From jylefort@brutele.be  Tue Nov  8 14:42:55 2005
Return-Path: <jylefort@brutele.be>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8AD2116A4D1
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Nov 2005 14:42:55 +0000 (GMT)
	(envelope-from jylefort@brutele.be)
Received: from 212.68.244.220.brutele.be (212.68.244.220.brutele.be [212.68.244.220])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 01EE443D45
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Nov 2005 14:42:54 +0000 (GMT)
	(envelope-from jylefort@brutele.be)
Received: from jsite.lefort.net (jsite.lefort.net [192.168.1.2])
	by gateway.lefort.net (Postfix) with ESMTP id 1BF1E552E
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Nov 2005 15:42:53 +0100 (CET)
Received: by jsite.lefort.net (Postfix, from userid 1000)
	id C35C4C14F; Tue,  8 Nov 2005 15:42:52 +0100 (CET)
Message-Id: <20051108144252.C35C4C14F@jsite.lefort.net>
Date: Tue,  8 Nov 2005 15:42:52 +0100 (CET)
From: Jean-Yves Lefort <jylefort@FreeBSD.org>
Reply-To: Jean-Yves Lefort <jylefort@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ipfw stateful firewalling broken with IPv6
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         88664
>Category:       kern
>Synopsis:       [ipfw] ipfw stateful firewalling broken with IPv6
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    mlaier
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 08 14:50:13 GMT 2005
>Closed-Date:    Sun May 14 23:46:31 GMT 2006
>Last-Modified:  Sun May 14 23:46:31 GMT 2006
>Originator:     Jean-Yves Lefort
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD jsite.lefort.net 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Mon Nov 7 19:32:08 CET 2005 jylefort@jsite.lefort.net:/usr/obj/usr/src/sys/JSITE i386
>Description:
# ipfw list
00100 allow ip4 from any to any proto esp src-ip 192.168.1.1 dst-ip 192.168.1.2 in
00200 allow ip4 from any to any proto esp src-ip 192.168.1.2 dst-ip 192.168.1.1 out
00300 allow ip6 from any to any proto ipv6-icmp
00400 allow ip6 from any to any proto tcp src-ip6 me6 out setup keep-state
00500 allow ip6 from any to any proto udp src-ip6 me6 out keep-state
00600 deny log logamount 36000 ip from any to any
65535 deny ip from any to any
# telnet www.sixxs.net 80
Trying 2001:838:1:1:210:dcff:fe20:7c7c...
^C
# tail /var/log/security | grep 2001:
Nov  8 15:39:57 jsite kernel: ipfw: 600 Deny TCP [2001:0838:0001:0001:0210:dcff:fe20:7c7c]:80 [2001:0838:0339::0002]:58128 in via ed0
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Nov 8 17:20:48 GMT 2005 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=88664 

From: Joost Bekkers <joost@jodocus.org>
To: bug-followup@FreeBSD.org, jylefort@FreeBSD.org
Cc:  
Subject: Re: kern/88664: [ipfw] ipfw stateful firewalling broken with IPv6
Date: Thu, 11 May 2006 18:58:46 +0200

 The included patch fixes the problem, well for me anyway.
 
 Can somebody check if this is 'the right thing' (tm) ?
 
 
 --- ip_fw2.c-6.1R	Thu May 11 18:02:22 2006
 +++ ip_fw2.c	Thu May 11 17:59:34 2006
 @@ -671,17 +671,21 @@
  static __inline int
  hash_packet6(struct ipfw_flow_id *id)
  {
  	u_int32_t i;
  	i = (id->dst_ip6.__u6_addr.__u6_addr32[0]) ^
  	    (id->dst_ip6.__u6_addr.__u6_addr32[1]) ^
  	    (id->dst_ip6.__u6_addr.__u6_addr32[2]) ^
  	    (id->dst_ip6.__u6_addr.__u6_addr32[3]) ^
 -	    (id->dst_port) ^ (id->src_port) ^ (id->flow_id6);
 +	    (id->src_ip6.__u6_addr.__u6_addr32[0]) ^
 +	    (id->src_ip6.__u6_addr.__u6_addr32[1]) ^
 +	    (id->src_ip6.__u6_addr.__u6_addr32[2]) ^
 +	    (id->src_ip6.__u6_addr.__u6_addr32[3]) ^
 +	    (id->dst_port) ^ (id->src_port);
  	return i;
  }
  
  static int
  is_icmp6_query(int icmp6_type)
  {
  	if ((icmp6_type <= ICMP6_MAXTYPE) &&
  	    (icmp6_type == ICMP6_ECHO_REQUEST ||
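
Review bot: the rewritten XOR in hash_packet6() carries no comment saying which property it now depends on. With all four words of both src_ip6 and dst_ip6 plus both ports, the value is the same when source and destination are exchanged, which the old dst_ip6-only expression was not, so a reply packet hashes like the packet that created the state. Please add a short comment above the function stating that the hash must be symmetric in src/dst, and explain in the submission why (id->flow_id6) was dropped from the last line of the expression, since the message only says the patch works for the submitter.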
 
 -- 
 greetz Joost
 joost@jodocus.org
Responsible-Changed-From-To: freebsd-ipfw->mlaier 
Responsible-Changed-By: mlaier 
Responsible-Changed-When: Sat May 13 15:48:14 UTC 2006 
Responsible-Changed-Why:  
I'll look at this. 

State-Changed-From-To: open->feedback 
State-Changed-By: mlaier 
State-Changed-When: Sun May 14 04:29:52 UTC 2006 
State-Changed-Why:  
Can somebody please try this and/or the above patch and report back.  The 
real problem here seems to be the inclusion of the flow_id6. 

Index: ip_fw2.c 
=================================================================== 
RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v 
retrieving revision 1.130 
diff -u -r1.130 ip_fw2.c 
--- ip_fw2.c	12 May 2006 20:39:23 -0000	1.130 
+++ ip_fw2.c	14 May 2006 04:21:01 -0000 
@@ -641,11 +641,11 @@ 
hash_packet6(struct ipfw_flow_id *id) 
{ 
u_int32_t i; 
-	i = (id->dst_ip6.__u6_addr.__u6_addr32[0]) ^ 
-	    (id->dst_ip6.__u6_addr.__u6_addr32[1]) ^ 
-	    (id->dst_ip6.__u6_addr.__u6_addr32[2]) ^ 
+	i = (id->dst_ip6.__u6_addr.__u6_addr32[2]) ^ 
(id->dst_ip6.__u6_addr.__u6_addr32[3]) ^ 
-	    (id->dst_port) ^ (id->src_port) ^ (id->flow_id6); 
+	    (id->src_ip6.__u6_addr.__u6_addr32[2]) ^ 
+	    (id->src_ip6.__u6_addr.__u6_addr32[3]) ^ 
+	    (id->dst_port) ^ (id->src_port); 
return i; 
} 
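
Review bot: the new expression keeps only __u6_addr32[2] and __u6_addr32[3] of each address, so the first 64 bits of src_ip6 and dst_ip6 no longer influence the hash, and flows that differ only in those bits get the same value. If that is intended (the value stays symmetric in src/dst, and flow_id6 is gone as the note above the diff says), state it in a comment on hash_packet6(), and mention in the commit log how this differs from the patch posted earlier in this PR, which XORs all four words of both addresses.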


State-Changed-From-To: feedback->closed 
State-Changed-By: mlaier 
State-Changed-When: Sun May 14 23:45:45 UTC 2006 
State-Changed-Why:  
Fixed in ip_fw2.c rev. 1.131.  Thanks. 

>Unformatted:
