From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 6 02:53:52 2014
Message-ID: <52CA1AB2.8050601@saltant.com>
Date: Sun, 05 Jan 2014 21:53:38 -0500
From: "John W. O'Brien"
Organization: Saltant Solutions
To: freebsd-ipfw@freebsd.org
Subject: ipfw rule to match IPv4-in-IPv6 tunneled packets syntax problem

Hello freebsd-ipfw@,

I just tripped over what seems to be a syntax bug and need some help
understanding it well enough to submit a PR (or to be dissuaded from
doing so). A quick look through all PRs matching 'ipfw', open and
closed, does not reveal a clear duplicate.

Let's say my machine has a physical interface, em0, with IPv4 address
192.0.2.1, and a tunneling peer with IPv4 address 198.51.100.2. I also
have gif0 configured with these tunnel end points and an inner IPv6
address (which I do not believe is relevant).

I have the following interaction with the machine.

    % ipfw add 1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6
    1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ip6
    % ipfw add 2000 allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6
    2000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6

Notice that when I say "ipv6", ipfw responds "ip6", but when I say
"proto ipv6", ipfw responds "ipv6". Is this an unintended exception, or
the unintended consequence of grammar implications I just don't fully
understand?

Next my peer sends me some tunneled traffic---each packet incident upon
em0 starts with an IPv4 header with the proto field equal to 41,
followed by an IPv6 header---and I check the rule counters. Rule 1000
has zero hits, but rule 2000 has all the hits. What would rule 1000
match?

This is on 9.2-STABLE r260112.

Regards,
John
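The following is an added example, not part of the original thread or of the ipfw code base. It models the two rules from the post as predicates and evaluates them against a constructed IPv6-in-IPv4 packet. In ipfw(8) the keywords ip4/ipv4 and ip6/ipv6 (printed back as ip4/ip6) test the IP version of the packet being filtered, whereas "proto ipv6" tests the IP protocol number, 41, which /etc/protocols names "ipv6" (hence the different echo). A rule that says both "ip4" and "ipv6" therefore demands version 4 and version 6 at once and can never match, while "ip4 ... proto ipv6" matches the outer header of a gif tunnel. The inner IPv6 addresses (2001:db8::/32), the small protocol-name table and the rule subset the parser accepts are assumptions of the example, not something the post states.

```python
"""Added example: evaluate ipfw-style rules against a constructed IPv6-in-IPv4 packet.

Not the original poster's code and not ipfw's parser; it implements only the
rule subset needed to show why 'ip4 ... ipv6' cannot match while
'ip4 ... proto ipv6' matches a gif-tunnelled packet.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IANA protocol number: IPv6 encapsulated in IPv4
IPPROTO_NONE = 59   # IPv6 "no next header"

# Assumed protocol-name table for the example; ipfw itself consults /etc/protocols.
PROTO_NAMES = {"ipv6": IPPROTO_IPV6, "tcp": 6, "udp": 17, "icmp": 1, "ipencap": 4}


def build_tunneled_packet() -> bytes:
    """Constructed sample: IPv4 header with proto 41 followed by an IPv6 header.

    Outer addresses are the ones from the post; the inner IPv6 addresses are
    assumed (documentation prefix 2001:db8::/32) and carry no payload.
    """
    inner = (struct.pack("!IHBB", 0x60000000, 0, IPPROTO_NONE, 64)
             + ipaddress.IPv6Address("2001:db8::2").packed
             + ipaddress.IPv6Address("2001:db8::1").packed)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (left 0), src, dst
    outer = struct.pack("!BBHHHBBH4s4s",
                        0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address("198.51.100.2").packed,
                        ipaddress.IPv4Address("192.0.2.1").packed)
    return outer + inner


def parse_ip_header(pkt: bytes) -> dict:
    """Decode the outermost IP header; 'payload' is whatever follows it."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        return {"version": 4, "proto": pkt[9],
                "src": ipaddress.ip_address(pkt[12:16]),
                "dst": ipaddress.ip_address(pkt[16:20]),
                "payload": pkt[ihl:]}
    if version == 6:
        return {"version": 6, "proto": pkt[6],   # IPv6 "next header" field
                "src": ipaddress.ip_address(pkt[8:24]),
                "dst": ipaddress.ip_address(pkt[24:40]),
                "payload": pkt[40:]}
    raise ValueError(f"unknown IP version {version}")


def parse_rule(text: str):
    """Parse the rule subset used in the post into (action, predicates).

    Supported: an action word, ip4/ipv4/ip6/ipv6 version selectors, 'from A',
    'to B', and 'proto NAME|NUMBER'.  Anything else raises so that mistakes
    are loud rather than silently ignored.
    """
    toks = text.split()
    action, toks = toks[0], toks[1:]
    preds = []
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("ip4", "ipv4"):
            preds.append(("version", 4))
        elif t in ("ip6", "ipv6"):
            preds.append(("version", 6))
        elif t in ("from", "to"):
            preds.append(("src" if t == "from" else "dst",
                          ipaddress.ip_address(toks[i + 1])))
            i += 1
        elif t == "proto":
            arg = toks[i + 1]
            preds.append(("proto", int(arg) if arg.isdigit() else PROTO_NAMES[arg]))
            i += 1
        else:
            raise ValueError(f"unsupported token {t!r}")
        i += 1
    return action, preds


def rule_matches(preds, hdr: dict) -> bool:
    """All predicates are ANDed, as ipfw does for the options of one rule."""
    return all(hdr[field] == value for field, value in preds)


def count_hits(rules, packets) -> dict:
    """Simulate the per-rule hit counters for a list of (number, text) rules."""
    hits = {}
    for number, text in rules:
        _, preds = parse_rule(text)
        hits[number] = sum(rule_matches(preds, parse_ip_header(p)) for p in packets)
    return hits


RULES = [
    (1000, "allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6"),
    (2000, "allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6"),
]

if __name__ == "__main__":
    pkt = build_tunneled_packet()
    outer = parse_ip_header(pkt)
    inner = parse_ip_header(outer["payload"])
    print(f"outer: IPv{outer['version']} {outer['src']} -> {outer['dst']} proto {outer['proto']}")
    print(f"inner: IPv{inner['version']} {inner['src']} -> {inner['dst']}")
    for number, hits in count_hits(RULES, [pkt]).items():
        print(f"rule {number}: {hits} hit(s)")
```

Run stand-alone it reports the outer header as IPv4 with proto 41, the inner header as IPv6, zero hits for rule 1000 and one hit for rule 2000. The practical check on a real box is the same: a rule whose echo contains both "ip4" and "ip6" is dead, and the tunnel carrier is matched by "proto ipv6" (or "proto 41") on the outer IPv4 header.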
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 6 11:06:48 2014
Date: Mon, 6 Jan 2014 11:06:48 GMT
Message-Id: <201401061106.s06B6mJH045264@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/180731  ipfw   [ipfw] problem with displaying 255.255.255.255 address
o kern/180729  ipfw   [ipfw] ipfw nat show empty output
o kern/178482  ipfw   [ipfw] logging problem from vnet jail
o kern/178480  ipfw   [ipfw] dynamically loaded ipfw with a vimage kernel do
o kern/178317  ipfw   [ipfw] ipfw options need to specifed in specific order
o kern/177948  ipfw   [ipfw] ipfw fails to parse port ranges (p1-p2) for udp
o kern/176503  ipfw   [ipfw] ipfw layer2 problem
o conf/167822  ipfw   [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw   [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw   [ipfw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw   [ipfw] [lo] [patch] loopback interface is not marking
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   [ipfw] does not support specifying rules with ICMP cod
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

42 problems total.