From: Hajimu UMEMOTO
To: Gael Roualland
Cc: freebsd-ipfw@freebsd.org, FreeBSD-gnats-submit@freebsd.org
Date: Sun, 27 Nov 2005 05:19:01 +0900
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
In-Reply-To: <200511232143.jANLh7x3022902@jerry.priv>

Hi,

>>>>> On Wed, 23 Nov 2005 22:43:07 +0100 (CET)
>>>>> Gael Roualland said:

gael> Hum, I didn't notice the "ipv6" string was handled a bit differently
gael> than the numeric proto number in ipfw.

gael> It does work, at least IPv6-over-IPv4 packets are not blocked, but ipfw
gael> list/show reports the rule as "allow ip from a.b.c.d to me" and it does
gael> filter it that way, opening a lot more than just protocol 41...

Umm, 41 is treated as ipv6, internally. With the following patch,

    allow ip from a.b.c.d to me proto 41

should work as a workaround.
However, it is still incomplete, and `ipfw show' shows

    allow ip from any to any proto ipv6

Apart from this limitation, it seems to be working for me here.

Index: sbin/ipfw/ipfw2.c diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c --- sbin/ipfw/ipfw2.c.orig Sat Aug 20 17:36:57 2005 +++ sbin/ipfw/ipfw2.c Sun Nov 27 04:18:43 2005 @@ -3611,7 +3611,8 @@ add_proto(ipfw_insn *cmd, char *av, u_ch *proto = pe->p_proto; else return NULL; - if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6) + if (strcmp(av, "ipv4") != 0 && strcmp(av, "ip4") != 0 && + strcmp(av, "ipv6") != 0 && strcmp(av, "ip6") != 0) fill_cmd(cmd, O_PROTO, 0, *proto); return cmd;

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
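Review bot: the rewritten condition in add_proto() drops the `*proto != IPPROTO_IP` guard that the removed line had, so any av other than the four listed spellings that still leaves *proto at IPPROTO_IP would now reach `fill_cmd(cmd, O_PROTO, 0, *proto)` and emit an O_PROTO match on protocol 0. Suggest keeping `*proto != IPPROTO_IP &&` in front of the strcmp() tests, so that only the numeric or named protocol 41 case changes behaviour. Comparing av against string literals here also duplicates the keyword list; a local flag set where the address-family keyword is recognised would avoid the two drifting apart. The hunk covers the parsing side only, so the rule listing still prints "proto ipv6" for 41, as the message itself notes, and a rule reviewed through `ipfw show' output may not read the way it was entered.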