https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217292
Bug ID: 217292
Summary: ipfw lookup on fields other than IP source and destination address doesn't work for IPv6
Product: Base System
Version: 11.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
The ipfw lookup action allows ipfw to match the specified field in a packet
against a table. I wanted to use this to dynamically allow/deny TCP and UDP
ports without changing the ruleset itself.
A reduced version of the ipfw script looks like this:
# Create the table
ipfw table tcp_open create type number algo number:array
# Apply existing state
ipfw add check-state
# Establish new state
ipfw add allow tcp from any to any lookup dst-port tcp_open keep-state setup
# Open port 22/tcp
ipfw table tcp_open add 22
This works as expected for IPv4, but the IPv6 code path in
sys/netpfil/ipfw/ip_fw2.c:1517 can't deal with anything other than lookups on
the source/destination IPv6 address, yet neither does the ipfw manpage mention
this limitation, nor does ipfw refuse to load rules which can match IPv6 packets
against lookup actions on fields other than the IP addresses.
In my ruleset this "just" blocked all incoming IPv6 connections, but in other
rulesets it could just as easily expose IPv6 services to attackers.
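A defensive variant of the reporter's ruleset, added here as an example and not part of the bug report: the table lookup rule is pinned to IPv4 with the ipfw(8) `ipversion` option so no IPv6 packet ever reaches the lookup code path described above, and IPv6 gets an explicit port rule instead. The `IPFW`, `TABLE`, `IPV6_PORTS` and `APPLY` variables and the `rules_are_v6_safe` check are assumptions of this example, not ipfw features.

```sh
#!/bin/sh
# Added example (not from the report). Set IPFW=echo to preview the rules
# instead of loading them into the running firewall.
IPFW="${IPFW:-ipfw}"
TABLE="${TABLE:-tcp_open}"        # table name used in the report
IPV6_PORTS="${IPV6_PORTS:-22}"    # constructed static IPv6 allow list

load_rules() {
    "$IPFW" table "$TABLE" create type number algo number:array
    "$IPFW" add check-state
    # 'ipversion 4' restricts this rule to IPv4, so the dst-port lookup is
    # only ever evaluated on the IPv4 path, which the report says works.
    "$IPFW" add allow tcp from any to any lookup dst-port "$TABLE" \
        keep-state setup ipversion 4
    # IPv6 uses a fixed port list until the IPv6 path supports lookups on
    # fields other than the source/destination address.
    "$IPFW" add allow tcp from any to any dst-port "$IPV6_PORTS" \
        keep-state setup ipversion 6
    "$IPFW" table "$TABLE" add 22
}

# Sanity check before loading on a real host: returns 0 only if every rule
# that carries a lookup is explicitly restricted to IPv4.
rules_are_v6_safe() {
    (IPFW=echo; load_rules) | grep 'lookup' | grep -qv 'ipversion 4' && return 1
    return 0
}

# Preview by default; run with APPLY=1 on a host where the rules are wanted.
if [ "${APPLY:-0}" = "1" ]; then
    load_rules
else
    (IPFW=echo; load_rules)
fi
```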