On Tue, 10 Mar 2020 20:30:21 +0000 (UTC) "Alexander V. Chernikov" <melif...@freebsd.org> wrote:
> Author: melifaro > Date: Tue Mar 10 20:30:21 2020 > New Revision: 358858 > URL: https://svnweb.freebsd.org/changeset/base/358858 > > Log: > Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst(). > > Submitted by: Neel Chauhan <neel AT neelc DOT org> > MFC after: 2 weeks > Differential Revision: https://reviews.freebsd.org/D21812 > > Modified: > head/sbin/ipfw/ipfw2.c > > Modified: head/sbin/ipfw/ipfw2.c > ============================================================================== > --- head/sbin/ipfw/ipfw2.c Tue Mar 10 20:25:36 2020 (r358857) > +++ head/sbin/ipfw/ipfw2.c Tue Mar 10 20:30:21 2020 (r358858) > @@ -3717,11 +3717,10 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cb > if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || > inet_pton(AF_INET6, host, &a) == 1) > ret = add_srcip6(cmd, av, cblen, tstate); > - /* XXX: should check for IPv4, not !IPv6 */ > - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 || > - inet_pton(AF_INET6, host, &a) != 1)) > + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 || > + inet_pton(AF_INET, host, &a) == 1) > ret = add_srcip(cmd, av, cblen, tstate); > - if (ret == NULL && strcmp(av, "any") != 0) > + else if (ret == NULL && strcmp(av, "any") != 0) > ret = cmd; > > return ret; 
> @@ -3748,11 +3747,10 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cb > if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || > inet_pton(AF_INET6, host, &a) == 1) > ret = add_dstip6(cmd, av, cblen, tstate); > - /* XXX: should check for IPv4, not !IPv6 */ > - if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 || > - inet_pton(AF_INET6, host, &a) != 1)) > + else if (proto == IPPROTO_IP || strcmp(av, "me") == 0 || > + inet_pton(AF_INET, host, &a) == 1) > ret = add_dstip(cmd, av, cblen, tstate); > - if (ret == NULL && strcmp(av, "any") != 0) > + else if (ret == NULL && strcmp(av, "any") != 0) > ret = cmd; > > return ret; > _______________________________________________ > svn-src-head@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/svn-src-head > To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

This seems to trigger some issues in CURRENT's ipfw script handling rules. On all CURRENT boxes running > FreeBSD 13.0-CURRENT #0 r358851: Tue Mar 10 21:17:39 CET 2020 amd64, the boxes aren't accessible via net due to errors occurring when loading ipfw rules:

[/etc/rc.conf]
firewall_type="WORKSTATION"
firewall_myservices="22/tcp 80/tcp 443/tcp"
                        # List of TCP ports on which this host
                        # offers services for "workstation" firewall.
firewall_allowservices="192.168.0.0/24 fd11:43:2::/64"
                        # List of IPs which have access to
                        # $firewall_myservices for "workstation"
                        # firewall.
firewall_trusted=""     # List of IPs which have full access to this
                        # host for "workstation" firewall.
[...]

# service ipfw restart
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
ipfw: bad source address any
ipfw: bad source address any
00000 check-state :default
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
ipfw: bad source address any
ipfw: bad source address any
01100 allow udp from fe80::/10 to me 546 in
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
[...]

The problem also occurs if firewall_allowservices="any" is set in /etc/rc.conf
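
Review bot: In the add_src() hunk, the new else-if chain leaves the keyword "any" without a branch that assigns ret whenever proto is neither IPPROTO_IPV6 nor IPPROTO_IP. inet_pton() returns 1 for it under neither AF_INET6 nor AF_INET, and the last test, `strcmp(av, "any") != 0`, is false for it. The removed test `inet_pton(AF_INET6, host, &a) != 1` used to send that argument to add_srcip(). The same chain also sends every other argument that is not an address literal to `ret = cmd` without calling add_srcip6() or add_srcip(), where the old code called add_srcip() for it. Suggest routing "any" and other non-literal arguments explicitly, for example by adding `strcmp(av, "any") == 0` to the IPv4 condition, and checking a rule of the form "tcp from any" before commit.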
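
Review bot: In the add_dst() hunk, the final `else if (ret == NULL && strcmp(av, "any") != 0)` is now reached only when neither add_dstip6() nor add_dstip() was called, so `ret == NULL` there compares ret's initial value rather than a call result. A NULL returned by add_dstip6() is also returned as is now, where the old `if (ret == NULL && ...)` tests let it fall through to the add_dstip() attempt and the `ret = cmd` fallback. If that change is intended, state it in the log message and drop the leftover `ret == NULL` test; if not, keep the second and third tests as separate `if (ret == NULL && ...)` statements.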