From: "John W. O'Brien" <john@saltant.com>
Organization: Saltant Solutions
Date: Sun, 05 Jan 2014 21:53:38 -0500
To: freebsd-ipfw@freebsd.org
Subject: ipfw rule to match IPv4-in-IPv6 tunneled packets syntax problem
Message-ID: <52CA1AB2.8050601@saltant.com>
List-Id: IPFW Technical Discussions

Hello freebsd-ipfw@,

I just tripped over what seems to be a syntax bug and need some help understanding it well enough to submit a PR (or to be dissuaded from doing so). A quick look through all PRs matching 'ipfw', open and closed, does not reveal a clear duplicate.

Let's say my machine has a physical interface, em0, with IPv4 address 192.0.2.1, and a tunneling peer with IPv4 address 198.51.100.2. I also have gif0 configured with these tunnel end points and an inner IPv6 address (which I do not believe is relevant). I have the following interaction with the machine.

    % ipfw add 1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6
    1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ip6
    % ipfw add 2000 allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6
    2000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6

Notice that when I say "ipv6", ipfw responds "ip6", but when I say "proto ipv6", ipfw responds "ipv6". Is this an unintended exception, or the unintended consequence of grammar implications I just don't fully understand?

Next my peer sends me some tunneled traffic---each packet incident upon em0 starts with an IPv4 header with the proto field equal to 41, followed by an IPv6 header---and I check the rule counters. Rule 1000 has zero hits, but rule 2000 has all the hits. What would rule 1000 match?

This is on 9.2-STABLE r260112.

Regards,
John
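As an added illustration that is not part of John's message, the following Python builds one of the packets he describes (an IPv4 header with proto 41 followed by an IPv6 header) and parses it back, so the reader can see exactly which fields the outer and inner headers expose to a rule that inspects only the outer IPv4 header. The inner IPv6 addresses and payload are constructed placeholders, and the `outer_rule_matches` helper is a hypothetical comparison of a rule body against the outer header, not ipfw's own matcher; it says nothing about how ipfw's grammar resolves the two spellings.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6 encapsulated in IPv4 (the proto 41 the post describes)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when it verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b"") -> bytes:
    """Constructed sample: IPv4 header with proto 41 carrying a bare IPv6 header."""
    inner = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                        ipaddress.IPv6Address(inner_src).packed,
                        ipaddress.IPv6Address(inner_dst).packed) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                      IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    # fill in the header checksum computed over the header with a zero checksum field
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + inner


def parse_6in4(pkt: bytes) -> dict:
    """Decode the outer IPv4 header and, when proto is 41, the inner IPv6 header."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4 packet")
    info = {"outer_version": 4, "outer_proto": proto,
            "outer_src": str(ipaddress.IPv4Address(src)),
            "outer_dst": str(ipaddress.IPv4Address(dst)), "inner": None}
    if proto == IPPROTO_IPV6 and len(pkt) >= ihl + 40:
        inner = pkt[ihl:ihl + 40]
        info["inner"] = {"version": inner[0] >> 4,
                         "src": str(ipaddress.IPv6Address(inner[8:24])),
                         "dst": str(ipaddress.IPv6Address(inner[24:40]))}
    return info


def outer_rule_matches(info: dict, src: str, dst: str, proto: int) -> bool:
    """Hypothetical check of a 'from src to dst proto N' body against the outer header only."""
    return (info["outer_src"] == src and info["outer_dst"] == dst
            and info["outer_proto"] == proto)
```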