From gael.roualland@dial.oleane.com  Wed Nov 23 21:41:53 2005
Return-Path: <gael.roualland@dial.oleane.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 12BF516A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 23 Nov 2005 21:41:53 +0000 (GMT)
	(envelope-from gael.roualland@dial.oleane.com)
Received: from tom.weedns.com (gre92-1-81-57-176-124.fbx.proxad.net [81.57.176.124])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 118C843D67
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 23 Nov 2005 21:41:51 +0000 (GMT)
	(envelope-from gael.roualland@dial.oleane.com)
Received: from jerry.priv (localhost [127.0.0.1])
	by tom.weedns.com (8.13.1/8.13.1) with ESMTP id jANLh7LW022903
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 23 Nov 2005 22:43:07 +0100 (CET)
Received: (from gael@localhost)
	by jerry.priv (8.13.1/8.13.1/Submit) id jANLh7x3022902;
	Wed, 23 Nov 2005 22:43:07 +0100 (CET)
Message-Id: <200511232143.jANLh7x3022902@jerry.priv>
Date: Wed, 23 Nov 2005 22:43:07 +0100 (CET)
From: Gael Roualland <gael.roualland@dial.oleane.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         89472
>Category:       kern
>Synopsis:       [ipfw] ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 23 21:50:15 GMT 2005
>Closed-Date:    Tue Dec 06 02:53:07 GMT 2005
>Last-Modified:  Tue Dec 06 02:53:07 GMT 2005
>Originator:     Gael Roualland <gael.roualland@dial.oleane.com>
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD jerry.priv 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Sat Nov 19 20:48:17 CET 2005 gael@jerry:/home/cvsup/obj/home/cvsup/src/sys/JERRY i386
>Description:
        Before ipfw2 knew about IPv6, it was possible to filter IPv6
        traffic which was tunneled in IPv4 by doing something like

            ipfw add allow ipv6 from a.b.c.d to me

        where a.b.c.d was the tunnel end.

        Now that ipfw2 does IPv6, such a line is interpreted as being
        an IPv6 rule, and is rejected since the specified IP address
        is not an IPv6 address.

        The alternate syntax 'allow ip from a.b.c.d to me proto ipv6'
        is accepted by ipfw, but does not work in the kernel since the
        first proto test (IPv4) does not match the extracted protocol
        of the packet (IPv6).
>How-To-Repeat:
        ipfw add allow ipv6 from a.b.c.d to me 
>Fix:
        Workaround: change the "ipv6" protocol to "all", and trust
        the end of the tunnel...

        The real fix would IMHO be to add a different test for the inner protocol
        carried by a packet in addition to the protocol of the packet itself.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Nov 23 22:41:56 GMT 2005 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89472 

Adding to audit trail from misfiled PR kern/89590:

Date: Sun, 27 Nov 2005 01:50:30 +0900
From: Hajimu UMEMOTO <ume@freebsd.org>
 
 `allow ip from a.b.c.d to me proto 41' should work for you.  Don't
 forget a reverse rule:
 
 	allow ip from me to a.b.c.d proto 41

Adding to audit trail from misfiled PR kern/89591:

Date: Sat, 26 Nov 2005 18:13:47 +0100
From: Gaël Roualland <gael.roualland@dial.oleane.com>
 > 
 > `allow ip from a.b.c.d to me proto 41' should work for you. 
 
 Hum, I didn't notice the "ipv6" string was handled a bit differently
 than the numeric proto number in ipfw.
 
 It does work, at least IPv6-over-IPv4 packets are not blocked, but ipfw
 list/show reports the rule as "allow ip from a.b.c.d to me" and it does
 filter it that way, opening a lot more than just protocol 41...
 
 -- 
 Gaël Roualland -+- gael.roualland@dial.oleane.com

From: Hajimu UMEMOTO <ume@freebsd.org>
To: Gael Roualland <gael.roualland@dial.oleane.com>
Cc: FreeBSD-gnats-submit@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Date: Sun, 27 Nov 2005 05:19:01 +0900

 Hi,
 
 >>>>> On Wed, 23 Nov 2005 22:43:07 +0100 (CET)
 >>>>> Gael Roualland <gael.roualland@dial.oleane.com> said:
 
 gael>  Hum, I didn't notice the "ipv6" string was handled a bit differently
 gael>  than the numeric proto number in ipfw.
 
 gael>  It does work, at least IPv6-over-IPv4 packets are not blocked, but ipfw
 gael>  list/show reports the rule as "allow ip from a.b.c.d to me" and it does
 gael>  filter it that way, opening a lot more than just protocol 41...
 
 Umm, 41 is treated as ipv6, internally.  With following patch,
 
 	allow ip from a.b.c.d to me proto 41
 
 should work for workaround.  However, it is still incomplete, and
 `ipfw show' shows
 
 	allow ip from any to any proto ipv6
 
 Apart from this limitation, it seems working to me here.
 
 Index: sbin/ipfw/ipfw2.c
 diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c
 --- sbin/ipfw/ipfw2.c.orig	Sat Aug 20 17:36:57 2005
 +++ sbin/ipfw/ipfw2.c	Sun Nov 27 04:18:43 2005
 @@ -3611,7 +3611,8 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
  		*proto = pe->p_proto;
  	else
  		return NULL;
 -	if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)
 +	if (strcmp(av, "ipv4") != 0 && strcmp(av, "ip4") != 0 &&
 +	    strcmp(av, "ipv6") != 0 && strcmp(av, "ip6") != 0)
  		fill_cmd(cmd, O_PROTO, 0, *proto);
  
  	return cmd;
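Review bot: the rewritten condition no longer exempts `all` and `ip`, for which `*proto` still holds `IPPROTO_IP` (0) when this test is reached, so both keywords now emit `fill_cmd(cmd, O_PROTO, 0, 0)`, an opcode that matches no real packet; that is exactly the `allow ip from any to any` breakage reported in the reply. Keep the `*proto != IPPROTO_IP` part of the old test, or move the `fill_cmd()` into the numeric and `getprotobyname()` branches so the keyword branches never reach it.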
 
 
 Sincerely,
 
 --
 Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
 ume@mahoroba.org  ume@{,jp.}FreeBSD.org
 http://www.imasy.org/~ume/

From: Gaël Roualland <gael.roualland@dial.oleane.com>
To: Hajimu UMEMOTO <ume@freebsd.org>
Cc: FreeBSD-gnats-submit@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 
 6.0-RELEASE
Date: Sun, 27 Nov 2005 02:15:05 +0100

 Hajimu UMEMOTO wrote:
 > gael>  It does work, at least IPv6-over-IPv4 packets are not blocked, but ipfw
 > gael>  list/show reports the rule as "allow ip from a.b.c.d to me" and it does
 > gael>  filter it that way, opening a lot more than just protocol 41...
 > 
 > Umm, 41 is treated as ipv6, internally.  With following patch,
 > 
 >         allow ip from a.b.c.d to me proto 41
 > 
 > should work for workaround.  However, it is still incomplete, and
 > `ipfw show' shows
 > 
 >         allow ip from any to any proto ipv6
 > 
 > Apart from this limitation, it seems working to me here.
 
 I applied the patch, and 'show' was fine (except for ipv6 instead of
 41), but it did break my other rules.. Looks like "allow ip from any to
 any" doesn't match anything anymore...
 
 Gaël.
 
 -- 
 Gaël Roualland -+- gael.roualland@dial.oleane.com

From: Hajimu UMEMOTO <ume@freebsd.org>
To: Gaël Roualland <gael.roualland@dial.oleane.com>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Date: Sun, 27 Nov 2005 14:06:17 +0900

 Hi,
 
 >>>>> On Sun, 27 Nov 2005 02:15:05 +0100
 >>>>> Gaël Roualland <gael.roualland@dial.oleane.com> said:
 
 gael> I applied the patch, and 'show' was fine (except for ipv6 instead of
 gael> 41), but it did break my other rules.. Looks like "allow ip from any to
 gael> any" doesn't match anything anymore...
 
 Oops, please try this patch instead.
 
 Index: sbin/ipfw/ipfw2.c
 diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c
 --- sbin/ipfw/ipfw2.c.orig	Sat Aug 20 17:36:57 2005
 +++ sbin/ipfw/ipfw2.c	Sun Nov 27 13:19:40 2005
 @@ -3596,7 +3596,7 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
 =20
  	*proto =3D IPPROTO_IP;
 =20
 -	if (_substrcmp(av, "all") =3D=3D 0)
 +	if (_substrcmp(av, "all") =3D=3D 0 || strcmp(av, "ip") =3D=3D 0)
  		; /* do not set O_IP4 nor O_IP6 */
  	else if (strcmp(av, "ipv4") =3D=3D 0 || strcmp(av, "ip4") =3D=3D 0)
  		/* explicit "just IPv4" rule */
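Review bot: this hunk is quoted-printable as posted (`=3D` for `=`, `=20` for the blank context line), so patch(1) will reject it as-is; the cleartext copy of the same change is resent in the following message.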
 @@ -3606,13 +3606,12 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
  		*proto =3D IPPROTO_IPV6;
  		fill_cmd(cmd, O_IP6, 0, 0);
  	} else if ((*proto =3D atoi(av)) > 0)
 -		; /* all done! */
 -	else if ((pe =3D getprotobyname(av)) !=3D NULL)
 +		fill_cmd(cmd, O_PROTO, 0, *proto);
 +	else if ((pe =3D getprotobyname(av)) !=3D NULL) {
  		*proto =3D pe->p_proto;
 -	else
 -		return NULL;
 -	if (*proto !=3D IPPROTO_IP && *proto !=3D IPPROTO_IPV6)
  		fill_cmd(cmd, O_PROTO, 0, *proto);
 +	} else
 +		return NULL;
 =20
  	return cmd;
  }
 
 
 Sincerely,
 
 --
 Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
 ume@mahoroba.org  ume@{,jp.}FreeBSD.org
 http://www.imasy.org/~ume/

From: Hajimu UMEMOTO <ume@freebsd.org>
To: gael.roualland@dial.oleane.com
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4	on 6.0-RELEASE
Date: Sun, 27 Nov 2005 14:20:37 +0900

 Hi,
 
 >>>>> On Sun, 27 Nov 2005 05:10:15 GMT
 >>>>> Hajimu UMEMOTO <ume@freebsd.org> said:
 
 ume>  Oops, please try this patch instead.
 
 Umm, the patch was encoded by quoted-printable wrongly.  So, I've
 resend it.
 
 Index: sbin/ipfw/ipfw2.c
 diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c
 --- sbin/ipfw/ipfw2.c.orig	Sat Aug 20 17:36:57 2005
 +++ sbin/ipfw/ipfw2.c	Sun Nov 27 13:19:40 2005
 @@ -3596,7 +3596,7 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
  
  	*proto = IPPROTO_IP;
  
 -	if (_substrcmp(av, "all") == 0)
 +	if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
  		; /* do not set O_IP4 nor O_IP6 */
  	else if (strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0)
  		/* explicit "just IPv4" rule */
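Review bot: adding the literal `ip` to this branch is what keeps `allow ip from any to any` opcode-free once the trailing `*proto != IPPROTO_IP` exemption is dropped in the next hunk; note that any other /etc/protocols name resolving to 0 will now fall through to `getprotobyname()` and emit `O_PROTO 0` (which matches nothing) instead of being treated as "any", so `ip` is the only spelling that still means "any protocol".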
 @@ -3606,13 +3606,12 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
  		*proto = IPPROTO_IPV6;
  		fill_cmd(cmd, O_IP6, 0, 0);
  	} else if ((*proto = atoi(av)) > 0)
 -		; /* all done! */
 -	else if ((pe = getprotobyname(av)) != NULL)
 +		fill_cmd(cmd, O_PROTO, 0, *proto);
 +	else if ((pe = getprotobyname(av)) != NULL) {
  		*proto = pe->p_proto;
 -	else
 -		return NULL;
 -	if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)
  		fill_cmd(cmd, O_PROTO, 0, *proto);
 +	} else
 +		return NULL;
  
  	return cmd;
  }
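Review bot: with `fill_cmd()` now issued inside the numeric and `getprotobyname()` branches, `proto 41` yields an `O_PROTO 41` test on the outer header, which is the tunnelled-IPv6 case the report asks for; but the `ipv6`/`ip6` branch above still emits `O_IP6` whether add_proto() is parsing the rule's main protocol or a trailing `proto` option, so `proto ipv6` remains an address-family test rather than a protocol-41 test (the `ipfw show` output printing `proto ipv6` for 41 is the display side of the same overlap). While here: `(*proto = atoi(av)) > 0` stores through a `u_char` before comparing, so an out-of-range value such as `297` is silently truncated to 41 and trailing garbage (`41x`) is accepted; a `strtol()` with an end-pointer and a `<= 255` check would reject both.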
 
 
 Sincerely,
 
 --
 Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
 ume@mahoroba.org  ume@{,jp.}FreeBSD.org
 http://www.imasy.org/~ume/

From: Gaël Roualland <gael.roualland@dial.oleane.com>
To: Hajimu UMEMOTO <ume@freebsd.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 
 6.0-RELEASE
Date: Sun, 27 Nov 2005 22:27:40 +0100

 Hajimu UMEMOTO wrote:
 > 
 > Hi,
 > 
 > >>>>> On Sun, 27 Nov 2005 02:15:05 +0100
 > >>>>> Gaël Roualland <gael.roualland@dial.oleane.com> said:
 > 
 > gael> I applied the patch, and 'show' was fine (except for ipv6 instead of
 > gael> 41), but it did break my other rules.. Looks like "allow ip from any to
 > gael> any" doesn't match anything anymore...
 > 
 > Oops, please try this patch instead.
 
 It seems to work fine with this patch so far (FYI, none of the patches
 you sent applied as-is, so I applied it manually). Thanks.
 
 Regarding the fact that ip6/ipv6 (and ip4/ipv4) cannot be used in the
 proto construction, I added a parameter to add_proto to distinguish
 between the main rule proto and potential "proto options". The patch is
 attached.
 
 Gaël.
 
 -- 
 Gaël Roualland -+- gael.roualland@dial.oleane.com
 
 [Attachment: ipfw2.patch]
 
 --- src/sbin/ipfw/ipfw2.c.orig	Sun Nov 27 22:25:33 2005
 +++ src/sbin/ipfw/ipfw2.c	Sun Nov 27 22:24:14 2005
 @@ -3590,29 +3590,33 @@ add_mactype(ipfw_insn *cmd, int ac, char
  }
  
  static ipfw_insn *
 -add_proto(ipfw_insn *cmd, char *av, u_char *proto)
 +add_proto(ipfw_insn *cmd, char *av, u_char *proto, int ismain)
  {
  	struct protoent *pe;
  
  	*proto = IPPROTO_IP;
  
 -	if (_substrcmp(av, "all") == 0)
 +	if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
  		; /* do not set O_IP4 nor O_IP6 */
  	else if (strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0)
 -		/* explicit "just IPv4" rule */
 -		fill_cmd(cmd, O_IP4, 0, 0);
 +		if (ismain)  /* explicit "just IPv4" rule */
 +			fill_cmd(cmd, O_IP4, 0, 0);
 +		else 
 +			fill_cmd(cmd, O_PROTO, 0, *proto);
  	else if (strcmp(av, "ipv6") == 0 || strcmp(av, "ip6") == 0) {
  		/* explicit "just IPv6" rule */
  		*proto = IPPROTO_IPV6;
 -		fill_cmd(cmd, O_IP6, 0, 0);
 -	} else if ((*proto = atoi(av)) > 0)
 -		; /* all done! */
 -	else if ((pe = getprotobyname(av)) != NULL)
 +		if (ismain)
 +			fill_cmd(cmd, O_IP6, 0, 0);
 +		else
 +			fill_cmd(cmd, O_PROTO, 0, *proto);
 +	} else if ((*proto = atoi(av)) > 0) 
 +		fill_cmd(cmd, O_PROTO, 0, *proto);
 +	else if ((pe = getprotobyname(av)) != NULL) {
  		*proto = pe->p_proto;
 -	else
 -		return NULL;
 -	if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)
  		fill_cmd(cmd, O_PROTO, 0, *proto);
 +	} else
 +		return NULL;
  
  	return cmd;
  }
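Review bot: in the `ipv4`/`ip4` branch the non-main path emits `fill_cmd(cmd, O_PROTO, 0, *proto)` while `*proto` still holds the `IPPROTO_IP` (0) assigned a few lines up, so `proto ipv4` in option position compiles to `O_PROTO 0`, which matches nothing; set `*proto` to the intended protocol number first (the `ipv6` branch does set `IPPROTO_IPV6` before its `fill_cmd`) or reject the keyword there. Also, that branch now nests an unbraced `if/else` inside an unbraced `else if` chain; the parse is correct only because the inner `if` carries its own `else`, and style(9) would want braces around it, as the `ipv6` branch already has.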
 @@ -4056,7 +4060,7 @@ add(int ac, char *av[])
      OR_START(get_proto);
  	NOT_BLOCK;
  	NEED1("missing protocol");
 -	if (add_proto(cmd, *av, &proto)) {
 +	if (add_proto(cmd, *av, &proto, 1)) {
  		av++; ac--;
  		if (F_LEN(cmd) != 0) {
  			prev = cmd;
 @@ -4451,7 +4455,7 @@ read_options:
  
  		case TOK_PROTO:
  			NEED1("missing protocol");
 -			if (add_proto(cmd, *av, &proto)) {
 +			if (add_proto(cmd, *av, &proto, 0)) {
  				ac--; av++;
  			} else
  				errx(EX_DATAERR, "invalid protocol ``%s''",
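Review bot: the two call sites are updated consistently (`1` for the rule's main protocol slot, `0` for a trailing `proto` option), which is the split that lets `proto ipv6` mean "outer protocol 41"; since the prototype gained a mandatory argument, confirm that these are the only callers of add_proto() in ipfw2.c, as any other caller would now fail to compile.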
 
 
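The distinction the report turns on (an `ipv6` keyword in the rule's protocol slot selects an address family, while the same word in a trailing `proto` option names the outer header's protocol number) as a constructed C model added here; it is not ipfw's code, it mirrors only the keyword handling the thread converges on, and mapping `proto ipv4` to the IP-in-IP number 4 is this model's own choice.

```c
/* Constructed model (added here, not ipfw's own code) of how an ipfw2
 * protocol keyword compiles to a match opcode and what each opcode tests. */
#include <stdlib.h>
#include <string.h>

enum opcode { O_NOP, O_IP4, O_IP6, O_PROTO };  /* subset of ipfw opcodes */
struct insn { enum opcode op; int arg; };
struct pkt  { int af; int proto; };            /* outer header only */

/* ismain=1: the "allow <proto> from ..." slot, where ipv4/ipv6 select an
 * address family (O_IP4/O_IP6).  ismain=0: a trailing "proto <x>" option,
 * where they mean the outer header's protocol number (O_PROTO; "ipv4" -> 4). */
static int compile_proto(const char *av, int ismain, struct insn *out)
{
    out->op = O_NOP; out->arg = 0;
    if (strcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
        return 1;                              /* no opcode: any packet */
    if (strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0) {
        if (ismain) out->op = O_IP4; else { out->op = O_PROTO; out->arg = 4; }
        return 1;
    }
    if (strcmp(av, "ipv6") == 0 || strcmp(av, "ip6") == 0) {
        if (ismain) out->op = O_IP6; else { out->op = O_PROTO; out->arg = 41; }
        return 1;
    }
    char *end; long n = strtol(av, &end, 10);  /* strict numeric form only */
    if (*av == '\0' || *end != '\0' || n <= 0 || n > 255)
        return 0;                              /* unknown keyword */
    out->op = O_PROTO; out->arg = (int)n;
    return 1;
}

/* Evaluate one opcode against a packet, as the kernel matcher would. */
static int match(const struct insn *in, const struct pkt *p)
{
    if (in->op == O_IP4)   return p->af == 4;
    if (in->op == O_IP6)   return p->af == 6;
    if (in->op == O_PROTO) return p->proto == in->arg;
    return 1;                                  /* O_NOP: any packet */
}

/* Compile kw and test it against a packet with the given outer header.
 * Returns 1 (match), 0 (no match) or -1 (kw is not a valid protocol). */
static int rule_matches(const char *kw, int ismain, int af, int proto)
{
    struct insn in;
    struct pkt p = { af, proto };
    return compile_proto(kw, ismain, &in) ? match(&in, &p) : -1;
}
```

Run against a constructed tunnel packet (outer IPv4, protocol 41), `rule_matches("ipv6", 1, 4, 41)` is 0 because the main-slot keyword asks for an IPv6 packet, while `rule_matches("ipv6", 0, 4, 41)` and `rule_matches("41", 0, 4, 41)` are 1.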
State-Changed-From-To: open->patched 
State-Changed-By: ume 
State-Changed-When: Tue Nov 29 15:35:43 GMT 2005 
State-Changed-Why:  
I've just committed the fix into HEAD, but in a slightly different way. 
Thank you for reporting it. 


Responsible-Changed-From-To: freebsd-ipfw->ume 
Responsible-Changed-By: ume 
Responsible-Changed-When: Tue Nov 29 15:35:43 GMT 2005 
Responsible-Changed-Why:  
Because, I committed it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89472 
State-Changed-From-To: patched->closed 
State-Changed-By: ume 
State-Changed-When: Tue Dec 6 02:52:13 GMT 2005 
State-Changed-Why:  
I've just MFC'ed it into RELENG_6. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89472 
>Unformatted:
