svn commit: r358858 - head/sbin/ipfw

Alexander V. Chernikov melifaro at freebsd.org
Wed Mar 11 08:10:25 UTC 2020


11.03.2020, 07:14, "O. Hartmann" <o.hartmann at walstatt.org>:
> On Tue, 10 Mar 2020 20:30:21 +0000 (UTC)
> "Alexander V. Chernikov" <melifaro at FreeBSD.org> wrote:
>
>>  Author: melifaro
>>  Date: Tue Mar 10 20:30:21 2020
>>  New Revision: 358858
>>  URL: https://svnweb.freebsd.org/changeset/base/358858
>>
>>  Log:
>>    Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
>>
>>    Submitted by: Neel Chauhan <neel AT neelc DOT org>
>>    MFC after: 2 weeks
>>    Differential Revision: https://reviews.freebsd.org/D21812
>>
>>  Modified:
>>    head/sbin/ipfw/ipfw2.c
>>
>>  Modified: head/sbin/ipfw/ipfw2.c
>>  ==============================================================================
>>  --- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020 (r358857)
>>  +++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020 (r358858)
>>  @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cb
>>           if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
>>               inet_pton(AF_INET6, host, &a) == 1)
>>                   ret = add_srcip6(cmd, av, cblen, tstate);
>>  - /* XXX: should check for IPv4, not !IPv6 */
>>  - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>>  - inet_pton(AF_INET6, host, &a) != 1))
>>  + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>>  + inet_pton(AF_INET, host, &a) == 1)
>>                   ret = add_srcip(cmd, av, cblen, tstate);
>>  - if (ret == NULL && strcmp(av, "any") != 0)
>>  + else if (ret == NULL && strcmp(av, "any") != 0)
>>                   ret = cmd;
>>
>>           return ret;
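Review bot: the new `else if` chain loses the fall-through that used to hand `any` to `add_srcip()`. In the removed lines the IPv4 branch ran whenever the IPv6 one did not (its `inet_pton(AF_INET6, host, &a) != 1` test is the complement of the first condition's), so `any` always reached `add_srcip()`; after this change, `any` with a protocol other than `IPPROTO_IP` satisfies neither `proto == IPPROTO_IP` nor `inet_pton(AF_INET, host, &a) == 1`, and the final `else if (ret == NULL && strcmp(av, "any") != 0)` deliberately skips it, so no branch assigns `ret` and the caller sees the same NULL it gets for an unparseable address (the `bad source address any` output later in this thread is exactly that for tcp/udp rules, while `allow ip from any to any` still loads because `proto == IPPROTO_IP`). Recognise the token before the family dispatch, e.g. `if (strcmp(av, "any") == 0) ret = add_srcip(cmd, av, cblen, tstate); else if (proto == IPPROTO_IPV6 || ...`, or keep the old fall-through into `add_srcip()`. Once the branches form an `else if` chain, the `ret == NULL` test in the last condition is also redundant.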
>>  @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cb
>>           if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
>>               inet_pton(AF_INET6, host, &a) == 1)
>>                   ret = add_dstip6(cmd, av, cblen, tstate);
>>  - /* XXX: should check for IPv4, not !IPv6 */
>>  - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>>  - inet_pton(AF_INET6, host, &a) != 1))
>>  + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>>  + inet_pton(AF_INET, host, &a) == 1)
>>                   ret = add_dstip(cmd, av, cblen, tstate);
>>  - if (ret == NULL && strcmp(av, "any") != 0)
>>  + else if (ret == NULL && strcmp(av, "any") != 0)
>>                   ret = cmd;
>>
>>           return ret;
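Review bot: `add_dst()` picks up the same regression as `add_src()`: with the `else if` chain, `any` under a non-`IPPROTO_IP` protocol matches neither the `AF_INET6` nor the `AF_INET` branch and the last `else if` excludes it by name, so `ret` is never assigned (the `bad destination address any` lines in this thread). The two functions are now identical apart from the `add_dstip6()`/`add_dstip()` calls; moving the family dispatch into one shared helper that takes the two handlers as parameters would let the `any` fix land once instead of being duplicated in both places.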
>
> This seems to trigger some issues in CURRENT's ipfw script handling rules. On
> all CURRENT boxes running
> FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 amd64, the boxes
> aren't accessible via net due to errors occurring when loading ipfw rules:
Whoops.
Terribly sorry for breaking your setup. Reverted in r358871.
>
> [/etc/rc.conf]
> firewall_type="WORKSTATION"
> firewall_myservices="22/tcp 80/tcp 443/tcp"            # List of TCP ports on which this host
>                                                         # offers services for "workstation" firewall.
> firewall_allowservices="192.168.0.0/24 fd11:43:2::/64" # List of IPs which have access to
>                                                         # $firewall_myservices for "workstation" firewall.
> firewall_trusted=""                                     # List of IPs which have full access to this
>                                                         # host for "workstation" firewall.
>
> [...]
> # service ipfw restart
> Flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> ipfw: bad source address any
> ipfw: bad source address any
> 00000 check-state :default
> ipfw: bad destination address any
> ipfw: bad destination address any
> ipfw: bad destination address any
> ipfw: bad destination address any
> ipfw: bad destination address any
> 01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
> ipfw: bad source address any
> ipfw: bad source address any
> 01100 allow udp from fe80::/10 to me 546 in
> ipfw: bad source address any
> ipfw: bad source address any
> ipfw: bad source address any
> ipfw: bad source address any
> [...]
>
> The problem also occurs if I set
>
> firewall_allowservices="any"
>
> in /etc/rc.conf
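The rule output in the report above comes down to how an address token is dispatched by address family. The block below is an added example written for this thread, not code from ipfw2.c or the FreeBSD project: `classify_r358858()` copies the branch structure of the committed `add_src()` with the `add_srcip6()`/`add_srcip()` calls replaced by an enum result, `classify_fixed()` is one way of dispatching that recognises `any`, `me` and `me6` before the family check, and `strip_mask()` is the example's own helper standing in for the `host` preparation that ipfw2.c does outside the quoted hunk. All names here are the example's own; the token list is taken from the rules in the report.

```c
/*
 * Added example, not ipfw2.c code: a model of how an ipfw address token
 * ("any", "me", "me6", or a literal v4/v6 address with optional /mask) is
 * dispatched by address family, showing why the r358858 else-if chain
 * rejects "any" for tcp/udp rules and how an explicit check restores it.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum addr_kind { ADDR_NONE = 0, ADDR_ANY, ADDR_ME4, ADDR_ME6, ADDR_V4, ADDR_V6 };

/* Copy the address part of "addr[/mask]" into buf so inet_pton() can parse it. */
static const char *strip_mask(const char *av, char *buf, size_t len)
{
	size_t n = strcspn(av, "/");

	if (n >= len)
		n = len - 1;
	memcpy(buf, av, n);
	buf[n] = '\0';
	return buf;
}

/*
 * Same branch structure as add_src() after r358858 (simplified: the real
 * code calls add_srcip6()/add_srcip(), here each branch just names the
 * family).  For "ip" rules proto is IPPROTO_IP and "any" lands in the v4
 * branch; for tcp/udp rules nothing claims "any" and ADDR_NONE comes back,
 * which the real caller reports as "bad source address any".
 */
static enum addr_kind classify_r358858(const char *av, int proto)
{
	unsigned char a[16];
	char host[INET6_ADDRSTRLEN];

	strip_mask(av, host, sizeof(host));
	if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
	    inet_pton(AF_INET6, host, a) == 1)
		return ADDR_V6;
	else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
	    inet_pton(AF_INET, host, a) == 1)
		return ADDR_V4;
	/* ipfw's last branch is 'else if (... strcmp(av, "any") != 0)': "any" skips it */
	return ADDR_NONE;
}

/*
 * Corrected dispatch: protocol-independent tokens are recognised first,
 * then literal addresses are classified by whichever family inet_pton()
 * accepts, and only a genuinely unparseable token yields ADDR_NONE.
 */
static enum addr_kind classify_fixed(const char *av)
{
	unsigned char a[16];
	char host[INET6_ADDRSTRLEN];

	if (strcmp(av, "any") == 0)
		return ADDR_ANY;
	if (strcmp(av, "me6") == 0)
		return ADDR_ME6;
	if (strcmp(av, "me") == 0)
		return ADDR_ME4;
	strip_mask(av, host, sizeof(host));
	if (inet_pton(AF_INET6, host, a) == 1)
		return ADDR_V6;
	if (inet_pton(AF_INET, host, a) == 1)
		return ADDR_V4;
	/* The real code would try to resolve a hostname here; this model does not. */
	return ADDR_NONE;
}

static const char *kind_name[] = { "none", "any", "me", "me6", "ipv4", "ipv6" };

int main(void)
{
	/* Tokens taken from the rules in the report (constructed list). */
	const char *tokens[] = { "any", "me", "0.0.0.0", "255.255.255.255",
	    "fe80::/10", "192.168.0.0/24", "fd11:43:2::/64" };
	size_t i;

	for (i = 0; i < sizeof(tokens) / sizeof(tokens[0]); i++)
		printf("%-16s tcp rule, r358858: %-5s fixed: %s\n", tokens[i],
		    kind_name[classify_r358858(tokens[i], IPPROTO_TCP)],
		    kind_name[classify_fixed(tokens[i])]);
	return 0;
}
```

Run as is, the table shows `any` as `none` under the r358858 dispatch for a tcp rule and as `any` under the corrected one, while every literal address classifies identically in both; passing `IPPROTO_IP` instead reproduces why `allow ip from any to any via lo0` still loaded.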

