bin/91245: [patch] ipfw(8) sometimes treats ipv6 input as ipv4
Fredrik Lindberg
fli at shapeshifter.se
Mon Jan 2 16:30:11 PST 2006
>Number: 91245
>Category: bin
>Synopsis: [patch] ipfw(8) sometimes treats ipv6 input as ipv4
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 03 00:30:08 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Fredrik Lindberg
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD genesis.int.shapeshifter.se 7.0-CURRENT FreeBSD 7.0-CURRENT #6: Tue Dec 6 22:01:51 CET 2005 root at genesis.int.shapeshifter.se:/usr/obj/usr/src/sys/GENESIS i386
>Description:
ipfw(8) fails to parse ipv6 input when given a netmask or list of
ipv6 addresses. The input is then treated as ipv4 internally by ipfw(8).
>How-To-Repeat:
>Fix:
This occurs in add_src()/add_dst(). Because the ipfw commands which
trigger this never explicitly state that it is ipv6 (allow tcp from),
proto will never be set to IPPROTO_IPV6/IPPROTO_IP and the code will
resort to the inet_pton() check, which is fine with a single
ipv6 address but not with a netmask or a list.
This is the easiest possible fix. Treat input as ipv6 if there are
at least two colon signs `:' in it.
Another solution might be to extract the recognition logic from
the fill_ip/fill_ip6 routines for use in add_src/add_dst, but
that would require a lot more work.
--- ipfw2.c-20060102.patch begins here ---
Index: ipfw2.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.80
diff -u -r1.80 ipfw2.c
--- ipfw2.c 29 Nov 2005 15:25:09 -0000 1.80
+++ ipfw2.c 2 Jan 2006 20:22:14 -0000
@@ -3703,7 +3703,8 @@
struct in6_addr a;
if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
- inet_pton(AF_INET6, av, &a))
+ inet_pton(AF_INET6, av, &a) ||
+ strchr(av, ':') != strrchr(av, ':'))
return add_srcip6(cmd, av);
/* XXX: should check for IPv4, not !IPv6 */
if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
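Review bot: the new two-colon test makes the inet_pton(AF_INET6, av, &a) operand before it redundant, since every textual IPv6 address that inet_pton() accepts contains at least two colons (even a bare `::`), so `a` is now only written and never read. Either drop the inet_pton() call together with the `struct in6_addr a` declaration, or keep it and add a one-line comment saying the colon test exists to catch comma lists and /prefix suffixes that inet_pton() rejects; the XXX comment right below already flags that this branch only detects IPv6 rather than positively checking for IPv4, and that stays true with the heuristic.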
@@ -3721,7 +3722,8 @@
struct in6_addr a;
if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
- inet_pton(AF_INET6, av, &a))
+ inet_pton(AF_INET6, av, &a) ||
+ strchr(av, ':') != strrchr(av, ':'))
return add_dstip6(cmd, av);
/* XXX: should check for IPv4, not !IPv6 */
if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
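Review bot: this is the same three-operand condition as in add_src() above, so the two call sites can drift apart on the next change; a small static helper taking av and proto would keep them in sync, which is the duplication the Fix text itself points at. The same redundancy applies here: once the colon test is present, the inet_pton(AF_INET6, av, &a) operand can never be the deciding one.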
--- ipfw2.c-20060102.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
>ipfw add allow tcp from 03f1::234:123:0342/24 to me
ipfw: hostname ``03f1'' unknown
>ipfw add allow tcp from 1234::234:123:1,03f1::234:123:2 to me
ipfw: bad netmask ``:234:123:1,03f1::234:123:2''
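To make the failure mode concrete, here is an added example (not the PR's or FreeBSD's code): the patch's two-colon heuristic next to the stricter per-element recognition the Fix text describes as the alternative, exercised on the two inputs from the repeat session above. It assumes POSIX inet_pton() and ignores ipfw keywords such as me/me6 and table() references.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* The patch's test: two or more ':' means IPv6. strchr() and strrchr()
 * return the same pointer (or both NULL) with fewer than two colons. */
int ipfw_arg_is_ipv6_heuristic(const char *av)
{
    return strchr(av, ':') != strrchr(av, ':');
}

/* Stricter classification (the "extract the recognition logic" option
 * the PR mentions): split the comma list, strip an optional /prefix
 * from each element and require every element to parse with inet_pton()
 * in one family. Returns AF_INET6, AF_INET, or -1 on any malformed input. */
int ipfw_arg_family(const char *av)
{
    char buf[256];
    int family = -1;

    if (strlen(av) >= sizeof(buf))
        return -1;
    strcpy(buf, av);
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        struct in6_addr a6;
        struct in_addr a4;
        long plen = 0;
        int f;
        char *end, *slash = strchr(tok, '/');
        if (slash != NULL) {
            plen = strtol(slash + 1, &end, 10);
            if (end == slash + 1 || *end != '\0' || plen < 0)
                return -1;              /* malformed prefix length */
            *slash = '\0';              /* leave only the address */
        }
        if (inet_pton(AF_INET6, tok, &a6) == 1)
            f = AF_INET6;
        else if (inet_pton(AF_INET, tok, &a4) == 1)
            f = AF_INET;
        else
            return -1;                  /* not an address at all */
        if (plen > (f == AF_INET6 ? 128 : 32))
            return -1;                  /* prefix longer than the family allows */
        if (family != -1 && family != f)
            return -1;                  /* mixed families in one list */
        family = f;
    }
    return family;
}
```

Both inputs that ipfw(8) rejected as hostname or netmask errors are classified as IPv6 by either routine, while the stricter one additionally rejects mixed lists and out-of-range prefix lengths.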