Re: svn commit: r358858 - head/sbin/ipfw
On Wed, 11 Mar 2020 08:10:13 + Alexander V. Chernikov wrote:
> 11.03.2020, 07:14, "O. Hartmann" :
> > On Tue, 10 Mar 2020 20:30:21 + (UTC)
> > "Alexander V. Chernikov" wrote:
> >
> >> Author: melifaro
> >> Date: Tue Mar 10 20:30:21 2020
> >> New Revision: 358858
> >> URL: https://svnweb.freebsd.org/changeset/base/358858
> >>
> >> Log:
> >> Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
> >>
> >> Submitted by: Neel Chauhan
> >> MFC after: 2 weeks
> >> Differential Revision: https://reviews.freebsd.org/D21812
> >>
> >> Modified:
> >> head/sbin/ipfw/ipfw2.c
> >>
> >> Modified: head/sbin/ipfw/ipfw2.c
> >>
> >> ==
> >> --- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020 (r358857)
> >> +++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020 (r358858)
> >> @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto,
> >> int cb if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
> >> inet_pton(AF_INET6, host, ) == 1)
> >> ret = add_srcip6(cmd, av, cblen, tstate);
> >> - /* XXX: should check for IPv4, not !IPv6 */
> >> - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >> - inet_pton(AF_INET6, host, ) != 1))
> >> + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >> + inet_pton(AF_INET, host, ) == 1)
> >> ret = add_srcip(cmd, av, cblen, tstate);
> >> - if (ret == NULL && strcmp(av, "any") != 0)
> >> + else if (ret == NULL && strcmp(av, "any") != 0)
> >> ret = cmd;
> >>
> >> return ret;
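Review bot: The new `else if (ret == NULL && strcmp(av, "any") != 0)` is now the only branch left for an `av` that is neither an IPv6 literal (or `me6`, or `proto == IPPROTO_IPV6`) nor an IPv4 literal (or `me`, or `proto == IPPROTO_IP`), and it excludes `any` by design, so a bare `any` combined with a protocol such as tcp, udp or ipv6-icmp leaves `ret` NULL — which is exactly the pattern in the report, where the `ip` rules and the literal-address rules load and the rest fail with `bad source address any`. Under the removed `inet_pton(AF_INET6, host, ...) != 1` fallback those inputs still reached `add_srcip()`, which evidently accepted `any` and presumably the other non-literal forms (hostnames, `table(...)`) that an `inet_pton(AF_INET, ...)` test cannot recognise either. The smallest repair is to admit the keyword in the IPv4 branch, `else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 || strcmp(av, "any") == 0 || inet_pton(AF_INET, host, &a) == 1)`, and then to decide explicitly what the last branch should do with input neither handler accepted: returning an untouched `cmd` for it is hard for the caller to tell apart from a successfully parsed `any`, which would make such a rule broader than written rather than rejected. `add_src()` opens and `ret` is initialised above the hunk, so whether `ret` can be non-NULL on entry cannot be confirmed here; if it starts out NULL, the `ret == NULL` test in the new last branch is redundant in an else-if chain. The same applies to the `add_dst()` hunk that follows and to the copies of both hunks quoted further down the thread; note also that the third argument of every `inet_pton` call is blank in this rendering, presumably an `&a` lost in mail-to-HTML conversion.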
> >> @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto,
> >> int cb if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
> >> inet_pton(AF_INET6, host, ) == 1)
> >> ret = add_dstip6(cmd, av, cblen, tstate);
> >> - /* XXX: should check for IPv4, not !IPv6 */
> >> - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >> - inet_pton(AF_INET6, host, ) != 1))
> >> + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> >> + inet_pton(AF_INET, host, ) == 1)
> >> ret = add_dstip(cmd, av, cblen, tstate);
> >> - if (ret == NULL && strcmp(av, "any") != 0)
> >> + else if (ret == NULL && strcmp(av, "any") != 0)
> >> ret = cmd;
> >>
> >> return ret;
> >> ___
> >> svn-src-h...@freebsd.org mailing list
> >> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> >> To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
> >
> > This seems to trigger some issues in CURRENT's ipfw script handling rules.
> > On all CURRENT boxes running
> >> FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 amd64, the
> >> boxes
> >
> > aren't accessible via net due to errors occuring when loading ipfw rules:
> Whoops.
> Terribly sorry for breaking your setup. Reverted in r358871.
It is not a specific setup of mine, since we use the standard supplied by FreeBSD, just filling some variables. So, in theory, the patch should have broken much more setups if people use FreeBSD's ipfw. Thanks for reverting.
> >
> > [/etc/rc.conf]
> > firewall_type="WORKSTATION"
> > firewall_myservices="22/tcp 80/tcp 443/tcp" # List of TCP ports on
> > which this host
> > # offers services for "workstation"
> > firewall. firewall_allowservices="192.168.0.0/24 fd11:43:2::/64" # List of
> > IPs which have access to
> > # $firewall_myservices for "workstation"
> > # firewall.
> > firewall_trusted="" # List of IPs which have full access to this
> > # host for "workstation" firewall.
> >
> > [...]
> > # service ipfw restart
> > Flushed all rules.
> > 00100 allow ip from any to any via lo0 > > 00200 deny ip from any to 127.0.0.0/8 > > 00300 deny ip from 127.0.0.0/8 to any > > 00400 deny ip from any to ::1 > > 00500 deny ip from ::1 to any > > 00600 allow ipv6-icmp from :: to ff02::/16 > > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10 > > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16 > > ipfw: bad source address any > > ipfw: bad source address any > > 0 check-state :default > > ipfw: bad destination address any > > ipfw: bad destination address any > > ipfw: bad destination address any > > ipfw: bad destination address any > > ipfw: bad destination address any > > 01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out > > ipfw: bad source address any > > ipfw: bad source address any > > 01100 allow udp from fe80::/10 to me 546 in > > ipfw: bad source address any > > ipfw: bad source address any > > ipfw: bad source address any > > ipfw: bad source address any > > [...] > > > > The problem also occur if set > > > > firewall_allowservices="any" > > > > in /etc/rc.conf
Re: svn commit: r358858 - head/sbin/ipfw
11.03.2020, 07:14, "O. Hartmann" :
> On Tue, 10 Mar 2020 20:30:21 + (UTC)
> "Alexander V. Chernikov" wrote:
>
>> Author: melifaro
>> Date: Tue Mar 10 20:30:21 2020
>> New Revision: 358858
>> URL: https://svnweb.freebsd.org/changeset/base/358858
>>
>> Log:
>> Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
>>
>> Submitted by: Neel Chauhan
>> MFC after: 2 weeks
>> Differential Revision: https://reviews.freebsd.org/D21812
>>
>> Modified:
>> head/sbin/ipfw/ipfw2.c
>>
>> Modified: head/sbin/ipfw/ipfw2.c
>>
>> ==
>> --- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020 (r358857)
>> +++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020 (r358858)
>> @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int
>> cb
>> if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
>> inet_pton(AF_INET6, host, ) == 1)
>> ret = add_srcip6(cmd, av, cblen, tstate);
>> - /* XXX: should check for IPv4, not !IPv6 */
>> - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>> - inet_pton(AF_INET6, host, ) != 1))
>> + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>> + inet_pton(AF_INET, host, ) == 1)
>> ret = add_srcip(cmd, av, cblen, tstate);
>> - if (ret == NULL && strcmp(av, "any") != 0)
>> + else if (ret == NULL && strcmp(av, "any") != 0)
>> ret = cmd;
>>
>> return ret;
>> @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int
>> cb
>> if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
>> inet_pton(AF_INET6, host, ) == 1)
>> ret = add_dstip6(cmd, av, cblen, tstate);
>> - /* XXX: should check for IPv4, not !IPv6 */
>> - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>> - inet_pton(AF_INET6, host, ) != 1))
>> + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>> + inet_pton(AF_INET, host, ) == 1)
>> ret = add_dstip(cmd, av, cblen, tstate);
>> - if (ret == NULL && strcmp(av, "any") != 0)
>> + else if (ret == NULL && strcmp(av, "any") != 0)
>> ret = cmd;
>>
>> return ret;
>> ___
>> svn-src-h...@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/svn-src-head
>> To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
>
> This seems to trigger some issues in CURRENT's ipfw script handling rules. On
> all CURRENT boxes running
>> FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 amd64, the
>> boxes
>
> aren't accessible via net due to errors occuring when loading ipfw rules:
Whoops. Terribly sorry for breaking your setup. Reverted in r358871.
>
> [/etc/rc.conf]
> firewall_type="WORKSTATION"
> firewall_myservices="22/tcp 80/tcp 443/tcp" # List of TCP ports on
> which this host
> # offers services for "workstation" firewall.
> firewall_allowservices="192.168.0.0/24 fd11:43:2::/64" # List of
> IPs which have access to
> # $firewall_myservices for "workstation"
> # firewall.
> firewall_trusted="" # List of IPs which have full access to this
> # host for "workstation" firewall.
>
> [...]
> # service ipfw restart
> Flushed all rules.
> 00100 allow ip from any to any via lo0 > 00200 deny ip from any to 127.0.0.0/8 > 00300 deny ip from 127.0.0.0/8 to any > 00400 deny ip from any to ::1 > 00500 deny ip from ::1 to any > 00600 allow ipv6-icmp from :: to ff02::/16 > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10 > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16 > ipfw: bad source address any > ipfw: bad source address any > 0 check-state :default > ipfw: bad destination address any > ipfw: bad destination address any > ipfw: bad destination address any > ipfw: bad destination address any > ipfw: bad destination address any > 01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out > ipfw: bad source address any > ipfw: bad source address any > 01100 allow udp from fe80::/10 to me 546 in > ipfw: bad source address any > ipfw: bad source address any > ipfw: bad source address any > ipfw: bad source address any > [...] > > The problem also occur if set > > firewall_allowservices="any" > > in /etc/rc.conf ___ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r358858 - head/sbin/ipfw
On Tue, 10 Mar 2020 20:30:21 + (UTC) "Alexander V. Chernikov" wrote:
> Author: melifaro
> Date: Tue Mar 10 20:30:21 2020
> New Revision: 358858
> URL: https://svnweb.freebsd.org/changeset/base/358858
>
> Log:
> Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
>
> Submitted by: Neel Chauhan
> MFC after: 2 weeks
> Differential Revision: https://reviews.freebsd.org/D21812
>
> Modified:
> head/sbin/ipfw/ipfw2.c
>
> Modified: head/sbin/ipfw/ipfw2.c
> ==
> --- head/sbin/ipfw/ipfw2.cTue Mar 10 20:25:36 2020(r358857)
> +++ head/sbin/ipfw/ipfw2.cTue Mar 10 20:30:21 2020(r358858)
> @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cb
> if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
> inet_pton(AF_INET6, host, ) == 1)
> ret = add_srcip6(cmd, av, cblen, tstate);
> - /* XXX: should check for IPv4, not !IPv6 */
> - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> - inet_pton(AF_INET6, host, ) != 1))
> + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> + inet_pton(AF_INET, host, ) == 1)
> ret = add_srcip(cmd, av, cblen, tstate);
> - if (ret == NULL && strcmp(av, "any") != 0)
> + else if (ret == NULL && strcmp(av, "any") != 0)
> ret = cmd;
>
> return ret;
> @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cb
> if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
> inet_pton(AF_INET6, host, ) == 1)
> ret = add_dstip6(cmd, av, cblen, tstate);
> - /* XXX: should check for IPv4, not !IPv6 */
> - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> - inet_pton(AF_INET6, host, ) != 1))
> + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
> + inet_pton(AF_INET, host, ) == 1)
> ret = add_dstip(cmd, av, cblen, tstate);
> - if (ret == NULL && strcmp(av, "any") != 0)
> + else if (ret == NULL && strcmp(av, "any") != 0)
> ret = cmd;
>
> return ret;
> ___
> svn-src-h...@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
This seems to trigger some issues in CURRENT's ipfw script handling rules. On all CURRENT boxes running
> FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 amd64, the boxes
aren't accessible via net due to errors occuring when loading ipfw rules:
[/etc/rc.conf]
firewall_type="WORKSTATION"
firewall_myservices="22/tcp 80/tcp 443/tcp" # List of TCP ports on which this host # offers services for "workstation" firewall.
firewall_allowservices="192.168.0.0/24 fd11:43:2::/64" # List of IPs which have access to # $firewall_myservices for "workstation" # firewall.
firewall_trusted="" # List of IPs which have full access to this # host for "workstation" firewall.
[...]
# service ipfw restart
Flushed all rules.
00100 allow ip from any to any via lo0 00200 deny ip from any to 127.0.0.0/8 00300 deny ip from 127.0.0.0/8 to any 00400 deny ip from any to ::1 00500 deny ip from ::1 to any 00600 allow ipv6-icmp from :: to ff02::/16 00700 allow ipv6-icmp from fe80::/10 to fe80::/10 00800 allow ipv6-icmp from fe80::/10 to ff02::/16 ipfw: bad source address any ipfw: bad source address any 0 check-state :default ipfw: bad destination address any ipfw: bad destination address any ipfw: bad destination address any ipfw: bad destination address any ipfw: bad destination address any 01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out ipfw: bad source address any ipfw: bad source address any 01100 allow udp from fe80::/10 to me 546 in ipfw: bad source address any ipfw: bad source address any ipfw: bad source address any ipfw: bad source address any [...] The problem also occur if set firewall_allowservices="any" in /etc/rc.conf ___ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
svn commit: r358858 - head/sbin/ipfw
Author: melifaro
Date: Tue Mar 10 20:30:21 2020
New Revision: 358858
URL: https://svnweb.freebsd.org/changeset/base/358858

Log:
Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().

Submitted by: Neel Chauhan
MFC after:2 weeks
Differential Revision:https://reviews.freebsd.org/D21812

Modified:
head/sbin/ipfw/ipfw2.c

Modified: head/sbin/ipfw/ipfw2.c
==
--- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020(r358857)
+++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020(r358858)
@@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cb
if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
inet_pton(AF_INET6, host, ) == 1)
ret = add_srcip6(cmd, av, cblen, tstate);
- /* XXX: should check for IPv4, not !IPv6 */
- if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
- inet_pton(AF_INET6, host, ) != 1))
+ else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
+ inet_pton(AF_INET, host, ) == 1)
ret = add_srcip(cmd, av, cblen, tstate);
- if (ret == NULL && strcmp(av, "any") != 0)
+ else if (ret == NULL && strcmp(av, "any") != 0)
ret = cmd;

return ret;
@@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cb
if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
inet_pton(AF_INET6, host, ) == 1)
ret = add_dstip6(cmd, av, cblen, tstate);
- /* XXX: should check for IPv4, not !IPv6 */
- if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
- inet_pton(AF_INET6, host, ) != 1))
+ else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
+ inet_pton(AF_INET, host, ) == 1)
ret = add_dstip(cmd, av, cblen, tstate);
- if (ret == NULL && strcmp(av, "any") != 0)
+ else if (ret == NULL && strcmp(av, "any") != 0)
ret = cmd;

return ret;
___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"