ipfw2 for IPV6
Vladimir Kotal
vlada at devnull.cz
Tue Dec 21 02:40:22 PST 2004
On Tue, Dec 21, 2004 at 11:36:50AM +0100, Vladimir Kotal wrote:
>
> - sbin/ipfw2.c parsing code can cause incorrect functionality, even
> segfault in some cases (see included regress script)
Hmm, the regress script did not get through; here it is:
#!/bin/sh
#
# Regression script for the IPv6 rule parsing in the ipfw2 userland utility.
# It installs three groups of rules that differ only in where the 'ipv6'
# and 'in'/'out' tokens appear, so the parser's handling of each ordering
# can be compared.
#
# CAUTION: the script begins by flushing every firewall rule and every pipe
# without a confirmation prompt (-f). Run it only on a scratch test host
# with console access, never on a machine whose ruleset matters.
#
# presume net.inet.ip.fw.one_pass = 0
# (with one_pass off a packet leaving a pipe continues at the next rule,
# which is presumably why every 'pipe' rule below is paired with an
# 'allow' rule carrying the same rule number)

ipfw=/sbin/ipfw
ipv6addr="fec0:2::2/128"

# Start from an empty ruleset and no configured pipes.
"${ipfw}" -f flush
"${ipfw}" -f pipe flush

## outgoing queue
"${ipfw}" pipe 2400 config bw 64Kbit/s queue 16KBytes
## incoming queue
"${ipfw}" pipe 2401 config bw 64Kbit/s queue 16KBytes

# Group 1 (rules 1500/1501): these load but do not function correctly;
# per the report, packets are not matched against them. This is the quiet
# failure mode: the ruleset looks as intended while traffic is left to
# whatever later rules match. Comparing the per-rule counters from
# 'ipfw show' after sending test traffic makes the miss visible.
"${ipfw}" add 01500 pipe 2400 ipv6 from any to "${ipv6addr}" out
"${ipfw}" add 01500 allow ipv6 from any to "${ipv6addr}" out
"${ipfw}" add 01501 pipe 2401 ipv6 from "${ipv6addr}" to any in
"${ipfw}" add 01501 allow ipv6 from "${ipv6addr}" to any in

# Group 2 (rules 1600/1601): the parser omits the trailing 'in'/'out'
# token from these commands, so the installed rule may be broader than
# the one typed. Check 'ipfw list' against the command line.
"${ipfw}" add 01600 pipe 2400 ipv6 from any to "${ipv6addr}" ipv6 out
"${ipfw}" add 01600 allow ipv6 from any to "${ipv6addr}" ipv6 out
"${ipfw}" add 01601 pipe 2401 ipv6 from "${ipv6addr}" to any ipv6 in
"${ipfw}" add 01601 allow ipv6 from "${ipv6addr}" to any ipv6 in

# Group 3 (rules 1700/1701): these command lines cause a segfault
# according to the report. No exit status is checked anywhere in this
# script, so it carries on with the next command regardless.
"${ipfw}" add 01700 pipe 2400 ipv6 from any to "${ipv6addr}" out ipv6
"${ipfw}" add 01700 allow ipv6 from any to "${ipv6addr}" out ipv6
"${ipfw}" add 01701 pipe 2401 ipv6 from "${ipv6addr}" to any in ipv6
"${ipfw}" add 01701 allow ipv6 from "${ipv6addr}" to any in ipv6

# default deny: drop and log anything else passing through fxp1
"${ipfw}" add 65420 deny log all from any to any via fxp1