From: Jan Mikael Melen
To: freebsd-ipfw@freebsd.org
Date: Fri, 27 Apr 2007 09:28:33 +0300
Subject: ipfw2: IPv6 and new protocols

Hi,

Is there a specific reason why the upper-layer protocols are limited in IPv6 with ipfw2? The problem that I see is that if there is a firewall in the net that uses ipfw2, you can't introduce any new protocols to IPv6 without updating all firewalls of the net? When using new next header numbers, ipfw2 complains "Unknown Extension Header(253)" although there is a rule that allows the protocol to pass through, but the packet is dropped already before the rules are checked.

I noticed from the code that, for example, all MIPv6 extension headers and SCTP are missing from the code and probably many others as well.

Regards,
Jan
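The behaviour described in the message, as an added example that is not ipfw2 code and not from the original post: a simplified walker over the IPv6 next-header chain that either drops unknown values before rule evaluation (strict) or hands the protocol number to the ruleset (permissive). The names `walk_chain`, `known_upper` and the verdict values are hypothetical, and the fixed list of upper-layer protocols is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum verdict { TO_RULES, DROP_UNKNOWN, DROP_TRUNCATED };

/* Next-header values from the IANA protocol numbers registry. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43,
       NH_FRAGMENT = 44, NH_ICMPV6 = 58, NH_DSTOPTS = 60 };

/* Hypothetical model of a parser with a fixed list of upper-layer protocols. */
static int known_upper(uint8_t nh)
{
    return nh == NH_TCP || nh == NH_UDP || nh == NH_ICMPV6;
}

/*
 * Walk the extension-header chain that follows the fixed IPv6 header.
 * nh: Next Header field of the IPv6 header; p/len: bytes after that header.
 * strict != 0: unknown values are dropped here, before any rule is consulted.
 * strict == 0: unknown values are reported in *proto so a rule can decide.
 */
enum verdict walk_chain(uint8_t nh, const uint8_t *p, size_t len,
                        int strict, uint8_t *proto)
{
    for (;;) {
        size_t hlen;

        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (len < 8) return DROP_TRUNCATED;
            hlen = ((size_t)p[1] + 1) * 8;   /* Hdr Ext Len, 8-octet units */
            break;
        case NH_FRAGMENT:
            if (len < 8) return DROP_TRUNCATED;
            hlen = 8;                        /* fixed size */
            break;
        default:
            if (strict && !known_upper(nh)) return DROP_UNKNOWN;
            *proto = nh;
            return TO_RULES;
        }
        if (hlen > len) return DROP_TRUNCATED;
        nh = p[0];                           /* first octet: Next Header */
        p += hlen;
        len -= hlen;
    }
}
```

In the permissive mode the default action for protocol numbers that no rule matches still decides the outcome, so the ruleset's final rule should be a deny.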