Request for review: ipfw2 for IPV6

Orla McGann orly at
Fri Feb 6 03:32:43 PST 2004

On Wed, Jan 14, 2004 at 01:01:22PM -0800, Luigi Rizzo wrote:
Hi Luigi, 
> We would really appreciate testing by someone who is a kernel programmer
> who has access to ipv6 network and some knowledge of the ipv6 code,
> and thus can give advice on how to improve this code, and possibly
> suggest fixes for the trivial bugs that are there.
I installed the patch on my machine, which is running 4.9 STABLE so I had to
add "options IPFW2" to my kernel.

My machine already had ipfw getting rules from my rc.firewall script, so I
noticed the following problems straight away:
1. Rules that say "ip" mean allow "all", so they should be printed as allow
all when you do an ipfw show, so it is not mistaken for solely ipv4 traffic.

2. Some ipv4 rules appeared as "me6"
In /usr/src/sbin/ipfw/ipfw2.c there is the following code:
   strncmp(av, "ipv6", strlen(av))
which I think should be
   strcmp(av, "ipv6")
because the strncmp() function is matching "ip" instead of "ipv6".

A similar problem occured where it matched "me6" instead of "me", for the same
reason given above.

3. Autoconfiguration of my (ipv6) address didn't work, so I would suggest that
default rules for neighbour discovery should be added to the rc.firewall
ipfw 400 allow ipv6-icmp from :: to ff02::/16
ipfw 500 allow ipv6-icmp from fe80::/10 to fe80::/10
ipfw 600 allow ipv6-icmp from fe80::/10 to ff02::/16

4. You can't specify a netmask of /0 for ipv6; it gets interpreted as "me6" in
the rules. I got around this by adding the following rules, but it's not
ipfw allow all from ::/1 to ::/1
ipfw allow all from 8000::/1 to 8000::/1
ipfw allow from 8000::/1 to ::/1
ipfw allow from ::/1 to 8000::/1
5. Perhaps there should be no distinction between "me" and "me6" (i.e. have me
mean either ipv4 or ipv6), or else there should be an "any6" keyword if there
is to be a "me6".

6. There should probably be an option to have ipfw2 only handle ipv4 traffic
(and allow ip6fw to firewall ipv6 traffic).

7. The error messages are a bit ambiguous. If I give ipfw a rule such as:
ipfw allow ipv6 from any to any or
ipfw allow from any to any
I get the error message -> Unrecognised Option [-1] from

but if I use a rule like:
ipfw allow ipv4 from any to any
I get the error message -> Unrecognised Option [-1] ipv4

> The system _will_ panic if you are trying to use dummynet on
> output packets, the reasons of the panic are still to investigate.
> Dummynet on the input path seems to work, as well as on layer2.
> There might be other bugs, which I would be happy to hear about
> as i only did very limited testing.

The other thing that I came across is that the fill_icmp6types() and
fill_ext6hdr() functions don't get called anywhere in
/usr/src/sbin/ipfw/ipfw2.c. I have added some extra code here, but I am still
testing it. I will post a diff of my changes once I'm done debugging it.

Give a man a fish; you have fed him for today.  
Teach a man to use the Net and he won't bother you for weeks.

More information about the freebsd-ipfw mailing list