Date:      Sat, 19 Dec 2009 00:45:23 +0900
From:      Hajimu UMEMOTO <ume@freebsd.org>
To:        David Horn <dhorn2000@gmail.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Unified rc.firewall ipfw me/me6 issue
Message-ID:  <yged42c4770.wl%ume@mahoroba.org>
In-Reply-To: <25ff90d60912180612y2b1f64fbw34b4d7f648762087@mail.gmail.com>
References:  <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com> <ygek4wmyp3j.wl%ume@mahoroba.org> <25ff90d60912180612y2b1f64fbw34b4d7f648762087@mail.gmail.com>

--Multipart_Sat_Dec_19_00:45:23_2009-1
Content-Type: text/plain; charset=US-ASCII

Hi,

>>>>> On Fri, 18 Dec 2009 09:12:48 -0500
>>>>> David Horn <dhorn2000@gmail.com> said:

dhorn2000> The updated patch works, but doing a check for [ $ipv6_available -eq 0 ]
dhorn2000> might be more appropriate than checking "net6" or "inet6" variables in these
dhorn2000> no-INET6 cases, since neither the net6 nor the inet6 variables are involved in these
dhorn2000> statements.

Thank you for testing.
It is intentional.  If firewall_client_net_ipv6 is not set, the IPv6
rules are not meaningful for the client type, and if
firewall_simple_inet_ipv6 is not set, the IPv6 rules are not
meaningful for the simple type.

dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
dhorn2000> rc.firewall flow.

Here is my proposed patch.  With it, 'me' matches both the IPv4 and the
IPv6 addresses of the host, and a new 'me4' keyword matches only its
IPv4 addresses.

Sincerely,

--Multipart_Sat_Dec_19_00:45:23_2009-1
Content-Type: text/x-patch; type=patch; charset=US-ASCII
Content-Disposition: attachment; filename="ipfw-me-unify.diff"
Content-Transfer-Encoding: 7bit

Index: sbin/ipfw/ipfw2.c
===================================================================
--- sbin/ipfw/ipfw2.c	(revision 200668)
+++ sbin/ipfw/ipfw2.c	(working copy)
@@ -768,6 +768,10 @@
 		printf("me");
 		return;
 	}
+	if (cmd->o.opcode == O_IP4_SRC_ME || cmd->o.opcode == O_IP4_DST_ME) {
+		printf("me4");
+		return;
+	}
 	if (cmd->o.opcode == O_IP_SRC_LOOKUP ||
 	    cmd->o.opcode == O_IP_DST_LOOKUP) {
 		printf("table(%u", ((ipfw_insn *)cmd)->arg1);
@@ -1187,6 +1191,7 @@
 		case O_IP_SRC_LOOKUP:
 		case O_IP_SRC_MASK:
 		case O_IP_SRC_ME:
+		case O_IP4_SRC_ME:
 		case O_IP_SRC_SET:
 			show_prerequisites(&flags, HAVE_PROTO, 0);
 			if (!(flags & HAVE_SRCIP))
@@ -1202,6 +1207,7 @@
 		case O_IP_DST_LOOKUP:
 		case O_IP_DST_MASK:
 		case O_IP_DST_ME:
+		case O_IP4_DST_ME:
 		case O_IP_DST_SET:
 			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
 			if (!(flags & HAVE_DSTIP))
@@ -1972,6 +1978,12 @@
 		return;
 	}
 
+	if (strcmp(av, "me4") == 0) {
+		cmd->o.opcode = O_IP4_DST_ME;
+		cmd->o.len |= F_INSN_SIZE(ipfw_insn);
+		return;
+	}
+
 	if (strncmp(av, "table(", 6) == 0) {
 		char *p = strchr(av + 6, ',');
 
@@ -2478,6 +2490,8 @@
 		cmd->opcode = O_IP_SRC_SET;
 	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
 		cmd->opcode = O_IP_SRC_LOOKUP;
+	else if (cmd->opcode == O_IP4_DST_ME)			/* me4 */
+		cmd->opcode = O_IP4_SRC_ME;
 	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn))		/* me */
 		cmd->opcode = O_IP_SRC_ME;
 	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))	/* one IP */
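Review bot: The new `O_IP4_DST_ME` branch must stay ahead of the `F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)` test right after it, because `me4` is encoded with that same one-word length (see the fill_ip change in this patch) and would otherwise be rewritten to O_IP_SRC_ME, silently turning an IPv4-only match back into a dual-stack one. That ordering dependency is invisible from the code; a comment on the new line, e.g. `/* me4 -- must precede the length-based "me" test below */`, would protect it from a later reorder. add_srcip starts and ends outside the hunk.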
@@ -2495,6 +2509,8 @@
 		;
 	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
 		;
+	else if (cmd->opcode == O_IP4_DST_ME)			/* me4 */
+		;
 	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn))		/* me */
 		cmd->opcode = O_IP_DST_ME;
 	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))	/* one IP */
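Review bot: The empty `O_IP4_DST_ME` branch is load-bearing: without it the following `F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)` test would match `me4` as well (both are one-word instructions) and overwrite the opcode with O_IP_DST_ME, widening the rule to IPv6. Since the existing table/set branches above use the same bare `;` body, the local style is respected, but a comment such as `/* me4: keep opcode, must precede the length test */` would make the dependency explicit. add_dstip starts and ends outside the hunk.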
@@ -2534,7 +2550,7 @@
 		ret = add_srcip6(cmd, av);
 	/* XXX: should check for IPv4, not !IPv6 */
 	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
-	    !inet_pton(AF_INET6, host, &a)))
+	    strcmp(av, "me4") == 0 || !inet_pton(AF_INET6, host, &a)))
 		ret = add_srcip(cmd, av);
 	if (ret == NULL && strcmp(av, "any") != 0)
 		ret = cmd;
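Review bot: `me4` only reaches add_srcip when the IPv6 branch above it did not claim the argument; for a rule whose protocol is IPv6 the earlier `ret = add_srcip6(cmd, av)` call receives "me4", and nothing in this hunk rejects the combination, so whether `ipv6 from me4` fails cleanly or yields some other instruction depends on add_srcip6, which is outside the hunk. An explicit check ahead of the IPv6 branch that an IPv4-only keyword is not used with an IPv6 protocol would give a deterministic parse error instead. The added `strcmp(av, "me4") == 0` is also redundant with the `!inet_pton(AF_INET6, host, &a)` term on the same condition (the literal never parses as an IPv6 address); it mirrors the existing "me" test, but given the `XXX` above already flags this condition as fragile, a one-line comment saying the strcmp is for readability would help. add_src starts and ends outside the hunk.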
@@ -2560,7 +2576,7 @@
 		ret = add_dstip6(cmd, av);
 	/* XXX: should check for IPv4, not !IPv6 */
 	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
-	    !inet_pton(AF_INET6, host, &a)))
+	    strcmp(av, "me4") == 0 || !inet_pton(AF_INET6, host, &a)))
 		ret = add_dstip(cmd, av);
 	if (ret == NULL && strcmp(av, "any") != 0)
 		ret = cmd;
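Review bot: As in add_src, "me4" combined with an IPv6 protocol is handed to `add_dstip6` first and is not rejected here, so the error behaviour of `ipv6 from any to me4` is decided outside this hunk; an explicit rejection of an IPv4-only keyword on an IPv6 rule before that call would make it deterministic. The new `strcmp(av, "me4") == 0` term is redundant with `!inet_pton(AF_INET6, host, &a)` and is present for readability only, which is worth a comment. add_dst starts and ends outside the hunk.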
Index: sys/netinet/ip_fw.h
===================================================================
--- sys/netinet/ip_fw.h	(revision 200668)
+++ sys/netinet/ip_fw.h	(working copy)
@@ -166,6 +166,8 @@
 	O_ALTQ,			/* u32 = altq classif. qid	*/
 	O_DIVERTED,		/* arg1=bitmap (1:loop, 2:out)	*/
 	O_TCPDATALEN,		/* arg1 = tcp data len		*/
+	O_IP4_SRC_ME,		/* none				*/
+	O_IP4_DST_ME,		/* none				*/
 	O_IP6_SRC,		/* address without mask		*/
 	O_IP6_SRC_ME,		/* my addresses			*/
 	O_IP6_SRC_MASK,		/* address with the mask	*/
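Review bot: Inserting O_IP4_SRC_ME and O_IP4_DST_ME in the middle of the opcode enum renumbers every value after them (O_IP6_SRC, O_IP6_SRC_ME, O_IP6_SRC_MASK and everything that follows), and since these values travel inside ipfw_insn between sbin/ipfw and the kernel, an ipfw(8) built against the old header would install rules whose IPv6 matches decode as different opcodes on a kernel carrying this patch, and vice versa. The opcode check in ip_fw_sockopt.c cannot catch that mismatch, because many of the renumbered opcodes share the same instruction length. Appending the two new opcodes at the end of the enum (before the terminating marker, if the header has one) keeps the existing numbering stable; if the project accepts that ipfw(8) and the kernel must always be rebuilt together, a comment next to the new entries stating that the insertion renumbers the tail of the enum would at least make the hazard explicit. The enum starts and ends outside the hunk.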
Index: sys/netinet/ipfw/ip_fw2.c
===================================================================
--- sys/netinet/ipfw/ip_fw2.c	(revision 200668)
+++ sys/netinet/ipfw/ip_fw2.c	(working copy)
@@ -1444,12 +1444,22 @@
 				break;
 
 			case O_IP_SRC_ME:
+			case O_IP4_SRC_ME:
 				if (is_ipv4) {
 					struct ifnet *tif;
 
 					INADDR_TO_IFP(src_ip, tif);
 					match = (tif != NULL);
+					break;
 				}
+				if (cmd->opcode == O_IP4_SRC_ME)
+					break;
+				/* FALLTHROUGH */
+#ifdef INET6
+			case O_IP6_SRC_ME:
+				match = is_ipv6 &&
+				    search_ip6_addr_net(&args->f_id.src_ip6);
+#endif
 				break;
 
 			case O_IP_DST_SET:
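Review bot: The merged case silently widens the meaning of every existing `me` rule: O_IP_SRC_ME on a non-IPv4 packet used to leave match at 0, and now falls through into the O_IP6_SRC_ME test, so a ruleset such as `allow ip from any to me` on a dual-stack host starts admitting IPv6 traffic that previously fell through to later (often deny) rules. That is the intended feature, but it is a security-relevant change in firewall semantics that should be spelled out in ipfw(8), UPDATING and the commit message, with `me4` named as the way to keep the old IPv4-only behaviour. The new `if (cmd->opcode == O_IP4_SRC_ME) break;` also deserves a comment, e.g. `/* me4 is IPv4 only; plain me continues into the IPv6 check */`, since the label the `/* FALLTHROUGH */` lands on is hidden behind `#ifdef INET6` and becomes the trailing `break` when INET6 is not built. The enclosing switch starts and ends outside the hunk.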
@@ -1477,12 +1487,22 @@
 				break;
 
 			case O_IP_DST_ME:
+			case O_IP4_DST_ME:
 				if (is_ipv4) {
 					struct ifnet *tif;
 
 					INADDR_TO_IFP(dst_ip, tif);
 					match = (tif != NULL);
+					break;
 				}
+				if (cmd->opcode == O_IP4_DST_ME)
+					break;
+				/* FALLTHROUGH */
+#ifdef INET6
+			case O_IP6_DST_ME:
+				match = is_ipv6 &&
+				    search_ip6_addr_net(&args->f_id.dst_ip6);
+#endif
 				break;
 
 			case O_IP_SRCPORT:
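Review bot: The `/* FALLTHROUGH */` added here lands on a case label that exists only under INET6, so in a kernel built without INET6 the fallthrough reaches the trailing `break` and `me` on a non-IPv4 packet never matches; that is correct, but a comment such as `/* FALLTHROUGH into the IPv6 check; a plain break without INET6 */` saves the next reader from tracing it. The block is otherwise a line-for-line copy of the source-address case with dst substituted; if the two are meant to stay identical, a small static helper taking the address and the opcode pair would remove the duplication and keep them from drifting apart. The enclosing switch starts and ends outside the hunk.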
@@ -1750,14 +1770,6 @@
 				}
 				break;
 
-			case O_IP6_SRC_ME:
-				match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6);
-				break;
-
-			case O_IP6_DST_ME:
-				match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6);
-				break;
-
 			case O_FLOW6ID:
 				match = is_ipv6 &&
 				    flow6id_match(args->f_id.flow_id6,
Index: sys/netinet/ipfw/ip_fw_sockopt.c
===================================================================
--- sys/netinet/ipfw/ip_fw_sockopt.c	(revision 200668)
+++ sys/netinet/ipfw/ip_fw_sockopt.c	(working copy)
@@ -536,6 +536,8 @@
 		case O_VERSRCREACH:
 		case O_ANTISPOOF:
 		case O_IPSEC:
+		case O_IP4_SRC_ME:
+		case O_IP4_DST_ME:
 #ifdef INET6
 		case O_IP6_SRC_ME:
 		case O_IP6_DST_ME:

--Multipart_Sat_Dec_19_00:45:23_2009-1
Content-Type: text/plain; charset=US-ASCII


--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

--Multipart_Sat_Dec_19_00:45:23_2009-1--


