[Bug 247952] ipfilter ipfstat -nhio6 show different results than -nhio
bugzilla-noreply at freebsd.org
Mon Jul 13 14:55:03 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247952
Bug ID: 247952
Summary: ipfilter ipfstat -nhio6 show different results than -nhio
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: joeb1 at a1poweruser.com
ipfilter ipf command was changed a long time ago to no longer require 1 rules
file for ipv4 and another rules file for ipv6. Both were combined into single
rules file. Seems this change was not also done to the ipfstat command.
Running 12.1 RELEASE on real hardware.
>cat /etc/ipf.rules
pass out quick on em0 all
pass in quick on em0 all
pass out quick on bridge0 all
pass in quick on bridge0 all
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on re0 proto tcp/udp from any to any port = 53 keep state
pass out quick on re0 proto udp from any to any port = 67 keep state
pass out log quick on re0 proto icmp from any to any keep state
pass out log quick on re0 proto ipv6-icmp from any to any
pass out quick on re0 proto tcp from any to any port = 43 flags S keep state
block out quick on re0 all
block in quick on re0 proto icmp all
pass in log quick family inet6 proto ipv6-icmp all
block in quick on re0 all
>ipfstat -nhoi
0 @1 pass out quick on em0 all
232 @2 pass out quick on bridge0 all
0 @3 pass out quick on lo0 all
7 @4 pass out quick on re0 proto tcp/udp from any to any port = domain keep state
0 @5 pass out quick on re0 proto udp from any to any port = bootps keep state
0 @6 pass out log quick on re0 proto icmp from any to any keep state
1 @7 pass out log quick on re0 proto ipv6-icmp from any to any
0 @8 pass out quick on re0 proto tcp from any to any port = nicname flags S/FSRPAU keep state
45 @9 block out quick on re0 all
25 @1 pass in quick on em0 all
234 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
48 @5 block in quick on re0 all
>ipfstat -nhoi6
0 @1 pass out quick on em0 all
234 @2 pass out quick on bridge0 all
0 @3 pass out quick on lo0 all
7 @4 pass out quick on re0 proto tcp/udp from any to any port = domain keep state
0 @5 pass out quick on re0 proto udp from any to any port = bootps keep state
0 @6 pass out log quick on re0 proto icmp from any to any keep state
1 @7 pass out log quick on re0 proto ipv6-icmp from any to any
0 @8 pass out quick on re0 proto tcp from any to any port = nicname flags S/FSRPAU keep state
45 @9 block out quick on re0 all
25 @1 pass in quick on em0 all
236 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
469 @5 pass in log quick inet6 proto ipv6-icmp from any to any
49 @6 block in quick on re0 all
>cat /var/log/security
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
snip
Rule #5 is missing from the -nhoi listing but is present in the -nhoi6 list.
This is an error. The -6 flag should be removed as obsolete and the listing show
all the ipv4 & ipv6 rules in single list.
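An added example, not part of the original report and not ipfilter code: a small Python check that compares the two ipfstat listings and reports rules shown only with -6, plus rules whose number differs between the listings. The two listings are excerpts copied from the report as constructed sample input, and the names parse_listing and compare are hypothetical.

```python
import re

# Constructed sample input: excerpts of the two listings in the report
# (outbound rules @1-@7, identical in both listings, are left out).
DEFAULT_LISTING = """\
0 @8 pass out quick on re0 proto tcp from any to any port = nicname flags
S/FSRPAU keep state
45 @9 block out quick on re0 all
25 @1 pass in quick on em0 all
234 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
48 @5 block in quick on re0 all
"""
DASH6_LISTING = """\
0 @8 pass out quick on re0 proto tcp from any to any port = nicname flags
S/FSRPAU keep state
45 @9 block out quick on re0 all
25 @1 pass in quick on em0 all
236 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
469 @5 pass in log quick inet6 proto ipv6-icmp from any to any
49 @6 block in quick on re0 all
"""
RULE_LINE = re.compile(r"^\s*(\d+)\s+@(\d+)\s+(.+)$")

def parse_listing(text):
    """Return [(hits, number, rule_text)], joining wrapped rule lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append([int(m.group(1)), int(m.group(2)), m.group(3).strip()])
        elif line.strip() and rules:  # no "hits @N" prefix: continuation line
            rules[-1][2] += " " + line.strip()
    return [tuple(r) for r in rules]

def compare(default_text, dash6_text):
    """Rules only the -6 listing shows, and rules whose number differs."""
    default = {rule: num for _, num, rule in parse_listing(default_text)}
    hidden, renumbered = [], []
    for hits, num, rule in parse_listing(dash6_text):
        if rule not in default:
            hidden.append((num, hits, rule))
        elif default[rule] != num:
            renumbered.append((rule, default[rule], num))
    return hidden, renumbered
```

On the report's data, compare(DEFAULT_LISTING, DASH6_LISTING) flags the inet6 rule @5 with its 469 hits as absent from the default listing and shows block in quick on re0 all moving from @5 to @6.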