From owner-freebsd-ipfw Thu Jul 25 3:40:37 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1122E37B400 for ; Thu, 25 Jul 2002 03:40:35 -0700 (PDT)
Received: from zibbi.icomtek.csir.co.za (zibbi.icomtek.csir.co.za [146.64.24.58]) by mx1.FreeBSD.org (Postfix) with ESMTP id E928743E70 for ; Thu, 25 Jul 2002 03:40:29 -0700 (PDT) (envelope-from jhay@zibbi.icomtek.csir.co.za)
Received: (from jhay@localhost) by zibbi.icomtek.csir.co.za (8.11.6/8.11.6) id g6PAe5C64282; Thu, 25 Jul 2002 12:40:05 +0200 (SAT) (envelope-from jhay)
From: John Hay
Message-Id: <200207251040.g6PAe5C64282@zibbi.icomtek.csir.co.za>
Subject: Re: RFC: ipfw behaviour with non IPv4 packets
In-Reply-To: <20020725001652.A94913@iguana.icir.org> from Luigi Rizzo at "Jul 25, 2002 00:16:52 am"
To: rizzo@icir.org (Luigi Rizzo)
Date: Thu, 25 Jul 2002 12:40:05 +0200 (SAT)
Cc: ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> Hi,
> I would like your input here on the following issue.
>
>
> The original "ipfw" would only see IPv4 packets, so given a rule
> of the form
>
> ip from to
>
> the "ip" protocol specifier effectively meant "any packet" (and
> "any" is in fact a synonym for "ip").
>
> IPFW2 also sees non-ipv4 packets, so in some cases (e.g. when no
> other fields refer to IPv4 information, say "ip from any to any")
> the rule can be ambiguous. As a matter of fact, the way I have
> implemented it now is
>
> "ip" = "any" --> any packet, ipv4 or not
>
> You can have the same ambiguity when you specify a protocol like
> "tcp" or "udp" -- do you want these rules to match only "*-over-ip4"
> or ipv6 as well ?
>
> I am a bit uncertain on what is the best path, but I believe a
> reasonable one is to assume
>
> "ip" = "any" --> any IP packet (v4 or v6)
>
> and similarly
>
> "proto" --> any packet of protocol "proto" over IP (v4 or v6)
>

It would be nice if ipfw can support both ipv4 and ipv6. Then we only
need one "thing" to manage it all.

Maybe the current "proto" field should be split in two? The current
"abuse" of it will make it difficult to be able to specify just one of
them. Currently putting ipv6 in this field means ipv6 tunneled over
ipv4, but I can see that it would be nice to have a way to specify that
a certain rule is only for ipv6 or only for ipv4 packets. So that I can
do things like:

skipto 5 ipv6 proto all from any to any   # Catch all native ipv6 packets
allow ipv4 proto ipv6 from any to any     # catch tunneled packets
allow all proto tcp ...                   # catch both ipv4 and ipv6 packets

John
--
John Hay -- John.Hay@icomtek.csir.co.za / jhay@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
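The ambiguity the thread is about, worked through as an added example that is not part of the mail or of ipfw itself: a toy rule matcher that models both the single overloaded protocol field Luigi describes (where "ip"/"any" match every packet and "ipv6" can only mean protocol 41, IPv6 carried inside IPv4) and the separate address-family field John sketches. The rule grammar (`<num> <action> [<target>] <family> proto <name> from any to any`), the rule numbers, the default-deny rule number and the sample packets are all assumptions constructed here; they follow the shape of John's three example lines, not any real ipfw release.

```python
"""Toy model of the address-family / protocol split sketched in the mail.

Added example, not ipfw code.  Rule syntax, numbers and packets are
constructed assumptions that show why one overloaded "proto" field cannot
select native IPv6, and how a separate family field resolves it.
"""
from dataclasses import dataclass

# IANA protocol / next-header numbers used by the constructed packets.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "ipv6": 41, "icmp6": 58}


@dataclass(frozen=True)
class Packet:
    family: int  # 4 or 6: version of the outer header the firewall sees
    proto: int   # protocol (v4) or next-header (v6) field of that header


@dataclass(frozen=True)
class Rule:
    number: int
    action: str   # "allow", "deny" or "skipto"
    family: str   # "ipv4", "ipv6" or "all": the proposed separate field
    proto: str    # protocol name or "all"
    target: int   # skipto destination rule number (0 when unused)


def legacy_matches(spec: str, pkt: Packet) -> bool:
    """Single overloaded field as described in the thread: "ip"/"any" match
    every packet; any other name matches only on the protocol number, so
    "ipv6" means protocol 41 (IPv6 inside IPv4), never native IPv6."""
    if spec in ("ip", "any"):
        return True
    return PROTO_NUMBERS[spec] == pkt.proto


def parse_rule(line: str) -> Rule:
    """Parse the hypothetical two-field syntax; '#' starts a comment."""
    words = line.split("#", 1)[0].split()
    number, action = int(words[0]), words[1]
    i, target = 2, 0
    if action == "skipto":
        target, i = int(words[2]), 3
        if target <= number:
            raise ValueError(f"skipto must jump forward: {line!r}")
    family, keyword, proto = words[i], words[i + 1], words[i + 2]
    if keyword != "proto" or family not in ("ipv4", "ipv6", "all"):
        raise ValueError(f"bad rule: {line!r}")
    if proto != "all" and proto not in PROTO_NUMBERS:
        raise ValueError(f"unknown protocol: {proto}")
    return Rule(number, action, family, proto, target)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    family_ok = rule.family == "all" or rule.family == f"ipv{pkt.family}"
    proto_ok = rule.proto == "all" or PROTO_NUMBERS[rule.proto] == pkt.proto
    return family_ok and proto_ok


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[int, str]:
    """Walk numbered rules in order; skipto jumps to the first rule whose
    number is >= target.  Returns (rule number, verdict).  Constructed
    default: a packet that falls off the end is denied as rule 65535."""
    ordered = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if not rule_matches(rule, pkt):
            i += 1
            continue
        if rule.action == "skipto":
            i = next((j for j, r in enumerate(ordered) if r.number >= rule.target),
                     len(ordered))
            continue
        return rule.number, rule.action
    return 65535, "deny"


# Constructed ruleset in the proposed two-field form.
RULESET = [parse_rule(line) for line in """
100 skipto 500 ipv6 proto all from any to any   # native IPv6 skips the IPv4-only section
200 allow ipv4 proto ipv6 from any to any       # IPv6 tunnelled in IPv4 (protocol 41)
300 deny  ipv4 proto udp  from any to any       # constructed IPv4-only policy
500 allow all  proto tcp  from any to any       # both families reach this rule
600 deny  all  proto all  from any to any       # constructed catch-all
""".strip().splitlines()]

NATIVE_V6_TCP = Packet(family=6, proto=6)   # constructed sample packets
TUNNELLED_V6 = Packet(family=4, proto=41)
V4_UDP = Packet(family=4, proto=17)

if __name__ == "__main__":
    # The old single field cannot name native IPv6: "ipv6" only hits the tunnel.
    print(legacy_matches("ipv6", TUNNELLED_V6), legacy_matches("ipv6", NATIVE_V6_TCP))
    for pkt in (NATIVE_V6_TCP, TUNNELLED_V6, V4_UDP, Packet(4, 6), Packet(6, 17)):
        print(pkt, "->", evaluate(RULESET, pkt))
```

With the family field present, the `skipto` at 100 steers every native IPv6 packet past the IPv4-only rules, rule 200 catches only the protocol-41 tunnel, and rule 500 is reached by TCP over either family, which is exactly the behaviour John's three comments ask for; `legacy_matches` shows that the single field can express the tunnel case but has no spelling for "native IPv6 only".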