From: Graham Menhennitt
Date: Sun, 28 Nov 2010 12:24:09 +1100
To: FreeBSD stable
Subject: ipfw oddity/bug? ipv6 != protocol 41
Message-ID: <4CF1AF39.3050704@menhennitt.com.au>

Hi all,

I've found something that I think is a bug in ipfw. At the very least, it contradicts the man page and a number of web sites. It's also different behaviour from a few months ago.

I have an IPv6 tunnel connection to Hurricane Electric that I use every now and then. When I want to use it, I manually enable it in ipfw and then disable it again afterwards. After a recent csup and new world and kernel, it stopped working.

The script output below shows the problem. I start with IPv6 disallowed by ipfw, as can be seen in the first failed ping6. Normally, I then allow ipv6 and the ping6 should work. But it seems that ipv6 isn't what it used to be. I need to explicitly use the protocol number (41) to get it to work.

According to the ipfw man page, ip6 and ipv6 are the same thing, and it implies that they should both be the same as "41". Obviously they're not. So, when you add a rule with "ipv6" or "ip6" in it, "ipfw list" displays it as "ip6". When you enter a rule with "41" in it, it displays as "ipv6". Very confusing!

I can't see any option to get "ipfw list" to output numeric values rather than protocol names, but moving /etc/protocols aside seems to do the trick. You can see from the last ipfw output that ip6 is the same as ipv6, but they're not the same as 41.

I did a few Google searches for "ipfw, freebsd, ipv6" and a number of sites say that you just do "allow ipv6 from any to any" to get it working. That's what I used to do too, but it doesn't work any more.

I'm running 8-Stable csupped yesterday on i386:

FreeBSD maxwell.mencon.com.au 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #28: Sun Nov 28 07:44:12 EST 2010 root@chief-freebsd.mencon.com.au:/usr/obj/usr/src/sys/maxwell i386

Does anybody have any ideas, please?

Thanks,
Graham

Script output (with a few irrelevant bits trimmed, and some blank lines inserted for clarity):

Script started on Sun Nov 28 11:26:27 2010
root@maxwell% ipfw list 50
ipfw: rule 50 does not exist

root@maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 --> 2001:200:dff:fff1:216:3eff:feb1:44d7
ping6: sendmsg: Permission denied

root@maxwell% ipfw add 50 allow ipv6 from any to any
00050 allow ip6 from any to any

root@maxwell% ipfw list 50
00050 allow ip6 from any to any

root@maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 --> 2001:200:dff:fff1:216:3eff:feb1:44d7
ping6: sendmsg: Permission denied

root@maxwell% ipfw add 50 allow ip6 from any to any
00050 allow ip6 from any to any

root@maxwell% ipfw list 50
00050 allow ip6 from any to any
00050 allow ip6 from any to any

root@maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 --> 2001:200:dff:fff1:216:3eff:feb1:44d7
ping6: sendmsg: Permission denied

root@maxwell% ipfw add 50 allow 41 from any to any
00050 allow ipv6 from any to any

root@maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 --> 2001:200:dff:fff1:216:3eff:feb1:44d7
16 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7, icmp_seq=0 hlim=56 time=291.889 ms

root@maxwell% ipfw list 50
00050 allow ip6 from any to any
00050 allow ip6 from any to any
00050 allow ipv6 from any to any

root@maxwell% mv /etc/protocols /etc/protocols_save
root@maxwell% ipfw list 50
00050 allow ip6 from any to any
00050 allow ip6 from any to any
00050 allow 41 from any to any

root@maxwell% exit
Script done on Sun Nov 28 11:28:22 2010
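
The following is an added example, not part of the original message and not ipfw code. It models the rule behaviour seen in the transcript, assuming the tunnel is 6in4 (IPv6 carried inside IPv4 with protocol number 41) and that the `ip6`/`ipv6` keywords match on IP version while a number matches the protocol field. `rule_matches` is a hypothetical matcher and the IPv4 tunnel endpoints are constructed documentation addresses.

```python
import socket
import struct

PROTO_IPV6_ENCAP = 41   # "ipv6 41" in /etc/protocols: IPv6 carried in IPv4
PROTO_ICMPV6 = 58

def build_ipv6(src, dst, next_header, payload):
    """Constructed sample: minimal 40-byte IPv6 header plus payload."""
    first_word = 6 << 28                 # version 6, no traffic class/flow label
    return (struct.pack("!IHBB", first_word, len(payload), next_header, 64)
            + socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst) + payload)

def build_ipv4(src, dst, proto, payload):
    """Constructed sample: 20-byte IPv4 header (checksum left 0) plus payload."""
    return (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
            + socket.inet_aton(src) + socket.inet_aton(dst) + payload)

def classify(packet):
    """Return (ip_version, protocol) as a filter sees the packet at this layer."""
    version = packet[0] >> 4
    if version == 4:
        return 4, packet[9]              # IPv4 protocol field
    if version == 6:
        return 6, packet[6]              # IPv6 next-header field
    raise ValueError("not an IP packet")

def rule_matches(proto_spec, packet):
    """Hypothetical matcher for <proto> in 'allow <proto> from any to any'."""
    version, proto = classify(packet)
    if proto_spec in ("ip", "all"):
        return True
    if proto_spec in ("ip4", "ipv4"):
        return version == 4
    if proto_spec in ("ip6", "ipv6"):
        return version == 6
    return proto == int(proto_spec)      # numeric protocol such as "41"

# Constructed packets: an ICMPv6 echo request (IPv6 addresses taken from the
# transcript), and the same packet as a 6in4 tunnel puts it on the wire.
ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 0])  # ICMPv6 type 128, checksum not computed
INNER = build_ipv6("2001:470:1f04:35d::2",
                   "2001:200:dff:fff1:216:3eff:feb1:44d7", PROTO_ICMPV6, ECHO)
OUTER = build_ipv4("192.0.2.10", "198.51.100.1", PROTO_IPV6_ENCAP, INNER)

def report():
    """Map each rule spelling to (matches inner IPv6, matches outer 6in4)."""
    return {spec: (rule_matches(spec, INNER), rule_matches(spec, OUTER))
            for spec in ("ip6", "ipv6", "41")}
```

In this model the encapsulated packet leaving the physical interface is an IPv4 packet, so only the numeric `41` rule matches it, while `ip6` and `ipv6` match only the inner packet.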