From: Nikolay Denev
To: "John W. O'Brien"
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 17 Jan 2014 19:32:05 +0000
Subject: Re: ipfw rule to match IPv4-in-IPv6 tunneled packets syntax problem
In-Reply-To: <52CA1AB2.8050601@saltant.com>
List-Id: IPFW Technical Discussions

On Mon, Jan 6, 2014 at 2:53 AM, John W. O'Brien wrote:
> Hello freebsd-ipfw@,
>
> I just tripped over what seems to be a syntax bug and need some help
> understanding it well enough to submit a PR (or to be dissuaded from
> doing so). A quick look through all PRs matching 'ipfw', open and
> closed, does not reveal a clear duplicate.
>
> Let's say my machine has a physical interface, em0, with IPv4 address
> 192.0.2.1, and a tunneling peer with IPv4 address 198.51.100.2. I also
> have gif0 configured with these tunnel end points and an inner IPv6
> address (which I do not believe is relevant).
>
> I have the following interaction with the machine.
>
> % ipfw add 1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6
> 1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ip6
> % ipfw add 2000 allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6
> 2000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6
>
> Notice that when I say "ipv6", ipfw responds "ip6", but when I say
> "proto ipv6", ipfw responds "ipv6". Is this an unintended exception, or
> the unintended consequence of grammar implications I just don't fully
> understand?
>
> Next my peer sends me some tunneled traffic---each packet incident upon
> em0 starts with an IPv4 header with the proto field equal to 41,
> followed by an IPv6 header---and I check the rule counters. Rule 1000
> has zero hits, but rule 2000 has all the hits.
>
> What would rule 1000 match?
>
> This is on 9.2-STABLE r260112.
>
> Regards,
> John
>

Just to say me too. I've banged my head a bit exactly because of this a
few days ago. It was really confusing:

ipfw add allow ip6 from any to any   -> shows ip6
ipfw add allow ipv6 from any to any  -> shows ip6
ipfw add allow 41 from any to any    -> shows ipv6

While it looks like it's tersely documented in ipfw(8):

    ip4 | ipv4
        Matches IPv4 packets.
    ip6 | ipv6
        Matches IPv6 packets.
    ip | all
        Matches any packet.

    The ipv6 in proto option will be treated as inner protocol. And, the
    ipv4 is not available in proto option.

It's still confusing.

--Nikolay
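The distinction the thread is circling is that bare `ip6`/`ipv6` tests the IP version of the packet ipfw is looking at, while `proto ipv6` (or a bare `41`) tests the IP protocol field, which is 41 for an IPv6 packet tunneled inside IPv4. The following Python is an added illustration of that difference, written for this page; it is not ipfw's code and models only the subset of the ipfw(8) rule grammar used in the thread (family keywords, `proto`, bare protocol numbers, `from`/`to` with literal addresses or `any`). The sample packets are constructed in the block using the documentation addresses from John's message, and the rule numbers 3000 and 4000 are added for comparison.

```python
"""Toy model of the two checks behind ipfw's "ipv6" keyword (added example, not ipfw code).

Bare ip4/ip6 (ipv4/ipv6) test the outer IP version; "proto ipv6" or a bare "41"
test the IP protocol / next-header field.  Only the grammar subset used in the
thread is handled; real ipfw accepts far more.
"""
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Set

IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation: what "proto ipv6" means

# Names accepted after "proto" or in the protocol slot of a rule body.
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "ipv6": IPPROTO_IPV6, "icmp6": 58}
# Names that are address-family tests wherever they appear in the body.
FAMILY_KEYWORDS = {"ip4": 4, "ipv4": 4, "ip6": 6, "ipv6": 6}


@dataclass
class Rule:
    action: str
    families: Set[int]    # every listed family must hold, so "ip4 ... ip6" never matches
    proto: Optional[int]  # IP protocol / next-header number, None = any
    src: str
    dst: str


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6'."""
    toks = text.split()
    rule = Rule(action=toks[0], families=set(), proto=None, src="any", dst="any")
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in FAMILY_KEYWORDS:            # bare ipv6 == ip6: an address-family test
            rule.families.add(FAMILY_KEYWORDS[t]); i += 1
        elif t in ("ip", "all"):
            i += 1
        elif t == "proto":                  # "proto ipv6" == protocol 41 (the man page's "inner protocol")
            name = toks[i + 1]
            if name in ("ip4", "ipv4"):
                raise ValueError("ipv4 is not available in the proto option")
            rule.proto = int(name) if name.isdigit() else PROTO_NAMES.get(name)
            if rule.proto is None:
                raise ValueError(f"unknown protocol {name!r}")
            i += 2
        elif t.isdigit():                   # bare number == protocol number ("allow 41 ...")
            rule.proto = int(t); i += 1
        elif t in PROTO_NAMES:              # tcp, udp, ...; ipv6 was caught above as a family
            rule.proto = PROTO_NAMES[t]; i += 1
        elif t in ("from", "to"):
            setattr(rule, "src" if t == "from" else "dst", toks[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported token {t!r}")
    return rule


def _ipv4_checksum(hdr: bytes) -> int:
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      socket.inet_pton(socket.AF_INET6, src),
                      socket.inet_pton(socket.AF_INET6, dst))
    return hdr + payload


def outer_header(pkt: bytes):
    """(version, protocol, src, dst) of the header ipfw sees first, e.g. on em0."""
    version = pkt[0] >> 4
    if version == 4:
        return 4, pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if version == 6:
        return (6, pkt[6], socket.inet_ntop(socket.AF_INET6, pkt[8:24]),
                socket.inet_ntop(socket.AF_INET6, pkt[24:40]))
    raise ValueError(f"unknown IP version {version}")


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)


def matches(rule: Rule, pkt: bytes) -> bool:
    version, proto, src, dst = outer_header(pkt)
    if any(f != version for f in rule.families):
        return False
    if rule.proto is not None and proto != rule.proto:
        return False
    return _addr_matches(rule.src, src) and _addr_matches(rule.dst, dst)


# Constructed sample traffic: an ICMPv6 echo tunneled in IPv4 (as seen on em0)
# and the same IPv6 packet on its own (as it would look after decapsulation).
INNER_V6 = build_ipv6("2001:db8::2", "2001:db8::1", 58, b"\x80\x00\x00\x00\x00\x01\x00\x01")
TUNNELED = build_ipv4("198.51.100.2", "192.0.2.1", IPPROTO_IPV6, INNER_V6)
NATIVE_V6 = INNER_V6

RULES = {
    1000: parse_rule("allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6"),        # John's rule 1000
    2000: parse_rule("allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6"),  # John's rule 2000
    3000: parse_rule("allow 41 from any to any"),                              # added: bare protocol number
    4000: parse_rule("allow ip6 from any to any"),                             # added: native IPv6 only
}


def hit_counts(rules=RULES, packets=(TUNNELED, NATIVE_V6)):
    """Hits per rule over the sample packets; rule 1000 needs ip4 AND ip6, so it never fires."""
    return {num: sum(matches(r, p) for p in packets) for num, r in rules.items()}


if __name__ == "__main__":
    for num, hits in hit_counts().items():
        print(num, hits)
```

Running it reproduces the counters John saw: rule 1000 matches nothing, because it asks for a packet that is both IPv4 and IPv6, while rule 2000 and the bare `41` form match the tunneled packet. The native IPv6 packet (what gif0 hands up after decapsulation) is matched only by the `ip6` rule, so filtering the inner traffic needs a separate `ip6` rule, not a `proto ipv6` one.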