Date: Sun, 27 Nov 2005 05:19:01 +0900
From: Hajimu UMEMOTO <ume@freebsd.org>
To: Gael Roualland <gael.roualland@dial.oleane.com>
Cc: freebsd-ipfw@freebsd.org, FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Message-ID: <ygeu0dzxive.wl%ume@mahoroba.org>
In-Reply-To: <200511232143.jANLh7x3022902@jerry.priv>
References: <200511232143.jANLh7x3022902@jerry.priv>
Hi,

>>>>> On Wed, 23 Nov 2005 22:43:07 +0100 (CET)
>>>>> Gael Roualland <gael.roualland@dial.oleane.com> said:

gael> Hum, I didn't notice the "ipv6" string was handled a bit differently
gael> than the numeric proto number in ipfw.

gael> It does work, at least IPv6-over-IPv4 packets are not blocked, but ipfw
gael> list/show reports the rule as "allow ip from a.b.c.d to me" and it does
gael> filter it that way, opening a lot more than just protocol 41...

Umm, 41 is treated as ipv6, internally. With the following patch,

	allow ip from a.b.c.d to me proto 41

should work as a workaround. However, it is still incomplete, and
`ipfw show' shows

	allow ip from any to any proto ipv6

Apart from this limitation, it seems to be working for me here.

Index: sbin/ipfw/ipfw2.c diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c --- sbin/ipfw/ipfw2.c.orig Sat Aug 20 17:36:57 2005 +++ sbin/ipfw/ipfw2.c Sun Nov 27 04:18:43 2005 @@ -3611,7 +3611,8 @@ add_proto(ipfw_insn *cmd, char *av, u_ch *proto = pe->p_proto; else return NULL; - if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6) + if (strcmp(av, "ipv4") != 0 && strcmp(av, "ip4") != 0 && + strcmp(av, "ipv6") != 0 && strcmp(av, "ip6") != 0) fill_cmd(cmd, O_PROTO, 0, *proto); return cmd;

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
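
Review bot: the new condition in add_proto drops the value test "*proto != IPPROTO_IP" that the removed line had, so any av other than the four listed spellings that still leaves *proto equal to IPPROTO_IP would now get an O_PROTO opcode for protocol 0. The hunk does not show which keywords reach this point with that value, so keeping "*proto != IPPROTO_IP &&" in front of the strcmp() chain would preserve the old behaviour for them while still letting a numeric 41 through. The four strcmp() calls also repeat keyword matching by string where the old test worked on the parsed value; a flag set where the keyword is first recognised would avoid the two drifting apart. Since the message reports that `ipfw show' prints the rule as "allow ip from any to any proto ipv6", the listing code needs a matching change before this goes in, otherwise the displayed ruleset does not reflect what is actually being filtered.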