kern/115293: ip6_fw doesn't count base IPv6 header in byte statistics

Pekka Savola pekkas at netcore.fi
Wed Aug 8 00:00:06 PDT 2007


>Number:         115293
>Category:       kern
>Synopsis:       ip6_fw doesn't count base IPv6 header in byte statistics
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 08 07:00:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Pekka Savola
>Release:        6.2-STABLE
>Organization:
>Environment:
FreeBSD sixpack.funet.fi 6.2-STABLE FreeBSD 6.2-STABLE #10: Tue Aug  7 10:59:15 EEST 2007     root at sixpack.funet.fi:/usr/obj/usr/src/sys/SIXPACK  i386

>Description:
I noticed that in contrast to IPv4, 'ip6fw -ta l' output doesn't seem to include the base IPv6 header in byte statistics as evidenced by the following stats line:

00004      38913          0 Wed Aug  8 09:46:00 2007 deny ipv6 from 2001::/32 to fe80::/10

Digging around, this seems to be a problem in netinet6/ip6_fw.c:

                /* Update statistics */
                f->fw_pcnt += 1;
                f->fw_bcnt += ntohs(ip6->ip6_plen);

. but "ip6_plen" only includes the length of the next header.  This is incorrect in two ways: 1) it doesn't include the base header itself, and 2) if there are multiple next headers (chained extension headers), this will only list the length of the first one.

Looking at IPv4 code, the latter should probably be something like (not tested):

 f->fw_bcnt += (*m)->m_pkthdr.len;

. which should fix both the problems above.

>How-To-Repeat:
Create an ip6fw rule (e.g. TCP RST reject rule is good) with which it's easy to create just one hit.  Run tcpdump and check the byte counter.
>Fix:
Probably replace fw_bcnt with m_pkthdr.len.

>Release-Note:
>Audit-Trail:
>Unformatted:
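
Added example (not part of the original report and not FreeBSD code): a user-space C program that runs a constructed 60-byte IPv6 TCP RST packet through both counting methods discussed above, so the per-packet gap against what tcpdump shows on the wire is visible. struct rule_stats, account(), build_rst() and shortfall() are hypothetical names, and the packet bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6_HDRLEN 40u   /* fixed size of the base IPv6 header */

/* Hypothetical stand-in for a rule's packet and byte counters. */
struct rule_stats { uint64_t pcnt, bcnt_plen, bcnt_total; };

/* Account one packet both ways; -1 if it is not a plausible IPv6 packet. */
int account(struct rule_stats *st, const uint8_t *pkt, size_t len)
{
    if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
        return -1;
    /* Payload Length field: bytes 4-5 of the header, network byte order. */
    uint16_t plen = (uint16_t)((pkt[4] << 8) | pkt[5]);
    st->pcnt += 1;
    st->bcnt_plen += plen;   /* what ntohs(ip6->ip6_plen) adds */
    st->bcnt_total += len;   /* whole packet, the role m_pkthdr.len plays */
    return 0;
}

/* Constructed sample: base IPv6 header + 20-byte TCP header with RST set. */
size_t build_rst(uint8_t *buf)
{
    memset(buf, 0, 60);
    buf[0] = 0x60;                     /* version 6 */
    buf[5] = 20;                       /* payload length = 20 bytes */
    buf[6] = 6;                        /* next header = TCP */
    buf[7] = 64;                       /* hop limit */
    buf[8] = 0x20; buf[9] = 0x01;      /* source inside 2001::/32 */
    buf[24] = 0xfe; buf[25] = 0x80;    /* destination inside fe80::/10 */
    buf[40 + 12] = 0x50;               /* TCP data offset = 5 words */
    buf[40 + 13] = 0x04;               /* RST flag */
    return 60;
}

/* Bytes missing from the plen-based counter after n constructed packets. */
uint64_t shortfall(unsigned n)
{
    struct rule_stats st = {0, 0, 0};
    uint8_t pkt[60];
    size_t len = build_rst(pkt);
    while (n--)
        account(&st, pkt, len);
    return st.bcnt_total - st.bcnt_plen;
}

int main(void)
{
    printf("undercount over 1000 packets: %llu bytes\n",
           (unsigned long long)shortfall(1000));
    return 0;
}
```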

