NetBSD-Bugs archive
Re: misc/57905: blocklistd.conf and ipv6
The following reply was made to PR misc/57905; it has been noted by GNATS.
From: Sunil Nimmagadda <sunil%nimmagadda.net@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: misc/57905: blocklistd.conf and ipv6
Date: Mon, 05 Feb 2024 18:36:11 +0530
mark%ecs.vuw.ac.nz@localhost writes:
>>Number: 57905
>>Category: misc
>>Synopsis: blocklistd.conf issues with ipv6
>>Confidential: no
>>Severity: serious
>>Priority: medium
>>Responsible: misc-bug-people
>>State: open
>>Class: sw-bug
>>Submitter-Id: net
>>Arrival-Date: Mon Feb 05 02:50:01 +0000 2024
>>Originator: Mark Davies
>>Release: NetBSD 10.0_RC3
>>Organization:
> ECS, Victoria Uni. of Wellington, New Zealand.
>>Environment:
>
>
> System: NetBSD smb2.ecs.vuw.ac.nz 10.0_RC3 NetBSD 10.0_RC3 (XEN3_DOMU)
> #3: Mon Feb 5 11:54:46 NZDT 2024
> mark%turakirae.ecs.vuw.ac.nz@localhost:/local/SAVE/10_64.obj/src/work/10/src/sys/arch/amd64/compile/XEN3_DOMU
> amd64
> Architecture: x86_64
> Machine: amd64
>>Description:
> blocklistd.conf doesn't appear to work correctly for IPv6 addresses.
>
>>How-To-Repeat:
> I want to set blocklistd up to block ssh connections after 4 failures, except for local addresses
> which should never be blocked. Where local addresses are 130.195.0.0/16, 10.0.0.0/8 and 2404:2000::/32
>
> So I have the following /etc/blocklistd.conf
>
> ---
> # Blocklist rule
> # adr/mask:port type proto owner name nfail disable
> [local]
> ssh stream * * * 4 6h
>
> # adr/mask:port type proto owner name nfail disable
> [remote]
> 130.195.0.0/16 * * * = * *
> [2404:2000::/32] * * * = * *
> 10.0.0.0/8 * * * = * *
> ---
>
> With this IPv4 connections work as expected, but all IPv6 connections are blocked
> after 4 failures AND the following message is logged when blocklistd starts
>
> Feb 5 15:18:15 smb2 blocklistd[943]: conf_getnum: /etc/blocklistd.conf, 10: Bad number for service []
>
> If I change line 9 of my blocklistd.conf (note the off-by-one error in the line number reported) to
>
> [2404:2000::/32]:ssh * * * = * *
>
> then the message is no longer logged on startup, but all IPv6 connections are still
> blocked after 4 fails.
>
>
>>Fix:
> don't know.
If I understood the syntax for location correctly, it should be
[2404:2000::]/32, i.e., the mask should be after the enclosing square
brackets for an IPv6 address.
Also verified that inet_pton(3) wouldn't parse 2404:2000::/32. This
patch checks if inet_pton(3) parsed the address successfully and also
rectifies the line number reporting. Compile tested only, can't run IPv6
atm.
diff -r 1837af7fedd4 external/bsd/blocklist/bin/conf.c
--- a/external/bsd/blocklist/bin/conf.c Sat Feb 03 22:40:29 2024 +0000
+++ b/external/bsd/blocklist/bin/conf.c Sat Feb 03 08:46:58 2024 +0530
@@ -261,7 +261,7 @@
if (debug)
(*lfun)(LOG_DEBUG, "%s: host6 %s", __func__, p);
if (strcmp(p, "*") != 0) {
- if (inet_pton(AF_INET6, p, &sin6->sin6_addr) == -1)
+ if (inet_pton(AF_INET6, p, &sin6->sin6_addr) != 1)
goto out;
sin6->sin6_family = AF_INET6;
#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
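Review bot: the new `!= 1` condition on the inet_pton(3) call is the right one, because inet_pton returns 1 on success, 0 when the text is not a valid presentation address, and -1 only for an unsupported address family; the old `== -1` test let a string such as `2404:2000::/32` (return value 0) fall through to `sin6->sin6_family = AF_INET6` with `sin6_addr` never filled in, which fits the report's IPv6 exemption rule never matching. A one-line comment beside the call naming the three return values would keep a later cleanup from "simplifying" the test back to `== -1`.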
@@ -311,7 +311,7 @@
*port = htons((in_port_t)c->c_port);
return 0;
out:
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad address [%s]", __func__, f, l, pstr);
+ (*lfun)(LOG_ERR, "%s: %s, %zu: Bad address [%s]", __func__, f, l, p);
return -1;
out1:
(*lfun)(LOG_ERR, "%s: %s, %zu: Can't specify mask %d with "
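Review bot: changing the `Bad address` log argument from `pstr` to `p` replaces the full field as written in the config with the host portion left after the brackets and mask were split off; since `p` is what was handed to inet_pton, that does expose the exact text that was rejected, but every `goto out` reaching this label must leave `p` a valid NUL-terminated string, which this hunk cannot show. Logging both, e.g. `"%s: %s, %zu: Bad address [%s] in [%s]"` with `p, pstr`, keeps the operator's original context and the failing token. Note that the `Bad number for service []` message quoted in the report comes from conf_getnum, a different path, so this hunk does not change that message.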
@@ -1172,7 +1172,7 @@
return;
}
- lineno = 1;
+ lineno = 0;
confset_init(&rc);
confset_init(&lc);
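Review bot: starting `lineno` at 0 instead of 1 is only correct if the read loop increments `lineno` before it processes each line rather than after; the hunk shows the initialisation but not the loop, so confirm that the first config line is now reported as 1 and that nothing between this reset and the first increment can log a line number (it would now say 0). The `+++` timestamp (Sat Feb 03 08:46:58 2024 +0530) also predates the `---` one, so the diff is worth regenerating against the current tree before commit.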
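The two points in the reply above, that the mask belongs outside the brackets and that the address check must test for inet_pton(3) returning exactly 1, can be exercised with a small stand-alone parser. This is an added example, not blocklistd's conf.c: it assumes the rule syntax is `v4addr`, `v4addr/N` or `[v6addr]/N` (brackets marking IPv6, mask outside them), and the sample address fields are the ones from the reporter's config plus the corrected form.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Parsed form of one address field from a blocklistd.conf-style rule. */
struct addrspec {
    int family;              /* AF_INET or AF_INET6 */
    unsigned char addr[16];  /* raw address bytes (4 used for AF_INET) */
    int prefix;              /* prefix length, or -1 when no mask given */
};

/* Raw inet_pton(3) verdict for IPv6 text: 1 = parsed, 0 = malformed text. */
int inet_pton6_rc(const char *text)
{
    unsigned char b[16];
    return inet_pton(AF_INET6, text, b);
}

/* The third inet_pton(3) outcome: -1 (EAFNOSUPPORT) for an unsupported family. */
int inet_pton_badfamily_rc(void)
{
    unsigned char b[16];
    return inet_pton(AF_UNIX, "::1", b);
}

/*
 * Parse "v4addr", "v4addr/N" or "[v6addr]/N" (assumed syntax). Returns 0 on
 * success, -1 on error with a short reason in *err. Success is judged by
 * inet_pton() == 1, the test the patch switches to; testing == -1 instead
 * would let malformed text (return 0) through with addr left unset.
 */
int parse_addrspec(const char *spec, struct addrspec *out, const char **err)
{
    char buf[INET6_ADDRSTRLEN + 8];
    char *host, *mask = NULL, *p, *end;
    long n;
    int rc;

    memset(out, 0, sizeof(*out));
    out->prefix = -1;
    if (strlen(spec) >= sizeof(buf)) { *err = "spec too long"; return -1; }
    strcpy(buf, spec);

    if (buf[0] == '[') {
        out->family = AF_INET6;
        host = buf + 1;
        if ((p = strchr(host, ']')) == NULL) { *err = "missing ']'"; return -1; }
        *p++ = '\0';                      /* host text ends at the bracket */
        if (*p == '/')
            mask = p + 1;
        else if (*p != '\0') { *err = "junk after ']'"; return -1; }
    } else {
        out->family = AF_INET;
        host = buf;
        if ((p = strchr(buf, '/')) != NULL) { *p = '\0'; mask = p + 1; }
    }

    if (mask != NULL) {
        errno = 0;
        n = strtol(mask, &end, 10);
        if (errno != 0 || end == mask || *end != '\0' || n < 0 ||
            n > (out->family == AF_INET6 ? 128 : 32)) {
            *err = "bad mask"; return -1;
        }
        out->prefix = (int)n;
    }

    rc = inet_pton(out->family, host, out->addr);
    if (rc != 1) {   /* 0: text not an address, -1: family unsupported */
        *err = rc == 0 ? "address text rejected by inet_pton" : "address family unsupported";
        return -1;
    }
    *err = NULL;
    return 0;
}

/* Convenience for checks: prefix length on success (-1 if none), -2 on error. */
int spec_prefix(const char *spec)
{
    struct addrspec a; const char *err;
    return parse_addrspec(spec, &a, &err) == 0 ? a.prefix : -2;
}

int main(void)
{
    /* Constructed inputs: the reporter's three rules, the corrected form, a bad mask. */
    const char *specs[] = { "130.195.0.0/16", "[2404:2000::/32]", "10.0.0.0/8",
                            "[2404:2000::]/32", "[2404:2000::]/129" };
    for (size_t i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
        struct addrspec a; const char *err;
        if (parse_addrspec(specs[i], &a, &err) == 0)
            printf("%-20s ok  family=%s prefix=%d\n", specs[i],
                   a.family == AF_INET6 ? "inet6" : "inet", a.prefix);
        else
            printf("%-20s BAD %s\n", specs[i], err);
    }
    return 0;
}
```

Running it shows `[2404:2000::/32]` rejected with the inet_pton reason (return value 0, the case the original `== -1` check missed) while `[2404:2000::]/32` parses with prefix 32; a config validator that fails closed like this surfaces the mistake at load time instead of silently leaving the IPv6 exemption unmatched.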