Bug 220640 - [ipfw][patch] ipfw drops GRE over IPv6 packets
Summary: [ipfw][patch] ipfw drops GRE over IPv6 packets
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 9.3-STABLE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Philip Paeps
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2017-07-11 16:23 UTC by Kun Xie
Modified: 2017-08-01 13:42 UTC

See Also:
philip: mfc-stable11+
philip: mfc-stable10+
philip: mfc-stable9+


Attachments
Add IPPROTO_GRE to IPv6 protocol case list in ipfw_chk() (399 bytes, patch)
2017-07-11 16:23 UTC, Kun Xie

Description Kun Xie 2017-07-11 16:23:50 UTC
Created attachment 184263
Add IPPROTO_GRE to IPv6 protocol case list in ipfw_chk()

FreeBSD supports GRE over IPv6 tunnels, but if the ipfw module is loaded, ipfw_chk() searches the extension headers of IPv6 to get upper layer protocols.

There are a lot of protocols, but GRE is not one of them, so the GRE packets will be dropped if the sysctl 'net.inet6.ip6.fw.deny_unknown_exthdrs' is enabled, and unfortunately this option is set to 1 by default.

Our working environment is 9.3-STABLE, but we checked FreeBSD 11-RELEASE and FreeBSD-current and they share the same problem.

The attached patch simply adds IPPROTO_GRE to the IPv6 protocol case list in ipfw_chk() and pulls up the mbuf. With the patch applied, GRE over IPv6 tunnels can work with the ipfw module enabled.
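
The header walk described in the report, as a simplified user-space model (an added example, not the attached patch and not FreeBSD's ipfw_chk() code). The names walk_ip6, make_gre6 and the gre_known flag are hypothetical, and the sample packet is constructed with only the fields the model reads.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* IANA protocol numbers carried in the IPv6 Next Header field. */
enum { P_HOPOPTS = 0, P_TCP = 6, P_UDP = 17, P_ROUTING = 43, P_GRE = 47,
       P_ICMPV6 = 58, P_DSTOPTS = 60 };
#define VERDICT_DENY (-1)

/* Model of the header walk: returns the upper-layer protocol handed on to
 * rule matching, or VERDICT_DENY. gre_known = 0 models the pre-patch code. */
int walk_ip6(const uint8_t *pkt, size_t len, int deny_unknown, int gre_known)
{
    size_t off = 40;                       /* fixed IPv6 header */
    if (len < off) return VERDICT_DENY;
    uint8_t proto = pkt[6];                /* Next Header field */
    for (;;) {
        switch (proto) {
        case P_HOPOPTS: case P_ROUTING: case P_DSTOPTS:
            if (len < off + 8) return VERDICT_DENY;
            proto = pkt[off];
            off += ((size_t)pkt[off + 1] + 1) * 8;  /* length in 8-byte units */
            if (off > len) return VERDICT_DENY;
            continue;
        case P_TCP: case P_UDP: case P_ICMPV6:
            return proto;
        case P_GRE:
            if (gre_known)                 /* needs the 4-byte GRE base header */
                return len >= off + 4 ? proto : VERDICT_DENY;
            return deny_unknown ? VERDICT_DENY : proto;  /* pre-patch: unknown */
        default:
            return deny_unknown ? VERDICT_DENY : proto;
        }
    }
}

/* Constructed sample: IPv6 header, optional 8-byte dest-options header, GRE. */
size_t make_gre6(uint8_t *buf, int with_dstopts)
{
    memset(buf, 0, 52);
    buf[6] = with_dstopts ? P_DSTOPTS : P_GRE;
    if (with_dstopts) buf[40] = P_GRE;     /* ext hdr: next = GRE, len = 0 */
    return with_dstopts ? 52 : 44;
}

int main(void)
{
    uint8_t p[52]; size_t n = make_gre6(p, 1);
    printf("before: %d  after: %d\n", walk_ip6(p, n, 1, 0), walk_ip6(p, n, 1, 1));
    return 0;
}
```

With deny_unknown set to 1 (the default the report mentions for net.inet6.ip6.fw.deny_unknown_exthdrs), the pre-patch walk denies the GRE packet before any rule is consulted, so an explicit allow rule for GRE would not help.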
Comment 1 commit-hook freebsd_committer freebsd_triage 2017-07-13 09:02:19 UTC
A commit references this bug:

Author: philip
Date: Thu Jul 13 09:01:22 UTC 2017
New revision: 320941
URL: https://svnweb.freebsd.org/changeset/base/320941

Log:
  Fix GRE over IPv6 tunnels with IPFW

  Previously, GRE packets in IPv6 tunnels would be dropped by IPFW (unless
  net.inet6.ip6.fw.deny_unknown_exthdrs was unset).

  PR:		220640
  Submitted by:	Kun Xie <kxie@xiplink.com>
  MFC after:	1 week

Changes:
  head/sys/netpfil/ipfw/ip_fw2.c
Comment 2 Philip Paeps freebsd_committer freebsd_triage 2017-07-13 09:07:56 UTC
I've committed this to HEAD with minor changes (struct gre_h was renamed to struct grehdr in r274246).  I'll merge to 11-STABLE, 10-STABLE and 9-STABLE next week.
Comment 3 commit-hook freebsd_committer freebsd_triage 2017-07-31 19:48:43 UTC
A commit references this bug:

Author: philip
Date: Mon Jul 31 19:48:29 UTC 2017
New revision: 321811
URL: https://svnweb.freebsd.org/changeset/base/321811

Log:
  MFC r320941: Fix GRE over IPv6 tunnels with IPFW

  Previously, GRE packets in IPv6 tunnels would be dropped by IPFW (unless
  net.inet6.ip6.fw.deny_unknown_exthdrs was unset).

  PR:		220640
  Submitted by:	Kun Xie <kxie@xiplink.com>

Changes:
_U  stable/11/
  stable/11/sys/netpfil/ipfw/ip_fw2.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-08-01 13:16:28 UTC
A commit references this bug:

Author: philip
Date: Tue Aug  1 13:15:30 UTC 2017
New revision: 321873
URL: https://svnweb.freebsd.org/changeset/base/321873

Log:
  MFC r320941: Fix GRE over IPv6 tunnels with IPFW

  Previously, GRE packets in IPv6 tunnels would be dropped by IPFW (unless
  net.inet6.ip6.fw.deny_unknown_exthdrs was unset).

  PR:           220640
  Submitted by: Kun Xie <kxie@xiplink.com>

Changes:
_U  stable/10/
  stable/10/sys/netpfil/ipfw/ip_fw2.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-08-01 13:40:48 UTC
A commit references this bug:

Author: philip
Date: Tue Aug  1 13:40:38 UTC 2017
New revision: 321874
URL: https://svnweb.freebsd.org/changeset/base/321874

Log:
  MFC r320941: Fix GRE over IPv6 tunnels with IPFW

  Previously, GRE packets in IPv6 tunnels would be dropped by IPFW (unless
  net.inet6.ip6.fw.deny_unknown_exthdrs was unset).

  PR:		220640
  Submitted by:	Kun Xie <kxie@xiplink.com>

Changes:
_U  stable/9/sys/
_U  stable/9/sys/netpfil/
  stable/9/sys/netpfil/ipfw/ip_fw2.c