R: IPv6 and ipfw

>>> dst-port 10001-10100 keep-state
>>> ipfw: bad netmask
>> ``xxxx:3::113''
>>> also:
>>> # ipfw add allow udp from any to trixbox.ip6 dst-port
>> 10001-10100 keep-state
>>> ipfw: hostname ``trixbox.ip6'' unknown
>>> Exit 68
>>> # host
>> trixbox.ip6
>>> trixbox.ip6.digiware.nl has IPv6 address 2001:4cb8:3::116
>>>
>>> So it
>> looks like what is in the manual is overly optimistic:
>>> ----
>>>     addr6-list:
>> ip6-addr[,addr6-list]
>>>     ip6-addr:
>>>             A host or subnet
>> specified one of the following ways:
>>>             numeric-ip | hostname
>>>                     Matches a single IPv6 address as allowed by  
>>> inet_pton(3)
>>>                     or a hostname.  Hostnames are resolved at the  
>>> time the
>>>                     rule is added to the firewall list.
>>>
>>>
>> addr/masklen
>>>                     Matches all IPv6 addresses with base addr
>> (specified as
>>>                     allowed by inet_pton or a hostname) and
>> mask width of
>>>                     masklen bits.
>>>
>>>             No support
>> for sets of IPv6 addresses is provided because IPv6
>>>             addresses
>> are typically random past the initial prefix.
>>> ----
>>>
>>> Anybody else ran into
>> this?
>>> Or should I file this as a PR.
>
> > Hi all,
> > You has found a parser bug.
> > When the protocol is "ipv6" and you are a
> > comma separated ipv6 addresses, the parser work fine because the  
> "add_srcip6"
> > function is called and recognize all addresses.
> > When the protocol is "!=ipv6"
> > (like TCP,UDP,ICMP6)  the "add_src" fuction is called and it cause  
> troubles
> > because the "inet_pton()" fails and erroneously is called the  
> "add_srcip"
> > function (see the code below).
> >
> > (from "ipfw2.c")
> >  add_src(ipfw_insn *cmd, char
> > *av, u_char proto)
> > {
> > struct in6_addr a;
> > char *host, *ch;
> > ipfw_insn *ret =
> > NULL;
> >
> > if ((host = strdup(av)) == NULL)
> > return NULL;
> > if ((ch = strrchr
> > (host, '/')) != NULL)
> > *ch = '\0';
> >
> > if (proto == IPPROTO_IPV6  || strcmp(av,
> > "me6") == 0 ||
> >    inet_pton(AF_INET6, host, &a))
> > ret = add_srcip6(cmd, av);
> >
> > /* XXX: should check for IPv4, not !IPv6 */
> > if (ret == NULL && (proto ==
> > IPPROTO_IP || strcmp(av, "me") == 0 ||
> >    !inet_pton(AF_INET6, host, &a)))
> >
> > ret = add_srcip(cmd, av);
> > if (ret == NULL && strcmp(av, "any") != 0)
> > ret =
> > cmd;
> >
> > free(host);
> > return ret;
> > }
> >
> > I think that possibles solutions are the
> > follows:
> >
> > 1) Create a new protocols types UPD6,TCP6 only for IPv6 rules to
> > avoid parser confusions, and check about this protocol inside the  
> "add_src"
> > fuction (easy to implement).
> > 2) Check the comma separated ip/ipv6 addresses
> > inside the "add_src" function (a little too hard to implement).
> >
> > I appreciate
> > suggestions from the community experts about this problem.
>
> I would prefer not to make seperate tcp6 and udp6 items, since what  
> i would like to do is things like:
>
> hostlist="a.b.c.d,A:B:C:D::F"
>
> and then in the firewall something like
> ipfw add allow tcp from any to ${hostlist} dst-port 80 setup
>
> and if tcp now goes into tcp and tcp6 I need to double my rules etc.
>
> Which raises one other point:
> using a FQDN with more A and AAAA records also just inserts the
> first reply in the list.
> Now I don't use FQDN since most of the time in the Firewall DNS
> is not quite up yet.
>
> --WjW
> _______________________________________________
> freebsd-ipfw@... mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-
> unsubscribe@..."