kern/148091: ipfw ipv6 handling broken.
Stefan `Sec` Zehl
sec at 42.org
Wed Jun 23 14:30:10 UTC 2010
>Number: 148091
>Category: kern
>Synopsis: ipfw ipv6 handling broken.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jun 23 14:30:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Stefan `Sec` Zehl
>Release: FreeBSD 8.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD ice 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #13: Thu Jun 10 09:13:34 CEST 2010 root at ice:/usr/obj/usr/src/sys/ICE amd64
>Description:
ipfw recently changed the meaning of "ME" to also match ipv6 addresses.
This is not only a POLA violation but breaks ipv6 when queues are involved.
I have the following rule in effect:
| 03010 queue 1 tcp from me 40000-40099,20,80 to any // Bandwidth: max 5 per-IP
with a corresponding pipe/queue setup:
| ipfw pipe 1 config bw 5KByte/s noerror
| ipfw queue 1 config mask dst-ip 0xffffffff pipe 1
This rule now matches ipv6 traffic, but apparently the queue code
can't handle ipv6:
Without ipfw:
| telnet -6 MY.IP 80
tcpdump shows a (correct) RST
16:18:08.526171 IP6 2001::srchost.57434 > 2001::dsthost.80: Flags [S], seq 1763366169, win 5760, options [mss 1440,sackOK,TS val 5910142 ecr 0,nop,wscale 7], length 0
16:18:08.526249 IP6 2001::dsthost.80 > 2001::srchost.57434: Flags [R.], seq 0, ack 1763366170, win 0, length 0
With that rule above, a broken packet is created.
The tcpdump looks like this:
16:18:25.328411 IP6 2001::srchost.57435 > 2001::dsthost.80: Flags [S], seq 1383793472, win 5760, options [mss 1440,sackOK,TS val 5914343 ecr 0,nop,wscale 7], length 0
16:18:25.328485 IP6 2001::dsthost > 2001::srchost: ip-proto-64 20
Additionally I found no obvious way to restrict the rule back to TCP/v4 only --
There is a "me6" keyword, but no "me4" keyword. Obvious attempts like
"ipv4 tcp from me ..." or
"tcp from ipv4 me ..." or similar don't work either.
>How-To-Repeat:
>Fix:
One or more of the following options:
a) Revert the change to "ME" back to ipv4 as to not violate POLA.
b) Fix "queue" in ipfw as to not break when fed ipv6 packets.
c) Add a way to filter for v4/tcp
d) Add a BIG warning somewhere.
>Release-Note:
>Audit-Trail:
>Unformatted:
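Added example, not part of the PR and not FreeBSD's own code: one way to get the "v4/tcp only" filter the report asks for under option (c) is to drop the "me" keyword from the queue rule and substitute the host's IPv4 addresses explicitly, so the rule never matches IPv6 and the queue code never sees an IPv6 packet. The script below builds that rule text from ifconfig output; it assumes the FreeBSD "inet A.B.C.D netmask ..." line format and that ipfw accepts a comma-separated address list in place of a single address. The ifconfig text, interface names and 192.0.2.x / 2001:db8:: addresses are constructed sample data; the rule is only printed, not installed.

```shell
#!/bin/sh
# Hypothetical workaround for the "me also matches IPv6" behaviour reported in the PR:
# build the queue rule with an explicit IPv4 source list instead of "me".
# Constructed sample output; on a real host replace with: ifconfig_text="$(ifconfig -a)"
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	inet6 2001:db8::10 prefixlen 64
	inet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11'

# v4_addrs IFCONFIG_TEXT: print the host's IPv4 addresses as a comma-separated
# list, skipping the loopback address. "inet6" lines never match $1 == "inet",
# so IPv6 addresses are left out by construction.
v4_addrs() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" && $2 != "127.0.0.1" {
            if (list != "") list = list ","
            list = list $2
        }
        END { print list }'
}

# ipfw_v4_rule RULENUM QUEUE PORTS IFCONFIG_TEXT: emit the ipfw command for a
# queue rule restricted to TCP from the listed IPv4 addresses on PORTS.
# Fails (non-zero) rather than emitting a rule with an empty address list,
# which ipfw would reject anyway.
ipfw_v4_rule() {
    rulenum=$1
    queue=$2
    ports=$3
    addrs=$(v4_addrs "$4")
    if [ -z "$addrs" ]; then
        echo "ipfw_v4_rule: no IPv4 addresses found in ifconfig output" >&2
        return 1
    fi
    printf 'ipfw add %s queue %s tcp from %s %s to any\n' \
        "$rulenum" "$queue" "$addrs" "$ports"
}

# Usage: same rule number, queue and port list as the PR's rule 03010.
ipfw_v4_rule 3010 1 40000-40099,20,80 "$SAMPLE_IFCONFIG"
```

The trade-off is the one "me" exists to avoid: the address list is frozen at generation time, so the rule has to be regenerated (for example from rc or a cron job) whenever an interface address changes, and an address added after generation will silently fall outside the queue. Until the queue code itself handles IPv6, that is still safer than feeding it IPv6 packets.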