Bug 240650 - ipfw(8): Check for IPv4 in add_src() and add_dat, don't assume !IPv6 is IPv4
Summary: ipfw(8): Check for IPv4 in add_src() and add_dat, don't assume !IPv6 is IPv4
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-ipfw mailing list
URL: https://reviews.freebsd.org/D24025
Keywords: patch
Depends on:
Blocks:
 
Reported: 2019-09-17 19:16 UTC by Neel Chauhan
Modified: 2020-03-11 15:35 UTC (History)
2 users (show)

See Also:
ohartmann: maintainer-feedback+


Attachments
Patch (Revision 1) (664 bytes, patch)
2019-09-17 19:16 UTC, Neel Chauhan
no flags Details | Diff
Patch (Revision 2) (694 bytes, patch)
2019-09-17 19:17 UTC, Neel Chauhan
no flags Details | Diff
Patch (Revision 3) (1.20 KB, patch)
2019-09-17 19:31 UTC, Neel Chauhan
no flags Details | Diff
Patch to fix the IPFW "any" identifier (732 bytes, patch)
2020-03-11 15:32 UTC, Neel Chauhan
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Neel Chauhan 2019-09-17 19:16:14 UTC
Created attachment 207582 [details]
Patch (Revision 1)
Comment 1 Neel Chauhan 2019-09-17 19:17:55 UTC
Created attachment 207583 [details]
Patch (Revision 2)

Do the diff from the base /usr/src, not /usr/src/sbin/ipfw
Comment 2 Neel Chauhan 2019-09-17 19:31:01 UTC
Created attachment 207584 [details]
Patch (Revision 3)

This also covers add_dat
Comment 3 Neel Chauhan 2019-09-26 22:08:13 UTC
https://reviews.freebsd.org/D21812
Comment 4 Neel Chauhan 2020-03-11 04:45:21 UTC
Already committed as of r358858.
Comment 5 O. Hartmann 2020-03-11 08:25:22 UTC
This patch has been applied to CURRENT as r358858.

It breaks any rc script on CURRENT > r358858 running IPFW  with "from any to... " or "from me to ...":

[...] (dual stack, IPv6 and IPv4 in use)

/etc/rc.conf:
[...]
firewall_type="WORKSTATION"
firewall_myservices="22/tcp"
firewall_allowservices="" OR firewall_allowservices="any"
[...]

results in bricked systems:

[...]
 service ipfw restart
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
ipfw: bad source address any
ipfw: bad source address any
00000 check-state :default
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
ipfw: bad source address any
ipfw: bad source address any
01100 allow udp from fe80::/10 to me 546 in
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
[...]

I think since this is mostly standard rc.conf stuff, the problem can easily being reproduced.
Comment 6 Neel Chauhan 2020-03-11 15:15:30 UTC
Reopening, some people have issues with my patch.
Comment 7 Neel Chauhan 2020-03-11 15:21:58 UTC
This patch works for me:

root@tiny:/home/neel # ipfw add 2000 deny all from me to any 22
02000 deny ip from me to any 22
root@tiny:/home/neel # telnet neelc.org 22
Trying 66.42.69.219...
telnet: connect to address 66.42.69.219: Permission denied
Trying 2001:19f0:8001:fed:5400:2ff:fe73:c622...
telnet: connect to address 2001:19f0:8001:fed:5400:2ff:fe73:c622: No route to host
telnet: Unable to connect to remote host
root@tiny:/home/neel # ipfw del 2000 
ipfw: DEPRECATED: 'del' matched 'delete' as a sub-string
root@tiny:/home/neel # telnet neelc.org 22
Trying 66.42.69.219...
Connected to neelc.org.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.8 FreeBSD-20180909
^]
telnet> quit
Connection closed.
root@tiny:/home/neel #

Can you give me an example of your ipfw script?
Comment 8 Neel Chauhan 2020-03-11 15:26:35 UTC
Oh, I forgot to recompile IPFW, I see what the issue is.
Comment 9 Neel Chauhan 2020-03-11 15:32:03 UTC
Created attachment 212336 [details]
Patch to fix the IPFW "any" identifier

Try this patch, this should fix the "any" identifier.
Comment 10 Neel Chauhan 2020-03-11 15:35:45 UTC
Phabricator URL: https://reviews.freebsd.org/D24025