Date:      Thu, 25 Jul 2002 12:40:05 +0200 (SAT)
From:      John Hay <jhay@icomtek.csir.co.za>
To:        rizzo@icir.org (Luigi Rizzo)
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: RFC: ipfw behaviour with non IPv4 packets
Message-ID:  <200207251040.g6PAe5C64282@zibbi.icomtek.csir.co.za>
In-Reply-To: <20020725001652.A94913@iguana.icir.org> from Luigi Rizzo at "Jul 25, 2002 00:16:52 am"

> Hi,
> I would like your input here on the following issue.
> 
> 
> The original "ipfw" would only see IPv4 packets, so given a rule
> of the form
>  
>         <action> ip from <src> to <dst>
>  
> the "ip" protocol specifier effectively meant "any packet" (and
> "any" is in fact a synonym for "ip").
>  
> IPFW2 also sees non-ipv4 packets, so in some cases (e.g. when no
> other fields refer to IPv4 information, say "ip from any to any")
> the rule can be ambiguous. As a matter of fact, the way I have
> implemented it now is
> 
>         "ip" = "any" --> any packet, ipv4 or not 
>  
> You can have the same ambiguity when you specify a protocol like
> "tcp" or "udp" -- do you want these rules to match only "*-over-ip4"
> or ipv6 as well?
> 
> I am a bit uncertain on what is the best path, but I believe a
> reasonable one is to assume
> 
>         "ip" = "any" --> any IP packet (v4 or v6) 
> 
> and similarly
> 
>         "proto" --> any packet of protocol "proto" over IP (v4 or v6)
> 

It would be nice if ipfw could support both ipv4 and ipv6. Then we only need
one "thing" to manage it all.

Maybe the current "proto" field should be split in two? The current
"abuse" of it will make it difficult to be able to specify just one
of them. Currently putting ipv6 in this field means ipv6 tunneled
over ipv4, but I can see that it would be nice to have a way to
specify that a certain rule is only for ipv6 or only for ipv4 packets.

So that I can do things like:

skipto 5 ipv6 proto all from any to any # Catch all native ipv6 packets
allow ipv4 proto ipv6 from any to any # catch tunneled packets
allow all proto tcp ... # catch both ipv4 and ipv6 packets

John
-- 
John Hay -- John.Hay@icomtek.csir.co.za / jhay@FreeBSD.org
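The three example rules above, worked through as an added illustration that is not part of the thread or of ipfw itself: a small Python matcher for the hypothetical split syntax `<action> <family> proto <proto> from <src> to <dst>`, where the family field (`ipv4`, `ipv6` or `all`) selects the outer header and `proto` is checked inside it, so `ipv4 proto ipv6` means 6-over-4 tunnels (IP protocol 41) and `ipv6 proto all` means native IPv6. Packet objects, the `Rule` record and the protocol table are constructed for the example; address matching is left out.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Protocol numbers for the names used in the thread; 41 is IPv6-in-IPv4
# encapsulation, which is what "proto ipv6" means in the current syntax.
PROTO_NUMS = {"tcp": 6, "udp": 17, "icmp": 1, "ipv6": 41}

@dataclass(frozen=True)
class Packet:
    family: str   # address family of the outer header: "ipv4" or "ipv6"
    proto: int    # protocol / next-header number carried by that header

@dataclass(frozen=True)
class Rule:
    action: str
    family: str            # "ipv4", "ipv6" or "all" (hypothetical new field)
    proto: Optional[int]   # None means "proto all"
    src: str
    dst: str

# Hypothetical grammar: <action> [<n>] <family> proto <proto> from <src> to <dst>
RULE_RE = re.compile(
    r"^(?P<action>[a-z]+(?: \d+)?) (?P<family>ipv4|ipv6|all) "
    r"proto (?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+)$"
)

def parse_rule(text: str) -> Rule:
    """Parse one rule line; a trailing '# comment' is ignored."""
    m = RULE_RE.match(text.split("#", 1)[0].strip())
    if m is None:
        raise ValueError(f"unparsable rule: {text!r}")
    p = m.group("proto")
    # "all" matches any protocol; otherwise accept a name or a raw number
    proto = None if p == "all" else (PROTO_NUMS.get(p) or int(p))
    return Rule(m.group("action"), m.group("family"), proto,
                m.group("src"), m.group("dst"))

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Family selects the outer header; proto is compared inside it."""
    if rule.family != "all" and rule.family != pkt.family:
        return False
    return rule.proto is None or rule.proto == pkt.proto

def first_match(rules, pkt: Packet) -> Optional[str]:
    """First-match semantics as in ipfw: action of the first rule that hits."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return None
```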
