Date: Mon, 13 Jul 2020 14:55:02 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 247952] ipfilter ipfstat -nhio6 show different results than -nhio
Message-ID: <bug-247952-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247952

Bug ID: 247952
Summary: ipfilter ipfstat -nhio6 show different results than -nhio
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: joeb1@a1poweruser.com

ipfilter ipf command was changed a long time ago to no longer require 1 rules file for ipv4 and another rules file for ipv6. Both were combined into a single rules file. Seems this change was not also done to the ipfstat command.

Running 12.1 RELEASE on real hardware.

>cat /etc/ipf.rules
pass out quick on em0 all
pass in quick on em0 all
pass out quick on bridge0 all
pass in quick on bridge0 all
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on re0 proto tcp/udp from any to any port = 53 keep state
pass out quick on re0 proto udp from any to any port = 67 keep state
pass out log quick on re0 proto icmp from any to any keep state
pass out log quick on re0 proto ipv6-icmp from any to any
pass out quick on re0 proto tcp from any to any port = 43 flags S keep state
block out quick on re0 all
block in quick on re0 proto icmp all
pass in log quick family inet6 proto ipv6-icmp all
block in quick on re0 all

>ipfstat -nhoi
0 @1 pass out quick on em0 all
232 @2 pass out quick on bridge0 all
0 @3 pass out quick on lo0 all
7 @4 pass out quick on re0 proto tcp/udp from any to any port = domain keep state
0 @5 pass out quick on re0 proto udp from any to any port = bootps keep state
0 @6 pass out log quick on re0 proto icmp from any to any keep state
1 @7 pass out log quick on re0 proto ipv6-icmp from any to any
0 @8 pass out quick on re0 proto tcp from any to any port = nicname flags S/FSRPAU keep state
45 @9 block out quick on re0 all
25 @1 pass in quick on em0 all
234 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
48 @5 block in quick on re0 all

>ipfstat -nhoi6
0 @1 pass out quick on em0 all
234 @2 pass out quick on bridge0 all
0 @3 pass out quick on lo0 all
7 @4 pass out quick on re0 proto tcp/udp from any to any port = domain keep state
0 @5 pass out quick on re0 proto udp from any to any port = bootps keep state
0 @6 pass out log quick on re0 proto icmp from any to any keep state
1 @7 pass out log quick on re0 proto ipv6-icmp from any to any
0 @8 pass out quick on re0 proto tcp from any to any port = nicname flags S/FSRPAU keep state
45 @9 block out quick on re0 all
25 @1 pass in quick on em0 all
236 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
469 @5 pass in log quick inet6 proto ipv6-icmp from any to any
49 @6 block in quick on re0 all

>cat /var/log/security
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
snip

Rule #5 is missing from the -nhoi listing but is present in the -nhoi6 list. This is an error. The -6 flag should be removed as obsolete and the listing show all the ipv4 & ipv6 rules in a single list.

--
You are receiving this mail because:
You are the assignee for the bug.
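An added example (not part of the bug report and not ipfilter code) for anyone auditing an active rule set: it compares the two listings on rule text and reports rules that only one of them shows. The sample text is the inbound section of each listing as given in the report; the function names are hypothetical.

```python
import re

# Inbound sections of the two listings, copied from the report above.
LISTING_V4 = """\
25 @1 pass in quick on em0 all
234 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
48 @5 block in quick on re0 all
"""
LISTING_V6 = """\
25 @1 pass in quick on em0 all
236 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
469 @5 pass in log quick inet6 proto ipv6-icmp from any to any
49 @6 block in quick on re0 all
"""

# One listing line: "<hits> @<rule number> <rule text>"
RULE_LINE = re.compile(r"^\s*(\d+)\s+@(\d+)\s+(\S.*?)\s*$")

def parse_listing(text):
    """Return [(hits, rule_number, rule_text)] for each 'hits @N rule' line."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:  # anything else (blank lines, prompts) is skipped
            rules.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rules

def only_in(listing_a, listing_b):
    """Rules in listing_a that listing_b lacks, matched on rule text because
    hit counts and @N positions differ between the two listings."""
    seen = {text for _, _, text in parse_listing(listing_b)}
    return [r for r in parse_listing(listing_a) if r[2] not in seen]

def audit(v4_text, v6_text):
    """Report rules that each listing hides from the other."""
    return {"hidden_from_default": only_in(v6_text, v4_text),
            "hidden_from_v6": only_in(v4_text, v6_text)}

if __name__ == "__main__":
    for hits, num, text in audit(LISTING_V4, LISTING_V6)["hidden_from_default"]:
        print(f"only in -6 listing: @{num} ({hits} hits) {text}")
```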
