kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE

Hajimu UMEMOTO ume at freebsd.org
Sat Nov 26 20:20:21 GMT 2005


The following reply was made to PR kern/89472; it has been noted by GNATS.

From: Hajimu UMEMOTO <ume at freebsd.org>
To: Gael Roualland <gael.roualland at dial.oleane.com>
Cc: FreeBSD-gnats-submit at freebsd.org, freebsd-ipfw at freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Date: Sun, 27 Nov 2005 05:19:01 +0900

 Hi,
 
 >>>>> On Wed, 23 Nov 2005 22:43:07 +0100 (CET)
 >>>>> Gael Roualland <gael.roualland at dial.oleane.com> said:
 
 gael>  Hum, I didn't notice the "ipv6" string was handled a bit differently
 gael>  than the numeric proto number in ipfw.
 
 gael>  It does work, at least IPv6-over-IPv4 packets are not blocked, but ipfw
 gael>  list/show reports the rule as "allow ip from a.b.c.d to me" and it does
 gael>  filter it that way, opening a lot more than just protocol 41...
 
 Umm, 41 is treated as ipv6 internally.  With the following patch,
 
 	allow ip from a.b.c.d to me proto 41
 
 should work as a workaround.  However, it is still incomplete, and
 `ipfw show' shows
 
 	allow ip from any to any proto ipv6
 
 Apart from this limitation, it seems to work for me here.
 
 Index: sbin/ipfw/ipfw2.c
 diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c
 --- sbin/ipfw/ipfw2.c.orig	Sat Aug 20 17:36:57 2005
 +++ sbin/ipfw/ipfw2.c	Sun Nov 27 04:18:43 2005
 @@ -3611,7 +3611,8 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
  		*proto = pe->p_proto;
  	else
  		return NULL;
 -	if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)
 +	if (strcmp(av, "ipv4") != 0 && strcmp(av, "ip4") != 0 &&
 +	    strcmp(av, "ipv6") != 0 && strcmp(av, "ip6") != 0)
  		fill_cmd(cmd, O_PROTO, 0, *proto);
  
  	return cmd;
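Review bot: the new condition decides purely by the spelling of av, so a token that resolves to protocol 0 under another spelling, for instance "ip" through the getprotobyname() path visible above (`*proto = pe->p_proto;`), now falls through to fill_cmd() and emits an O_PROTO 0 instruction where the old `*proto != IPPROTO_IP` test skipped it. Keeping that half of the numeric check and replacing only the IPv6 half, `if (*proto != IPPROTO_IP && strcmp(av, "ipv6") != 0 && strcmp(av, "ip6") != 0)`, still lets "proto 41" emit its O_PROTO 41 as intended while leaving "ip", "ipv4" and "ip4" without a protocol opcode.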
 
 
 Sincerely,
 
 --
 Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
 ume at mahoroba.org  ume@{,jp.}FreeBSD.org
 http://www.imasy.org/~ume/
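Added illustration, not code from the PR or from FreeBSD's ipfw2.c: a simplified C model of the decision add_proto() makes, with the 6.0-RELEASE check and the patched check side by side, so the effect described in this thread (a "proto 41" rule ending up with no protocol match at all, i.e. applying to every protocol) can be reproduced without a FreeBSD box. It assumes the ipv4/ip4/ipv6/ip6 keywords are resolved before the numeric and getprotobyname() paths, which are modelled here by atoi() and a constructed name table.

```c
#include <stdlib.h>
#include <string.h>

enum { PROTO_IP = 0, PROTO_IPV6 = 41 };     /* local copies of IPPROTO_IP / IPPROTO_IPV6 */

/* Constructed subset of /etc/protocols, standing in for getprotobyname(). */
static const struct { const char *name; int num; } protos[] = {
    { "ip", 0 }, { "icmp", 1 }, { "tcp", 6 }, { "udp", 17 }, { "ipv6", 41 } };

/* Resolve the proto token: family keywords first, then a number, then a name
 * (assumed order, modelled on the patched function's own string checks). */
static int parse_proto(const char *av, int *proto)
{
    size_t i;
    *proto = PROTO_IP;
    if (!strcmp(av, "ipv4") || !strcmp(av, "ip4"))
        return 1;                               /* keyword, same as "ip" */
    if (!strcmp(av, "ipv6") || !strcmp(av, "ip6")) {
        *proto = PROTO_IPV6;                    /* keyword selecting IPv6 */
        return 1;
    }
    if (atoi(av) > 0) {
        *proto = atoi(av);                      /* numeric, e.g. "41" */
        return 1;
    }
    for (i = 0; i < sizeof protos / sizeof protos[0]; i++)
        if (!strcmp(av, protos[i].name)) {
            *proto = protos[i].num;
            return 1;
        }
    return 0;                                   /* unknown: add_proto() returns NULL */
}

/* Protocol number the rule's O_PROTO match is emitted for; -1 means no
 * protocol match at all (the rule applies to every protocol), -2 unknown token. */
int emitted_proto(const char *av, int patched)
{
    int proto, emit;
    if (!parse_proto(av, &proto))
        return -2;
    if (patched)   /* the PR's patch: decide by the spelling of the token */
        emit = strcmp(av, "ipv4") && strcmp(av, "ip4") &&
               strcmp(av, "ipv6") && strcmp(av, "ip6");
    else           /* 6.0-RELEASE: decide by number, so "41" is mistaken for "ipv6" */
        emit = proto != PROTO_IP && proto != PROTO_IPV6;
    return emit ? proto : -1;  /* "41": -1 before the patch (no proto match), 41 after */
}
```

The "ip" row is the case worth watching after the patch: the spelling-only check emits an O_PROTO 0 opcode for it, which the numeric check never did.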