Re: IPF filtering of encapsulated IPv6 packets?
In some mail from carl@bl.echidna.id.au, sie said:
>
> > From: Darren Reed <avalon@cairo.anu.edu.au>
> >
> > In some mail from Pete Toscano, sie said:
> > >
> > > Hello,
> > >
> > > I sent this to the ipv6@openbsd list yesterday, but seeing how low the
> > > traffic is, I'm guessing that it's nearly dead. I hope it's not too
> > > inappropriate for me to report on this list.
> > >
> > > I have an IPv6-in-IPv4 tunnel to the 6Bone. My side of the tunnel is an
> > > OpenBSD (2.9-stable) box. This tunnel is gif0. I have another tunnel
> > > for internal network use (gif1) and a directly attached IPv6 network
> > > (off xl0, the tunnels are off dc0).
> > >
> > > My problem is exactly the same as Rob Mooney's from 2001.03.09
> > > (http://www.sigmasoft.com/~openbsd/archive/openbsd-ipv6/200103/msg00000.html)
> > > -- I can filter IPv4 just fine, but I cannot filter on IPv6 content. If
> > > I put IPv6 filters (ipf -6) on dc0, then they just get ignored.
> > > Tcpdump-ing on the gif interfaces just shows outgoing traffic. Heck,
> > > even blocking all IPv6 traffic out of xl0 gets ignored:
> > >
> > > [root@foo6 12:09:25 /root]# ipfstat -6ho
> > > 0 block out log from any to any
> > > 0 block out on xl0 from any to any
> > >
> > > My IPv4 filters allow ICMP protocol 0x29 (41) in, but I cannot figure
> > > out how to filter any IPv6.
> > >
> > > Would someone please help me? Getting filtering up is necessary for
> > > this project and I _really_ want to keep using OpenBSD.
> >
> > It would appear that OpenBSD (2.9) has never had and still does not have
> > the ability to filter IPv6 packets, despite IPFilter being capable.
>
> Incorrect, although it seems to require a recompile.
>
> http://oversteer.bl.echidna.id.au/IPv6/openbsd-firewall.html
>
> Carl
I followed this up with Carl offline and he asked me to reply.
Although his rules loaded, and could be displayed using "ipfstat -6io",
they were not being hit/matched by any packets, much to his surprise.
The patches below _might_ help - I haven't tested them.
Darren
*** ip6_input.c.orig Sun Sep 2 12:51:02 2001
--- ip6_input.c Sun Sep 2 12:58:29 2001
***************
*** 130,135 ****
--- 130,138 ----
#ifdef PULLDOWN_TEST
static struct mbuf *ip6_pullexthdr __P((struct mbuf *, size_t, int));
#endif
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
/*
* IP6 initialization: fill in IP6 protocol switch table.
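Review bot: the `fr_checkp` prototype added here declares its first parameter as `struct ip *`, but the call added later in this same file passes `ip6`, which is a `struct ip6_hdr *`; either the declaration should use whatever type IPFilter's hook really takes for this path, or the call site needs an explicit cast, otherwise the build will at least warn. The same hand-written extern is repeated in the ip6_output.c hunk; a single declaration in a header both files include would keep the two copies from diverging.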
***************
*** 274,279 ****
--- 277,302 ----
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
}
+
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+ */
+ if (fr_checkp != NULL) {
+ struct mbuf *m0 = m;
+
+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
+ 0, &m0)) {
+ return;
+ }
+ m = m0;
+ if (m == 0) { /* in case of 'fastroute' */
+ return;
+ }
+ ip = mtod(m, struct ip *);
+ }
+ #endif
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
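Review bot: `ip = mtod(m, struct ip *);` after the filter call re-reads the wrong header type for this function. This is the IPv6 input path and the pointer used on the very next line is `ip6`, so after the filter may have swapped the mbuf this should be `ip6 = mtod(m, struct ip6_hdr *);`, as the matching ip6_output.c hunk does. As written it either assigns to a variable this function does not have, or leaves `ip6` pointing into an mbuf the filter may have replaced before `ip6stat.ip6s_nxthist[ip6->ip6_nxt]++` dereferences it. Separately, the `(*fr_checkp)(ip6, sizeof(*ip6), ...)` call hands a `struct ip6_hdr *` to a parameter declared `struct ip *` without a cast, and the `return` on the block path silently drops the packet with no statistics update or log; a comment stating that `fr_checkp` is expected to free the mbuf itself in that case would make the ownership rule explicit.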
*** ip6_output.c.orig Sun Sep 2 12:51:21 2001
--- ip6_output.c Sun Sep 2 12:57:27 2001
***************
*** 113,118 ****
--- 113,122 ----
struct mbuf *ip6e_dest2;
};
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
+
static int ip6_pcbopts __P((struct ip6_pktopts **, struct mbuf *,
struct socket *));
static int ip6_setmoptions __P((int, struct ip6_moptions **, struct mbuf *));
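Review bot: this is a second hand-written copy of the `fr_checkp` prototype (the first is in the ip6_input.c hunk). Declaring it once in a header that both ip6_input.c and ip6_output.c include avoids the two copies drifting apart, and that header is also the natural place to give the first parameter a type that callers passing a `struct ip6_hdr *` can use without a cast.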
***************
*** 910,915 ****
--- 914,938 ----
m->m_pkthdr.rcvif = NULL;
}
+
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * looks like most checking has been done now...do a filter check
+ */
+ if (fr_checkp != NULL) {
+ struct mbuf *m1 = m;
+ if ((*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) {
+ error = EHOSTUNREACH;
+ goto done;
+ }
+ m = m1;
+ if (m1 == 0) { /* in case of 'fastroute' */
+ error = 0;
+ goto done;
+ }
+ ip6 = mtod(m, struct ip6_hdr *);
+ }
+ #endif
/*
* Send the packet to the outgoing interface.
* If necessary, do IPv6 fragmentation before sending.
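Review bot: the block path (`error = EHOSTUNREACH; goto done;`) leaves `m` untouched, which is only correct if `fr_checkp` frees the mbuf itself whenever it returns non-zero; the comment above the call should state that contract, since `done:` is reached with `m` possibly already freed. The call also passes `sizeof(*ip6)` as the header length, i.e. only the fixed IPv6 header, so any extension headers between it and the transport header are only accounted for if the filter parses them itself; that assumption is worth recording next to the call. Finally, like the input hunk, the call passes a `struct ip6_hdr *` to a parameter declared `struct ip *` without a cast.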