svn commit: r358858 - head/sbin/ipfw

O. Hartmann ohartmann at walstatt.org
Wed Mar 11 10:33:40 UTC 2020


On Wed, 11 Mar 2020 08:10:13 +0000
Alexander V. Chernikov <melifaro at freebsd.org> wrote:

> 11.03.2020, 07:14, "O. Hartmann" <o.hartmann at walstatt.org>:
> > On Tue, 10 Mar 2020 20:30:21 +0000 (UTC)
> > "Alexander V. Chernikov" <melifaro at FreeBSD.org> wrote:
> >  
> >>  Author: melifaro
> >>  Date: Tue Mar 10 20:30:21 2020
> >>  New Revision: 358858
> >>  URL: https://svnweb.freebsd.org/changeset/base/358858
> >>
> >>  Log:
> >>    Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
> >>
> >>    Submitted by: Neel Chauhan <neel AT neelc DOT org>
> >>    MFC after: 2 weeks
> >>    Differential Revision: https://reviews.freebsd.org/D21812
> >>
> >>  Modified:
> >>    head/sbin/ipfw/ipfw2.c
> >>
> >>  Modified: head/sbin/ipfw/ipfw2.c
> >>  ==============================================================================
> >>  --- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020 (r358857)
> >>  +++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020 (r358858)
> >>  @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto,
> >> int cb if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
> >>               inet_pton(AF_INET6, host, &a) == 1)
> >>                   ret = add_srcip6(cmd, av, cblen, tstate);
> >>  - /* XXX: should check for IPv4, not !IPv6 */
> >>  - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >>  - inet_pton(AF_INET6, host, &a) != 1))
> >>  + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >>  + inet_pton(AF_INET, host, &a) == 1)
> >>                   ret = add_srcip(cmd, av, cblen, tstate);
> >>  - if (ret == NULL && strcmp(av, "any") != 0)
> >>  + else if (ret == NULL && strcmp(av, "any") != 0)
> >>                   ret = cmd;
> >>
> >>           return ret;
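Review bot: the new else-if chain in add_src() loses the catch-all that the old `inet_pton(AF_INET6, host, &a) != 1` test supplied. An argument that is neither an address literal nor "me"/"me6", on a rule whose protocol is not ip, now reaches only `else if (ret == NULL && strcmp(av, "any") != 0)`, so "any" leaves ret NULL and the caller reports it as a bad address; the `ipfw: bad source address any` lines quoted further down are this path, while `allow ip from any to any via lo0` still loads only because proto == IPPROTO_IP selects the IPv4 branch. Suggest ending the chain with an unconditional `else ret = add_srcip(cmd, av, cblen, tstate);` (or explicit handling of "any") so non-literal arguments keep the route they had before. Minor: inside the chain `ret == NULL` is always true in that last `else if`, so the test is redundant.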
> >>  @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto,
> >> int cb if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
> >>               inet_pton(AF_INET6, host, &a) == 1)
> >>                   ret = add_dstip6(cmd, av, cblen, tstate);
> >>  - /* XXX: should check for IPv4, not !IPv6 */
> >>  - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >>  - inet_pton(AF_INET6, host, &a) != 1))
> >>  + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >>  + inet_pton(AF_INET, host, &a) == 1)
> >>                   ret = add_dstip(cmd, av, cblen, tstate);
> >>  - if (ret == NULL && strcmp(av, "any") != 0)
> >>  + else if (ret == NULL && strcmp(av, "any") != 0)
> >>                   ret = cmd;
> >>
> >>           return ret;
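Review bot: add_dst() has the same gap. Replacing the old `!= 1` test on AF_INET6 with `inet_pton(AF_INET, host, &a) == 1` means a "to any" argument on a tcp or udp rule satisfies no branch, ret stays NULL, and the caller prints `ipfw: bad destination address any`, as the quoted `service ipfw restart` output shows. Apply the same fallback to add_dstip() here as suggested for add_src(), and drop the redundant `ret == NULL` in the final `else if`.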
> >>  _______________________________________________
> >>  svn-src-head at freebsd.org mailing list
> >>  https://lists.freebsd.org/mailman/listinfo/svn-src-head
> >>  To unsubscribe, send any mail to "svn-src-head-unsubscribe at freebsd.org"  
> >
> > This seems to trigger some issues in CURRENT's ipfw script handling rules.
> > On all CURRENT boxes running
> > FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 amd64, the
> > boxes aren't accessible via net due to errors occurring when loading ipfw rules:
> Whoops.
> Terribly sorry for breaking your setup. Reverted in r358871.

It is not a specific setup of mine, since we use the standard supplied by
FreeBSD, just filling some variables.

So, in theory, the patch should have broken many more setups if people use
FreeBSD's ipfw.

Thanks for reverting.

> >
> > [/etc/rc.conf]
> > firewall_type="WORKSTATION"
> > firewall_myservices="22/tcp 80/tcp 443/tcp"     # List of TCP ports on which this host
> >                                                 # offers services for "workstation" firewall.
> > firewall_allowservices="192.168.0.0/24 fd11:43:2::/64"  # List of IPs which have access to
> >                                                 # $firewall_myservices for "workstation" firewall.
> > firewall_trusted=""                             # List of IPs which have full access to this
> >                                                 # host for "workstation" firewall.
> >
> > [...]
> > # service ipfw restart
> > Flushed all rules.
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from any to ::1
> > 00500 deny ip from ::1 to any
> > 00600 allow ipv6-icmp from :: to ff02::/16
> > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> > ipfw: bad source address any
> > ipfw: bad source address any
> > 00000 check-state :default
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > ipfw: bad destination address any
> > 01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
> > ipfw: bad source address any
> > ipfw: bad source address any
> > 01100 allow udp from fe80::/10 to me 546 in
> > ipfw: bad source address any
> > ipfw: bad source address any
> > ipfw: bad source address any
> > ipfw: bad source address any
> > [...]
> >
> > The problem also occurs if I set
> >
> > firewall_allowservices="any"
> >
> > in /etc/rc.conf  
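Added example, not code from ipfw(8) and not written by anyone in this thread: a reduced C model of the add_src() dispatch, with the pre-commit version taken from the `-` lines of the quoted hunk and the committed version from the `+` lines, run over a constructed rule list resembling the WORKSTATION output above. All function, enum and struct names are hypothetical; the sample rules are constructed, not the real rc.firewall output.

```c
/*
 * Added example, not ipfw's own code: a reduced model of the add_src()
 * dispatch in ipfw(8), showing why r358858 rejects "any" on tcp/udp
 * rules while "ip" rules still load. Names below are hypothetical.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Which parser the argument is handed to; ERROR models add_src() returning NULL. */
enum dispatch { DISPATCH_ERROR = 0, DISPATCH_IP6, DISPATCH_IP4, DISPATCH_PASS };

/* add_src() runs inet_pton() on the first address of "a/len" or "a,b,c" only. */
static void first_host(const char *av, char *host, size_t hostlen)
{
    size_t n = strcspn(av, "/,");

    if (n >= hostlen)
        n = hostlen - 1;
    memcpy(host, av, n);
    host[n] = '\0';
}

/* Logic before r358858 (what the revert restores): anything not IPv6 goes to the IPv4 parser. */
enum dispatch dispatch_before(const char *av, unsigned char proto)
{
    char host[INET6_ADDRSTRLEN];
    struct in6_addr a;
    enum dispatch ret = DISPATCH_ERROR;

    first_host(av, host, sizeof host);
    if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
        inet_pton(AF_INET6, host, &a) == 1)
        ret = DISPATCH_IP6;
    if (ret == DISPATCH_ERROR && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
        inet_pton(AF_INET6, host, &a) != 1))
        ret = DISPATCH_IP4;     /* "any" lands here; the IPv4 parser accepts it */
    if (ret == DISPATCH_ERROR && strcmp(av, "any") != 0)
        ret = DISPATCH_PASS;
    return ret;
}

/* Logic as committed in r358858: every branch now demands a literal or a keyword. */
enum dispatch dispatch_r358858(const char *av, unsigned char proto)
{
    char host[INET6_ADDRSTRLEN];
    struct in6_addr a;

    first_host(av, host, sizeof host);
    if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
        inet_pton(AF_INET6, host, &a) == 1)
        return DISPATCH_IP6;
    else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
             inet_pton(AF_INET, host, &a) == 1)
        return DISPATCH_IP4;
    else if (strcmp(av, "any") != 0)
        return DISPATCH_PASS;
    return DISPATCH_ERROR;      /* "any" with tcp/udp: ipfw prints "bad source address any" */
}

/* One rule reduced to its protocol and source argument. */
struct rule {
    unsigned char proto;
    const char *src;
};

/* Constructed sample modelled on the WORKSTATION rules quoted in the thread. */
static const struct rule sample_rules[] = {
    { IPPROTO_IP,     "any" },              /* ip rule with "any" source */
    { IPPROTO_IP,     "127.0.0.0/8" },      /* loopback deny rule */
    { IPPROTO_ICMPV6, "fe80::/10" },        /* ipv6-icmp link-local rule */
    { IPPROTO_UDP,    "0.0.0.0" },          /* DHCP client rule */
    { IPPROTO_UDP,    "fe80::/10" },        /* DHCPv6 client rule */
    { IPPROTO_TCP,    "192.168.0.0/24" },   /* firewall_allowservices, IPv4 */
    { IPPROTO_TCP,    "fd11:43:2::/64" },   /* firewall_allowservices, IPv6 */
    { IPPROTO_UDP,    "any" },              /* udp rule with "any" source */
    { IPPROTO_TCP,    "any" },              /* tcp rule with "any" source */
};
#define SAMPLE_RULE_COUNT ((int)(sizeof sample_rules / sizeof sample_rules[0]))

/* Count the rules a given dispatch would refuse to load. */
int count_rejected(enum dispatch (*dispatch)(const char *, unsigned char),
                   const struct rule *rules, int n)
{
    int rejected = 0;

    for (int i = 0; i < n; i++)
        if (dispatch(rules[i].src, rules[i].proto) == DISPATCH_ERROR)
            rejected++;
    return rejected;
}

int main(void)
{
    printf("before r358858: %d of %d rules rejected\n",
           count_rejected(dispatch_before, sample_rules, SAMPLE_RULE_COUNT), SAMPLE_RULE_COUNT);
    printf("with r358858:   %d of %d rules rejected\n",
           count_rejected(dispatch_r358858, sample_rules, SAMPLE_RULE_COUNT), SAMPLE_RULE_COUNT);
    return 0;
}
```

The two "any" rules under tcp and udp are the only ones the committed logic refuses, which matches the pattern in the quoted restart output: rules with literal addresses and the `ip`-protocol rules load, the keyword ones fail. Whatever replaces the `!IPv6` test, the parser needs an explicit path for arguments that are neither address family.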
