Date: Mon, 5 Sep 2011 16:35:06 +0200
From: Ivan Voras <ivoras@freebsd.org>
To: "Matthew D. Fuller" <fullermd@over-yonder.net>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw and ipv6: "me"
Message-ID: <CAF-QHFUo9si-OmXQtUFCb=sB-8FDpugziKD5MvgkwmhpCUV4KA@mail.gmail.com>
In-Reply-To: <20110905140121.GA2135@over-yonder.net>
References: <j42fpl$ps4$1@dough.gmane.org> <20110905140121.GA2135@over-yonder.net>
On 5 September 2011 16:01, Matthew D. Fuller <fullermd@over-yonder.net> wrote:
> On Mon, Sep 05, 2011 at 02:37:08PM +0200 I heard the voice of
> Ivan Voras, and lo! it spake thus:
>>
>> There is no symmetrical "me4" option which leads me to think that
>> "me" matches only ipv4 and "me6" only ipv6.
>
> I can't answer for the code, but as far as I could tell as a user
> that's the case.
>
> (and so my firewall script is piled up with "{ me or me6 }"'s...
> sigh)

I thought so too, and AFAIK it used to work like that, but it might be that something has changed. I have pretty conclusive evidence that the handling has either been extended to (ipv4 or ipv6) or at least is inconsistent.

I've verified this by having these two rules:

02999 17 1360 skipto 3000 log tcp from me to any setup keep-state
03000 66661 52129939 allow tcp from me to any setup keep-state

and the logs have this:

Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 [2001:4f8:fff6::22]:80 out via em0
Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:4f8:fff6::22]:80 [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 in via em0
Sep 5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP 69.147.83.34:80 xxx.xxx.xxx.xxx:38991 in via em0

So "tcp from me to any..." appears to match both... which would be fine, but then how do we match ipv4 only?
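To check from the kernel log which address families a rule using "me" actually matched, here is an added parser for ipfw log lines of the shape shown above (example code, not from the thread; the sample lines are constructed, with documentation addresses in place of the masked ones):

```python
import ipaddress
import re
from collections import defaultdict

# ipfw log lines for TCP: "<rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>".
# IPv6 endpoints are bracketed, IPv4 endpoints are bare; the action may carry an argument ("SkipTo 3000").
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+(?: \d+)?) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<iface>\S+)"
)

# Constructed samples modelled on the thread's lines; masked addresses replaced with documentation ranges.
SAMPLE_LINES = [
    "Sep  5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8:1::56ff:fe99:3327]:43389 [2001:db8:2::22]:80 out via em0",
    "Sep  5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8:2::22]:80 [2001:db8:1::56ff:fe99:3327]:43389 in via em0",
    "Sep  5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP 69.147.83.34:80 192.0.2.10:38991 in via em0",
    "Sep  5 14:32:00 element kernel: something unrelated",
]

def split_endpoint(endpoint):
    """Return (ip_address, port) from '[v6]:port' or 'v4:port'."""
    if endpoint.startswith("["):
        host, port = endpoint[1:].split("]:", 1)
    else:
        host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)

def parse_ipfw_log(line):
    """Parse one ipfw log line into a dict, or return None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {
        "rule": int(m["rule"]), "action": m["action"], "proto": m["proto"],
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "direction": m["direction"], "iface": m["iface"],
        "family": src.version,  # 4 or 6; src and dst of one packet share a family
    }

def families_by_rule(lines):
    """Map rule number -> set of IP versions that rule was logged matching."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_ipfw_log(line)
        if rec:
            seen[rec["rule"]].add(rec["family"])
    return dict(seen)
```

A rule that should be IPv4-only but reports {4, 6} here is the symptom described in the thread; run it over /var/log/security (or wherever ipfw logs land) to confirm on a live box.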