Make sbin/ipfw on RELENG_14 compatible to ipfw kernel module on RELENG_15+
Needs ReviewPublic
Actions

Authored by lytboris_gmail.com on Sun, Jan 18, 10:31 AM.

Details

Reviewers

ae
melifaro
glebius
jhb

Summary

As for now there is no compatibility layer for a changed KABI of ipfw kernel module after D46183 was merged. This leads to inability to upgrade a remote server running ipfw as RELENG_15 kernel does not accept commands from an old ipfw binary.

Instead of making a kernel-side compatibility layer that is hard to debug and maintain, we can import sbin/ipfw from RELENG_15 as a new binary sbin/ipfw15 into RELENG_14. Once new binary is there,
original sbin/ipfw can detect new KABI and run the new binary instead.

A trivial and naive patch for sbin/ipfw is attached. Header-only modified copy of sbin/ipfw from RELENG_15 is attached to the diff as well.

Test Plan

Install RELENG_14 on a VM and put a kernel from RELENG_15 into it.
Build and install both sbin/ipfw15 and sbin/ipfw from sources
Try to add/remove rules, etc

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

lytboris_gmail.com created this revision.Sun, Jan 18, 10:31 AM

Herald added subscribers: ziaee, donner, imp. · View Herald TranscriptSun, Jan 18, 10:31 AM

lytboris_gmail.com requested review of this revision.Sun, Jan 18, 10:31 AM

glebius added inline comments.Mon, Jan 19, 6:45 PM

sbin/ipfw/main.c
694	What's the point of using __FreeBSD_version here? It will be substituted by pre-processor at compilation time. We do not expect this code to be ever compiled outside of stable/14 and its descendants.
702
704	I can't imagine any exploitable use here, except a stupid admin who has "." in their PATH. However, just for the safety I would suggest two things: Add two static strings "/sbin/ipfw15" and "/sbin/dnctl15", so that you don't need to use malloc and snprintf. use `execv(g_co.prog == cmdline_prog_ipfw ? ipfw15_string : dnctl15_string, av)` instead of `execvp`.