From simon@arthur.nitro.dk  Wed Jan 15 14:47:51 2003
Return-Path: <simon@arthur.nitro.dk>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6B2A937B401
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 15 Jan 2003 14:47:51 -0800 (PST)
Received: from arthur.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7F48943F43
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 15 Jan 2003 14:47:50 -0800 (PST)
	(envelope-from simon@arthur.nitro.dk)
Received: by arthur.nitro.dk (Postfix, from userid 1000)
	id 806A710BF87; Wed, 15 Jan 2003 23:47:47 +0100 (CET)
Message-Id: <20030115224747.806A710BF87@arthur.nitro.dk>
Date: Wed, 15 Jan 2003 23:47:47 +0100 (CET)
From: Simon L.Nielsen <simon@nitro.dk>
Reply-To: Simon L.Nielsen <simon@nitro.dk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] Sanity check in ipfw(8)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         47120
>Category:       bin
>Synopsis:       [patch] Sanity check in ipfw(8)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    trhodes
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 15 14:50:01 PST 2003
>Closed-Date:    Tue Jun 10 12:58:21 PDT 2003
>Last-Modified:  Tue Jun 10 12:58:21 PDT 2003
>Originator:     Simon L. Nielsen
>Release:        FreeBSD 5.0-CURRENT
>Organization:
>Environment:
FreeBSD ford.nitro.dk 5.0-CURRENT FreeBSD 5.0-CURRENT #2: Fri Dec 27 13:32:24 CET 2002     root@ford.nitro.dk:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The ipfw(8) userland program does not check if the user tries to make
certain types of self-contradictory rules. E.g. the following rule is
allowed by ipfw2:

# sysctl kern.osrelease
kern.osrelease: 5.0-CURRENT
# ipfw add allow udp from any to any setup
01000 allow udp from any to any setup

The kernel firewall code correctly requires TCP packets when matching
the setup keyword so the rule can never match anything.

The included patch only allows the correct protocol (e.g. TCP for
'setup'), but sometimes protocol 'any/ip' might make the rule
"work". In my opinion this still does not really make much sense and
should not be allowed. ipfw1 (/ipfw in FreeBSD 4) does not allow these
types of rules:

# sysctl kern.osrelease
kern.osrelease: 4.7-RELEASE-p2
# ipfw add allow udp from any to any setup
ipfw: unknown argument ``setup''
# ipfw add allow ip from any to any setup
ipfw: unknown argument ``setup''

>How-To-Repeat:
>Fix:
This patch makes the ipfw userland program do a bit more sanity-checking on
the input rules for protocol-specific options.

--- ipfw2-inputcheck.patch begins here ---
Index: ipfw2.c
===================================================================
RCS file: /home/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.21
diff -u -d -r1.21 ipfw2.c
--- ipfw2.c	12 Jan 2003 03:31:10 -0000	1.21
+++ ipfw2.c	15 Jan 2003 21:08:20 -0000
@@ -2908,6 +2909,8 @@
 			break;
 
 		case TOK_ICMPTYPES:
+			if(proto != IPPROTO_ICMP)
+				errx(EX_USAGE, "icmptypes only valid for icmp");
 			NEED1("icmptypes requires list of types");
 			fill_icmptypes((ipfw_insn_u32 *)cmd, *av);
 			av++; ac--;
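Review bot: style(9) wants a space after the keyword, so `if(proto != IPPROTO_ICMP)` should read `if (proto != IPPROTO_ICMP)`; the same applies to every check this patch adds. Placing the check ahead of `NEED1("icmptypes requires list of types")` is fine, since a rule that names the wrong protocol should fail on that before it fails on a missing argument.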
@@ -2993,15 +2996,21 @@
 			break;
 
 		case TOK_ESTAB:
+			if(proto != IPPROTO_TCP)
+				errx(EX_USAGE, "established only valid for tcp");
 			fill_cmd(cmd, O_ESTAB, 0, 0);
 			break;
 
 		case TOK_SETUP:
+			if(proto != IPPROTO_TCP)
+				errx(EX_USAGE, "setup only valid for tcp");
 			fill_cmd(cmd, O_TCPFLAGS, 0,
 				(TH_SYN) | ( (TH_ACK) & 0xff) <<8 );
 			break;
 
 		case TOK_TCPOPTS:
+			if(proto != IPPROTO_TCP)
+				errx(EX_USAGE, "tcpoptions only valid for tcp");
 			NEED1("missing argument for tcpoptions");
 			fill_flags(cmd, O_TCPOPTS, f_tcpopts, *av);
 			ac--; av++;
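Review bot: the `proto != IPPROTO_TCP` checks in this hunk are order-dependent for protocol sets: the follow-up in the audit trail shows `{ tcp or udp } ... setup` rejected with "setup only valid for tcp" while `{ udp or tcp } ... setup` is accepted, which means `proto` only reflects the last protocol token parsed. Either record every protocol in the set and test membership, or apply the check only when a single protocol was given. The same three lines are also repeated verbatim before `established`, `setup` and `tcpoptions`; a small macro next to `NEED1`, e.g. `NEED_PROTO(IPPROTO_TCP, "established")`, would keep the messages consistent and cut the duplication.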
@@ -3009,6 +3018,8 @@
 
 		case TOK_TCPSEQ:
 		case TOK_TCPACK:
+			if(proto != IPPROTO_TCP)
+				errx(EX_USAGE, "tcpseq/tcpack only valid for tcp");
 			NEED1("tcpseq/tcpack requires argument");
 			cmd->len = F_INSN_SIZE(ipfw_insn_u32);
 			cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK;
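Review bot: the message "tcpseq/tcpack only valid for tcp" could name the option the user actually typed, since `i` already distinguishes `TOK_TCPSEQ` from `TOK_TCPACK` on the `cmd->opcode` line that follows, e.g. `errx(EX_USAGE, "%s only valid for tcp", i == TOK_TCPSEQ ? "tcpseq" : "tcpack")`.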
@@ -3017,6 +3028,8 @@
 			break;
 
 		case TOK_TCPWIN:
+			if(proto != IPPROTO_TCP)
+				errx(EX_USAGE, "tcpwin only valid for tcp");
 			NEED1("tcpwin requires length");
 			fill_cmd(cmd, O_TCPWIN, 0,
 			    htons(strtoul(*av, NULL, 0)));
@@ -3024,6 +3037,8 @@
 			break;
 
 		case TOK_TCPFLAGS:
+			if(proto != IPPROTO_TCP)
+				errx(EX_USAGE, "tcpflags only valid for tcp");
 			NEED1("missing argument for tcpflags");
 			cmd->opcode = O_TCPFLAGS;
 			fill_flags(cmd, O_TCPFLAGS, f_tcpflags, *av);
--- ipfw2-inputcheck.patch ends here ---


>Release-Note:
>Audit-Trail:

From: "Simon L. Nielsen" <simon@nitro.dk>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/47120: [patch] Sanity check in ipfw(8)
Date: Tue, 21 Jan 2003 01:24:21 +0100

 
 Hello
 
 I just noticed that the above patch is not enough. It fails if there are
 multiple protocols :-/
 
 [root@arthur:ipfw] ipfw add 10000 count { tcp or udp } from any to any setup
 ipfw: setup only valid for tcp
 [root@arthur:ipfw] ipfw add 10000 count { udp or tcp } from any to any setup
 10000 count { udp or tcp } from any to any setup
 
 I will make a new patch that handles multiple protocols...
 
 -- 
 Simon L. Nielsen
 
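As an added illustration (not the PR's patch and not ipfw's own code), a stand-alone checker that collects the whole protocol set before validating the protocol-specific options, so `{ tcp or udp }` and `{ udp or tcp }` are judged identically; the option table, `proto_of`, `rule_options_consistent`, the rule-string format and the policy of accepting a set that contains the required protocol are assumptions made for this example, while, as in the PR, a bare `ip`/`any` protocol is not accepted for a TCP- or ICMP-only option:

```c
#include <netinet/in.h>   /* IPPROTO_* constants */
#include <string.h>

#define MAX_PROTOS 8

/* Option -> the only protocol it can match (table constructed for this example). */
struct opt_req { const char *name; int proto; };
static const struct opt_req opt_reqs[] = {
    { "setup", IPPROTO_TCP },      { "established", IPPROTO_TCP },
    { "tcpoptions", IPPROTO_TCP }, { "tcpseq", IPPROTO_TCP },
    { "tcpack", IPPROTO_TCP },     { "tcpwin", IPPROTO_TCP },
    { "tcpflags", IPPROTO_TCP },   { "icmptypes", IPPROTO_ICMP },
};

static int proto_of(const char *tok) {
    if (strcmp(tok, "tcp") == 0) return IPPROTO_TCP;
    if (strcmp(tok, "udp") == 0) return IPPROTO_UDP;
    if (strcmp(tok, "icmp") == 0) return IPPROTO_ICMP;
    if (strcmp(tok, "ip") == 0 || strcmp(tok, "any") == 0) return IPPROTO_IP;
    return -1;                      /* not a protocol keyword */
}

/* Returns 1 when every protocol-specific option after "from" names a protocol
 * present in the rule's protocol set (one protocol or "{ a or b }"), 0 when
 * some option can never match.  As in the PR, a bare "ip"/"any" protocol does
 * not satisfy a TCP- or ICMP-only option. */
int rule_options_consistent(const char *rule) {
    char buf[256];
    int protos[MAX_PROTOS], nprotos = 0, in_body = 0;

    strncpy(buf, rule, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (!in_body) {                 /* action and protocol set */
            if (strcmp(tok, "from") == 0) { in_body = 1; continue; }
            int p = proto_of(tok);
            if (p >= 0 && nprotos < MAX_PROTOS) protos[nprotos++] = p;
            continue;
        }
        for (size_t i = 0; i < sizeof opt_reqs / sizeof opt_reqs[0]; i++) {
            if (strcmp(tok, opt_reqs[i].name) != 0) continue;
            int ok = 0;                 /* membership test over the whole set */
            for (int j = 0; j < nprotos; j++)
                if (protos[j] == opt_reqs[i].proto) ok = 1;
            if (!ok) return 0;          /* option can never match this rule */
        }
    }
    return 1;
}
```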
Responsible-Changed-From-To: freebsd-bugs->ipfw 
Responsible-Changed-By: johan 
Responsible-Changed-When: Mon Feb 3 12:43:37 PST 2003 
Responsible-Changed-Why:  
Over to ipfw maintainer group. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=47120 

From: "Simon L. Nielsen" <simon@nitro.dk>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/47120: [patch] Sanity check in ipfw(8)
Date: Fri, 9 May 2003 11:22:17 +0200

 
 Hello
 
 This PR can be closed since it is only a half bandaid and there are still
 a million other ways to shoot oneself in the foot by doing "stupid"
 things with ipfw.
 
 This was discussed with Luigi Rizzo on the freebsd-ipfw mailing list (in
 January AFAIR) - I just forgot about the PR again.
 
 -- 
 Simon L. Nielsen
 
State-Changed-From-To: open->closed 
State-Changed-By: trhodes 
State-Changed-When: Tue Jun 10 12:53:05 PDT 2003 
State-Changed-Why:  
Submitter requests the closing of this PR as outlined in the audit 
trail. 


Responsible-Changed-From-To: ipfw->trhodes 
Responsible-Changed-By: trhodes 
Responsible-Changed-When: Tue Jun 10 12:53:05 PDT 2003 
Responsible-Changed-Why:  
Over to me. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=47120 
>Unformatted:
