ipfw oddity/bug? ipv6 != protocol 41
Graham Menhennitt
graham at menhennitt.com.au
Sun Nov 28 01:34:56 UTC 2010
Hi all,

I've found something that I think is a bug in ipfw. At the very least,
it contradicts the man page and a number of web sites. It's also
different behaviour from a few months ago.

I have an IPv6 tunnel connection to Hurricane Electric that I use every
now and then. When I want to use it, I manually enable it in ipfw and
then disable it again afterwards. After a recent csup and new world and
kernel, it stopped working. The script output below shows the problem.

I start with IPv6 disallowed by ipfw as can be seen in the first failed
ping6. Normally, I then allow ipv6 and the ping6 should work. But it
seems that ipv6 isn't what it used to be. I need to explicitly use the
protocol number (41) to get it to work. According to the ipfw man page,
ip6 and ipv6 are the same thing, and it implies that they should both be
the same as "41". Obviously they're not.

So, when you add a rule with "ipv6" or "ip6" in it, "ipfw list" displays
it as "ip6". When you enter a rule with "41" in it, it displays as
"ipv6". Very confusing!

I can't see any option to get "ipfw list" to output numeric values
rather than protocol names, but moving /etc/protocols aside seems to do
the trick. You can see from the last ipfw output that ip6 is the same as
ipv6, but they're not the same as 41.

I did a few Google searches for "ipfw, freebsd, ipv6" and a number of
sites say that you just do "allow ipv6 from any to any" to get it
working. That's what I used to do too, but it doesn't work any more.

I'm running 8-Stable csupped yesterday on i386: FreeBSD
maxwell.mencon.com.au 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #28: Sun Nov
28 07:44:12 EST 2010
root at chief-freebsd.mencon.com.au:/usr/obj/usr/src/sys/maxwell i386.

Does anybody have any ideas, please?

Thanks,
Graham

Script output (with a few irrelevant bits trimmed, and some blank lines
inserted for clarity):
Script started on Sun Nov 28 11:26:27 2010
root at maxwell% ipfw list 50
ipfw: rule 50 does not exist
root at maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
2001:200:dff:fff1:216:3eff:feb1:44d7
ping6: sendmsg: Permission denied
root at maxwell% ipfw add 50 allow ipv6 from any to any
00050 allow ip6 from any to any
root at maxwell% ipfw list 50
00050 allow ip6 from any to any
root at maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
2001:200:dff:fff1:216:3eff:feb1:44d7
ping6: sendmsg: Permission denied
root at maxwell% ipfw add 50 allow ip6 from any to any
00050 allow ip6 from any to any
root at maxwell% ipfw list 50
00050 allow ip6 from any to any
00050 allow ip6 from any to any
root at maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
2001:200:dff:fff1:216:3eff:feb1:44d7
ping6: sendmsg: Permission denied
root at maxwell% ipfw add 50 allow 41 from any to any
00050 allow ipv6 from any to any
root at maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
2001:200:dff:fff1:216:3eff:feb1:44d7
16 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7, icmp_seq=0 hlim=56
time=291.889 ms
root at maxwell% ipfw list 50
00050 allow ip6 from any to any
00050 allow ip6 from any to any
00050 allow ipv6 from any to any
root at maxwell% mv /etc/protocols /etc/protocols_save
root at maxwell% ipfw list 50
00050 allow ip6 from any to any
00050 allow ip6 from any to any
00050 allow 41 from any to any
root at maxwell% exit
Script done on Sun Nov 28 11:28:22 2010
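
The distinction in the subject line, shown at the header level as an added example (not part of the original post and not ipfw code): a packet whose IP version is 6, versus an IPv4 packet whose protocol field is 41, the number that /etc/protocols names "ipv6" and that carries IPv6 inside IPv4 on a tunnel. The IPv4 addresses, the zero checksum and the helper names are constructed for illustration; the IPv6 addresses are the ones in the ping6 output above.

```python
import socket
import struct

PROTO_IPV6_IN_IPV4 = 41  # listed under the name "ipv6" in /etc/protocols

def layers(packet: bytes) -> list:
    """Walk the IP headers and return [(ip_version, protocol_or_next_header), ...]."""
    found = []
    while packet:
        version = packet[0] >> 4
        if version == 4:
            ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
            if ihl < 20 or len(packet) < ihl:
                raise ValueError("truncated IPv4 header")
            proto = packet[9]                     # IPv4 protocol field
            found.append((4, proto))
            if proto != PROTO_IPV6_IN_IPV4:
                break
            packet = packet[ihl:]                 # descend into the tunnelled packet
        elif version == 6:
            if len(packet) < 40:
                raise ValueError("truncated IPv6 header")
            found.append((6, packet[6]))          # IPv6 next-header field
            break
        else:
            raise ValueError(f"unknown IP version {version}")
    return found

def ipv6_header(src, dst, next_header, payload_len):
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64)
            + socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst))

def ipv4_header(src, dst, proto, payload_len):
    # Constructed header: checksum left at 0, which is enough for parsing.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

# Constructed samples: an ICMPv6 (next header 58) packet as ping6 hands it to the
# tunnel interface, and the same packet after IPv6-in-IPv4 encapsulation.
NATIVE = ipv6_header("2001:470:1f04:35d::2",
                     "2001:200:dff:fff1:216:3eff:feb1:44d7", 58, 16) + bytes(16)
TUNNELLED = ipv4_header("192.0.2.1", "198.51.100.1",
                        PROTO_IPV6_IN_IPV4, len(NATIVE)) + NATIVE

if __name__ == "__main__":
    print("before encapsulation:", layers(NATIVE))
    print("on the wire:         ", layers(TUNNELLED))
```

The same ping therefore exists in two forms on a tunnel host, one with IP version 6 and one with IP version 4 and protocol 41, which is why a filter can treat the two names differently.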