F157378723
D56869.diff
D56869.diff
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -5515,10 +5515,7 @@
break;
case TOK_FLOWID:
- if (proto != IPPROTO_IPV6 )
- errx( EX_USAGE, "flow-id filter is active "
- "only for ipv6 protocol\n");
- fill_flow6( (ipfw_insn_u32 *) cmd, *av, cblen);
+ fill_flow6(insntod(cmd, u32), *av, cblen);
av++;
break;
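Review bot: With the `proto != IPPROTO_IPV6` guard removed, the `TOK_FLOWID` case now accepts `flow-id` on any rule without a diagnostic, including a rule whose protocol can never carry a flow label. A deny rule written that way would load cleanly and then never match, which is hard to notice in a firewall ruleset. Whether the kernel evaluates this opcode only for IPv6 packets is not visible in this diff, so the assumption should be written down next to the call, e.g. `/* no proto check here: the kernel is expected to evaluate flow-id on IPv6 packets only */`, or the hard error replaced by a `warnx()` for rules that explicitly name a non-IPv6 protocol. The enclosing function starts and ends outside the hunk.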
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -780,7 +780,9 @@
flow6id_match(int curr_flow, ipfw_insn_u32 *cmd)
{
int i;
- for (i=0; i <= cmd->o.arg1; ++i)
+ /* Mask proto version and traffic class out before comparing flow-id */
+ curr_flow &= ntohl(IPV6_FLOWLABEL_MASK);
+ for (i=0; i < cmd->o.arg1; ++i)
if (curr_flow == cmd->d[i])
return 1;
return 0;
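Review bot: The added mask `curr_flow &= ntohl(IPV6_FLOWLABEL_MASK)` is only correct if `curr_flow` reaches flow6id_match() in host byte order, and nothing in the hunk states that; the caller is outside the hunk. A short comment on the layout would pin it down, e.g. `/* curr_flow is host order: version(4) | traffic class(8) | flow label(20) */`. The values in `cmd->d[i]` are compared unmasked, so a stored label wider than 20 bits would silently never match. If the userland parser does not already reject such values, masking or validating them when the rule is installed would keep the two sides consistent. `curr_flow` and `i` are signed `int` while `cmd->d[]` and `o.arg1` appear to be unsigned, so `uint32_t`/`u_int` would make the comparison intent explicit.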
diff --git a/tests/sys/netpfil/common/pft_ping.py b/tests/sys/netpfil/common/pft_ping.py
--- a/tests/sys/netpfil/common/pft_ping.py
+++ b/tests/sys/netpfil/common/pft_ping.py
@@ -63,6 +63,7 @@
dst_address = send_params.get('dst_address')
hlim = send_params.get('hlim')
tc = send_params.get('tc')
+ fl = send_params.get('fl')
ip6 = sp.IPv6(dst=dst_address)
if src_address:
ip6.src = src_address
@@ -70,6 +71,8 @@
ip6.hlim = hlim
if tc:
ip6.tc = tc
+ if fl:
+ ip6.fl = fl
return ip6
@@ -224,6 +227,7 @@
flags = expect_params.get('flags')
hlim = expect_params.get('hlim')
tc = expect_params.get('tc')
+ fl = expect_params.get('fl')
ip6 = packet.getlayer(sp.IPv6)
if not ip6:
LOGGER.debug('Packet is not IPv6!')
@@ -245,6 +249,9 @@
if tc and ip6.tc != tc:
LOGGER.debug(f'Wrong TC value {ip6.tc}, expected {tc}')
return False
+ if fl and ip6.fl != fl:
+ LOGGER.debug(f'Wrong Flow Label value {ip6.fl}, expected {fl}')
+ return False
return True
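Review bot: The added check `if fl and ip6.fl != fl` treats an expected flow label of 0 as "not specified", so `--expect-fl 0` can never reject a reply that carries a non-zero label and the test would pass silently. Comparing against `None` keeps zero assertable: `if fl is not None and ip6.fl != fl:`. The send-side hunk has the same truthiness test in `if fl:`, which is presumably harmless there if the packet library defaults the field to 0. The pattern mirrors the existing `tc` check in the context lines, which has the same limitation. The enclosing function begins and ends outside this hunk.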
@@ -635,6 +642,8 @@
help='ICMP Echo Request payload size')
parser_send.add_argument('--send-tc', type=int,
help='IPv6 Traffic Class or IPv4 DiffServ / ToS')
+ parser_send.add_argument('--send-fl', type=int,
+ help='IPv6 Flow label')
parser_send.add_argument('--send-tcpopt-unaligned', action='store_true',
help='Include unaligned TCP options')
parser_send.add_argument('--send-nop', action='store_true',
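Review bot: `--send-fl` is declared with `type=int` and no range check, so negative values and values wider than the 20-bit flow label field are accepted by the parser. How the packet library handles them is not visible here, and a truncated label could make a firewall test pass or fail for the wrong reason. A small validator that rejects anything outside 0..0xfffff would fail early with a clear message. The same applies to `--expect-fl` in the next hunk. The help strings also differ in case between the two options ('IPv6 Flow label' here, 'IPv6 Flow Label' there); `help='IPv6 Flow Label (0-1048575)')` on both would make them consistent.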
@@ -652,6 +661,8 @@
help='TCP sequence number')
parser_expect.add_argument('--expect-tc', type=int,
help='IPv6 Traffic Class or IPv4 DiffServ / ToS')
+ parser_expect.add_argument('--expect-fl', type=int,
+ help='IPv6 Flow Label')
parser.add_argument('-v', '--verbose', action='store_true',
help=('Enable verbose logging. Apart of potentially useful information '
@@ -673,7 +684,7 @@
send_params = {}
expect_params = {}
for param_name in (
- 'flags', 'hlim', 'length', 'mss', 'seq', 'tc', 'frag_length',
+ 'flags', 'hlim', 'length', 'mss', 'seq', 'tc', 'fl', 'frag_length',
'sport', 'dport',
):
param_arg = vars(args).get(f'send_{param_name}')
diff --git a/tests/sys/netpfil/ipfw/Makefile b/tests/sys/netpfil/ipfw/Makefile
--- a/tests/sys/netpfil/ipfw/Makefile
+++ b/tests/sys/netpfil/ipfw/Makefile
@@ -4,6 +4,7 @@
ATF_TESTS_SH+= fwd \
divert \
+ ipv6-flow-id \
log \
lookup \
table
diff --git a/tests/sys/netpfil/ipfw/ipv6-flow-id.sh b/tests/sys/netpfil/ipfw/ipv6-flow-id.sh
new file mode 100644
--- /dev/null
+++ b/tests/sys/netpfil/ipfw/ipv6-flow-id.sh
@@ -0,0 +1,78 @@
+#
+# Copyright (c) 2026 Boris Lytochkin
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+
+common_dir="$(atf_get_srcdir)/../common"
+. ${common_dir}/utils.subr
+
+NC="nc -w 1 -dnN"
+
+setup_network_v6()
+{
+ epair="$1"
+
+ ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
+
+ vnet_mkjail alcatraz ${epair}b
+
+ ifconfig -j alcatraz ${epair}b inet6 2001:db8:42::2/64 up no_dad -ifdisabled
+
+ jexec alcatraz /usr/sbin/inetd -p /dev/null $(atf_get_srcdir)/lookup_inetd.conf
+
+ # Sanity checks
+ atf_check -s exit:0 -o ignore ping6 -i .1 -c 3 -s 1200 2001:db8:42::2
+ atf_check -o "inline:GOOD 82\n" ${NC} 2001:db8:42::2 82
+}
+
+atf_test_case "ipv6fl" "cleanup"
+
+ipv6fl_head()
+{
+ atf_set descr 'flow-id test'
+ atf_set require.user root
+ atf_set require.progs python3 scapy
+}
+
+ipv6fl_body()
+{
+
+ firewall_init "ipfw"
+
+ epair=$(vnet_mkepair)
+
+ setup_network_v6 ${epair}
+
+ # Check if the firewall is able to match exact IPv6 flow label
+ firewall_config "alcatraz" ipfw ipfw \
+ "ipfw -q add 100 allow ip6 from any to any flow-id 0xbaad" \
+ "ipfw -q add 200 deny ipv6-icmp from any to any icmp6types 128 in"
+
+ # Check Flow Label matches
+ atf_check -s exit:0 ${common_dir}/pft_ping.py \
+ --sendif ${epair}a \
+ --fromaddr 2001:db8:42::1 \
+ --to 2001:db8:42::2 \
+ --send-fl $((0xbaad)) \
+ --replyif ${epair}a
+
+ # Check Flow Label mismatch
+ atf_check -s exit:1 ${common_dir}/pft_ping.py \
+ --sendif ${epair}a \
+ --fromaddr 2001:db8:42::1 \
+ --to 2001:db8:42::2 \
+ --send-fl $((0xf001)) \
+ --replyif ${epair}a
+
+}
+
+ipv6fl_cleanup()
+{
+ firewall_cleanup $1
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "ipv6fl"
+}
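Review bot: The `ipv6fl` body exercises only a single-label rule (`flow-id 0xbaad`) with the traffic class left at its default, so neither the loop-bound change nor the traffic-class part of the new mask in flow6id_match() is covered. A second rule using a comma-separated list with the matching label last, plus a `--send-tc` value on the matching ping, would cover both. The negative case should also send a label that differs from the expected one only above bit 19, if the sender permits it. `setup_network_v6` depends on `lookup_inetd.conf` from another test's sources, which deserves a comment such as `# reuses the inetd config installed for the lookup test`. `firewall_cleanup $1` in `ipv6fl_cleanup` would be safer quoted as `firewall_cleanup "$1"`.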
D56869: Fix IPv6 flow label match in ipfw