[Bug 217292] ipfw lookup on fields other than IP source and destination address doesn't work for IPv6
bugzilla-noreply at freebsd.org
Wed Feb 22 12:03:11 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217292
Bug ID: 217292
Summary: ipfw lookup on fields other than IP source and destination address doesn't work for IPv6
Product: Base System
Version: 11.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: crest at bultmann.eu
The ipfw lookup action allows ipfw to match the specified field in a packet
against a table. I wanted to use this to dynamically allow/deny TCP and UDP
ports without changing the ruleset itself.
A reduced version of the ipfw script looks like this:
# Create the table
ipfw table tcp_open create type number algo number:array
# Apply existing state
ipfw add check-state
# Establish new state
ipfw add allow tcp from any to any lookup dst-port tcp_open keep-state setup
# Open port 22/tcp
ipfw table tcp_open add 22
This works as expected for IPv4, but the IPv6 code path in
sys/netpfil/ipfw/ip_fw2.c:1517 can't deal with anything other than lookups on
the source/destination IPv6 address, yet neither does the ipfw manpage mention
this limitation nor does ipfw refuse to load rules which can match IPv6 packets
against lookup actions on fields other than the IP addresses.
In my ruleset this "just" blocked all incoming IPv6 connections, but in other
rulesets it could just as easily expose IPv6 services to attackers.
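An audit check for the situation the report describes, added here as an example and not part of the bug report or of ipfw: it scans a ruleset in "ipfw list" form and prints the numbers of rules that use lookup on a field other than src-ip/dst-ip while still being able to match IPv6 packets. The sample ruleset is constructed, and it is assumed that a rule confined to IPv4 carries the literal token "ip4" somewhere in its printed form.

```shell
#!/bin/sh
# Find ipfw rules whose "lookup" on a non-address field can still see IPv6
# packets, i.e. rules affected by the limitation in the report above.
# Input: ruleset text in "ipfw list" form, one rule per line, rule number first.

# Constructed sample ruleset (not output captured from any real host).
SAMPLE_RULES='00100 check-state
00200 allow tcp from any to any lookup dst-port tcp_open keep-state setup
00300 allow tcp from any to any ip4 lookup src-port tcp_open keep-state setup
00400 allow ip from any to any lookup dst-ip allowed_hosts
00500 allow udp from any to any ip6 lookup dst-port udp_open keep-state
65535 deny ip from any to any'

# Print the rule number of every rule that uses "lookup" on a field other
# than src-ip/dst-ip and is not restricted to IPv4 by the "ip4" keyword
# (assumption: ipfw prints that option as the bare token "ip4").
affected_rules() {
    printf '%s\n' "$1" | awk '
        / lookup / {
            field = ""
            for (i = 1; i <= NF; i++) if ($i == "lookup") field = $(i + 1)
            # Address lookups work for both families; only other fields matter.
            if (field == "src-ip" || field == "dst-ip") next
            ipv4_only = 0
            for (i = 1; i <= NF; i++) if ($i == "ip4") ipv4_only = 1
            if (!ipv4_only) print $1
        }'
}

# Number of affected rules, handy for a pass/fail check in a deploy script.
affected_count() {
    affected_rules "$1" | wc -l | tr -d ' '
}

affected_rules "$SAMPLE_RULES"
```

Feed it live output with `affected_rules "$(ipfw list)"` to review a running firewall; a non-zero `affected_count` means some lookup rule may silently mismatch or pass IPv6 traffic.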