NetBSD Problem Report #57905
From mark@ecs.vuw.ac.nz Mon Feb 5 02:46:04 2024
Return-Path: <mark@ecs.vuw.ac.nz>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 7DD001A9238
for <gnats-bugs@gnats.NetBSD.org>; Mon, 5 Feb 2024 02:46:04 +0000 (UTC)
Message-Id: <202402050245.4152jxf6026059@turakirae.ecs.vuw.ac.nz>
Date: Mon, 5 Feb 2024 15:45:59 +1300 (NZDT)
From: mark@ecs.vuw.ac.nz
Reply-To: mark@ecs.vuw.ac.nz
To: gnats-bugs@NetBSD.org
Subject: blocklistd.conf and ipv6
X-Send-Pr-Version: 3.95
>Number: 57905
>Category: misc
>Synopsis: blocklistd.conf issues with ipv6
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: misc-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Feb 05 02:50:01 +0000 2024
>Closed-Date: Mon Feb 19 19:11:10 +0000 2024
>Last-Modified: Mon Feb 19 19:11:10 +0000 2024
>Originator: Mark Davies
>Release: NetBSD 10.0_RC3
>Organization:
ECS, Victoria Uni. of Wellington, New Zealand.
>Environment:
System: NetBSD smb2.ecs.vuw.ac.nz 10.0_RC3 NetBSD 10.0_RC3 (XEN3_DOMU) #3: Mon Feb 5 11:54:46 NZDT 2024 mark@turakirae.ecs.vuw.ac.nz:/local/SAVE/10_64.obj/src/work/10/src/sys/arch/amd64/compile/XEN3_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:
blocklistd.conf doesn't appear to work correctly for IPv6 addresses.
>How-To-Repeat:
I want to set blocklistd up to block ssh connections after 4 failures, except for local addresses,
which should never be blocked, where the local addresses are 130.195.0.0/16, 10.0.0.0/8 and 2404:2000::/32.
So I have the following /etc/blocklistd.conf
---
# Blocklist rule
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 4 6h
# adr/mask:port type proto owner name nfail disable
[remote]
130.195.0.0/16 * * * = * *
[2404:2000::/32] * * * = * *
10.0.0.0/8 * * * = * *
---
With this, IPv4 connections work as expected, but all IPv6 connections are blocked
after 4 failures AND the following message is logged when blocklistd starts:
Feb 5 15:18:15 smb2 blocklistd[943]: conf_getnum: /etc/blocklistd.conf, 10: Bad number for service []
If I change line 9 of my blocklistd.conf (note the off-by-one error in the line number reported) to
[2404:2000::/32]:ssh * * * = * *
then the message is no longer logged on startup, but all IPv6 connections are still
blocked after 4 fails.
>Fix:
don't know.
>Release-Note:
>Audit-Trail:
From: Sunil Nimmagadda <sunil@nimmagadda.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: misc/57905: blocklistd.conf and ipv6
Date: Mon, 05 Feb 2024 18:36:11 +0530
mark@ecs.vuw.ac.nz writes:
> [...]
> [2404:2000::/32] * * * = * *
> [...]
> Feb 5 15:18:15 smb2 blocklistd[943]: conf_getnum: /etc/blocklistd.conf, 10: Bad number for service []
> [...]
If I understood the syntax for location correctly, it should be
[2404:2000::]/32 i.e., the mask should be after the enclosing square
brackets for an IPv6 address.
Also verified that inet_pton(3) wouldn't parse 2404:2000::/32. This
patch checks if inet_pton(3) parsed address successfully and also
rectifies the line number reporting. Compile tested only, can't run IPv6
atm.
diff -r 1837af7fedd4 external/bsd/blocklist/bin/conf.c
--- a/external/bsd/blocklist/bin/conf.c Sat Feb 03 22:40:29 2024 +0000
+++ b/external/bsd/blocklist/bin/conf.c Sat Feb 03 08:46:58 2024 +0530
@@ -261,7 +261,7 @@
if (debug)
(*lfun)(LOG_DEBUG, "%s: host6 %s", __func__, p);
if (strcmp(p, "*") != 0) {
- if (inet_pton(AF_INET6, p, &sin6->sin6_addr) == -1)
+ if (inet_pton(AF_INET6, p, &sin6->sin6_addr) != 1)
goto out;
sin6->sin6_family = AF_INET6;
#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
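Review bot: the `!= 1` test is the right fix; inet_pton(3) returns 0 for text it cannot parse and -1 only when the address family is unsupported, so the old `== -1` comparison accepted "2404:2000::/32", skipped the `goto out`, and went on to set sin6_family with sin6_addr holding whatever inet_pton(3) left there. Worth checking that any AF_INET call to inet_pton(3) elsewhere in conf.c uses the same `!= 1` form, since the return convention is identical.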
@@ -311,7 +311,7 @@
*port = htons((in_port_t)c->c_port);
return 0;
out:
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad address [%s]", __func__, f, l, pstr);
+ (*lfun)(LOG_ERR, "%s: %s, %zu: Bad address [%s]", __func__, f, l, p);
return -1;
out1:
(*lfun)(LOG_ERR, "%s: %s, %zu: Can't specify mask %d with "
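Review bot: logging p instead of pstr is the correct field for this message: at the out label p is the host portion in both the bracketed IPv6 branch and the IPv4 branch, while pstr is the port remainder, so the old message printed the wrong string. With this change the reporter's line now produces "Bad address [2404:2000::/32]", which at least points at the misplaced mask; a sentence in blocklistd.conf(5) saying the mask goes after the closing bracket would close the loop for the next user.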
@@ -1172,7 +1172,7 @@
return;
}
- lineno = 1;
+ lineno = 0;
confset_init(&rc);
confset_init(&lc);
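Review bot: resetting lineno to 0 rather than 1 fixes the off-by-one only if the counter is incremented before each line is parsed; the hunk does not show that site, so please confirm it, and add a one-line comment at the reset, otherwise a later reader will see `lineno = 0` as a bug and put the 1 back. A config with a deliberate error on its first line is the quickest check: it should now be reported as line 1, not 0 or 2.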
From: Mark Davies <mark@ecs.vuw.ac.nz>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: misc/57905: blocklistd.conf and ipv6
Date: Tue, 6 Feb 2024 14:28:26 +1300
On 06/02/2024 02:10, Sunil Nimmagadda wrote:
> If I understood the syntax for location correctly, it should be
> [2404:2000::]/32 i.e., the mask should be after the enclosing square
> brackets for an IPv6 address.
I thought I'd tried that at some point, but anyway ...
> Also verified that inet_pton(3) wouldn't parse 2404:2000::/32. This
> patch checks if inet_pton(3) parsed address successfully and also
> rectifies the line number reporting. Compile tested only, can't run IPv6
> atm.
Confirmed that your patch gets an error reported for [2404:2000::/32]
and fixes the line number reporting, but with [2404:2000::]/32 I still get
Feb 6 14:22:27 smb2 blocklistd[3834]: conf_getnum:
/etc/blocklistd.conf, 9: Bad number for service []
cheers
mark
From: Sunil Nimmagadda <sunil@nimmagadda.net>
To: Mark Davies <mark@ecs.vuw.ac.nz>
Cc: misc-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org, gnats-bugs@netbsd.org
Subject: Re: misc/57905: blocklistd.conf and ipv6
Date: Tue, 06 Feb 2024 16:45:02 +0530
Mark Davies <mark@ecs.vuw.ac.nz> writes:
> [...]
> confirmed that your patch gets an error reported for [2404:2000::/32]
> and fixes the line number reporting, but with [2404:2000::]/32 I still get
>
> Feb 6 14:22:27 smb2 blocklistd[3834]: conf_getnum:
> /etc/blocklistd.conf, 9: Bad number for service []
> [...]
IPv6 case needs to set the port as "*" (FSTAR) when not specified in
the config for the conf_getport() to parse it correctly. Updated diff...
diff -r 1837af7fedd4 external/bsd/blocklist/bin/conf.c
--- a/external/bsd/blocklist/bin/conf.c Sat Feb 03 22:40:29 2024 +0000
+++ b/external/bsd/blocklist/bin/conf.c Sat Feb 03 17:25:56 2024 +0530
@@ -261,7 +261,7 @@
if (debug)
(*lfun)(LOG_DEBUG, "%s: host6 %s", __func__, p);
if (strcmp(p, "*") != 0) {
- if (inet_pton(AF_INET6, p, &sin6->sin6_addr) == -1)
+ if (inet_pton(AF_INET6, p, &sin6->sin6_addr) != 1)
goto out;
sin6->sin6_family = AF_INET6;
#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
@@ -269,6 +269,8 @@
#endif
port = &sin6->sin6_port;
}
+ if (strlen(pstr) == 0)
+ pstr = "*";
} else if (pstr != p || strchr(p, '.') || conf_is_interface(p)) {
if (pstr == p)
pstr = "*";
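Review bot: defaulting pstr to "*" when the bracketed form carries no ":port" matches what the IPv4 branch already does with `if (pstr == p) pstr = "*";` two lines below, and explains the reporter's `Bad number for service []` message, which came from conf_getport() being handed an empty string. Two things to confirm before committing: that pstr cannot be NULL at this point (strlen() would dereference it), and that a bracketed address followed by a bare ":" with nothing after it takes the same path rather than reaching conf_getport() with an empty string again.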
@@ -311,7 +313,7 @@
*port = htons((in_port_t)c->c_port);
return 0;
out:
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad address [%s]", __func__, f, l, pstr);
+ (*lfun)(LOG_ERR, "%s: %s, %zu: Bad address [%s]", __func__, f, l, p);
return -1;
out1:
(*lfun)(LOG_ERR, "%s: %s, %zu: Can't specify mask %d with "
@@ -1172,7 +1174,7 @@
return;
}
- lineno = 1;
+ lineno = 0;
confset_init(&rc);
confset_init(&lc);
From: Mark Davies <mark@ecs.vuw.ac.nz>
To: Sunil Nimmagadda <sunil@nimmagadda.net>
Cc: gnats-bugs@netbsd.org
Subject: Re: misc/57905: blocklistd.conf and ipv6
Date: Wed, 7 Feb 2024 11:46:04 +1300
On 07/02/2024 00:15, Sunil Nimmagadda wrote:
> IPv6 case needs to set the port as "*" (FSTAR) when not specified in
> the config for the conf_getport() to parse it correctly. Updated diff...
With that updated diff IPv6 appears to be working fine.
cheers
mark
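The two parsing points settled in this thread, that the prefix length belongs outside the brackets and that inet_pton(3) reports unparseable text with a return of 0 rather than -1, plus the second fix's rule that a bracketed address with no port defaults to "*", as an added C example. This is not blocklistd's code and not the patch above: the struct, the function names (`parse_addrspec`, `inet6_pton_status`, `spec_ok`, `spec_bad`) and the exact grammar it accepts are assumptions made for the example, and the input strings in main() are constructed from the PR's configuration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

struct addrspec {
	int family;             /* AF_INET, AF_INET6, or 0 for "*" (any) */
	unsigned char addr[16]; /* network-order address bytes */
	int mask;               /* prefix length, -1 when not given */
	char port[32];          /* service name or number, "*" when absent */
};

/* Raw inet_pton(3) result for IPv6 text: 1 parsed, 0 not an address,
 * -1 only for an unsupported family, never for unparseable text. */
int inet6_pton_status(const char *s)
{
	struct in6_addr a;
	return inet_pton(AF_INET6, s, &a);
}

/* Accepts "addr[/mask][:port]" (IPv4) and "[addr][/mask][:port]" (IPv6).
 * Returns 0 on success, -1 on a bad address, mask or bracket. */
int parse_addrspec(const char *spec, struct addrspec *out)
{
	char buf[128], *host, *rest, *colon, *slash, *end;

	memset(out, 0, sizeof(*out));
	out->mask = -1;
	strcpy(out->port, "*");
	snprintf(buf, sizeof(buf), "%s", spec);

	if (buf[0] == '[') {
		/* Bracketed IPv6: the host ends at ']'; "/mask" and ":port"
		 * follow the bracket, so "[2404:2000::/32]" is rejected below. */
		if ((end = strchr(buf, ']')) == NULL)
			return -1;
		*end = '\0';
		host = buf + 1;
		rest = end + 1;
		out->family = AF_INET6;
	} else {
		host = rest = buf;
		out->family = AF_INET;
	}

	/* Split ":port" and "/mask" off the remainder.  "[addr]" alone or a
	 * trailing ":" means any port: the empty-string case fixed in this PR. */
	if ((colon = strchr(rest, ':')) != NULL) {
		*colon = '\0';
		snprintf(out->port, sizeof(out->port), "%s",
		    colon[1] != '\0' ? colon + 1 : "*");
	}
	if ((slash = strchr(rest, '/')) != NULL) {
		*slash = '\0';
		out->mask = (int)strtol(slash + 1, &end, 10);
		if (end == slash + 1 || *end != '\0' || out->mask < 0)
			return -1;
	}

	if (strcmp(host, "*") == 0) {
		out->family = 0;        /* any address */
	} else if (inet_pton(out->family, host, out->addr) != 1) {
		/* Test for != 1, not == -1: unparseable text yields 0. */
		return -1;
	}
	if (out->mask > (out->family == AF_INET6 ? 128 : 32))
		return -1;
	return 0;
}

/* Scalar helpers so a result can be checked without reading the struct. */
int spec_ok(const char *spec, int family, int mask, const char *port)
{
	struct addrspec a;
	return parse_addrspec(spec, &a) == 0 && a.family == family &&
	    a.mask == mask && strcmp(a.port, port) == 0;
}

int spec_bad(const char *spec)
{
	struct addrspec a;
	return parse_addrspec(spec, &a) == -1;
}

int main(void)
{
	/* Constructed inputs: the PR's remote rules in both bracket forms. */
	const char *specs[] = { "130.195.0.0/16", "[2404:2000::/32]",
	    "[2404:2000::]/32", "[2404:2000::]/32:ssh", "10.0.0.0/8" };
	struct addrspec a;
	for (size_t i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		printf("%-22s -> %s\n", specs[i],
		    parse_addrspec(specs[i], &a) == 0 ? "ok" : "bad address");
	return 0;
}
```

The `!= 1` comparison is the whole difference between silently accepting `[2404:2000::/32]` and rejecting it: inet_pton(3) returns 0 for that string on both the BSD libc and glibc, so a `== -1` check never fires and the rule is installed with an address the parser never filled in.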
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57905 CVS commit: src/external/bsd/blocklist/bin
Date: Thu, 8 Feb 2024 19:37:07 -0500
Module Name: src
Committed By: christos
Date: Fri Feb 9 00:37:06 UTC 2024
Modified Files:
src/external/bsd/blocklist/bin: conf.c
Log Message:
PR/57905: Mark Davies: blocklistd fails to parse ipv6 addresses.
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/external/bsd/blocklist/bin/conf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57905 CVS commit: src/external/bsd/blocklist/bin
Date: Fri, 9 Feb 2024 10:15:32 -0500
Module Name: src
Committed By: christos
Date: Fri Feb 9 15:15:32 UTC 2024
Modified Files:
src/external/bsd/blocklist/bin: conf.c
Log Message:
PR/57905: Mark Davies: handle empty string.
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blocklist/bin/conf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57905 CVS commit: [netbsd-10] src/external/bsd/blocklist
Date: Sat, 17 Feb 2024 15:59:55 +0000
Module Name: src
Committed By: martin
Date: Sat Feb 17 15:59:55 UTC 2024
Modified Files:
src/external/bsd/blocklist/bin [netbsd-10]: blocklistd.conf.5 conf.c
src/external/bsd/blocklist/etc [netbsd-10]: blocklistd.conf
Log Message:
Pull up following revision(s) (requested by markd in ticket #591):
external/bsd/blocklist/bin/blocklistd.conf.5: revision 1.3
external/bsd/blocklist/bin/conf.c: revision 1.4
external/bsd/blocklist/bin/conf.c: revision 1.5
external/bsd/blocklist/bin/conf.c: revision 1.6
external/bsd/blocklist/etc/blocklistd.conf: revision 1.3
PR/57905: Mark Davies: blocklistd fails to parse ipv6 addresses.
fix typo
PR/57905: Mark Davies: handle empty string.
add an IPv6 example to blocklistd.conf(5)
add an IPv6 example to blocklistd.conf example file
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.2.6.1 src/external/bsd/blocklist/bin/blocklistd.conf.5
cvs rdiff -u -r1.3 -r1.3.2.1 src/external/bsd/blocklist/bin/conf.c
cvs rdiff -u -r1.2 -r1.2.6.1 src/external/bsd/blocklist/etc/blocklistd.conf
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: markd@NetBSD.org
State-Changed-When: Mon, 19 Feb 2024 19:11:10 +0000
State-Changed-Why:
fixed and pulled up to 10.
>Unformatted:
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.