Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets

2010-09-06 Thread Dan Lukes
The following reply was made to PR kern/128260; it has been noted by GNATS.

From: Dan Lukes 
To: bug-follo...@freebsd.org
Cc:  
Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets
Date: Mon, 06 Sep 2010 12:08:48 +0200

 The 8.1-RELEASE partially corrects this problem.
 
 But for DIVERT (not the TEE) there are still issues.
 
 For the non-tee case, the header is still unconditionally considered to be
 (struct ip). The
 ip->ip_off & (IP_MF | IP_OFFMASK)
 may be unintentionally true (for an IPv6 packet); then ip_reass will be
 called with an IPv6 packet, which is not appropriate.
 
 We still need to check the IP version:
 
 -   if (!tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) {
 +   if (ip->ip_v == 4 && !tee && ntohs(ip->ip_off) & (IP_MF | 
 IP_OFFMASK)) {
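Review bot: the added "ip->ip_v == 4" guard is the right fix for this branch, and keeping it first in the && chain matters: in an IPv6 header the two bytes that struct ip calls ip_off are the next-header and hop-limit fields, so "ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)" is nonzero for practically every IPv6 packet and ip_reass would otherwise be reached for almost all of them. Reading ip->ip_v before the family is known is safe because the version nibble occupies the first byte in both header formats. Since the non-tee path still treats the header as (struct ip) unconditionally, as the message says, it would be cleaner to derive the version once at the top of the function and guard every IPv4-only field access with it rather than only this one. The "+" line is also wrapped by the mailer across two lines and needs rejoining before the patch is applied.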
 
 Dan
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


Current problem reports assigned to freebsd-ipfw@FreeBSD.org

2010-09-06 Thread FreeBSD bugmaster
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker  Resp.  Description

o kern/150141  ipfw   [ipfw]: Not working kernel nat freeBSD 8.1
o kern/149572  ipfw   [ipfw] ipfw kernel nat not working properly
o kern/148928  ipfw   [ipfw] Problem with loading of ipfw NAT rules during s
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148157  ipfw   [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw   [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw   [ipfw] call order of natd and ipfw startup scripts
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw   [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw   [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw   [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw   [ipfw] ipfw nat does not follow its documentation
o kern/144269  ipfw   [ipfw] problem with ipfw tables
o kern/144187  ipfw   [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw   [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw   [ipfw] ipfw table contains the same address
f kern/142951  ipfw   [dummynet] using pipes&queues gives OUCH! pipe should 
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet] 6.3-RELEASE-p1 page fault in dummynet (corr
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to 
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o ke

Default router changes unexpectedly when dummynet enabled

2010-09-06 Thread Özkan KIRIK
Hi,

When I enable dummynet rules, the default router changes unexpectedly.
If the pipe & queue rules do not exist, there is no problem.
I tried all of the FreeBSD 7.1, 7.2, 7.3, 8.1-STABLE-201008 releases (both
i386 and amd64).
All these FreeBSD versions are affected.

I inspected logs to see if someone logged in or changed the route (with the route -n
monitor command).
When the default route changed, there weren't any messages in the "route
-n monitor" command output.
I think there can be a buffer overflow in dummynet code.

This problem repeats once every 10 minutes.
I wrote a shell script which monitors the default router.
I saw that sometimes netstat -rn shows that the default router has changed
to 10.0.16.251 or 10.6.10.240 etc.,
which are client IP addresses, but routing still routes to the
right router 193.X.Y.Z.
After a while, routing really fails.

You can access the tcpdump capture file from:
http://193.255.128.30/~ryland/flowdata_10_0_16_251
This file was captured while the default router changed.
The tcpdump capture belongs to the IP address which is shown as the default
router (10.0.16.251).

The tcpdump command:

tcpdump -w /home/flowdata_10_0_16_251 -ni bce0.116 host 10.0.16.251

dummynet rules are:
3 pipe 3 tcp from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 to
any dst-port 8000,80,22,25,88,110,443,1720,1863,1521,3389,4489 via em0
// Upload
3 pipe 3 udp from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 to
any dst-port 53 via em0 // Upload
3 pipe 4 tcp from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 to
any via em0 // Upload
3 pipe 4 udp from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 to
any via em0 // Upload
 LOTS OF NAT RULES HERE (in kernel nat)
6 pipe 1 tcp from any
8000,80,22,25,88,110,443,1720,1863,1521,3389,4489 to
10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 via bce0* // Download
6 pipe 1 udp from any 53 to
10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 via bce0* // Download
6 pipe 2 tcp from any to
10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 via bce0* // Download
6 pipe 2 udp from any to
10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 via bce0* // Download

/sbin/ipfw pipe 1 config bw 8192Kbit/s mask dst-ip 0x
/sbin/ipfw pipe 3 config bw 1024Kbit/s mask src-ip 0x
/sbin/ipfw pipe 2 config bw 4096Kbit/s mask dst-ip 0x
/sbin/ipfw pipe 4 config bw 1024Kbit/s mask src-ip 0x

sysctl vars:
net.inet.ip.dummynet.hash_size=256 ( also tried with 8192 )
net.inet.ip.dummynet.pipe_slot_limit=500
net.inet.ip.dummynet.io_fast=1


Some information about the network:
The system has 3 NICs as WAN, LAN, DMZ.
There are VLANs on the WAN and LAN interfaces.
Throughput is between 20Mbps and 100Mbps.


Any ideas?

Regards,
Ozkan KIRIK
Mersin University @ Turkey
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"