found a parser bug. When the protocol is "ipv6" and you use comma-separated IPv6 addresses, the parser works fine because the "add_srcip6" function is called and recognizes all addresses. When the protocol is "!=ipv6" (like TCP, UDP, ICMP6) the "add_src" function is called and it causes trouble because "inet_pton()" fails and the "add_srcip" function is erroneously called (see the code below).
(from "ipfw2.c")

    static ipfw_insn *
    add_src(ipfw_insn *cmd, char *av, u_char proto)
    {
    	struct in6_addr a;
    	char *host, *ch;
    	ipfw_insn *ret = NULL;

    	if ((host = strdup(av)) == NULL)
    		return NULL;
    	/* strip a trailing /masklen before probing the address */
    	if ((ch = strrchr(host, '/')) != NULL)
    		*ch = '\0';

    	/* inet_pton() is run on the whole string: a comma-separated
    	 * list like "a,b" is not a single address, so for proto != IPv6
    	 * this probe fails and the list is never handed to add_srcip6() */
    	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
    	    inet_pton(AF_INET6, host, &a))
    		ret = add_srcip6(cmd, av);
    	/* XXX: should check for IPv4, not !IPv6 */
    	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
    	    !inet_pton(AF_INET6, host, &a)))
    		ret = add_srcip(cmd, av);
    	if (ret == NULL && strcmp(av, "any") != 0)
    		ret = cmd;
    	free(host);
    	return ret;
    }

I think the possible solutions are the following:

1) Create new protocol types UDP6, TCP6 only for IPv6 rules to avoid parser confusion, and check for these protocols inside the "add_src" function (easy to implement).

2) Check the comma-separated IP/IPv6 addresses inside the "add_src" function (a little too hard to implement).

I appreciate suggestions from the community experts about this problem.

Ciao
Raffaele

>----Original message----
>From: wjw@digiware.nl
>Date: 22/07/2009 10.20
>To:
>Subject: IPv6 and ipfw
>
>Hi,
>
>Running 7.2 I tried to insert this into my IPFW rules
>
># ipfw add allow udp from any to 2001:xxx:3:: 113,2001:xxxx:3::116 \
> dst-port 10001-10100 keep-state
>ipfw: bad netmask ``xxxx:3::113''
>
>also:
># ipfw add allow udp from any to trixbox.ip6 dst-port 10001-10100 keep-state
>ipfw: hostname ``trixbox.ip6'' unknown
>Exit 68
># host trixbox.ip6
>trixbox.ip6.digiware.nl has IPv6 address 2001:4cb8:3::116
>
>So it looks like what is in the manual is overly optimistic:
>----
> addr6-list: ip6-addr[,addr6-list]
>
> ip6-addr:
> A host or subnet specified one of the following ways:
>
> numeric-ip | hostname
> Matches a single IPv6 address as allowed by inet_pton(3)
> or a hostname. Hostnames are resolved at the time the
> rule is added to the firewall list.
>
> addr/masklen
> Matches all IPv6 addresses with base addr (specified as
> allowed by inet_pton or a hostname) and mask width of
> masklen bits.
>
> No support for sets of IPv6 addresses is provided because IPv6
> addresses are typically random past the initial prefix.
>----
>
>Anybody else ran into this?
>Or should I file this as a PR.
>
>--WjW
>_______________________________________________
>freebsd-net@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-net
>To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
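The misclassification Raffaele describes, reduced to a stand-alone model (added example, not ipfw's own code): classify_src() mirrors the add_src() decision of which address parser a source spec goes to, and the first_only flag is an assumed implementation of suggestion 2 that probes only the first comma-separated element. The sample specs are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Model of the add_src() decision: returns AF_INET6 when the spec would be
 * handed to add_srcip6(), AF_INET when it would fall through to add_srcip().
 * first_only == 0: inet_pton() probes the whole comma-separated list, exactly
 * as add_src() does (the bug).  first_only != 0: only the first element is
 * probed (assumed implementation of the "check the list" suggestion). */
static int classify_src(const char *av, int proto, int first_only)
{
    struct in6_addr a;
    char *host, *ch;
    int is6;

    if ((host = strdup(av)) == NULL)
        return -1;
    if (first_only && (ch = strchr(host, ',')) != NULL)
        *ch = '\0';     /* probe "2001:db8::1", not "2001:db8::1,2001:db8::2" */
    if ((ch = strrchr(host, '/')) != NULL)
        *ch = '\0';     /* drop the /masklen, as add_src() does */
    is6 = (inet_pton(AF_INET6, host, &a) == 1);
    free(host);

    if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || is6)
        return AF_INET6;
    return AF_INET;     /* add_src() falls through to add_srcip() here */
}

int classify_src_buggy(const char *av, int proto) { return classify_src(av, proto, 0); }
int classify_src_fixed(const char *av, int proto) { return classify_src(av, proto, 1); }

int main(void)
{
    /* constructed sample specs; the first two are the shape of the reported rule */
    const char *specs[] = { "2001:db8::1,2001:db8::2", "2001:db8::/64,2001:db8:1::/64",
                            "2001:db8::1", "10.0.0.1,10.0.0.2" };
    for (size_t i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
        printf("%-32s udp: buggy=%s fixed=%s\n", specs[i],
               classify_src_buggy(specs[i], IPPROTO_UDP) == AF_INET6 ? "ipv6" : "ipv4",
               classify_src_fixed(specs[i], IPPROTO_UDP) == AF_INET6 ? "ipv6" : "ipv4");
    return 0;
}
```

With proto set to IPPROTO_IPV6 both variants agree, which is why the list form only breaks for TCP/UDP/ICMP6 rules.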