Date: Sun, 05 Jan 2014 21:53:38 -0500
From: "John W. O'Brien" <john@saltant.com>
To: freebsd-ipfw@freebsd.org
Subject: ipfw rule to match IPv4-in-IPv6 tunneled packets syntax problem
Message-ID: <52CA1AB2.8050601@saltant.com>

Hello freebsd-ipfw@,

I just tripped over what seems to be a syntax bug and need some help understanding it well enough to submit a PR (or to be dissuaded from doing so). A quick look through all PRs matching 'ipfw', open and closed, does not reveal a clear duplicate.

Let's say my machine has a physical interface, em0, with IPv4 address 192.0.2.1, and a tunneling peer with IPv4 address 198.51.100.2. I also have gif0 configured with these tunnel end points and an inner IPv6 address (which I do not believe is relevant). I have the following interaction with the machine.

    % ipfw add 1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6
    1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ip6
    % ipfw add 2000 allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6
    2000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6

Notice that when I say "ipv6", ipfw responds "ip6", but when I say "proto ipv6", ipfw responds "ipv6". Is this an unintended exception, or the unintended consequence of grammar implications I just don't fully understand?

Next my peer sends me some tunneled traffic---each packet incident upon em0 starts with an IPv4 header with the proto field equal to 41, followed by an IPv6 header---and I check the rule counters. Rule 1000 has zero hits, but rule 2000 has all the hits. What would rule 1000 match?

This is on 9.2-STABLE r260112.

Regards,
John
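
An added example, not part of the message above and not ipfw's own code: a Python model of the two rules run against a constructed tunneled packet. It assumes the ipfw(8) man page's reading that the `ip6`/`ipv6` option matches IPv6 packets while `proto ipv6` matches the IP protocol field (41); the inner 2001:db8:: addresses and all function names are hypothetical.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number for IPv6 encapsulated in IPv4

def build_tunneled_packet(src, dst):
    """Constructed sample: outer IPv4 header (proto 41) + inner IPv6 header."""
    outer = struct.pack("!BBHHHBBH4s4s",
                        0x45, 0, 20 + 40,      # version 4 / IHL 5, TOS, total length
                        0, 0,                  # identification, flags + fragment offset
                        64, IPPROTO_IPV6, 0,   # TTL, protocol, checksum (left 0 here)
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    inner = struct.pack("!IHBB16s16s",
                        6 << 28, 0, 59, 64,    # version 6, empty payload, no next header
                        ipaddress.IPv6Address("2001:db8::2").packed,  # constructed
                        ipaddress.IPv6Address("2001:db8::1").packed)  # constructed
    return outer + inner

def outer_fields(pkt):
    """Return (ip_version, proto, src, dst) as seen at the outermost header."""
    version = pkt[0] >> 4
    if version != 4:
        return version, None, None, None
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return version, proto, src, dst

def rule_1000(pkt, src="198.51.100.2", dst="192.0.2.1"):
    """Model of 'allow ip4 from SRC to DST ip6': IPv4 packet AND IPv6 packet."""
    version, _, s, d = outer_fields(pkt)
    return version == 4 and (s, d) == (src, dst) and version == 6

def rule_2000(pkt, src="198.51.100.2", dst="192.0.2.1"):
    """Model of 'allow ip4 from SRC to DST proto ipv6': IPv4 with proto 41."""
    version, proto, s, d = outer_fields(pkt)
    return version == 4 and (s, d) == (src, dst) and proto == IPPROTO_IPV6

def bare_ipv6(pkt):
    """The inner header on its own, as it would look after decapsulation."""
    return pkt[(pkt[0] & 0x0F) * 4:]

if __name__ == "__main__":
    pkt = build_tunneled_packet("198.51.100.2", "192.0.2.1")
    print(outer_fields(pkt), rule_1000(pkt), rule_2000(pkt))
    print(outer_fields(bare_ipv6(pkt)), rule_1000(bare_ipv6(pkt)))
```

Under that assumed reading, the model of rule 1000 requires the outer header to be version 4 and version 6 at once, so it returns False for both the encapsulated packet and the bare IPv6 one, which agrees with the zero hit count reported above.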