Date:      Sun, 27 Nov 2005 21:30:07 GMT
From:      =?iso-8859-1?Q?Ga=EBl?= Roualland <gael.roualland@dial.oleane.com>
To:        freebsd-ipfw@FreeBSD.org
Subject:   Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Message-ID:  <200511272130.jARLU70N071333@freefall.freebsd.org>

The following reply was made to PR kern/89472; it has been noted by GNATS.

From: =?iso-8859-1?Q?Ga=EBl?= Roualland <gael.roualland@dial.oleane.com>
To: Hajimu UMEMOTO <ume@freebsd.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 
 6.0-RELEASE
Date: Sun, 27 Nov 2005 22:27:40 +0100

 This is a multi-part message in MIME format.
 --------------A3E74D29D65F52E3591BAEAD
 Content-Type: text/plain; charset=iso-8859-1
 Content-Transfer-Encoding: 8bit
 
 Hajimu UMEMOTO a écrit :
 > 
 > Hi,
 > 
 > >>>>> On Sun, 27 Nov 2005 02:15:05 +0100
 > >>>>> Gaël Roualland <gael.roualland@dial.oleane.com> said:
 > 
 > gael> I applied the patch, and 'show' was fine (except for ipv6 instead of
 > gael> 41), but it did break my other rules.. Looks like "allow ip from any to
 > gael> any" doesn't match anything anymore...
 > 
 > Oops, please try this patch instead.
 
 It seems to work fine with this patch so far (fyi, none of the patches
 you sent applied as-is, so I applied it manually). Thanks.
 
 Regarding the fact that ip6/ipv6 (and ip4/ipv4) cannot be used in the
 proto construction, I added a parameter to add_proto to distinguish
 between the main rule proto and potential "proto options". The patch is
 attached.
 
 Gaël.
 
 -- 
 Gaël Roualland -+- gael.roualland@dial.oleane.com
 --------------A3E74D29D65F52E3591BAEAD
 Content-Type: text/plain; charset=us-ascii;
  name="ipfw2.patch"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="ipfw2.patch"
 
 --- src/sbin/ipfw/ipfw2.c.orig	Sun Nov 27 22:25:33 2005
 +++ src/sbin/ipfw/ipfw2.c	Sun Nov 27 22:24:14 2005
 @@ -3590,29 +3590,33 @@ add_mactype(ipfw_insn *cmd, int ac, char
  }
  
  static ipfw_insn *
 -add_proto(ipfw_insn *cmd, char *av, u_char *proto)
 +add_proto(ipfw_insn *cmd, char *av, u_char *proto, int ismain)
  {
  	struct protoent *pe;
  
  	*proto = IPPROTO_IP;
  
 -	if (_substrcmp(av, "all") == 0)
 +	if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
  		; /* do not set O_IP4 nor O_IP6 */
  	else if (strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0)
 -		/* explicit "just IPv4" rule */
 -		fill_cmd(cmd, O_IP4, 0, 0);
 +		if (ismain)  /* explicit "just IPv4" rule */
 +			fill_cmd(cmd, O_IP4, 0, 0);
 +		else 
 +			fill_cmd(cmd, O_PROTO, 0, *proto);
  	else if (strcmp(av, "ipv6") == 0 || strcmp(av, "ip6") == 0) {
  		/* explicit "just IPv6" rule */
  		*proto = IPPROTO_IPV6;
 -		fill_cmd(cmd, O_IP6, 0, 0);
 -	} else if ((*proto = atoi(av)) > 0)
 -		; /* all done! */
 -	else if ((pe = getprotobyname(av)) != NULL)
 +		if (ismain)
 +			fill_cmd(cmd, O_IP6, 0, 0);
 +		else
 +			fill_cmd(cmd, O_PROTO, 0, *proto);
 +	} else if ((*proto = atoi(av)) > 0) 
 +		fill_cmd(cmd, O_PROTO, 0, *proto);
 +	else if ((pe = getprotobyname(av)) != NULL) {
  		*proto = pe->p_proto;
 -	else
 -		return NULL;
 -	if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)
  		fill_cmd(cmd, O_PROTO, 0, *proto);
 +	} else
 +		return NULL;
  
  	return cmd;
  }
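Review bot: In the new `else` arm for "ipv4"/"ip4" with `ismain` false, `*proto` still holds the `IPPROTO_IP` value assigned at the top of add_proto, so `fill_cmd(cmd, O_PROTO, 0, *proto)` emits an O_PROTO match for protocol 0 rather than for IPv4 encapsulation. A filter rule written with `proto ip4` would then be accepted without error but match something other than what the administrator wrote; the ipv6 arm avoids this by assigning `*proto = IPPROTO_IPV6` before the call. Presumably the ipv4 arm wants `*proto = IPPROTO_IPV4;` ahead of its `fill_cmd` call. The inner `if (ismain) … else …` also sits unbraced inside the `else if` chain, so the chain parses as intended only through nearest-`if` binding; bracing the ipv4 arm the way the ipv6 arm is braced would make that explicit and keep a later edit from silently re-attaching an `else`.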
 @@ -4056,7 +4060,7 @@ add(int ac, char *av[])
      OR_START(get_proto);
  	NOT_BLOCK;
  	NEED1("missing protocol");
 -	if (add_proto(cmd, *av, &proto)) {
 +	if (add_proto(cmd, *av, &proto, 1)) {
  		av++; ac--;
  		if (F_LEN(cmd) != 0) {
  			prev = cmd;
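Review bot: Passing 1 here makes the main protocol position rely on add_proto's now-unconditional `fill_cmd(cmd, O_PROTO, 0, *proto)` in the getprotobyname() branch, which no longer has the removed `*proto != IPPROTO_IP && *proto != IPPROTO_IPV6` guard. Any name other than the literal "all"/"ip" that the protocols database resolves to 0 would now produce an O_PROTO opcode, `F_LEN(cmd) != 0` below becomes true, and a rule that used to match every protocol would be narrowed; whether such names exist depends on the local database, so this is worth confirming before relying on existing rulesets. If the old behaviour is wanted for the main position, that branch could read `if (!ismain || *proto != IPPROTO_IP) fill_cmd(cmd, O_PROTO, 0, *proto);`. The enclosing add() starts and ends outside this hunk.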
 @@ -4451,7 +4455,7 @@ read_options:
  
  		case TOK_PROTO:
  			NEED1("missing protocol");
 -			if (add_proto(cmd, *av, &proto)) {
 +			if (add_proto(cmd, *av, &proto, 0)) {
  				ac--; av++;
  			} else
  				errx(EX_DATAERR, "invalid protocol ``%s''",
 
 --------------A3E74D29D65F52E3591BAEAD--
 


