Hi all,
I attached a patch that solves this problem. I will send a PR as soon as possible.

Instructions:

Patch the following files:

/usr/src/sbin/ipfw/ipfw2.c (patch is ipfw2.c.diff)
/usr/src/sbin/ipfw/ipfw2.h (patch is ipfw2.h.diff)
/usr/src/sbin/ipfw/ipv6.c (patch is ipv6.c.diff)

This patch was tested on FreeBSD 8 Beta 2 AMD64 and official FreeBSD 8 BETA 2 Sources.

Let me know of any suggestions or problems.

Regards
Raffaele

On Jul 22, 2009, at 5:12 PM, Willem Jan Withagen wrote:

Reply below, and I also reorganised yours...
raffaele.delore...@libero.it wrote:
Hi,

Running 7.2 I tried to insert this into my IPFW rules
# ipfw add allow udp from any to 2001:xxx:3::113,2001:xxxx:3::116 \
        dst-port 10001-10100 keep-state
ipfw: bad netmask ``xxxx:3::113''
also:
# ipfw add allow udp from any to trixbox.ip6 dst-port 10001-10100 keep-state
ipfw: hostname ``trixbox.ip6'' unknown
Exit 68
# host trixbox.ip6
trixbox.ip6.digiware.nl has IPv6 address 2001:4cb8:3::116

So it looks like what is in the manual is overly optimistic:
----
    addr6-list: ip6-addr[,addr6-list]
    ip6-addr:
            A host or subnet specified one of the following ways:

            numeric-ip | hostname
                    Matches a single IPv6 address as allowed by inet_pton(3)
                    or a hostname. Hostnames are resolved at the time the
                    rule is added to the firewall list.

            addr/masklen
                    Matches all IPv6 addresses with base addr (specified as
                    allowed by inet_pton or a hostname) and mask width of
                    masklen bits.

            No support for sets of IPv6 addresses is provided because IPv6
            addresses are typically random past the initial prefix.
----

Has anybody else run into this?
Or should I file this as a PR?

> Hi all,
> You have found a parser bug.
> When the protocol is "ipv6" and you have comma-separated ipv6 addresses,
> the parser works fine because the "add_srcip6" function is called and
> recognizes all addresses.
> When the protocol is "!=ipv6" (like TCP,UDP,ICMP6) the "add_src" function
> is called and it causes trouble because "inet_pton()" fails and the
> "add_srcip" function is erroneously called (see the code below).
>
> (from "ipfw2.c")
> static ipfw_insn *
> add_src(ipfw_insn *cmd, char *av, u_char proto)
> {
>    struct in6_addr a;
>    char *host, *ch;
>    ipfw_insn *ret = NULL;
>
>    if ((host = strdup(av)) == NULL)
>            return NULL;
>    /* strip a trailing "/masklen" from the private copy */
>    if ((ch = strrchr(host, '/')) != NULL)
>            *ch = '\0';
>
>    /* IPv6 path: taken only if the whole string parses as one address */
>    if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
>        inet_pton(AF_INET6, host, &a))
>            ret = add_srcip6(cmd, av);
>
>    /* XXX: should check for IPv4, not !IPv6 */
>    if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
>        !inet_pton(AF_INET6, host, &a)))
>            ret = add_srcip(cmd, av);
>    if (ret == NULL && strcmp(av, "any") != 0)
>            ret = cmd;
>
>    free(host);
>    return ret;
> }
>
> I think that possible solutions are the following:
>
> 1) Create new protocol types UDP6, TCP6 only for IPv6 rules to avoid
> parser confusion, and check for this protocol inside the "add_src"
> function (easy to implement).
> 2) Check the comma-separated ip/ipv6 addresses inside the "add_src"
> function (a little too hard to implement).
>
> I appreciate suggestions from the community experts about this problem.

I would prefer not to make separate tcp6 and udp6 items, since what I would like to do is things like:

hostlist="a.b.c.d,A:B:C:D::F"

and then in the firewall something like
        ipfw add allow tcp from any to ${hostlist} dst-port 80 setup

and if tcp now goes into tcp and tcp6 I need to double my rules etc.

Which raises one other point:
        using a FQDN with more A and AAAA records also just inserts the
        first reply in the list.
        Now I don't use FQDN since most of the time in the Firewall DNS
        is not quite up yet.

--WjW
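To make the failure mode discussed above concrete: inet_pton() parses exactly one address, so the comma-separated list fails as a whole and add_src() falls through to the IPv4 path. The helper below is an added example, not ipfw's code or Raffaele's patch; it splits the argument on ',' first, strips any "/masklen" per element, and reports which families the elements belong to, so a mixed list like Willem's hostlist can be turned into one IPv4 and one IPv6 instruction rather than rejected. HAS_V4, HAS_V6, whole_string_is_ipv6 and classify_addr_list are hypothetical names.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/* Hypothetical helper flags (not ipfw's): which address families
 * appear in a comma-separated address list. */
#define HAS_V4 1
#define HAS_V6 2

/* The test add_src() performs today: one inet_pton() over the whole
 * argument. It yields 0 for "a,b" even when a and b are valid IPv6. */
static int whole_string_is_ipv6(const char *av)
{
    struct in6_addr a;
    return inet_pton(AF_INET6, av, &a) == 1;
}

/* Split av on ',' before parsing, drop "/masklen" per element (the
 * original strips only the last '/' of the whole string), classify each
 * element with inet_pton(). Returns a HAS_V4|HAS_V6 mask, or -1 if any
 * element is empty or in neither family, so the rule can be rejected. */
static int classify_addr_list(const char *av)
{
    char buf[256];
    int families = 0;
    struct in6_addr a6;
    struct in_addr a4;
    char *tok, *comma = NULL, *slash;

    if (strlen(av) >= sizeof(buf))
        return -1;
    strcpy(buf, av);
    for (tok = buf; tok != NULL; tok = comma ? comma + 1 : NULL) {
        comma = strchr(tok, ',');
        if (comma != NULL)
            *comma = '\0';
        slash = strchr(tok, '/');
        if (slash != NULL)
            *slash = '\0';
        if (*tok == '\0')
            return -1;          /* "a,,b" or trailing comma */
        if (inet_pton(AF_INET6, tok, &a6) == 1)
            families |= HAS_V6;
        else if (inet_pton(AF_INET, tok, &a4) == 1)
            families |= HAS_V4;
        else
            return -1;          /* hostname or garbage: not resolved here */
    }
    return families;
}
```

Sample addresses in the test are the documentation ranges 2001:db8::/32 and 192.0.2.0/24, not the addresses from the thread.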
_______________________________________________
freebsd-i...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw- unsubscr...@freebsd.org"
