Date:      Mon, 29 Jul 2002 22:43:40 -0700
From:      "Crist J. Clark" <>
To:        Luigi Rizzo <>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: RFC: ipfw behaviour with non IPv4 packets
Message-ID:  <>
In-Reply-To: <>
References:  <>

On Thu, Jul 25, 2002 at 12:16:52AM -0700, Luigi Rizzo wrote:
> Hi,
> I would like your input here on the following issue.
> The original "ipfw" would only see IPv4 packets, so given a rule
> of the form
>         <action> ip from <src> to <dst>
> the "ip" protocol specifier effectively meant "any packet" (and
> "any" is in fact a synonym for "ip").
> IPFW2 also sees non-ipv4 packets, so in some cases (e.g. when no
> other fields refer to IPv4 information, say "ip from any to any")
> the rule can be ambiguous. As a matter of fact, the way I have
> implemented it now is
>         "ip" = "any" --> any packet, ipv4 or not 
> You can have the same ambiguity when you specify a protocol like
> "tcp" or "udp" -- do you want these rules to match only "*-over-ip4"
> or ipv6 as well ?
> I am a bit uncertain on what is the best path, but I believe a
> reasonable one is to assume
>         "ip" = "any" --> any IP packet (v4 or v6) 
> and similarly
>         "proto" --> any packet of protocol "proto" over IP (v4 or v6)
> Comments ?

What happens when you do,

  pass ip from any to any ipoptions blah,blah...

Or some other field that is inconsistent for both IPv4 and IPv6?

Or more simply can you do,

  pass ip from to any


  pass ip from fe80::203:0405:0607:0809 to any


  pass ip from or fe80::203:0405:0607:0809 to any

And ipfw(8) will "do the right thing?" (Whatever that might be?)
Crist J. Clark
