[Bug 220640] [ipfw][patch] ipfw drops GRE over IPv6 packets

Tue Jul 11 16:23:50 UTC 2017

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220640

            Bug ID: 220640
           Summary: [ipfw][patch] ipfw drops GRE over IPv6 packets
           Product: Base System
           Version: 9.3-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: kxie at xiplink.com
          Keywords: patch

Created attachment 184263
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=184263&action=edit
Add IPPROTO_GRE to IPv6 protocol case list in ipfw_chk()

FreeBSD supports GRE over IPv6 tunnel, but if ipfw module is loaded, 
ipfw_chk() searches the extension headers of IPv6 to get upper layer protocols.

There are a lot of protocols, but GRE is not one of them, so the GRE packets
will be dropped if the sysctl 'net.inet6.ip6.fw.deny_unknown_exthdrs' is
enabled, and unfortunately this option is set to 1 by default.

Our working environment is 9.3-STABLE, but we checked FreeBSD 11-RELEASE and
FreeBSD-current and they share the same problem.

Attached patch simply adds IPPROTO_GRE to IPv6 protocol case list in ipfw_chk()
and pulls up the mbuf. With patch applied, GRE over IPv6 tunnel can work with
ipfw module enabled.

-- 
You are receiving this mail because:
You are the assignee for the bug.