ipfw oddity/bug? ipv6 != protocol 41

Graham Menhennitt graham at menhennitt.com.au
Sun Nov 28 01:34:56 UTC 2010


Hi all,

I've found something that I think is a bug in ipfw. At the very least,
it contradicts the man page and a number of web sites. It's also
different behaviour from a few months ago.

I have an IPv6 tunnel connection to Hurricane Electric that I use every
now and then. When I want to use it, I manually enable it in ipfw and
then disable it again afterwards. After a recent csup and new world and
kernel, it stopped working. The script output below shows the problem.

I start with IPv6 disallowed by ipfw as can be seen in the first failed
ping6. Normally, I then allow ipv6 and the ping6 should work. But it
seems that ipv6 isn't what it used to be. I need to explicitly use the
protocol number (41) to get it to work. According to the ipfw man page,
ip6 and ipv6 are the same thing, and it implies that they should both be
the same as "41". Obviously they're not.

So, when you add a rule with "ipv6" or "ip6" in it, "ipfw list" displays
it as "ip6". When you enter a rule with "41" in it, it displays as
"ipv6". Very confusing!

I can't see any option to get "ipfw list" to output numeric values
rather than protocol names, but moving /etc/protocols aside seems to do
the trick. You can see from the last ipfw output that ip6 is the same as
ipv6, but they're not the same as 41.

I did a few google searches for "ipfw, freebsd, ipv6" and a number of
sites say that you just do "allow ipv6 from any to any" to get it
working. That's what I used to do too, but it doesn't work any more.

I'm running 8-Stable csupped yesterday on i386: FreeBSD
maxwell.mencon.com.au 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #28: Sun Nov
28 07:44:12 EST 2010
root at chief-freebsd.mencon.com.au:/usr/obj/usr/src/sys/maxwell  i386.

Does anybody have any ideas, please?

Thanks,
    Graham

Script output (with a few irrelevant bits trimmed, and some blank lines
inserted for clarity):

Script started on Sun Nov 28 11:26:27 2010

root at maxwell% ipfw list 50
ipfw: rule 50 does not exist

root at maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
2001:200:dff:fff1:216:3eff:feb1:44d7
ping6: sendmsg: Permission denied

root at maxwell% ipfw add 50 allow ipv6 from any to any
00050 allow ip6 from any to any

root at maxwell% ipfw list 50
00050 allow ip6 from any to any

root at maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
2001:200:dff:fff1:216:3eff:feb1:44d7
ping6: sendmsg: Permission denied

root at maxwell% ipfw add 50 allow ip6 from any to any
00050 allow ip6 from any to any

root at maxwell% ipfw list 50
00050 allow ip6 from any to any
00050 allow ip6 from any to any

root at maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
2001:200:dff:fff1:216:3eff:feb1:44d7
ping6: sendmsg: Permission denied

root at maxwell% ipfw add 50 allow 41 from any to any
00050 allow ipv6 from any to any

root at maxwell% ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
2001:200:dff:fff1:216:3eff:feb1:44d7
16 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7, icmp_seq=0 hlim=56
time=291.889 ms

root at maxwell% ipfw list 50
00050 allow ip6 from any to any
00050 allow ip6 from any to any
00050 allow ipv6 from any to any

root at maxwell% mv /etc/protocols /etc/protocols_save

root at maxwell% ipfw list 50
00050 allow ip6 from any to any
00050 allow ip6 from any to any
00050 allow 41 from any to any
root at maxwell% exit

Script done on Sun Nov 28 11:28:22 2010
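The distinction the script output turns on, as an added example that is not part of the original post or of ipfw itself: ipfw's ip6 / ipv6 keyword matches packets whose IP version field is 6, while a bare 41 is the IP protocol number that /etc/protocols names "ipv6", i.e. IPv6 carried inside an IPv4 packet (6in4, RFC 4213, the encapsulation Hurricane Electric's tunnel broker uses). In a gif(4) tunnel setup ipfw sees both forms of the same ping: the inner IPv6 packet on the tunnel interface and the outer IPv4 protocol-41 packet on the uplink, so a rule that allows only one of them is not enough. The Python below constructs both packet kinds inline (addresses are documentation prefixes chosen for the example) and evaluates them against a simplified first-match, default-deny model of the three rulesets tried above; it does not model ipfw's IPv6 extension-header walking or any other rule options.

```python
"""Model of two different ipfw protocol matches: the ip6/ipv6 keyword
(IP version == 6) versus protocol number 41 (IPv6 encapsulated in IPv4,
"ipv6" in /etc/protocols).  All packets are constructed inline; nothing
is sent on the wire and checksums are left as zero.  Simplified model,
not ipfw's own code."""
import socket
import struct

IPPROTO_IPV6 = 41   # /etc/protocols: "ipv6  41  IPv6" (6in4 encapsulation)
IPPROTO_ICMPV6 = 58


def build_ipv6_icmp_echo(src, dst, payload=b"ping6"):
    """Construct an IPv6 packet carrying an ICMPv6 Echo Request (type 128)."""
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 0) + payload
    ver_tc_flow = 6 << 28                      # version 6, tc 0, flow 0
    hdr = struct.pack("!IHBB16s16s", ver_tc_flow, len(icmp),
                      IPPROTO_ICMPV6, 64,
                      socket.inet_pton(socket.AF_INET6, src),
                      socket.inet_pton(socket.AF_INET6, dst))
    return hdr + icmp


def encapsulate_6in4(inner_ipv6, outer_src, outer_dst):
    """Wrap an IPv6 packet in an IPv4 header whose Protocol field is 41."""
    total_len = 20 + len(inner_ipv6)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                      IPPROTO_IPV6, 0,
                      socket.inet_pton(socket.AF_INET, outer_src),
                      socket.inet_pton(socket.AF_INET, outer_dst))
    return hdr + inner_ipv6


def ip_version(pkt):
    return pkt[0] >> 4


def ipv4_protocol(pkt):
    return pkt[9]            # Protocol field of the IPv4 header


def ipv6_next_header(pkt):
    return pkt[6]            # Next Header field of the IPv6 header


def match_ip6(pkt):
    """'allow ip6 from any to any' (ipv6 is an alias): matches IP version 6."""
    return ip_version(pkt) == 6


def match_proto(pkt, proto):
    """'allow <number> from any to any': matches the packet's protocol field
    (IPv4 Protocol, or IPv6 Next Header; extension headers are not walked)."""
    if ip_version(pkt) == 4:
        return ipv4_protocol(pkt) == proto
    if ip_version(pkt) == 6:
        return ipv6_next_header(pkt) == proto
    return False


def evaluate(pkt, rules):
    """First-match evaluation; 'deny' if nothing matches (default-deny)."""
    for action, predicate in rules:
        if predicate(pkt):
            return action
    return "deny"


def tunnel_ping_results(rules):
    """Evaluate one ping6 as ipfw would see it twice: the inner IPv6 echo on
    the tunnel interface and its 6in4 encapsulation on the IPv4 uplink."""
    inner = build_ipv6_icmp_echo("2001:db8::2", "2001:db8:1::1")
    outer = encapsulate_6in4(inner, "192.0.2.10", "198.51.100.1")
    return {"inner_ipv6": evaluate(inner, rules),
            "outer_6in4": evaluate(outer, rules)}


# The three rulesets from the thread, in model form.
RULES_IP6_ONLY = [("allow", match_ip6)]
RULES_PROTO41_ONLY = [("allow", lambda p: match_proto(p, IPPROTO_IPV6))]
RULES_BOTH = RULES_IP6_ONLY + RULES_PROTO41_ONLY

if __name__ == "__main__":
    for name, rules in (("allow ip6", RULES_IP6_ONLY),
                        ("allow 41", RULES_PROTO41_ONLY),
                        ("allow ip6 + allow 41", RULES_BOTH)):
        print(f"{name:22s} {tunnel_ping_results(rules)}")
```

Only the combined ruleset lets both halves of the ping through, which matches the session above: the working ping6 happened with the two ip6 rules and the 41 rule all present. The practical caveat is that an "allow 41" rule opens the tunnel encapsulation to every IPv4 peer unless it is restricted to the tunnel endpoint's address, so in a real ruleset it should carry a from/to restriction rather than any to any.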



More information about the freebsd-stable mailing list