From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To: Fabian Wenk
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPv6 addresses in tables not always working
Date: Tue, 25 Dec 2012 20:35:49 +0400
Message-ID: <50D9D5E5.8050809@FreeBSD.org>
In-Reply-To: <50D9BF00.7050507@wenks.ch>

On 25.12.2012 18:58, Fabian Wenk wrote:
> Hello
>
> To test tables with IPv6 for use with fail2ban (see thread "IPv6
> Support" [1]), I tried it out on a FreeBSD 9.1-RELEASE (r244668) system.
> Not all possible rules with tables which include IPv6 addresses seem to
> work.
>
> [1] http://sourceforge.net/mailarchive/message.php?msg_id=29387087
>
> For fail2ban it will both be possible, using mixed tables with IPv4 and
> IPv6 addresses and separate tables with only IPv4 or IPv6 addresses. So
> I tried a few variants.
>
> First I created 3 different tables (IPv4 only, IPv6 only, IPv4 and IPv6
> mixed), this worked so far:

...

> Then I deleted the IPv4 and IPv6 only rules to only test with the mixed
> IPv4 and IPv6 table(46):
>
> root@freebsd9:~ # ipfw delete 1 2
> root@freebsd9:~ # ipfw show | head -1
> 00003 0 0 unreach port tcp from table(46) to me dst-port 22 in
> root@freebsd9:~ #
>
> And again testing from the remote system, the timeouts are still with
> the same difference for IPv4 and IPv6, but the message for IPv6 is now
> different:

unreach and unreach6 do different things: the former implies the O_REJECT token (which is IPv4 only), while the latter calls O_UNREACH6 (which is IPv6 only). I'm not sure why we're utilizing O_UNREACH6 instead of re-using O_REJECT..

> root@freebsd9:~ # ipfw show | head -1
> 00003 12 872 unreach port tcp from table(46) to me dst-port 22 in
> root@freebsd9:~ #
>
>
> I also tried some other rules, which would be use cases for my setup
> with fail2ban, but not all of them work:
>
> freebsd9:~ # ipfw add 4 deny ip6 from table\(6\) to me6 22 in
> ipfw: bad address "table(6)"
> root@freebsd9:~ #

Yep, this is a known problem (and some similar ones still remain). Fixed in r240892 (r241883 for stable/9).

...

> To help collect the information regarding IPv6 support in ipfw tables,
> what other rules should I test? Or is this already enough information
> for any FreeBSD IPFW developer to be able to locate and probably fix
> these issues?
>
> I guess it is probably better to first collect some more information
> regarding IPv6 and tables here on the list and then create a
> corresponding PR later on for it.
>
>
> bye
> Fabian

--
WBR, Alexander
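Added example, not code from the thread: a POSIX sh sketch of a fail2ban-style action that keeps IPv4 and IPv6 bans in separate ipfw tables and pairs each family with the reject action ipfw supports for it (unreach for IPv4, unreach6 for IPv6), as explained in the reply above. Table numbers 4 and 6, rule numbers 3 and 4, and the function names are assumptions; the ipfw commands are printed rather than executed, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the ipfw commands a fail2ban-style
# action would run, keeping IPv4 and IPv6 in separate tables so each rule can
# use the reject action that ipfw actually implements for that family:
#   unreach  -> O_REJECT   (IPv4 only)
#   unreach6 -> O_UNREACH6 (IPv6 only)
# Table and rule numbers below are assumptions chosen for this example.
V4_TABLE=4
V6_TABLE=6
RULE_V4=3
RULE_V6=4
PORT=22

# Print "4" or "6" for an address literal; anything else is rejected so a
# malformed value never reaches an ipfw command line.
addr_family() {
    case "$1" in
        *:*)        echo 6 ;;
        *.*.*.*)    echo 4 ;;
        *)          echo "unsupported address: $1" >&2; return 1 ;;
    esac
}

# Run once at action start: one rule per family, each on its own table.
# Parentheses are escaped so the lines can be pasted into a shell.
start_cmds() {
    echo "ipfw add $RULE_V4 unreach port tcp from table\\($V4_TABLE\\) to me dst-port $PORT in"
    echo "ipfw add $RULE_V6 unreach6 port tcp from table\\($V6_TABLE\\) to me6 dst-port $PORT in"
}

# Ban: add the offender to the table matching its address family.
ban_cmds() {
    fam=$(addr_family "$1") || return 1
    if [ "$fam" = 6 ]; then
        echo "ipfw table $V6_TABLE add $1"
    else
        echo "ipfw table $V4_TABLE add $1"
    fi
}

# Unban: remove the entry from the same table.
unban_cmds() {
    fam=$(addr_family "$1") || return 1
    if [ "$fam" = 6 ]; then
        echo "ipfw table $V6_TABLE delete $1"
    else
        echo "ipfw table $V4_TABLE delete $1"
    fi
}
```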