Page MenuHomeFreeBSD
Differential D56869

Fix IPv6 flow label match in ipfw
ClosedPublic
Actions

Authored by lytboris_gmail.com on May 7 2026, 4:23 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Jun 4, 11:50 PM
Unknown Object (File)
Thu, Jun 4, 4:56 AM
Unknown Object (File)
Thu, Jun 4, 4:56 AM
Unknown Object (File)
Sun, May 31, 1:11 AM
Unknown Object (File)
Sun, May 31, 1:08 AM
Unknown Object (File)
Sat, May 30, 1:17 AM
Unknown Object (File)
Sat, May 30, 1:11 AM
Unknown Object (File)
Wed, May 27, 4:31 AM
View All 39 Files
Subscribers
ae
donner
glebius
imp
melifaro
pouria
vegeta_tuxpowered.net
ziaee

Details

Reviewers
pouria
Group Reviewers
network
Commits
rG8b10555b6b70: ipfw: fix IPv6 flow label matching
rG3d39eadcdeb3: ipfw: fix IPv6 flow label matching
Summary

Address a number of IPv6 flow label bugs scattered across different parts of ipfw:

  • kernel module: IPV6_FLOWLABEL_MASK is not being applied before comparison in flow6id_match() so flow-id opcode never matches a flow label alone (one need to take protocol version and traffic class into account)
  • kernel module: off-by-one bug leading to out-of-bounds read
  • sbin/ipfw: flow-id opcode allows just ip6 as a proto while ipv6-icmp, tcp, udp should be fine too.
Test Plan

ipv6-flow-id.sh test is provided

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

lytboris_gmail.com created this revision.May 7 2026, 4:23 PM
Herald added subscribers: vegeta_tuxpowered.net, glebius, donner and 3 others. · View Herald TranscriptMay 7 2026, 4:23 PM
lytboris_gmail.com requested review of this revision.May 7 2026, 4:23 PM
ae added a reviewer: network.May 7 2026, 4:51 PM
pouria accepted this revision as: pouria.May 7 2026, 7:22 PM
pouria added subscribers: ziaee, pouria.

I'm not an expert on IPFW. But the code, and logic LGTM.

tests/sys/netpfil/ipfw/ipv6-flow-id.sh
2–28

Please use new format.
recently, @ziaee updated the preferred format:
https://docs.freebsd.org/en/articles/license-guide/

Even that - at the first line is no longer required.

43

Could be nice to use ifconfig -j instead. Of course, I understand this pattern is repeated across the ipfw tests.

tests/sys/netpfil/ipfw/lookup.sh
59 ↗(On Diff #177369)

This is not really related to this change.
I suggest to separate it into another commit/review.

144 ↗(On Diff #177369)

This is not really related to this change.
I suggest to separate it into another commit/review.

This revision is now accepted and ready to land.May 7 2026, 7:22 PM
lytboris_gmail.com updated this revision to Diff 177435.May 8 2026, 5:42 AM
lytboris_gmail.com marked 4 inline comments as done.
This revision now requires review to proceed.May 8 2026, 5:43 AM
This revision was not accepted when it landed; it landed in state Needs Review.Tue, May 12, 7:49 AM
Closed by commit rG3d39eadcdeb3: ipfw: fix IPv6 flow label matching (authored by lytboris_gmail.com, committed by ae). · Explain Why
This revision was automatically updated to reflect the committed changes.
ae added a commit: rG3d39eadcdeb3: ipfw: fix IPv6 flow label matching.
ae added a commit: rG8b10555b6b70: ipfw: fix IPv6 flow label matching.Tue, May 19, 7:27 AM

Revision Contents
Changeset List

PathSize
sbin/
ipfw/
5 lines
sys/
netpfil/
ipfw/
4 lines
tests/
sys/
netpfil/
common/
13 lines
ipfw/
1 line
78 lines

Diff 177622

View Options

sbin/ipfw/ipfw2.c

Loading...
View Options

sys/netpfil/ipfw/ip_fw2.c

Loading...
View Options

tests/sys/netpfil/common/pft_ping.py

Loading...
View Options

tests/sys/netpfil/ipfw/Makefile

Loading...
View Options

tests/sys/netpfil/ipfw/ipv6-flow-id.sh

Loading...