Bug 222705
| Summary: | ipfw "proto udp" parsing problem | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | Jason Mader <jasonmader> | ||||||||
| Component: | bin | Assignee: | Andrey V. Elsukov <ae> | ||||||||
| Status: | Closed FIXED | ||||||||||
| Severity: | Affects Only Me | CC: | ae, emaste | ||||||||
| Priority: | --- | ||||||||||
| Version: | 11.1-RELEASE | ||||||||||
| Hardware: | amd64 | ||||||||||
| OS: | Any | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Jason Mader
2017-09-30 21:02:05 UTC
There's another problem on this rule, "unreach6 port" is generating an Address unreachable response, ICMPv6 (1,3) instead of Port unreachable, ICMPv6 (1,4). It can be worked around with "unreach6 4" But then the rule is displayed as, "unreach needfrag". if the rule is, unreach needfrag log ip from any to me udp dst-port 33434-33449 in where "ip" instead of "ip6" then, IPv4 will receive a need to fragment response, and IPv6 will receive port closed. Created attachment 187264 [details] Proposed patch for unreach opcode This patch adds mapping of IPv4 unreach codes into IPv6 codes that is also used in NAT64. The only difference, that "unreach proto" is not converted into "paramater problem", because unreach6 opcode must send ICMPv6 destination unreachable message. I'm unable to reproduce the problem described in comment #1. This patch should only affect the case, when you have "unreach port" and IPv6 packet is matched by rule. Fixed in r328326 and r328968. Reopen, since was fixed only one part of bug report. Created attachment 191775 [details]
Proposed patch
I reworked opcode parsing, can you test this patch with your rules?
Comment on attachment 191775 [details]
Proposed patch
The patch still have problems, I'll update it a bit later.
Created attachment 191779 [details]
Proposed patch
A commit references this bug: Author: ae Date: Wed Mar 28 12:44:29 UTC 2018 New revision: 331668 URL: https://svnweb.freebsd.org/changeset/base/331668 Log: Rework ipfw rules parsing and printing code. Introduce show_state structure to keep information about printed opcodes. Split show_static_rule() function into several smaller functions. Make parsing and printing opcodes into several passes. Each printed opcode is marked in show_state structure and will be skipped in next passes. Now show_static_rule() function is simple, it just prints each part of rule separately: action, modifiers, proto, src and dst addresses, options. The main goal of this change is avoiding occurrence of wrong result of `ifpw show` command, that can not be parsed by ipfw(8). Also now it is possible to make some simple static optimizations by reordering of opcodes in the rule. PR: 222705 Discussed with: melifaro MFC after: 2 weeks Sponsored by: Yandex LLC Changes: head/sbin/ipfw/ipfw2.c head/sbin/ipfw/ipfw2.h head/sbin/ipfw/main.c A commit references this bug: Author: ae Date: Wed Apr 11 10:24:47 UTC 2018 New revision: 332400 URL: https://svnweb.freebsd.org/changeset/base/332400 Log: MFC r331668: Rework ipfw rules parsing and printing code. Introduce show_state structure to keep information about printed opcodes. Split show_static_rule() function into several smaller functions. Make parsing and printing opcodes into several passes. Each printed opcode is marked in show_state structure and will be skipped in next passes. Now show_static_rule() function is simple, it just prints each part of rule separately: action, modifiers, proto, src and dst addresses, options. The main goal of this change is avoiding occurrence of wrong result of `ifpw show` command, that can not be parsed by ipfw(8). Also now it is possible to make some simple static optimizations by reordering of opcodes in the rule. PR: 222705 Changes: _U stable/11/ stable/11/sbin/ipfw/ipfw2.c stable/11/sbin/ipfw/ipfw2.h stable/11/sbin/ipfw/main.c Fixed in head/ and stable/11. Thanks! |
