ipfw disabling of rulesets >23 fails, can quietly wipe all rules

Originator: wkcole
Number: rdar://16512462
Date Originated: 03-Apr-2014
Status: Open
Resolved:
Product: OS X
Product Version: 10.4.4-10.9.2
Classification: Security
Reproducible: Always
 
Summary:
In all versions of MacOS since (apparently) 10.4.4 the 'ipfw set disable' command is broken for rule sets 24-30. "ipfw set disable 24" does not disable set 24 but instead quietly deletes all rules except for the special set 31 default rule. For sets 25-30, the command is a no-op that sometimes emits an error message but always returns an exit code of 0 (success). The 'set disable' command is an essential first step in constructing a multi-rule set one rule at a time, which is later enabled as a whole, atomically, with a 'set enable' command.

Version:
Confirmed on:
10.4.11 (xnu-792.24.17~1/RELEASE_PPC)
10.6.8 (xnu-1504.15.3~1/RELEASE_I386)
10.9.2 (xnu-2422.90.20~2/RELEASE_X86_64)
10.8.5 (xnu-2050.48.12~1/RELEASE_X86_64)


Notes:
From examining the published xnu sources I believe the cause of the trouble was introduced in MacOS 10.4.4. The change to bsd/netinet/ip_fw2.c between xnu-792.6.22 and xnu-792.6.56 that treats the set_mask[0] bitfield as a cmd+arg package is clearly at fault: it introduced a new code path which is taken only if one of the high 8 bits in the mask is set (i.e. if a set >23 is being disabled). I am unable to offer any theory about what that change was meant to do.
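
As an added illustration (not part of the original report), the shell wrapper below encodes the workaround that follows from the summary and the notes: a set number N is bit N of the 32-bit set mask, so only sets 0-23 stay clear of the high 8 bits and are safe to pass to 'set disable'; a rule count taken before and after the disable step detects the silent wipe. It assumes the ipfw binary lives at /sbin/ipfw and makes that overridable through IPFW so the whole thing can be dry-run with IPFW=echo; the rule piped into it in the usage note is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the original report. Guards 'ipfw set disable'
# against the OS X bug described above: set 24 wipes the ruleset and sets 25-30
# silently do nothing, so only sets 0-23 are accepted.
# Assumption: ipfw lives at /sbin/ipfw; override with IPFW=echo for a dry run.
IPFW="${IPFW:-/sbin/ipfw}"

# Return 0 when $1 is a decimal integer in 0..23, the range that is safe to
# disable (bit N of the 32-bit set mask; N >= 24 lands in the high 8 bits).
ipfw_set_is_safe() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 23 ]
}

# Number of rules currently loaded, used to detect a silent wipe.
ipfw_rule_count() {
    "$IPFW" list | wc -l | tr -d ' '
}

# Disable a set, refusing set numbers outside 0..23. Compares the rule count
# before and after: a drop means rules were deleted instead of disabled.
ipfw_safe_set_disable() {
    if ! ipfw_set_is_safe "$1"; then
        echo "refusing 'set disable $1': only sets 0-23 are safe on OS X ipfw" >&2
        return 1
    fi
    before=$(ipfw_rule_count)
    "$IPFW" set disable "$1" || return 1
    after=$(ipfw_rule_count)
    if [ "$after" -lt "$before" ]; then
        echo "rule count dropped from $before to $after after 'set disable $1'" >&2
        return 1
    fi
}

# Build a set one rule at a time while it is disabled, then enable it as a
# whole. Rules arrive on stdin as "<number> <rule body>" lines.
ipfw_build_set() {
    set_no="$1"
    ipfw_safe_set_disable "$set_no" || return 1
    while read -r num body; do
        [ -n "$num" ] || continue
        # $body is intentionally unquoted so ipfw sees separate words
        "$IPFW" add "$num" set "$set_no" $body || return 1
    done
    "$IPFW" set enable "$set_no"
}
```

With IPFW=echo exported, piping the constructed line `1000 allow tcp from any to any 22` into `ipfw_build_set 5` prints the three ipfw invocations it would run (set disable 5, add 1000 set 5 ..., set enable 5) without touching the kernel; `ipfw_build_set 24` is refused before any command is issued.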

Comments

As expected, no fix

It appears that this bug will live on for as long as ipfw exists in MacOS X. From the original:

Apple Developer Relations 08-Apr-2014 01:01 PM:

Engineering has determined that there are no plans to address this.

We are now closing this bug report.

If you have questions regarding the resolution of this issue, please update your bug report with that information.

Please be sure to regularly check new Apple releases for any updates that might affect this issue.

Background: yes, ipfw is deprecated, BUT...

With Lion, we got the "pfctl" tool to manage the kernel packet filtering rules but despite being deprecated, ipfw is still in Mavericks and Server still preserves (rather than converting to pfctl/afctl) existing legacy ipfw configurations.
