Date:      Mon, 15 Oct 2001 07:57:08 +1000
From:      Christopher Vance <vance@aurema.com>
To:        Rémi Guyomarch <rguyom@pobox.com>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: ipfilter ipv6
Message-ID:  <20011015075708.B29012@aurema.com>
In-Reply-To: <20011014201557.C93723@diabolic-cow.chatgris.net>; from rguyom@pobox.com on Sun, Oct 14, 2001 at 08:15:57PM +0200
References:  <20011014232019.A29012@aurema.com> <20011014152203.O69352-100000@darkwing.turbo.net> <20011014201557.C93723@diabolic-cow.chatgris.net>

On Sun, Oct 14, 2001 at 08:15:57PM +0200, Rémi Guyomarch wrote:
: On Sun, Oct 14, 2001 at 03:26:27PM +0200, Henrik Holmstam wrote:
: > On Sun, 14 Oct 2001, Christopher Vance wrote:
: > 
: > > Is there any reason why FreeBSD ipfilter is compiled without ipv6?
: > > Does it not work, or is nobody FreeBSDish interested?
: 
: I don't think IPFilter is IPv6-ready. There's some support but I don't
: think it's stable or tested enough at this point. I may be wrong.

Is that a judgement made by ipfilter people on what it does on FreeBSD,
or by FreeBSD people on what ipfilter does/doesn't do?

: > > I'd prefer something to keep state, so ip6fw isn't quite what I want.
: > 
: > Is it? I'm using default IPFilter on FreeBSD 4.4-STABLE with ipv6 and it
: > works just fine. I'm keeping state and have rules with 'proto ipv6' with
: > no problems.

I didn't think this answered my question, but was going to check some
more before replying.

: "ipv6" in this context means "v6 in v4". It means you're filtering
: IPv6 packets based on the IPv4 tunnel end-point address, which is
: better than nothing but still far from ideal.

And this response seems to agree with my understanding.

: IPFilter compiled with IPv6 support needs *two* different sets of
: rules. One for v4 and one for v6. The v6 set is managed with "ipf -6"
: instead of "ipf". See ipf(1) :
: 
: OPTIONS
:        -6     This option is required to parse IPv6 rules and  to
:               have them loaded.

I was looking for ways to filter tcp and udp traffic by their ip6
addresses.  ipf filtering gif/stf traffic by where the tunnel came
from is not what I meant, since that's only filtering protocol 41 (or
whatever) as ip4 traffic, with no understanding of ip6 addressing.

It looks to me that the default compile of ipfilter on FreeBSD 4-S
turns off the -6 option and the USE_INET6 cpp define, and removes
mention of -6 from the manual pages.  Seems like someone went to some
effort to remove it, and I was wondering why, and whether it was
easier to put back in.

-- 
Christopher Vance
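
Added example, not part of the original message or of IPFilter: a Python sketch of the distinction drawn in the thread, showing what a filter that only understands IPv4 can match on for tunnelled traffic (tunnel end-points and protocol 41) versus what an IPv6-aware filter can match on (the inner IPv6 addresses and TCP/UDP ports). The packet bytes, addresses and function names are constructed for illustration, and IPv6 extension headers are not handled.

```python
import ipaddress
import struct

def build_sample():
    """Constructed 6in4 packet: IPv4 (proto 41) / IPv6 / TCP. Checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    v6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)
    v6 += ipaddress.IPv6Address("2001:db8:1::10").packed
    v6 += ipaddress.IPv6Address("2001:db8:2::20").packed
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6) + len(tcp), 0, 0, 64, 41, 0)
    v4 += ipaddress.IPv4Address("192.0.2.1").packed
    v4 += ipaddress.IPv4Address("198.51.100.7").packed
    return v4 + v6 + tcp

def outer_view(pkt):
    """Fields available to a filter that only parses the IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}

def inner_view(payload):
    """Fields available to a filter that parses the encapsulated IPv6 packet."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        raise ValueError("payload is not IPv6")
    nxt = payload[6]
    view = {"src": str(ipaddress.IPv6Address(payload[8:24])),
            "dst": str(ipaddress.IPv6Address(payload[24:40])),
            "next_header": nxt}
    # Ports are read only when TCP (6) or UDP (17) directly follows the fixed header.
    if nxt in (6, 17) and len(payload) >= 44:
        view["sport"], view["dport"] = struct.unpack("!HH", payload[40:44])
    return view

if __name__ == "__main__":
    outer = outer_view(build_sample())
    print("IPv4-only view:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("IPv6-aware view:", inner_view(outer["payload"]))
```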
