From owner-freebsd-net@FreeBSD.ORG Mon Sep 5 14:57:52 2011
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5FE031065676 for ; Mon, 5 Sep 2011 14:57:52 +0000 (UTC) (envelope-from ivoras@gmail.com)
Received: from mail-gx0-f182.google.com (mail-gx0-f182.google.com [209.85.161.182]) by mx1.freebsd.org (Postfix) with ESMTP id 211DB8FC0A for ; Mon, 5 Sep 2011 14:57:51 +0000 (UTC)
Received: by gxk28 with SMTP id 28so4032002gxk.13 for ; Mon, 05 Sep 2011 07:57:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date:x-google-sender-auth:message-id:subject:to:cc:content-type; bh=WfSey6fTgw0UNftyYMWpsa2jAUuuvTYLt/UW3JvzXTM=; b=eYYNIRQ/qMqGWv8fmMsm3vZer9wipCdHHDk7fNfdyo8yrbkeAmHx9K9hpGCqreNPo2f9Ib3qcGB8POhR/eZgjjpbEz++hRPVyG3wO4YN/ygfIW5pbhySQ7gwj8THWe8KskfhntUYDOtlV5f6bHbN3+SCtnjaEjLg6A1zlbn1bHo=
Received: by 10.101.5.21 with SMTP id h21mr2723172ani.123.1315233346089; Mon, 05 Sep 2011 07:35:46 -0700 (PDT)
MIME-Version: 1.0
Sender: ivoras@gmail.com
Received: by 10.100.134.4 with HTTP; Mon, 5 Sep 2011 07:35:06 -0700 (PDT)
In-Reply-To: <20110905140121.GA2135@over-yonder.net>
References: <20110905140121.GA2135@over-yonder.net>
From: Ivan Voras
Date: Mon, 5 Sep 2011 16:35:06 +0200
X-Google-Sender-Auth: sTj1oDTu8OVWHhZ5VVD5Giq6gVo
Message-ID:
To: "Matthew D. Fuller"
Content-Type: text/plain; charset=UTF-8
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw and ipv6: "me"
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 05 Sep 2011 14:57:52 -0000

On 5 September 2011 16:01, Matthew D. Fuller wrote:
> On Mon, Sep 05, 2011 at 02:37:08PM +0200 I heard the voice of
> Ivan Voras, and lo! it spake thus:
>>
>> There is no symmetrical "me4" option which leads me to think that
>> "me" matches only ipv4 and "me6" only ipv6.
>
> I can't answer for the code, but as far as I could tell as a user
> that's the case.
>
> (and so my firewall script is piled up with "{ me or me6 }"'s...
> sigh)

I thought so too, and AFAIK it used to work like that, but it might be
that something has changed. I have pretty conclusive evidence that the
handling has either been extended to (ipv4 or ipv6) or at least is
inconsistent.

I've verified this by having these two rules:

02999 17 1360 skipto 3000 log tcp from me to any setup keep-state
03000 66661 52129939 allow tcp from me to any setup keep-state

and the logs have this:

Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 [2001:4f8:fff6::22]:80 out via em0
Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:4f8:fff6::22]:80 [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 in via em0
Sep 5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP 69.147.83.34:80 xxx.xxx.xxx.xxx:38991 in via em0

So "tcp from me to any..." appears to match both... which would be
fine, but then how do we match ipv4 only?
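Added example, not part of the thread and not ipfw's own code: a small Python script that parses ipfw syslog lines in the format quoted above ("ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>", with IPv6 addresses in brackets) and reports which address families each rule number has logged. The point is the check a firewall admin would want after reading this message: a rule written with "me" that is silently matching both IPv4 and IPv6 shows up as a mixed-family rule instead of being discovered by reading kernel logs by hand. The log lines are constructed (documentation address ranges stand in for the masked real ones), and the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log, same layout as the lines quoted in the thread.
# Rule 2999 is the "skipto 3000 log tcp from me to any" rule; the addresses
# are documentation ranges (2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
Sep  5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8:1::2]:43389 [2001:db8:2::22]:80 out via em0
Sep  5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8:2::22]:80 [2001:db8:1::2]:43389 in via em0
Sep  5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP 198.51.100.34:80 192.0.2.10:38991 in via em0
Sep  5 14:32:01 element kernel: ipfw: 3000 Accept TCP 192.0.2.10:51234 198.51.100.7:443 out via em0
Sep  5 14:32:05 element kernel: ipfw: 2999 SkipTo 3000 UDP 192.0.2.10:53 198.51.100.53:53 out via em0
"""

# Action is a word optionally followed by a number ("SkipTo 3000", "Accept").
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+(?: \d+)?) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_endpoint(text):
    """Split 'addr:port' (IPv4) or '[addr]:port' (IPv6) into (ip_address, port)."""
    if text.startswith("["):
        addr, _, port = text[1:].partition("]:")
    else:
        addr, _, port = text.rpartition(":")
    return ipaddress.ip_address(addr), int(port)


def parse_line(line):
    """Parse one ipfw log line; return a dict, or None if it is not an ipfw hit."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport = parse_endpoint(m["src"])
    dst, dport = parse_endpoint(m["dst"])
    return {
        "rule": int(m["rule"]),
        "action": m["action"],
        "proto": m["proto"],
        "src": src,
        "sport": sport,
        "dst": dst,
        "dport": dport,
        "dir": m["dir"],
        "iface": m["iface"],
        "family": src.version,  # 4 or 6
    }


def families_per_rule(lines):
    """Map each rule number to the sorted list of IP versions it has logged."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            seen[rec["rule"]].add(rec["family"])
    return {rule: sorted(fams) for rule, fams in seen.items()}


def mixed_family_rules(lines):
    """Rule numbers whose logged hits span both IPv4 and IPv6."""
    return sorted(
        rule for rule, fams in families_per_rule(lines).items() if len(fams) == 2
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rule, fams in sorted(families_per_rule(lines).items()):
        print(f"rule {rule}: IPv{' and IPv'.join(str(f) for f in fams)}")
    print("rules matching both families:", mixed_family_rules(lines))
```

Feed it `grep 'ipfw:' /var/log/security` (or wherever syslog puts the `security` facility on the box) instead of the sample. Rules that come back from `mixed_family_rules` are the ones to inspect; whether a rule is meant to be pinned to one family is then a matter of the rule itself, which is exactly the question the message ends on.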