Date: Wed, 23 Nov 2005 22:43:07 +0100 (CET)
From: Gael Roualland <gael.roualland@dial.oleane.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Message-ID: <200511232143.jANLh7x3022902@jerry.priv>
Resent-Message-ID: <200511232150.jANLoFpT016458@freefall.freebsd.org>

>Number:         89472
>Category:       bin
>Synopsis:       ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 23 21:50:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Gael Roualland <gael.roualland@dial.oleane.com>
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD jerry.priv 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Sat Nov 19 20:48:17 CET 2005 gael@jerry:/home/cvsup/obj/home/cvsup/src/sys/JERRY i386

>Description:
Before ipfw2 knew about IPv6, it was possible to filter IPv6 traffic
which was tunneled in IPv4 by doing something like

    ipfw add allow ipv6 from a.b.c.d to me

where a.b.c.d was the tunnel end.

Now that ipfw2 does ipv6, such a line is interpreted as being an IPv6
rule, and is rejected since the specified IP address is not an IPv6
address.

The alternate syntax 'allow ip from a.b.c.d to me proto ipv6' is
accepted by ipfw, but does not work in the kernel since the first proto
test (IPv4) does not match the extracted protocol of the packet (IPv6).

>How-To-Repeat:
    ipfw add allow ipv6 from a.b.c.d to me

>Fix:
Workaround: change the "ipv6" protocol to "all", and trust the end of
the tunnel...

The real fix would IMHO be to add a different test for the inner
protocol carried by a packet in addition to the protocol packet itself.

>Release-Note:
>Audit-Trail:
>Unformatted:
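
The check the report asks for, matching the outer IPv4 protocol (41, IPv6-in-IPv4) and the tunnel endpoint separately from the inner protocol, shown in user-space C as an added example; it is not part of the report and is not ipfw code. The function names, verdict values and the documentation-range addresses in the constructed sample packet are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_IPV6_IN_IPV4 41   /* IANA protocol number: IPv6 encapsulated in IPv4 */

enum verdict { V_NOT_TUNNEL, V_MALFORMED, V_WRONG_ENDPOINT, V_ACCEPT };

/* Classify one raw IPv4 packet against a single allowed tunnel endpoint.
 * On V_ACCEPT, *inner_proto receives the Next Header of the inner IPv6 packet. */
enum verdict classify_6in4(const uint8_t *pkt, size_t len,
                           const uint8_t endpoint[4], uint8_t *inner_proto)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return V_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* outer header length in bytes */
    if (ihl < 20 || len < ihl)
        return V_MALFORMED;
    if (pkt[9] != PROTO_IPV6_IN_IPV4)           /* outer protocol test */
        return V_NOT_TUNNEL;
    if (memcmp(pkt + 12, endpoint, 4) != 0)     /* outer source = tunnel end? */
        return V_WRONG_ENDPOINT;
    if (len < ihl + 40 || (pkt[ihl] >> 4) != 6) /* inner fixed IPv6 header */
        return V_MALFORMED;
    *inner_proto = pkt[ihl + 6];                /* inner protocol test input */
    return V_ACCEPT;
}

/* Constructed sample: 20-byte IPv4 header followed by a 40-byte IPv6 header. */
size_t build_sample(uint8_t *buf, const uint8_t src[4],
                    uint8_t outer_proto, uint8_t inner_next)
{
    memset(buf, 0, 60);
    buf[0] = 0x45;              /* IPv4, IHL = 5 words */
    buf[9] = outer_proto;
    memcpy(buf + 12, src, 4);
    buf[20] = 0x60;             /* inner version nibble = 6 */
    buf[26] = inner_next;       /* inner Next Header */
    return 60;
}

int main(void)
{
    const uint8_t endpoint[4] = {192, 0, 2, 1};   /* assumed tunnel end */
    uint8_t buf[60], inner = 0;
    size_t n = build_sample(buf, endpoint, PROTO_IPV6_IN_IPV4, 58);
    printf("verdict=%d inner=%u\n", classify_6in4(buf, n, endpoint, &inner), inner);
    return 0;
}
```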