Date:      Tue, 25 Dec 2012 20:35:49 +0400
From:      "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To:        Fabian Wenk <fabian@wenks.ch>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: IPv6 addresses in tables not always working
Message-ID:  <50D9D5E5.8050809@FreeBSD.org>
In-Reply-To: <50D9BF00.7050507@wenks.ch>
References:  <50D9BF00.7050507@wenks.ch>

On 25.12.2012 18:58, Fabian Wenk wrote:
> Hello
>
> To test tables with IPv6 for use with fail2ban (see thread "IPv6
> Support" [1]), I tried it out on a FreeBSD 9.1-RELEASE (r244668) system.
> Not all possible rules with tables which include IPv6 addresses seem to
> work.
>
>    [1] http://sourceforge.net/mailarchive/message.php?msg_id=29387087
>
> For fail2ban it will both be possible, using mixed tables with IPv4 and
> IPv6 addresses and separate tables with only IPv4 or IPv6 addresses. So
> I tried a few variants.
>
> First I created 3 different tables (IPv4 only, IPv6 only, IPv4 and IPv6
> mixed), this worked so far:
...

> Then I deleted the IPv4 and IPv6 only rules to only test with the mixed
> IPv4 and IPv6 table(46):
>
> root@freebsd9:~ # ipfw delete 1 2
> root@freebsd9:~ # ipfw show | head -1
> 00003  0   0 unreach port tcp from table(46) to me dst-port 22 in
> root@freebsd9:~ #
>
> And again testing from the remote system, the timeouts are still with
> the same difference for IPv4 and IPv6, but the message for IPv6 is now
> different:

unreach && unreach6 does different things:
Former implies O_REJECT token (which is ipv4 only) while the latter 
calls O_UNREACH6 (which is ipv6 only).

I'm not sure why we're utilizing O_UNREACH6 instead of re-using O_REJECT..

> root@freebsd9:~ # ipfw show | head -1
> 00003 12 872 unreach port tcp from table(46) to me dst-port 22 in
> root@freebsd9:~ #
>
>
> I also tried some other rules, which would be use cases for my setup
> with fail2ban, but not all of them work:
>
> freebsd9:~ # ipfw add 4 deny ip6 from table\(6\) to me6 22 in
> ipfw: bad address "table(6)"
> root@freebsd9:~ #
Yep, this is a known problem (and some similar still remains). Fixed in 
r240892 (r241883 for stable/9).

...

> To help collect the information regarding IPv6 support in ipfw tables,
> what other rules should I test? Or is this already enough information
> for any FreeBSD IPFW developer to be able to locate and probably fix
> this issues?
>
> I guess it is probably better to first collect some more information
> regarding IPv6 and tables here on the list and then create a
> corresponding PR later on for it.
>
>
> bye
> Fabian
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>



-- 
WBR, Alexander
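As an added illustration of the point Alexander makes above (that `unreach` maps to the IPv4-only O_REJECT while `unreach6` maps to the IPv6-only O_UNREACH6), the following Python snippet is not from this thread or from fail2ban: it splits a constructed ban list into separate IPv4 and IPv6 tables and emits one reject rule per family, so each address family is matched by an opcode that can actually handle it. It assumes an ipfw that already carries the table fix Alexander cites (r240892 / r241883) and uses hypothetical table numbers 4 and 6.

```python
import ipaddress

# Constructed sample of banned hosts, the kind of list a fail2ban ban action would receive.
BANNED = ["203.0.113.7", "2001:db8::1", "198.51.100.0/24", "2001:db8:ffff::/48"]

RULE_NUM = 3          # hypothetical rule number, mirrors rule 00003 in the thread
TABLE_V4, TABLE_V6 = 4, 6   # hypothetical table numbers: one per address family


def split_by_family(addrs):
    """Return (ipv4_networks, ipv6_networks) as normalised CIDR strings.

    Mixing both families in one table is legal, but the reject action on the
    rule is family-specific, so we keep them apart to pair each with the
    right action.
    """
    v4, v6 = [], []
    for a in addrs:
        net = ipaddress.ip_network(a, strict=False)   # raises ValueError on junk input
        (v4 if net.version == 4 else v6).append(str(net))
    return v4, v6


def table_commands(addrs):
    """ipfw(8) invocations that populate the per-family tables."""
    v4, v6 = split_by_family(addrs)
    cmds = [f"ipfw table {TABLE_V4} add {n}" for n in v4]
    cmds += [f"ipfw table {TABLE_V6} add {n}" for n in v6]
    return cmds


def reject_rules(port=22):
    """One reject rule per family.

    'unreach port' compiles to O_REJECT, which only knows how to answer IPv4;
    'unreach6 port' compiles to O_UNREACH6, which only answers IPv6.  A single
    'unreach' rule over a mixed table would therefore never send the ICMPv6
    error for the IPv6 entries.  (When typing these into a shell, escape the
    parentheses as table\\(4\\).)
    """
    return [
        f"ipfw add {RULE_NUM} unreach port tcp from table({TABLE_V4}) to me dst-port {port} in",
        f"ipfw add {RULE_NUM} unreach6 port tcp from table({TABLE_V6}) to me6 dst-port {port} in",
    ]


if __name__ == "__main__":
    for line in table_commands(BANNED) + reject_rules():
        print(line)
```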



