From owner-freebsd-security  Wed Feb 28  9:14:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost.stack.nl (vaak.stack.nl [131.155.140.140])
	by hub.freebsd.org (Postfix) with ESMTP
	id C485637B718; Wed, 28 Feb 2001 09:14:31 -0800 (PST)
	(envelope-from freebsd@dohd.org)
Received: from nala.dohd.org (tunnel01.ipv6.stack.nl [2001:610:1108:5001::1])
	by mailhost.stack.nl (Postfix) with ESMTP
	id 0D0B514F0C; Wed, 28 Feb 2001 18:14:30 +0100 (CET)
Received: by nala.dohd.org (Postfix, from userid 1008)
	id 841A3D9C2; Wed, 28 Feb 2001 18:14:27 +0100 (MET)
Date: Wed, 28 Feb 2001 18:14:26 +0100
From: Mark Huizer <freebsd@dohd.org>
To: "Jacques A. Vidrine" <n@nectar.com>
Cc: Hajimu UMEMOTO <ume@imasy.or.jp>, Arjan.deVet@adv.iae.nl,
	rasputin@FreeBSD-uk.eu.org, stable@freebsd.org,
	freebsd-security@freebsd.org, darrenr@freebsd.org
Subject: Re: IPFILTER IPv6 support non-functional? (was Re: IPF and IPv6)
Message-ID: <20010228181426.A9026@dohd.org>
References: <20010227152544.A69259@dogma.freebsd-uk.eu.org> <20010227210734.A27354@adv.devet.org> <20010228.185102.92589032.ume@imasy.or.jp> <20010228094504.A56540@hamlet.nectar.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010228094504.A56540@hamlet.nectar.com>; from n@nectar.com on Wed, Feb 28, 2001 at 09:45:04AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > I heared from KAME guys that even though IP-filter has IPv6 code, it
> > doesn't work with IPv6 at all.  It is not only for FreeBSD but also
> > NetBSD.
> 
> Can someone confirm whether or not IPv6 rulesets work with IPFILTER
> on FreeBSD?  I don't have an environment to test this at the moment,
> but I'm pretty sure this worked previously.
> 
> By the way, if you are loading IPv4 and IPv6 rulesets, I think you
> must do something like this:
> 
>    % ipf -I -Fa
>    % ipf -I -f /etc/ipf.conf             # IPv4 rules
>    % ipf -I -6 -f /etc/ipf6.conf         # IPv6 rules
>    % ipf -s
> 
> I'd like to know before I MFC -DUSE_INET6 for the utilities.
> 
I (and Guido van Rooij) had a look at this during a boring meeting some
time ago, but it seems there were a few patches missing in the -current
tree (something like the stuff in ipv6-patch in the FreeBSD-4.0
directory). But for the record: no, ipfilter doesn't work with filtering
IPv6 in the current setup in FreeBSD -current

Mark
-- 
Nice testing in little China...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message