Message-Id: <201105211358.p4LDwE1c035686@red.freebsd.org>
Date: Sat, 21 May 2011 13:58:14 GMT
From: Jan Bramkamp <crest@tzi.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw + dummynet corrupts ipv6 packets
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         157239
>Category:       kern
>Synopsis:       [ipfw] [dummynet] ipfw + dummynet corrupts ipv6 packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 21 14:00:21 UTC 2011
>Closed-Date:    Wed Jul 06 05:49:36 UTC 2011
>Last-Modified:  Wed Jul  6 05:50:07 UTC 2011
>Originator:     Jan Bramkamp
>Release:        8.2-RELEASE
>Organization:
>Environment:
FreeBSD test7.crest.dn42 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
Setting two boxes up as described in 'How-To-Repeat' results in all IPv6 packets matching rule 100 leaving corrupted with invalid IPv6 option headers (header type = 64 or 255).
>How-To-Repeat:
# Reproduce 8.2-RELEASE amd64
# on both boxes /etc/rc.conf
# ipv6_enable="YES"
# ipv6_gateway_enable="YES"
# box1 <--ethernet--> box2

# box1:
ifconfig em0 inet6 fc00::1

# box2:
ifconfig re0 inet6 fc00::2

# box1:
ping6 fc00::2 # works, tcpdump shows icmp6 traffic

# box1:
ping6 fc00::2 # works, tcpdump shows icmp6 traffic

# box1:
kldload ipfw && kldload dummynet
ipfw pipe 1 config
ipfw add 100 pipe 1 ip6 from fc00::/64 to fc00::/64 out via em0 
ipfw add 200 allow ip from any to any 

# box2:
ping6 fc00::2 # broken

# box1:
ping6 fc00::1 # broken

# box1:
sysctl net.inet.ip.fw.one_pass=0
sysctl net.inet6.ip6.fw.deny_unknown_exthdrs=0 # packets leave corrupted

>Fix:
unknown

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat May 21 22:51:30 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157239 

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Jan Bramkamp <crest@tzi.de>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/157239: ipfw + dummynet corrupts ipv6 packets
Date: Fri, 27 May 2011 17:41:54 +0400

   I can't reproduce this problem on 9-CURRENT. The rule packet
 counter on pipe is increasing, ping6 works fine.
 
   Can I shift the PR state to "patched"?
 
 -- 
 Totus tuus, Glebius.

From: Manuel Kasper <mk@neon1.net>
To: bug-followup@FreeBSD.org
Cc: crest@tzi.de
Subject: Re: kern/157239: [ipfw] [dummynet] ipfw + dummynet corrupts ipv6 packets
Date: Sat, 4 Jun 2011 14:37:56 +0200

 I've been able to reproduce this on a FreeBSD 9.0-CURRENT snapshot dated
 May 12 as well, but the behavior is a bit different compared to 8.2 with
 respect to direction and one_pass setting:
 
 FreeBSD 8.2:
 - dummynet on input,  one_pass=0: OK
 - dummynet on input,  one_pass=1: broken
 - dummynet on output, one_pass=0: broken
 - dummynet on output, one_pass=1: broken
 
 FreeBSD 9:
 - dummynet on input,  one_pass=0: OK
 - dummynet on input,  one_pass=1: broken
 - dummynet on output, one_pass=0: broken
 - dummynet on output, one_pass=1: OK
 
 Also, I believe I've found the cause: ipfw/dummynet code uses
 SET_HOST_IPLEN on IPv6 packets in two instances, thus inadvertently
 swapping the next header and hop limit fields in the IPv6 header,
 causing the "Unknown Extension Header" warnings and dropped packets (or
 bad packets appearing on the wire if
 net.inet6.ip6.fw.deny_unknown_exthdrs=0).
 
 A patch against 8.2-RELEASE that fixes this issue for me is attached -
 Jan, could you please verify if this fixes the issue for you too?
 
 - Manuel
 
 [attachment: dummynet_v6.patch]
 
 --- sys/netinet/ipfw/ip_dn_io.c.orig	2010-12-28 13:18:46.000000000 +0100
 +++ sys/netinet/ipfw/ip_dn_io.c	2011-06-04 14:35:45.305439000 +0200
 @@ -610,7 +610,6 @@
  			break;
  
  		case DIR_OUT | PROTO_IPV6:
 -			SET_HOST_IPLEN(mtod(m, struct ip *));
  			ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL);
  			break;
  #endif
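Review bot: In the DIR_OUT | PROTO_IPV6 case the deleted line leaves no trace of why the macro must stay away from this path, so a later cleanup could restore the call. A one-line comment above ip6_output() saying that the IPv6 header is passed on untouched and that SET_HOST_IPLEN() must not be applied to it would guard against that.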
 --- sys/netinet/ipfw/ip_fw_pfil.c.orig	2010-12-21 18:09:25.000000000 +0100
 +++ sys/netinet/ipfw/ip_fw_pfil.c	2011-06-04 14:35:45.305439000 +0200
 @@ -127,7 +127,8 @@
  		args.rule = *((struct ipfw_rule_ref *)(tag+1));
  		m_tag_delete(*m0, tag);
  		if (args.rule.info & IPFW_ONEPASS) {
 -			SET_HOST_IPLEN(mtod(*m0, struct ip *));
 +			if (mtod(*m0, struct ip *)->ip_v == 4)
 +				SET_HOST_IPLEN(mtod(*m0, struct ip *));
  			return 0;
  		}
  	}
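Review bot: The new test in the IPFW_ONEPASS branch reads ip_v through a struct ip cast on a packet that may be IPv6, and mtod(*m0, struct ip *) is now spelled out twice. A local struct ip pointer plus a short comment that only the version field may be trusted before the check would make the intent clear; style(9) also asks for return (0); on the unchanged return line.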
 
 --Apple-Mail-18-318878430--
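The field swap described in the message above, as an added example that is not code from the PR or from the FreeBSD tree. The body of SET_HOST_IPLEN() is not shown on this page; the model below assumes it converts the IPv4 ip_len and ip_off fields (byte offsets 2 and 6) to host order on a little-endian host such as the reporter's amd64 box, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IP4_LEN_OFF = 2, IP4_OFF_OFF = 6,   /* struct ip: ip_len, ip_off */
       IP6_NXT_OFF = 6, IP6_HLIM_OFF = 7,  /* IPv6: next header, hop limit */
       IP6_HDRLEN = 40, NXT_ICMPV6 = 58 };

/* What ntohs() on a stored 16-bit field does on a little-endian host. */
static void swap16_at(uint8_t *p, int off)
{
	uint8_t t = p[off];
	p[off] = p[off + 1];
	p[off + 1] = t;
}

/* ASSUMED model of SET_HOST_IPLEN(): ip_len and ip_off to host order. */
static void model_set_host_iplen(uint8_t *hdr)
{
	swap16_at(hdr, IP4_LEN_OFF);
	swap16_at(hdr, IP4_OFF_OFF);
}

/* Behaviour after the patch: convert only when the version nibble is 4. */
static void model_patched(uint8_t *hdr)
{
	if ((hdr[0] >> 4) == 4)
		model_set_host_iplen(hdr);
}

/* Next-header byte left in a constructed fc00::1 -> fc00::2 IPv6 header. */
int next_header_on_wire(int patched, uint8_t nxt, uint8_t hlim)
{
	uint8_t h[IP6_HDRLEN];
	memset(h, 0, sizeof(h));
	h[0] = 0x60; h[5] = 16;         /* version 6, 16-byte payload */
	h[IP6_NXT_OFF] = nxt; h[IP6_HLIM_OFF] = hlim;
	h[8] = 0xfc; h[23] = 1;         /* source fc00::1 */
	h[24] = 0xfc; h[39] = 2;        /* destination fc00::2 */
	if (patched) model_patched(h);
	else model_set_host_iplen(h);
	return h[IP6_NXT_OFF];
}

int main(void)
{
	printf("pre-patch: %d, patched: %d\n",
	    next_header_on_wire(0, NXT_ICMPV6, 64),
	    next_header_on_wire(1, NXT_ICMPV6, 64));
	return 0;
}
```

With hop limits of 64 and 255 the pre-patch path yields the "header type = 64 or 255" values from the original report, because the hop limit byte lands in the next header position.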

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/157239: commit references a PR
Date: Tue, 21 Jun 2011 06:06:56 +0000 (UTC)

 Author: ae
 Date: Tue Jun 21 06:06:47 2011
 New Revision: 223358
 URL: http://svn.freebsd.org/changeset/base/223358
 
 Log:
   Do not use SET_HOST_IPLEN() macro for IPv6 packets.
   
   PR:		kern/157239
   MFC after:	2 weeks
 
 Modified:
   head/sys/netinet/ipfw/ip_dn_io.c
   head/sys/netinet/ipfw/ip_fw_pfil.c
 
 Modified: head/sys/netinet/ipfw/ip_dn_io.c
 ==============================================================================
 --- head/sys/netinet/ipfw/ip_dn_io.c	Tue Jun 21 05:27:49 2011	(r223357)
 +++ head/sys/netinet/ipfw/ip_dn_io.c	Tue Jun 21 06:06:47 2011	(r223358)
 @@ -668,7 +668,6 @@ dummynet_send(struct mbuf *m)
  			break;
  
  		case DIR_OUT | PROTO_IPV6:
 -			SET_HOST_IPLEN(mtod(m, struct ip *));
  			ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL);
  			break;
  #endif
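Review bot: The log for this removal in dummynet_send() says the macro is no longer used for IPv6 but not what it did to such packets. The PR follow-up identifies the effect (next header and hop limit swapped, seen as unknown extension headers), and one sentence of that in the log would let someone reading the svn history understand the fix without opening the PR.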
 
 Modified: head/sys/netinet/ipfw/ip_fw_pfil.c
 ==============================================================================
 --- head/sys/netinet/ipfw/ip_fw_pfil.c	Tue Jun 21 05:27:49 2011	(r223357)
 +++ head/sys/netinet/ipfw/ip_fw_pfil.c	Tue Jun 21 06:06:47 2011	(r223358)
 @@ -127,8 +127,9 @@ again:
  		args.rule = *((struct ipfw_rule_ref *)(tag+1));
  		m_tag_delete(*m0, tag);
  		if (args.rule.info & IPFW_ONEPASS) {
 -			SET_HOST_IPLEN(mtod(*m0, struct ip *));
 -			return 0;
 +			if (mtod(*m0, struct ip *)->ip_v == 4)
 +				SET_HOST_IPLEN(mtod(*m0, struct ip *));
 +			return (0);
  		}
  	}
  
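Review bot: The change from return 0; to return (0); in the IPFW_ONEPASS branch is a style edit folded into a functional fix that is marked for MFC. It is harmless, but committing it separately would keep the change to be merged limited to the ip_v == 4 guard.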
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: ae 
State-Changed-When: Tue Jun 21 06:16:26 UTC 2011 
State-Changed-Why:  
Committed to head/. Thanks! 

State-Changed-From-To: patched->closed 
State-Changed-By: ae 
State-Changed-When: Wed Jul 6 05:49:09 UTC 2011 
State-Changed-Why:  
Merged to stable/8. Thanks! 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/157239: commit references a PR
Date: Wed,  6 Jul 2011 05:43:13 +0000 (UTC)

 Author: ae
 Date: Wed Jul  6 05:42:52 2011
 New Revision: 223817
 URL: http://svn.freebsd.org/changeset/base/223817
 
 Log:
   MFC r223358:
     Do not use SET_HOST_IPLEN() macro for IPv6 packets.
   
     PR:		kern/157239
 
 Modified:
   stable/8/sys/netinet/ipfw/ip_dn_io.c
   stable/8/sys/netinet/ipfw/ip_fw_pfil.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/ipfw/ip_dn_io.c
 ==============================================================================
 --- stable/8/sys/netinet/ipfw/ip_dn_io.c	Wed Jul  6 05:40:22 2011	(r223816)
 +++ stable/8/sys/netinet/ipfw/ip_dn_io.c	Wed Jul  6 05:42:52 2011	(r223817)
 @@ -664,7 +664,6 @@ dummynet_send(struct mbuf *m)
  			break;
  
  		case DIR_OUT | PROTO_IPV6:
 -			SET_HOST_IPLEN(mtod(m, struct ip *));
  			ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL);
  			break;
  #endif
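Review bot: This merge removes the call from the DIR_OUT | PROTO_IPV6 case on stable/8, but the PR follow-up reports that 8.2 and 9 behaved differently for dummynet on output with one_pass=1 (broken on 8.2, OK on 9), and the log records no test on the branch. It would be worth stating in the log or in the PR that the four direction and one_pass combinations were rechecked on stable/8 after the merge.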
 
 Modified: stable/8/sys/netinet/ipfw/ip_fw_pfil.c
 ==============================================================================
 --- stable/8/sys/netinet/ipfw/ip_fw_pfil.c	Wed Jul  6 05:40:22 2011	(r223816)
 +++ stable/8/sys/netinet/ipfw/ip_fw_pfil.c	Wed Jul  6 05:42:52 2011	(r223817)
 @@ -127,8 +127,9 @@ again:
  		args.rule = *((struct ipfw_rule_ref *)(tag+1));
  		m_tag_delete(*m0, tag);
  		if (args.rule.info & IPFW_ONEPASS) {
 -			SET_HOST_IPLEN(mtod(*m0, struct ip *));
 -			return 0;
 +			if (mtod(*m0, struct ip *)->ip_v == 4)
 +				SET_HOST_IPLEN(mtod(*m0, struct ip *));
 +			return (0);
  		}
  	}
  
 
>Unformatted:
