kern/85826: [patch] Unknown opcode panic when ipfw is compiled without INET6

Fredrik Lindberg fli at shapeshifter.se
Wed Sep 7 03:30:14 PDT 2005 

>Number:         85826
>Category:       kern
>Synopsis:       [patch] Unknown opcode panic when ipfw is compiled without INET6
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 07 10:30:13 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Fredrik Lindberg
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD biocandy.shapeshifter.se 7.0-CURRENT FreeBSD 7.0-CURRENT #18: Tue Sep 6 14:03:13 CEST 2005 root at biocandy.shapeshifter.se:/usr/obj/usr/src/sys/BIOCANDY-CURRENT i386


	
>Description:
It's possible to panic your system if ipfw(4) is compiled without INET6.
ipfw(8) still accepts ip6 rules and inserts them into the ruleset.
But since all ip6 code is behind INET6 ipfw_chk() won't recognize the
rule opcode and instead panic with "unknown opcode".

>How-To-Repeat:
> cd sys/modules/ipfw && make
> kldload ./ipfw.ko
> ipfw add allow ip6 from dead:cafe:babe::1 to me
<trigger some network traffic>

panic: -- unknown opcode 73

>Fix:
Return EOPNOTSUPP in check_ipfw_struct if a user tries to insert
ip6 rules to a ipfw(4) module compiled without INET6 support. 

> ipfw add allow ip6 from dead:cafe:babe::1 to me
ipfw: getsockopt(IP_FW_ADD): Operation not supported

--- ip_fw2.c-ip6-20050907.patch begins here ---
Index: ip_fw2.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.110
diff -u -r1.110 ip_fw2.c
--- ip_fw2.c	4 Sep 2005 17:33:40 -0000	1.110
+++ ip_fw2.c	7 Sep 2005 10:00:32 -0000
@@ -3553,6 +3553,22 @@
 			return EINVAL;
 		}
 		DEB(printf("ipfw: opcode %d\n", cmd->opcode);)
+#ifndef INET6
+		switch (cmd->opcode) {
+		case O_IP6_SRC_ME:
+		case O_IP6_DST_ME:
+		case O_IP6_SRC:
+		case O_IP6_DST:
+		case O_IP6:
+		case O_FLOW6ID:
+		case O_IP6_SRC_MASK:
+		case O_IP6_DST_MASK:
+		case O_ICMP6TYPE:
+			return (EOPNOTSUPP);
+		default:
+			break;
+		}
+#endif /* !INET6 */
 		switch (cmd->opcode) {
 		case O_PROBE_STATE:
 		case O_KEEP_STATE:
--- ip_fw2.c-ip6-20050907.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list